cslogwatch is a tool designed to help Cobalt Strike users get handle on the logs generated by the tool. While we can certainly spend our time grepping for data across myriad of beacon session log files, wouldn’t it be nice if we had a tool that could reliably track Cobalt Strike log files for changes, parse the entries, and then store them in a database or return them in some kind of structured fashion? Well, cslogwatch does just that.
cslogwatch monitor a specified Cobalt Strike log directory for any file create, modification, or deletion events. When a creation or modification is detected, the file is automatically parsed and the results are stored in an sqlite database.
The tool is even resilient to crashes or gaps in run time; by maintaining an on-disk state of the log directory, every time cslogwatch is started a comparison is made between this state and the present state. All delta changes are processed to bring the on-disk state up to date.
cs_log_parser.py can even be used independently to facilitate Cobalt Strike log parsing. It’s capable of returning log entries in both python
json formats for use at your whim.
In the short term future, I will likely follow up the release of cslogwatch with a front-end component that facilitates user-friendly searching, sorting and visualization
To download cslogwatch and get more information on features and usage, check out cslogwatch on GitHub