Corelight@Home Sensors Don’t Seem to Send Any Logs Over to AC-Hunter
The Corelight@home package appears to save its hourly logs in an uncompressed format by default. To change this to the compressed logs that AC-Hunter is expecting, please do the following:
sudo nano /etc/corelight-softsensor.conf
(You’re welcome to use a different editor than nano.) Search down through the file (with ctrl-w) for the characters "gzip". You should find this line:
Corelight::batch_log_gzip F
Please change the capital F to a capital T:
Corelight::batch_log_gzip T
Please save and exit. Now you’ll need to restart the corelight@home suite:
sudo systemctl restart corelight-softsensor.service
Logs created from this point on should be compressed by default, allowing AC-Hunter to find the compressed logs it expects. You should have a new database for this system within a few hours.
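The same change as an added shell script (not part of the Corelight or AC-Hunter documentation): it flips the setting only when it is still F, keeps a backup of the original file, and offers a check that a log written afterwards really starts with the gzip magic bytes. It assumes only the config path and the "Corelight::batch_log_gzip F" line format shown above; the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example, not Corelight's or AC-Hunter's own tooling.
# Assumes /etc/corelight-softsensor.conf holds a line of the form
#   Corelight::batch_log_gzip F
# exactly as shown in the FAQ above.

# enable_batch_gzip FILE
#   Prints "changed", "already-enabled" or "missing" (returns 1 for missing).
#   Idempotent: safe to run again after the setting is already T.
enable_batch_gzip() {
    conf="$1"
    if grep -q '^Corelight::batch_log_gzip[[:space:]][[:space:]]*T[[:space:]]*$' "$conf"; then
        echo "already-enabled"
        return 0
    fi
    if grep -q '^Corelight::batch_log_gzip[[:space:]][[:space:]]*F[[:space:]]*$' "$conf"; then
        # Edit in place; sed leaves the untouched original as FILE.bak.
        sed -i.bak 's/^\(Corelight::batch_log_gzip[[:space:]][[:space:]]*\)F[[:space:]]*$/\1T/' "$conf"
        echo "changed"
        return 0
    fi
    echo "missing"
    return 1
}

# batch_gzip_setting FILE : prints the current value (T, F, or nothing)
batch_gzip_setting() {
    awk '$1 == "Corelight::batch_log_gzip" { print $2 }' "$1"
}

# is_gzip FILE : true when the file starts with the gzip magic bytes 1f 8b.
# Use it on a log written after the restart to confirm compression is on.
is_gzip() {
    [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "1f8b" ]
}

# Run with --apply to perform the FAQ's steps on the live sensor config.
if [ "${1:-}" = "--apply" ]; then
    enable_batch_gzip /etc/corelight-softsensor.conf \
        && sudo systemctl restart corelight-softsensor.service
fi
```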
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7684
Category: Network Sensor Management