9.4. Location of Scan Logs
Q: Where are Scan Logs on the system located?
You can find the Scan Logs in /var/lib/asgard-analysis-cockpit/events.
In this folder you will find three different naming schemes:
.txt.gz - Logs which are not imported yet
.txt.gz.ok - Logs which were imported successfully
.txt.gz.problem - Logs which could not be imported correctly due to an error
If you need to manually investigate logs which failed during the import (.gz.problem),
you can do so by copying the files to a different location (/tmp for example)
and remove the suffix .problem. After that you can use gunzip to extract the log
and inspect it. Most likely you will find that the file did not transfer correctly
over to the Analysis Cockpit. This can be seen if you open the file and scroll to the
very end. In this case the file will just end in the middle of a log line.
The Logs can be imported into the Cockpit via the Scans menu. Select the Asset which
had a problem with the log transfer and click Request Events. This will transfer
the Events from the corresponding ASGARD. You can also use the Fields Log Requested,
Log Received and Log Received Error to filter and look for other failed log transmissions.