
Securing Your Metasploit Logs

Logs can tell you a lot, and if they can tell you a lot, they can also tell other people a lot. Check out why you should secure your Metasploit logs: what they are, where to find them, and the various log types.


Metasploit, backed by a community of 200,000 users and contributors, is the most impactful penetration testing solution on the planet. With it, uncover weaknesses in your defenses, focus on the highest risks, and improve your security outcomes.

Your Metasploit Pro console produces a lot of important logs. It is essential to be able to review these logs, alert on them, and keep them secure.

Why Should I Monitor These Logs?

The logs produced by your Metasploit Pro console are helpful when troubleshooting, and also for monitoring the usage of the Metasploit product. Metasploit Pro is impressively powerful, which also makes it crucial to closely monitor its usage. Unfortunately, you must always plan for the worst possible scenario, including the potential for a Metasploit user to alter the logs created by the console to hide their actions.

Sending these logs to a secure central location in real time ensures that they remain unaltered and easy to review.

What and Where are the Metasploit Pro Logs?

The list below details all of the logs created by your Metasploit Pro console and where they are saved. Your installation root directory may vary; by default, the installation root is /opt/metasploit on Linux and C:\metasploit on Windows.

  • $INSTALL_ROOT/apps/pro/nginx/logs/error.log – Console web server error log
  • $INSTALL_ROOT/apps/pro/nginx/logs/access.log – Console web server access log
  • $INSTALL_ROOT/apps/pro/ui/log/production.log – Rails (ruby) log
  • $INSTALL_ROOT/apps/pro/engine/config/logs/framework.log – Metasploit Framework log
  • $INSTALL_ROOT/apps/pro/engine/prosvc_stdout.log – Metasploit RPC output log
  • $INSTALL_ROOT/apps/pro/engine/prosvc_stderr.log – Metasploit RPC error log
  • $INSTALL_ROOT/apps/pro/tasks – Task logs
  • $INSTALL_ROOT/apps/pro/engine/license.log – License log

As a best practice, all of the above logs should be sent to a secure, off-site, location for storage and analysis. For the purposes of this post we will focus on the three most imperative logs:

  1. tasks
  2. framework.log
  3. access.log
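Before shipping these logs anywhere it is worth checking that every one of them actually exists under your install root and that none of them can be modified by an arbitrary local account on the console host, since a log that any user can rewrite defeats the purpose of collecting it. The following script is an added example, not code from the original post or from Rapid7; it walks the log locations listed above under an install root you pass in, reports each as missing, world-writable or ok, and shows which file in the tasks directory a wildcard follow would currently pick up. The constructed temporary install root built by `build_demo_root` (with license.log deliberately absent and framework.log deliberately world-writable) is only there so the checks run offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Log locations listed on the page, relative to the Metasploit Pro install root.
METASPLOIT_PRO_LOGS = [
    "apps/pro/nginx/logs/error.log",
    "apps/pro/nginx/logs/access.log",
    "apps/pro/ui/log/production.log",
    "apps/pro/engine/config/logs/framework.log",
    "apps/pro/engine/prosvc_stdout.log",
    "apps/pro/engine/prosvc_stderr.log",
    "apps/pro/tasks",
    "apps/pro/engine/license.log",
]


def audit_log_paths(install_root):
    """Map each expected log path to 'missing', 'world-writable' or 'ok'.

    A world-writable log (or tasks directory) lets any local account on the
    console host alter the audit trail before it is shipped off-site.
    """
    root = Path(install_root)
    status = {}
    for rel in METASPLOIT_PRO_LOGS:
        path = root / rel
        if not path.exists():
            status[rel] = "missing"
        elif path.stat().st_mode & stat.S_IWOTH:
            status[rel] = "world-writable"
        else:
            status[rel] = "ok"
    return status


def newest_task_log(install_root):
    """Return the most recently modified *.txt file in the tasks directory,
    i.e. the file a wildcard follow on that directory currently tracks,
    or None when the directory holds no task logs."""
    tasks = Path(install_root) / "apps/pro/tasks"
    candidates = sorted(tasks.glob("*.txt"), key=lambda p: p.stat().st_mtime)
    return candidates[-1] if candidates else None


def build_demo_root():
    """Create a constructed, temporary install root so the checks run offline.

    It deliberately omits license.log and leaves framework.log world-writable
    so that both kinds of finding show up in the report.
    """
    root = Path(tempfile.mkdtemp(prefix="msf-demo-"))
    for rel in METASPLOIT_PRO_LOGS:
        path = root / rel
        if rel.endswith("license.log"):
            continue  # simulate a log that was never written
        if rel.endswith("tasks"):
            path.mkdir(parents=True, exist_ok=True)
            for i, name in enumerate(["task-1.txt", "task-2.txt"]):
                task = path / name
                task.write_text("constructed task log %d\n" % (i + 1))
                os.utime(task, (1000 + i, 1000 + i))  # fixed, increasing mtimes
            os.chmod(path, 0o750)
            continue
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed log line\n")
        # framework.log gets a deliberately weak mode; everything else is owner/group only
        os.chmod(path, 0o666 if rel.endswith("framework.log") else 0o640)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for rel, state in audit_log_paths(demo).items():
        print("%-45s %s" % (rel, state))
    print("newest task log:", newest_task_log(demo))
```

On a real console, call `audit_log_paths("/opt/metasploit")` (or your own install root) instead of the demo tree; anything reported as world-writable should have its mode tightened before the agent is configured, and a missing entry usually means the corresponding component has not run yet rather than a problem with the install.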

The Tasks Directory

The tasks directory provides text files detailing all of the actions taken by all Metasploit users. It will record any exploit that is run, the creation of a listener, establishment of a pivot, and any other action taken through the console.

Configure the Logentries Agent

To capture the log data saved to the tasks directory, first ensure that you have installed the appropriate Logentries Agent on the Metasploit Console machine.

The Logentries Agent can automatically identify and forward the newest log file written to a directory by using a wildcard configuration.

For the Linux Agent, issue the following command to follow the tasks directory:

sudo le follow '/opt/metasploit/apps/pro/tasks/*.txt'

and with the Windows Agent:

AgentService.exe follow c:\metasploit\apps\pro\tasks\*.txt

Always remember to restart the Logentries service after making changes to its configuration.

View in Logentries

Now as new tasks are written to the directory on your console server you can see them stream into Logentries in real time, creating an immutable offsite backup of these important audit trails.


framework.log

framework.log is your best friend when you are trying to troubleshoot an issue you are encountering with Metasploit. All the logged errors are saved here. When you dig into this log you will gain insight into which exploits failed, and for what reasons, as well as general stack traces.

Configure the Logentries Agent

In this case, because framework.log is just a single file, there is no need for special configuration. The command to follow this file with the Linux Agent would simply be:

sudo le follow /opt/metasploit/apps/pro/engine/config/logs/framework.log

access.log

The final log discussed here is the NGINX access.log produced by the Metasploit console. The information available in this log is imperative to maintain complete audit trails of all actions taken in the console. This log will contain every request made to the web interface including the IP address of the requester, making it invaluable in an investigation.

Metasploit’s NGINX server is configured to log in combined log format, and as a result, Logentries will be able to perform in-depth analysis on these logs with ease. The video below provides a tutorial on using the advanced search functionality of Logentries to query an Apache access.log; all the same features and functionality will be available with this NGINX access.log.
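Because the console logs in the combined format, the access.log can be parsed with a single regular expression, which is what makes it easy to answer investigation questions such as "which client addresses hit the console, and how many of their requests were rejected?" without any vendor tooling. The following parser and per-client summary is an added example, not code from the original post or from Rapid7. The log lines in `SAMPLE_ACCESS_LOG` are constructed: the `/login` path, the client addresses and the 401 responses are illustrative and are not taken from a real Metasploit Pro console, and the deliberately malformed last line exercises the parser's handling of a line that does not match the format.

```python
import re
from collections import defaultdict
from datetime import datetime

# NGINX "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines in the shape the console's access.log would have.
# The last line is intentionally not in combined format.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [28/Jan/2016:21:36:43 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Jan/2016:21:36:50 +0000] "POST /login HTTP/1.1" 302 0 "https://console.example/login" "Mozilla/5.0"
10.0.0.9 - - [28/Jan/2016:21:37:01 +0000] "POST /login HTTP/1.1" 401 218 "-" "curl/7.47.0"
10.0.0.9 - - [28/Jan/2016:21:37:02 +0000] "POST /login HTTP/1.1" 401 218 "-" "curl/7.47.0"
10.0.0.9 - - [28/Jan/2016:21:37:03 +0000] "POST /login HTTP/1.1" 401 218 "-" "curl/7.47.0"
this line is not in combined format
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for a line
    that does not match (a truncated write, or output in another format)."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec.pop("request").split(" ")
    # A request field of "-" or a garbled one still yields a record;
    # method, path and protocol are simply left as None.
    if len(parts) == 3:
        rec["method"], rec["path"], rec["proto"] = parts
    else:
        rec["method"] = rec["path"] = rec["proto"] = None
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize_by_client(lines):
    """Count total requests and error responses (4xx/5xx) per client IP.

    Returns (summary dict, number of lines that could not be parsed). The
    unparsed count is worth alerting on: a sudden rise in it means the log
    is no longer in the format the analysis expects.
    """
    summary = defaultdict(lambda: {"requests": 0, "errors": 0})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        entry = summary[rec["ip"]]
        entry["requests"] += 1
        if rec["status"] >= 400:
            entry["errors"] += 1
    return dict(summary), unparsed


if __name__ == "__main__":
    per_client, bad = summarize_by_client(SAMPLE_ACCESS_LOG.splitlines())
    for ip, counts in sorted(per_client.items()):
        print("%-12s requests=%d errors=%d" % (ip, counts["requests"], counts["errors"]))
    print("unparseable lines:", bad)
```

To run it over a real console log, replace `SAMPLE_ACCESS_LOG.splitlines()` with the lines read from `$INSTALL_ROOT/apps/pro/nginx/logs/access.log`; the per-client error counts are the same view that a search for 4xx responses grouped by address gives you in Logentries, and the `time` field is a timezone-aware `datetime`, so windows such as "all requests in the last hour" can be computed directly.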

Ready to secure your Metasploit logs? Give it a try by creating a free Logentries account today!



Published at DZone with permission of Justin Buchanan, DZone MVB. See the original article here.
