
Currently Connected Clients - Experience Regular Disconnects #3898

Open
denizciftci-sec opened this issue Nov 15, 2024 · 8 comments

Comments


denizciftci-sec commented Nov 15, 2024

Hi Team,

I am facing a strange issue related to connected clients.
Is there a way to see the cause of this glitch? We don't experience any network problem.
The disconnects happen every 2-3 minutes and each one lasts 5-10 seconds.
How can I debug it?

Server and Client "version":"0.73.3"

[screenshots]

@denizciftci-sec denizciftci-sec changed the title Currently Connected Clients Currently Connected Clients - Experience Regular Disconnects Nov 15, 2024
@predictiple (Contributor)

Is your server behind a reverse proxy or load balancer?

@scudette (Contributor)

It is difficult to tell by your screenshots what the time axis is but it is quite normal for clients to reconnect quickly when they are sending messages. We do this to avoid stale connections from proxies etc. Each time a message is sent, the client reconnects with another HTTP request (if you are using websocket this is less noticeable).

Usually we set the HTTP connection to reuse the TCP connection, so there is very little overhead in reconnecting.

denizciftci-sec (Author) commented Nov 15, 2024

Thanks for the response.
The network flow goes through a proxy, but we are using the identical client.config file. The only major difference is that we upgraded to the latest version and our clients are using Windows 11 now.

Here is the thing,

As you can see here, after some time the endpoint agent connection stops for some reason.
The status is green, but the dashboard and the indicator inside the host show there was a disconnection.

When I initially triggered the client connection via Velociraptor.exe --config client.config.yaml client -v, I could confirm that the connection was back again. Could you please assist here: what further steps should I take for debugging?

Status seems green while the client is disconnected.
[screenshot]

This shows the green indicator but no connection between server and client:
[screenshot]

@scudette (Contributor)

The color is controlled by the last seen time:

return <div className="online-btn" alt="online" />;

It will be green if the client connected less than 15 min ago.

To understand why you have connection issues you should go through the troubleshooting steps - in particular run with -v and see when the client is failing to connect.

Are you using websockets or http style connections?

denizciftci-sec (Author) commented Nov 15, 2024

We are using an http style connection in client.config.yaml as below:

Client:
server_urls:

I think I am able to reproduce the issue.

When I override the system.exe and execute the manual command in cmd as
Velociraptor.exe --config client.config.yaml client -v, the connection is established and I see no further disconnects.

The problem appears when I close cmd.exe: the endpoint communication is gone.

But I can confirm that the velociraptor service is running under services.exe:
[screenshot]

sc qc velociraptor output:
[screenshot]

Is there a misconfiguration for the endpoint, or shall I try to downgrade the Velociraptor version?

@scudette (Contributor)

There should be no difference between running as a service or a client - you can also run the command directly (i.e. not in a service) by manually running the same as the binary path name above (this runs the exact same code as the service but in the console):

velociraptor.exe -v --config ... service run 

You can also enable local logging temporarily, which will cause the service to log everything - just change the client config file to add a logging clause:

Logging:
  output_directory: c:\somedir\
  separate_logs_per_component: true
  debug:
    rotation_time: 604800
    max_age: 31536000
  info:
    rotation_time: 604800
    max_age: 31536000
  error:
    rotation_time: 604800
    max_age: 31536000

You are looking for the logs with the component VelociraptorClient at the info level - look for why connections are dropping.

Usually putting a proxy in front of the clients makes connections more complicated because proxies expect to buffer connections (you have to disable buffering). Try to enable websocket as that is more proxy friendly (if the proxy supports websocket protocol).
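Once the logging clause above is in place, the VelociraptorClient component writes one JSON record per line with "level", "msg" and "time" fields. The following added example (not Velociraptor project code) scans such a log for what the troubleshooting step asks for: the proxy the client picked up, process restarts, any non-200 response, and stretches with no successful exchange. The hostnames, client id and the 502 line in the embedded sample are constructed placeholders.

```python
"""Scan a Velociraptor client log (JSON, one record per line) for
connection trouble. Added example, not Velociraptor project code."""
import json
import re
from datetime import datetime, timedelta, timezone

# "Receiver C.xxxx: sent 947 bytes, response with status: 200 after 27.1ms, ..."
# "Sender: sent 755 bytes, response with status: 200 after 27.2ms, ..."
EXCHANGE_RE = re.compile(
    r"^(Receiver \S+|Sender): sent \d+ bytes, response with status: (\d+)")
PROXY_RE = re.compile(r"^Setting client proxy to (.*)$")
# RFC 3339 as the client writes it: optional fraction of any length, then Z.
TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_time(ts):
    """Parse the client's timestamp. Go emits up to 9 fractional digits,
    which datetime.fromisoformat rejects on older Pythons, so parse by hand."""
    m = TIME_RE.match(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    frac = (m.group(2) or "")[:6].ljust(6, "0")   # truncate to microseconds
    return base.replace(microsecond=int(frac), tzinfo=timezone.utc)


def scan(lines, max_gap=timedelta(seconds=60)):
    """Summarise connection health from VelociraptorClient info-level lines.

    Returns a dict with:
      proxy   -> proxy string from the "Setting client proxy" record, or None
      starts  -> timestamps of "Starting..." records (process restarts)
      non_200 -> (time, who, status) for every exchange that was not HTTP 200
      gaps    -> (last_ok, next_ok) pairs where no successful exchange was
                 logged for longer than max_gap
      last_ok -> time of the last successful exchange, or None
    """
    out = {"proxy": None, "starts": [], "non_200": [], "gaps": []}
    last_ok = None
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except ValueError:
            continue  # tolerate a line mangled by a paste or a partial write
        if "time" not in rec:
            continue
        msg = rec.get("msg", "")
        if msg.startswith("Starting..."):
            out["starts"].append(parse_time(rec["time"]))
            continue
        pm = PROXY_RE.match(msg)
        if pm:
            out["proxy"] = pm.group(1).strip()
            continue
        em = EXCHANGE_RE.match(msg)
        if not em:
            continue
        t = parse_time(rec["time"])
        who, status = em.group(1), int(em.group(2))
        if status != 200:
            out["non_200"].append((t, who, status))
            continue
        if last_ok is not None and t - last_ok > max_gap:
            out["gaps"].append((last_ok, t))
        last_ok = t
    out["last_ok"] = last_ok
    return out


def report(summary):
    """Render the scan result as plain text, one finding per line."""
    lines = [f"proxy: {summary['proxy'] or 'none'}",
             f"restarts: {len(summary['starts'])}"]
    for t, who, status in summary["non_200"]:
        lines.append(f"{t.isoformat()} {who} -> HTTP {status}")
    for a, b in summary["gaps"]:
        secs = int((b - a).total_seconds())
        lines.append(f"no successful exchange for {secs}s between {a.time()} and {b.time()}")
    return "\n".join(lines)


# Constructed sample in the client's record format; hostnames, client id and
# the 502 response are placeholders, not taken from any real deployment.
SAMPLE_LOG = """\
{"level":"info","msg":"Starting...","time":"2024-11-15T16:46:46.7622759Z"}
{"level":"info","msg":"Setting client proxy to HTTP_PROXY=http://proxy.example.internal:8080/ HTTPS_PROXY=http://proxy.example.internal:8080/ ","time":"2024-11-15T16:46:46Z"}
{"level":"info","msg":"Starting HTTPCommunicator: HTTP Connector to [https://velociraptor.example.internal:8000/]","time":"2024-11-15T16:46:46Z"}
{"level":"info","msg":"Receiver C.0000000000000000: Connected to https://velociraptor.example.internal:8000/reader after waiting for limiter for 0s","time":"2024-11-15T16:46:47Z"}
{"level":"info","msg":"Receiver C.0000000000000000: sent 947 bytes, response with status: 200 after 27.168ms, waiting for server messages","time":"2024-11-15T16:46:47Z"}
{"level":"info","msg":"Sender: sent 755 bytes, response with status: 200 after 27.2192ms, waiting for server messages","time":"2024-11-15T16:46:48Z"}
{"level":"info","msg":"Receiver C.0000000000000000: sent 674 bytes, response with status: 502 after 30001.5ms, waiting for server messages","time":"2024-11-15T16:49:10Z"}
{"level":"info","msg":"Receiver C.0000000000000000: sent 674 bytes, response with status: 200 after 26.5193ms, waiting for server messages","time":"2024-11-15T16:49:18Z"}
"""

if __name__ == "__main__":
    print(report(scan(SAMPLE_LOG.splitlines())))
```

Run it against the info-level VelociraptorClient log from the output_directory instead of SAMPLE_LOG; a gap that lines up with the dashboard's disconnect, or a non-200 status from the proxy, is the indicator to chase.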

denizciftci-sec (Author) commented Nov 15, 2024

Hi Mike,

Is there a way to disable the buffering in the server config? Also, how can I enable websockets for the proxy?

Here is the debug output; I am not sure the log has any indicator of why the connections are dropped.

{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\RegBack\SYSTEM1\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\config\RegBack\SYSTEM1\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\systemprofile\NTUSER.DAT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\systemprofile\NTUSER.DAT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\System Volume Information\restore*\RP*\snapshot\REGISTRY\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Documents and Settings\
\NTUSER.DAT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Users\\NTUSER.DAT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Users\
\NTUSER.DAT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\DEFAULT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\config\DEFAULT\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\DEFAULT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\config\DEFAULT.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Users\\AppData\Local\Microsoft\Windows\UsrClass.dat\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Users\
\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\SRU\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\SRU\10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\SOFTWARE\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\config\SOFTWARE\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\SOFTWARE.LOG
\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\config\SOFTWARE.LOG
\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\Tasks\.job\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\Tasks\
.job\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\SchedLgU.txt\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\SchedLgU.txt\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\Tasks\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\syswow64\Tasks\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\System32\Tasks\*10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\System Volume Information\Syscache.hve\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\System Volume Information\Syscache.hve.LOG
\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache
.db\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\setupapi.log\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\inf\setupapi.
.log\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows.old\Windows\inf\setupapi..log\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\programdata\microsoft\search\data\applications\windows\
\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\programdata\microsoft\search\data\applications\windows\GatherLogs\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Users\\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Users\
\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\\Output\\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\\Output\\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Processing Device C: with auto: glob is C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\\Output\\**10\n","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"\n","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":8340,"MaxSize":1073741874,"AvailableBytes":8282,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":8424,"MaxSize":1073741874,"AvailableBytes":8358,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":8582,"MaxSize":1073741874,"AvailableBytes":8508,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":8696,"MaxSize":1073741874,"AvailableBytes":8614,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":1057384,"MaxSize":1073741874,"AvailableBytes":1057294,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":2106127,"MaxSize":1073741874,"AvailableBytes":2106029,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":2106278,"MaxSize":1073741874,"AvailableBytes":2106172,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":3154974,"MaxSize":1073741874,"AvailableBytes":3154860,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":4203666,"MaxSize":1073741874,"AvailableBytes":4203544,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":4597020,"MaxSize":1073741874,"AvailableBytes":4596890,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":5645720,"MaxSize":1073741874,"AvailableBytes":5645582,"LeasedBytes":0}","leased_pointer":50,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":6170150,"MaxSize":1073741874,"AvailableBytes":4063975,"LeasedBytes":2106029}","leased_pointer":2106127,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":7218843,"MaxSize":1073741874,"AvailableBytes":5112660,"LeasedBytes":2106029}","leased_pointer":2106127,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":8267525,"MaxSize":1073741874,"AvailableBytes":6161334,"LeasedBytes":2106029}","leased_pointer":2106127,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":9316226,"MaxSize":1073741874,"AvailableBytes":7210027,"LeasedBytes":2106029}","leased_pointer":2106127,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":9852944,"MaxSize":1073741874,"AvailableBytes":7746737,"LeasedBytes":2106029}","leased_pointer":2106127,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":10901637,"MaxSize":1073741874,"AvailableBytes":8795422,"LeasedBytes":2106029}","leased_pointer":2106127,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":11950323,"MaxSize":1073741874,"AvailableBytes":9844100,"LeasedBytes":2106029}","leased_pointer":2106127,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":12896624,"MaxSize":1073741874,"AvailableBytes":7250840,"LeasedBytes":5645582}","leased_pointer":5645720,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":13441534,"MaxSize":1073741874,"AvailableBytes":6222635,"LeasedBytes":7218689}","leased_pointer":7218843,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":14490227,"MaxSize":1073741874,"AvailableBytes":7271320,"LeasedBytes":7218689}","leased_pointer":7218843,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":15538914,"MaxSize":1073741874,"AvailableBytes":6222632,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":15543131,"MaxSize":1073741874,"AvailableBytes":6226841,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":16591824,"MaxSize":1073741874,"AvailableBytes":7275526,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":17083486,"MaxSize":1073741874,"AvailableBytes":7767180,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":17087703,"MaxSize":1073741874,"AvailableBytes":7771389,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":18136390,"MaxSize":1073741874,"AvailableBytes":8820068,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":19185083,"MaxSize":1073741874,"AvailableBytes":9868753,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":19189300,"MaxSize":1073741874,"AvailableBytes":9872962,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":19713731,"MaxSize":1073741874,"AvailableBytes":10397385,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":19717948,"MaxSize":1073741874,"AvailableBytes":10401594,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":20766635,"MaxSize":1073741874,"AvailableBytes":11450273,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":20770852,"MaxSize":1073741874,"AvailableBytes":11454482,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":20774817,"MaxSize":1073741874,"AvailableBytes":11458439,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":20774921,"MaxSize":1073741874,"AvailableBytes":11458535,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":21299352,"MaxSize":1073741874,"AvailableBytes":11982958,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":22348045,"MaxSize":1073741874,"AvailableBytes":13031643,"LeasedBytes":9316056}","leased_pointer":9316226,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":23396732,"MaxSize":1073741874,"AvailableBytes":12494927,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":23921163,"MaxSize":1073741874,"AvailableBytes":13019350,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":24969856,"MaxSize":1073741874,"AvailableBytes":14068035,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":25494287,"MaxSize":1073741874,"AvailableBytes":14592458,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":26542974,"MaxSize":1073741874,"AvailableBytes":15641137,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":27067405,"MaxSize":1073741874,"AvailableBytes":16165560,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":28116098,"MaxSize":1073741874,"AvailableBytes":17214245,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":28640529,"MaxSize":1073741874,"AvailableBytes":17738668,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":29689216,"MaxSize":1073741874,"AvailableBytes":18787347,"LeasedBytes":10901451}","leased_pointer":10901637,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":30737909,"MaxSize":1073741874,"AvailableBytes":17841061,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":31262340,"MaxSize":1073741874,"AvailableBytes":18365484,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":32311027,"MaxSize":1073741874,"AvailableBytes":19414163,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":33359720,"MaxSize":1073741874,"AvailableBytes":20462848,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":33884151,"MaxSize":1073741874,"AvailableBytes":20987271,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":34932844,"MaxSize":1073741874,"AvailableBytes":22035956,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":35981531,"MaxSize":1073741874,"AvailableBytes":23084635,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":36505962,"MaxSize":1073741874,"AvailableBytes":23609058,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":37554655,"MaxSize":1073741874,"AvailableBytes":24657743,"LeasedBytes":12896422}","leased_pointer":12896624,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":38603342,"MaxSize":1073741874,"AvailableBytes":24112835,"LeasedBytes":14490009}","leased_pointer":14490227,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":39127773,"MaxSize":1073741874,"AvailableBytes":24637258,"LeasedBytes":14490009}","leased_pointer":14490227,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":40176466,"MaxSize":1073741874,"AvailableBytes":25685943,"LeasedBytes":14490009}","leased_pointer":14490227,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":41225153,"MaxSize":1073741874,"AvailableBytes":26734622,"LeasedBytes":14490009}","leased_pointer":14490227,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":41749584,"MaxSize":1073741874,"AvailableBytes":27259045,"LeasedBytes":14490009}","leased_pointer":14490227,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":42798277,"MaxSize":1073741874,"AvailableBytes":28307730,"LeasedBytes":14490009}","leased_pointer":14490227,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":43846964,"MaxSize":1073741874,"AvailableBytes":29356409,"LeasedBytes":14490009}","leased_pointer":14490227,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":44371395,"MaxSize":1073741874,"AvailableBytes":29880832,"LeasedBytes":14490009}","leased_pointer":14490227,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":45420088,"MaxSize":1073741874,"AvailableBytes":28827944,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":45944519,"MaxSize":1073741874,"AvailableBytes":29352367,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":46993206,"MaxSize":1073741874,"AvailableBytes":30401046,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":48041899,"MaxSize":1073741874,"AvailableBytes":31449731,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":48566330,"MaxSize":1073741874,"AvailableBytes":31974154,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":49090761,"MaxSize":1073741874,"AvailableBytes":32498577,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":50139448,"MaxSize":1073741874,"AvailableBytes":33547256,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":51188141,"MaxSize":1073741874,"AvailableBytes":34595941,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":51712572,"MaxSize":1073741874,"AvailableBytes":35120364,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":52761259,"MaxSize":1073741874,"AvailableBytes":36169043,"LeasedBytes":16591582}","leased_pointer":16591824,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":53285690,"MaxSize":1073741874,"AvailableBytes":35148924,"LeasedBytes":18136124}","leased_pointer":18136390,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":54334383,"MaxSize":1073741874,"AvailableBytes":36197609,"LeasedBytes":18136124}","leased_pointer":18136390,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Receiver C.172bcdeeec1ee409: Connected to https://velociraptor.azr.de.pri.o2.com:8000/reader after waiting for limiter for 0s","time":"2024-11-15T16:46:49Z"}
{"level":"info","msg":"Receiver C.172bcdeeec1ee409: sent 674 bytes, response with status: 200 after 28.9756ms, waiting for server messages","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":80552662,"MaxSize":1073741874,"AvailableBytes":57155386,"LeasedBytes":23396378}","leased_pointer":23396732,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":81601355,"MaxSize":1073741874,"AvailableBytes":58204071,"LeasedBytes":23396378}","leased_pointer":23396732,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":82125786,"MaxSize":1073741874,"AvailableBytes":58728494,"LeasedBytes":23396378}","leased_pointer":23396732,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":83174473,"MaxSize":1073741874,"AvailableBytes":59777173,"LeasedBytes":23396378}","leased_pointer":23396732,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":84223166,"MaxSize":1073741874,"AvailableBytes":60825858,"LeasedBytes":23396378}","leased_pointer":23396732,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":84747597,"MaxSize":1073741874,"AvailableBytes":61350281,"LeasedBytes":23396378}","leased_pointer":23396732,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":85796284,"MaxSize":1073741874,"AvailableBytes":62398960,"LeasedBytes":23396378}","leased_pointer":23396732,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":86320715,"MaxSize":1073741874,"AvailableBytes":62923383,"LeasedBytes":23396378}","leased_pointer":23396732,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":87369408,"MaxSize":1073741874,"AvailableBytes":62398960,"LeasedBytes":24969486}","leased_pointer":24969856,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePointer":87893839,"MaxSize":1073741874,"AvailableBytes":62923383,"LeasedBytes":24969486}","leased_pointer":24969856,"level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}
{"header":"{"ReadPointer":50,"WritePoin

@scudette
Contributor

The buffering is done in the proxy not in the server - by adding a proxy in front of the server it is intercepting the HTTP connection and stopping it from reaching the server in the first place. This is because the way HTTP is used in Velociraptor is a long poll - the client connects to the server and just waits for messages without closing the connection. If the proxy attempts to buffer the connection it will timeout and disconnect it before any data is relayed.

This is described here https://docs.velociraptor.app/blog/2020/2020-09-28-velociraptor-network-communications-30568624043a/#ssl-offloading with some potential solutions for nginx.

To enable websockets, you need to change the client URLs to use websocket protocol. In the client config:

Replace https:// with wss:// for example:

  server_urls:
  - wss://192.168.1.11:8000/
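Since the question was how to debug this, one way to confirm from the client's own log that the poll loop is being cut in the path, as an added example that is not part of this issue or of Velociraptor: it parses the `Receiver ...: sent N bytes, response with status: S after T, waiting for server messages` lines (the shape the client logs), reads the `after` value as a Go duration string, and flags long silences between polls, non-200 statuses and very slow replies. The sample log lines, the 504 entry and the thresholds are constructed for the example.

```python
"""Flag proxy-induced breaks in a Velociraptor client's poll loop from its JSON log.
Added example, not from this issue or from Velociraptor: only the "Receiver ... waiting
for server messages" line shape is from the page; sample lines and thresholds are constructed."""
import json
import re
from datetime import datetime, timezone

_RECV = re.compile(r"^Receiver \S+: sent \d+ bytes, response with status: "
                   r"(?P<status>\d+) after (?P<latency>[^,]+), waiting for server messages$")
_DUR = re.compile(r"(\d+(?:\.\d+)?)(h|ms|m|s|µs|us|ns)")  # pieces of a Go time.Duration string
_UNIT_MS = {"h": 3.6e6, "m": 6e4, "s": 1e3, "ms": 1.0, "µs": 1e-3, "us": 1e-3, "ns": 1e-6}

# Constructed sample: one ring-buffer line (its 'header' is not valid JSON), two healthy polls,
# then an assumed proxy timeout (504 after 1m0.2s) of the kind a 60s proxy read limit produces.
SAMPLE_LOG = [
    '{"header":"{"ReadPointer":50}","level":"info","msg":"File Ring Buffer: Enqueue","time":"2024-11-15T16:46:49Z"}',
    '{"level":"info","msg":"Receiver C.172bcdeeec1ee409: sent 674 bytes, response with '
    'status: 200 after 28.9756ms, waiting for server messages","time":"2024-11-15T16:46:49Z"}',
    '{"level":"info","msg":"Receiver C.172bcdeeec1ee409: sent 512 bytes, response with '
    'status: 200 after 31.2ms, waiting for server messages","time":"2024-11-15T16:46:51Z"}',
    '{"level":"info","msg":"Receiver C.172bcdeeec1ee409: sent 600 bytes, response with '
    'status: 504 after 1m0.2s, waiting for server messages","time":"2024-11-15T16:47:51Z"}',
]

def go_duration_ms(text):
    """Convert a Go duration string ('28.9756ms', '1m0.2s') to milliseconds."""
    return sum(float(n) * _UNIT_MS[u] for n, u in _DUR.findall(text))

def parse_poll_events(lines):
    """Return (utc_time, http_status, latency_ms) for each Receiver round trip."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # ring-buffer lines do not parse as JSON and carry no poll timing anyway
        m = _RECV.match(rec.get("msg", ""))
        if m:
            ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, int(m["status"]), go_duration_ms(m["latency"])))
    return events

def find_breaks(events, max_gap_s=5.0, max_latency_ms=30000.0):
    """Heuristic: silence longer than max_gap_s between polls, plus non-200 or slow replies."""
    out, prev = [], None
    for ts, status, lat in events:
        if prev is not None and (ts - prev).total_seconds() > max_gap_s:
            out.append(("gap", prev.strftime("%H:%M:%S"), (ts - prev).total_seconds()))
        if status != 200 or lat > max_latency_ms:
            out.append(("reply", ts.strftime("%H:%M:%S"), status, lat))
        prev = ts
    return out
```

Run it over the real client log instead of SAMPLE_LOG and compare the gap length and any 5xx latency against the proxy's read timeout: a gap that matches that timeout points at the proxy, not the network.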
