Logging

Cobalt Strike logs all of its activity on the team server. These logs are located in the logs/ folder in the same directory where you started your team server. All Beacon activity is logged here with a date and timestamp.

Control Date Formatting.

You can control the formatting of some dates and timestamps in the logging output with the following fields in the TeamServer.Prop file.

NOTE: TeamServer.prop is an optional file containing a number of parameters that can be used to customize settings. This file is not included in the distribution as the defaults are the recommended settings. If there is a need to modify the settings, download the default TeamServer.prop file from https://github.com/Cobalt-Strike/teamserver-prop repository into the Cobalt Strike installation directory. Make any modifications and restart the teamserver.

For additional information on a setting see the README.md in the repository and comments in the TeamServer.prop file.

logfile.timestamp.pattern

This controls the format of timestamps used in logging.
The default is "MM/dd HH:mm:ss zzz".
Text values must comply with rules defined for a Java DateTimeFormatter patterns.

logfile.timezone

This controls the timezone of timestamps used in logging.
This also controls how the date is determined for the file system path used for daily log files.

Example: .../logs/[date]/events.log

Example: .../logs/[date]/[target-ip]/screenshots.log
The default is UTC.
A special value of "*default" can be used to inherit the value from the system.
Text values must comply with standard java TimeZone values.

Example of TeamServer.prop Definitions

logfile.timestamp.pattern=yyyy-MM-dd HH:mm:ss zzz
 
logfile.timezone=America/Los_Angeles
# logfile.timezone=*default