Compresses all uploaded files.
When artifacts collect files they are normally stored on the server uncompressed. This artifact watches all completed flows and compresses the files in the file store when the flow completes. This is very useful for cloud based deployments with limited storage space or when collecting large files.
In order to run this artifact you would normally run it as part of an artifact acquisition process:
$ velociraptor --config /etc/server.config.yaml artifacts acquire Admin.System.CompressUploads
Note that there is nothing special about compressed files - you can
also just run find and gzip in the file store. Velociraptor will
automatically decompress the file when displaying it in the GUI
text/hexdump etc.
name: Admin.System.CompressUploads
description: |
Compresses all uploaded files.
When artifacts collect files they are normally stored on the server
uncompressed. This artifact watches all completed flows and
compresses the files in the file store when the flow completes. This
is very useful for cloud based deployments with limited storage
space or when collecting large files.
In order to run this artifact you would normally run it as part of
an artifact acquisition process:
$ velociraptor –config /etc/server.config.yaml artifacts acquire Admin.System.CompressUploads
Note that there is nothing special about compressed files - you can
also just run `find` and `gzip` in the file store. Velociraptor will
automatically decompress the file when displaying it in the GUI
text/hexdump etc.
type: SERVER_EVENT
parameters:
- name: blacklistCompressionFilename
type: regex
description: Filenames which match this regex will be excluded from compression.
default: 'ntuser.dat$'
sources:
- query: |
LET files = SELECT ClientId,
Flow.session_id as Flow,
Flow.uploaded_files as Files
FROM watch_monitoring(artifact='System.Flow.Completion')
WHERE Files and not Files =~ blacklistCompressionFilename
SELECT ClientId, Flow, Files,
compress(path=Files) as CompressedFiles
FROM files