Once you are on the log entries page, you will be presented with an empty table. The following sections outline how to interact with the table and log entries.
There will be times when you will need the log’s unique ID. The ID number is always displayed at the top of the page, below the log’s name.

Creating an Entry

To manually create an entry, click on the “Create a new entry” button in the top right corner.
You will see a new row appear, pre-populated with the current UTC timestamps and your username in the Operator field.

Modifying an Entry

You can modify fields by double-clicking the table row you want to edit or pressing Enter while it is selected. A modal form will open.
You can also press Enter to submit your changes.
Once you submit a change, the edits will sync via WebSockets and be visible to anyone with the log open.

Linking, Copying, & Deleting Entries

When you select a log entry, the right pane displays the entry’s details. This detail pane includes several buttons.
| Action | Description |
| --- | --- |
| Edit | Opens the editing modal |
| Copy | Creates a copy of the log entry (good for repeated tasks) |
| Copy as JSON | Copies the entry’s details as JSON (good for quickly passing activity details to a client) |
| Link | Copies a deep link to the log entry to your clipboard |
| Delete | Deletes the log entry from the log |

Managing the Table View

The command bar at the top of the page includes several powerful customization features and your connection status indicator.

Customizing Columns

You can customize the left-hand table view using the Show/Hide Columns button. Click it to reveal the column options and toggle columns on or off.

Sorting Entries

You can also sort your log entries. By default, the page sorts log entries in descending order, from the most recent to the oldest. You can sort by any column by clicking it. You can sort by multiple columns by holding Shift as you click.
Your table column customizations and sorting will be saved in your browser’s local storage, so they will persist between reloads. Reset table sorting by clicking the Reset Sort button.

Filtering Entries

You can filter the table using the box on the right. This filter helps you view log entries related to a specific user, host, or command. To use the filter, type in the keyword and pres. The filter is applied as you type, so you can keep typing to narrow the results further.
Note that text search will include columns you may have hidden. If you’re unsure why the filter returned certain log entries, check for hidden columns.
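The hidden-column caveat above, as an added Python illustration (not Ghostwriter's own code): it models a filter that searches every column and reports which matches came from columns that are not on screen. The field names, the sample entries, and the case-insensitive substring matching are assumptions made for the example.

```python
# Added illustration: models the documented filter behaviour; it is not
# Ghostwriter's code. Field names and case-insensitive matching are assumptions.

# Constructed sample entries (not real engagement data).
ENTRIES = [
    {"id": 1, "operator": "alice", "host": "WS01", "command": "whoami /all",
     "comments": "ran as svc_backup"},
    {"id": 2, "operator": "bob", "host": "DC01", "command": "net group",
     "comments": ""},
    {"id": 3, "operator": "svc_backup", "host": "FS02", "command": "dir",
     "comments": ""},
]


def explain_filter(entries, keyword, visible_columns):
    """Return one record per matching entry, naming the columns that matched.

    Every column is searched, including hidden ones, as the page describes.
    """
    needle = keyword.lower()
    results = []
    for entry in entries:
        matched = [col for col, value in entry.items()
                   if col != "id" and needle in str(value).lower()]
        if not matched:
            continue
        hidden = [col for col in matched if col not in visible_columns]
        results.append({
            "id": entry["id"],
            "matched_columns": matched,
            "hidden_columns": hidden,
            # True when nothing on screen explains why the row is listed.
            "hidden_only": len(hidden) == len(matched),
        })
    return results


if __name__ == "__main__":
    shown = {"operator", "host", "command"}  # "comments" is hidden
    for row in explain_filter(ENTRIES, "svc_backup", shown):
        print(row)
```

With the comments column hidden, entry 1 is returned with `hidden_only` set, which is the case where re-enabling hidden columns explains the result.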

Connection Status Indicator

At the end of the controls is a connection status indicator. Since all entries are created, modified, and deleted using WebSockets, a persistent connection is maintained. If the connection is ever lost, the connection status will turn red and indicate that the WebSocket connection is disconnected. When disconnected, you will not be able to create, modify, or delete any rows.

Applying Tags to Log Entries

Like many objects in Ghostwriter, you can add tags to a log entry to help with filtering and tracking. The log table will change how certain tags appear in the table:
Tags that include:
  • att&ck, attack, mitre, or ttp will appear as red tags (e.g., ttp:t1549)
  • creds or credentials will appear as yellow tags
  • vuln will appear as green tags (e.g., vulnerable:DotNetPE)
  • detect will appear as blue tags (e.g., detected)
  • objective will appear as purple tags (e.g., objective:1)
Additional styles may be added in the future for different tags. The development team is open to suggestions.
Ghostwriter automatically tags log entries that have multimedia content—e.g., linked evidence files and terminal recordings (more on that below). When you link multimedia files, Ghostwriter will add the evidence tag for linked evidence and the recording tag for terminal recordings. Ghostwriter will also remove the tags automatically if you remove the file(s).
You can use tags to easily find log entries—like those with linked evidence or terminal recordings—by entering the tag into the filter box.

Muting Log Notifications

By default, all new operation logs have notifications enabled. The optional Operation Log Monitor task handles notifications. If desired, a user with the admin or manager role can mute notifications from the hamburger menu in the upper-right corner of the logging page. Notification status is also displayed in the operation logs table.

Attaching Content to Log Entries

Beyond the core log entry fields, Ghostwriter supports attaching additional content to entries to provide more context and documentation.

Attaching Evidence

You can link existing report evidence to a log entry. This allows you to associate relevant information with the specific activity documented in the entry. Evidence is displayed in a dedicated section within the entry details, with direct links to the original evidence. See Linking Evidence to Log Entries for detailed instructions.
Your project must have an available report before you will be able to upload evidence or link evidence to a log entry.

Attaching Terminal Recordings

You can upload terminal session recordings (Asciinema .cast or .cast.gz files) to document the exact commands and output from your operational activities. Recordings are stored with the log entry and can be played back directly within the application using the integrated Asciinema player. See Attaching Terminal Recordings to Log Entries for detailed instructions.
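A pre-upload sanity check for a recording, as an added Python example (not part of Ghostwriter): it opens a .cast or .cast.gz file and confirms it parses as an asciicast recording before you attach it. It assumes the asciicast v2 layout (a JSON header line followed by `[time, type, data]` event lines); the function names and the sample recording are constructed for the example.

```python
import gzip
import json

# Constructed sample recording in asciicast v2 layout (not a real session).
SAMPLE_CAST = "\n".join([
    '{"version": 2, "width": 80, "height": 24}',
    '[0.25, "o", "$ "]',
    '[1.5, "o", "id\\r\\n"]',
    '[1.75, "o", "uid=1000(op) gid=1000(op)\\r\\n"]',
])


def summarize_cast(lines):
    """Validate asciicast v2 lines and return size, event count and duration."""
    rows = [line for line in lines if line.strip()]
    if not rows:
        raise ValueError("empty recording")
    try:
        header = json.loads(rows[0])
        events = [json.loads(row) for row in rows[1:]]
    except json.JSONDecodeError as exc:
        raise ValueError(f"not newline-delimited JSON: {exc}") from exc
    if not isinstance(header, dict) or header.get("version") != 2:
        raise ValueError("header is not an asciicast v2 object")
    if not all(isinstance(header.get(k), int) for k in ("width", "height")):
        raise ValueError("header lacks integer width/height")
    last = 0.0
    for number, event in enumerate(events, start=2):
        ok = (isinstance(event, list) and len(event) == 3
              and isinstance(event[0], (int, float))
              and isinstance(event[1], str))
        # v2 timestamps are seconds since the start and never decrease.
        if not ok or event[0] < last:
            raise ValueError(f"record {number}: malformed or out-of-order event")
        last = event[0]
    return {"width": header["width"], "height": header["height"],
            "events": len(events), "duration": last}


def check_recording(path):
    """Summarize a .cast or .cast.gz file on disk before uploading it."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as handle:
        return summarize_cast(handle)


if __name__ == "__main__":
    print(summarize_cast(SAMPLE_CAST.splitlines()))
```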