Jump start with Docker
1. Install Docker
2. Pull Docker image
3. Run Docker image
4. Accessing the Web GUI
5. Import EVTX
If you are using Docker, you can pull the following image.
https://hub.docker.com/r/jpcertcc/docker-logontracer/
If you do not have Docker, please check this page and install it.
$ docker image pull jpcertcc/docker-logontracer$ docker container run \
--detach \
--publish=7474:7474 --publish=7687:7687 --publish=8080:8080 \
-e LTHOSTNAME=[IP_Address] \
jpcertcc/docker-logontracerWait for a while for LogonTracer to run.
Access http://[IP_Address]:8080/ via Web browser. Enable JavaScript on your browser.
Please note that docker image contains sample data on itself. And for the first access, you see the images by those data. This sample data will be purged for the first time you import your own logs.
Supported browsers
- Mozilla Firefox
- Google Chrome
- Microsoft Edge
Login with the default account (neo4j:password) from the Web GUI.
Import the event log using Web GUI or logontracer.py. After importing EVTX, you need to reload the web browser.
Event log can be imported with upload EVTX button. Supported file format is EVTX or XML(exported Event Viewer). If the import of the EVTX file is not successful, please check the "Log" button.
You can import from host to Docker image with logontracer.py.
$ git clone https://github.com/JPCERTCC/LogonTracer.gitEvent log can be imported by logontracer.py option -e or -x.
$ cd LogonTracer
$ python3 logontracer.py --delete -e [EVTX File] -z [TIME Zone] -u neo4j -p password -s [Docker image IP Address]or
$ cd LogonTracer
$ python3 logontracer.py --delete -x [XML File] -z [TIME Zone] -u [USERNAME] -p [PASSWORD] -s [Docker image IP Address]- --delete: Delete data in Neo4j
- -e: EVTX filename to import
- -x: XML filename to import
- -z: Time zone (ex: +9, -5)
- -u: Neo4j username (Docker image is “neo4j”)
- -p: Neo4j password (Docker image is “password”)
- -s: Address where the Docker image (ex: localhost)