# System Layout

RAIN consists of two systems: the target host, which is the machine being monitored, and an analysis server. The target host produces the raw audit logs; the analysis server converts them into the CDM records used for downstream analysis. On the host machine (`kacb3110d13/theia`) you can run the command:

```
virsh list --all
 Id    Name                           State
----------------------------------------------------
 2     e5-analysis                    running
 13    ubuntu12.04                    running
 -     e5-target                      shut off
 -     generic                        shut off
```

Currently, the `ubuntu12.04` VM is the target machine and the `e5-analysis` VM is the analysis host. For the remainder of this writeup, we will refer to the host machine as `theia`.

# Setting up logging on the target machine

From the `theia` box you can log into the target machine with the following command. The password for the target machine is `theia`.

```
ssh theia@192.168.123.7
```

Next, start the `relay-read-file` process, which is responsible for writing the audit logs to disk. It must be running before logging is enabled, otherwise nothing reaches the dump file:

```
sudo relay-read-file &
```

RAIN currently supports only one CPU, so before enabling logging, disable the other cores:

```
sudo ./disable_cores.sh
```

Then turn logging on:

```
echo 1 | sudo tee /sys/kernel/theia/theia_logging_toggle
```

To verify that logging is running, check that the size of the dump file under `/data/ahg.dump.*` is increasing between two invocations (the file name below is from one run; yours may differ):

```
ls -al /data/ahg.dump.7.1
-rw-r--r-- 1 root root 921457 May 15 15:35 ahg.dump.7.1
```

Finally, to turn logging off:

```
echo 0 | sudo tee /sys/kernel/theia/theia_logging_toggle
```

# Converting the audit logs into CDM format

From the `theia` box, log into the analysis server. The password is `darpatheia1`.
```
ssh theia@192.168.123.6
```

Next, run the following command to generate the CDM data from the audit logs:

```
sudo ahg_queue_file -c /etc/theia/handler.cfg
```

This generates the file:

```
cdm-data.bin
```

__NOTE__: `ahg_queue_file` is designed to run in an infinite loop so that it keeps processing incoming logs. Since you are running it on a static file, you will need to kill it with `Ctrl-C`. Once it has finished processing the data, it only repeats the following output (a librdkafka `BUFQ` debug message from its Kafka producer; `0 buffers` means nothing is queued for the broker at `localhost:9092`):

```
%7|1590692309.267|BUFQ|query-ta1-theia-e3-12#producer-1| [thrd:localhost:9092/bootstrap]: localhost:9092/bootstrap: Updating 0 buffers on connection reset
```

Once you see only this message repeating, you can kill the application. The final step is converting the data into JSON:

```
java -jar avro-tools-1.8.2.jar tojson cdm-data.bin > cdm-data.json
```

The output is stored in `cdm-data.json`.

## Rerunning the logging

The easiest way to rerun the logging is to delete the files matching `/data/ahg.dump.*` and reboot the target machine. If you do not want to reboot, stop the `relay-read-file` application, then delete or move the `/data/ahg.dump.*` files. Once this is done, rerun the commands discussed previously (start `relay-read-file`, run `disable_cores.sh`, and set the logging toggle to 1).

Stopping the `relay-read-file` application:

```
sudo kill -s 15 $(pgrep -f relay-read-file)
```

`pgrep -f` matches against the full command line of every process, so make sure nothing else (for example an editor or `tail` with `relay-read-file` in its arguments) is running before sending the signal, or the command substitution will expand to more than one PID.
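The following helper script wraps the target-machine steps from the "Setting up logging on the target machine" and "Rerunning the logging" sections above into start/stop/check/reset subcommands. It is an added example, not part of the RAIN tooling described in this writeup: the sysfs toggle, the `/data/ahg.dump.*` glob, `relay-read-file` and `disable_cores.sh` are taken from the page, while the archive directory, the poll interval and the growth threshold are assumptions. The `check` subcommand replaces eyeballing two `ls -al` outputs with a growth test, and `reset` does the no-reboot rerun in the order the page describes.

```shell
#!/bin/sh
# theia-logging.sh: added helper for the RAIN target machine (not part of RAIN).
# Paths from the writeup; ARCHIVE_DIR, intervals and thresholds are assumptions.

TOGGLE=/sys/kernel/theia/theia_logging_toggle
DUMP_GLOB='/data/ahg.dump.*'
ARCHIVE_DIR=${ARCHIVE_DIR:-/data/archive}   # assumed location for old dumps

# Size of a file in bytes (0 if absent). wc -c is portable; stat flags are not.
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Succeed if FILE grew by at least MIN bytes (default 1) over INTERVAL seconds (default 5).
dump_is_growing() {
    file=$1; interval=${2:-5}; min=${3:-1}
    before=$(file_size "$file")
    sleep "$interval"
    after=$(file_size "$file")
    [ $((after - before)) -ge "$min" ]
}

# Print the toggle value with whitespace stripped, or "unknown" if the sysfs node is absent.
logging_state() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo unknown; fi
}

# Archive name for a dump: <dir>/<basename>.<stamp>, so reruns never clobber old data.
archive_name() {
    echo "$2/$(basename "$1").$3"
}

start_logging() {
    # relay-read-file must be up before the toggle is flipped, or nothing reaches disk.
    if ! pgrep -f relay-read-file >/dev/null; then
        sudo relay-read-file &
    fi
    sudo ./disable_cores.sh     # RAIN supports a single CPU; run from the directory holding the script
    echo 1 | sudo tee "$TOGGLE" >/dev/null
}

stop_logging() {
    echo 0 | sudo tee "$TOGGLE" >/dev/null
}

check_logging() {
    for f in $DUMP_GLOB; do
        [ -e "$f" ] || continue
        if dump_is_growing "$f" 5; then echo "logging active: $f is growing"; return 0; fi
    done
    echo "no dump under $DUMP_GLOB is growing (toggle=$(logging_state "$TOGGLE"))"
    return 1
}

# Rerun without rebooting: toggle off, stop relay-read-file, move old dumps aside, start again.
reset_logging() {
    stamp=$(date +%Y%m%d%H%M%S)
    stop_logging
    pids=$(pgrep -f relay-read-file) && sudo kill -s 15 $pids
    sleep 1
    sudo mkdir -p "$ARCHIVE_DIR"
    for f in $DUMP_GLOB; do
        [ -e "$f" ] && sudo mv "$f" "$(archive_name "$f" "$ARCHIVE_DIR" "$stamp")"
    done
    start_logging
}

case "$1" in
    start) start_logging ;;
    stop)  stop_logging ;;
    check) check_logging ;;
    reset) reset_logging ;;
    "")    ;;   # sourced or run without arguments: only define the functions
    *)     echo "usage: $0 start|stop|check|reset" >&2; exit 2 ;;
esac
```

Run it on the target as `sh theia-logging.sh start`, `check`, `stop` or `reset`; `check` exits non-zero when no dump grew during the interval and reports the toggle value so you can tell "toggle is 0" apart from "toggle is 1 but `relay-read-file` is not writing".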
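The note above on `ahg_queue_file` leaves the operator watching a terminal for the repeating `BUFQ` line. The helper below, an added example rather than code from the RAIN project, automates that on the analysis server: it runs `ahg_queue_file`, polls its log until the last N lines are all the "Updating 0 buffers on connection reset" message, signals it, and then runs the `avro-tools` conversion. The config path, jar name and output file names are from the page; the idle threshold, poll interval, timeout and the log file name are assumptions, and the "processing record" lines in the test are constructed placeholders, not real tool output.

```shell
#!/bin/sh
# ahg-convert.sh: added helper for the RAIN analysis server (not part of RAIN).
# Idle threshold, poll interval, timeout and log name are assumptions.

IDLE_PATTERN='Updating 0 buffers on connection reset'

# Read log lines on stdin; succeed once THRESHOLD consecutive lines contain
# IDLE_PATTERN (any other line resets the run), fail at end of input.
wait_for_idle() {
    threshold=${1:-5}
    run=0
    while IFS= read -r line; do
        case "$line" in
            *"$IDLE_PATTERN"*) run=$((run + 1)) ;;
            *)                 run=0 ;;
        esac
        [ "$run" -ge "$threshold" ] && return 0
    done
    return 1
}

# Poll LOG once a second for up to TIMEOUT seconds until its last THRESHOLD lines
# are all idle messages: "last N lines all idle" is the same test as "N consecutive
# idle lines at the tail", so tail | wait_for_idle decides it.
wait_for_idle_file() {
    log=$1; threshold=${2:-5}; timeout=${3:-600}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if tail -n "$threshold" "$log" | wait_for_idle "$threshold"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# End-to-end conversion; cdm-data.bin and cdm-data.json land in the current directory.
convert_logs() {
    cfg=${1:-/etc/theia/handler.cfg}
    log=${2:-ahg_queue_file.log}
    : > "$log"
    sudo ahg_queue_file -c "$cfg" > "$log" 2>&1 &
    pid=$!
    if wait_for_idle_file "$log" 5 600; then
        echo "ahg_queue_file is idle; sending SIGINT (what Ctrl-C delivers)"
        sudo kill -s INT "$pid"      # sudo forwards the signal to ahg_queue_file
        wait "$pid" 2>/dev/null
        java -jar avro-tools-1.8.2.jar tojson cdm-data.bin > cdm-data.json
    else
        echo "ahg_queue_file did not go idle within the timeout; inspect $log" >&2
        sudo kill -s INT "$pid"
        return 1
    fi
}

if [ "$1" = "run" ]; then
    convert_logs "$2" "$3"
fi
```

Run it as `sh ahg-convert.sh run` (optionally followed by a config path and log name). The detector requires several consecutive idle lines rather than one, because a single `BUFQ` message can appear while records are still being processed; the timeout keeps a broken Kafka connection from leaving the script waiting forever.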