Server Administration¶
After AC-Hunter is installed and receiving Zeek logs, ongoing administration is straightforward. This page covers the hunt CLI, service management, disk usage monitoring, log maintenance, and other routine tasks.
The hunt Command¶
The hunt command is the primary management tool for AC-Hunter. It is installed at /usr/local/bin/hunt and wraps Docker Compose operations with AC-Hunter-specific logic.
Run hunt help to see all available commands and their flags.
Starting, Stopping, and Restarting Services¶
| Command | Description |
|---|---|
| hunt up -d | Start all AC-Hunter services in the background |
| hunt down | Stop all AC-Hunter services |
| hunt restart | Restart all services (always runs detached) |
The -d flag runs containers in detached mode so your terminal is not blocked. hunt restart automatically runs detached.
If the remote-logs SFTP receiver was previously enabled, hunt up and hunt restart will restore it automatically.
Importing Zeek Logs¶
Use hunt import to load Zeek logs into a named database:
| Flag | Description |
|---|---|
| -l, --logs <dir> | Directory containing Zeek logs (required) |
| -d, --database <name> | Target database name, alphanumeric and underscores only (required) |
| --rebuild | Delete the existing database before importing |
The --rebuild flag is useful when you need to reimport logs after changing configuration such as internal subnet definitions or threat intelligence feeds. It removes the existing database and performs a fresh import, so the raw Zeek logs for the whole time range must still be available on disk.
Viewing Service Logs¶
```bash
hunt logs                            # Show logs from all services
hunt logs api                        # Show logs from the API service only
hunt logs clickhouse --tail 50 -f    # Follow the last 50 lines of database logs
```
Available service names: api, clickhouse, syslog-ng, frontend, remote-logs
Standard Docker Compose log flags are supported: --tail, --since, --until, and -f (follow).
Managing the Remote Logs Receiver¶
The remote-logs service is the SFTP receiver that accepts Zeek logs from remote sensors. It runs as an optional Docker Compose profile.
```bash
hunt remote-logs up -d      # Start the SFTP receiver
hunt remote-logs status     # Check receiver status
hunt remote-logs restart    # Restart the receiver
hunt remote-logs down       # Stop the receiver
```
Note
The remote-logs service requires at least one SSH public key in /etc/AC-Hunter/sftp/public_keys/ before it can start. See Zeek Log Transport for setup details.
Applying Configuration Changes¶
AC-Hunter's main configuration file is /etc/AC-Hunter/config.hjson. To apply changes:
```bash
hunt load-config                                 # Apply the persisted config at /etc/AC-Hunter/config.hjson
hunt load-config /path/to/custom-config.hjson    # Apply a one-time config (does not persist across upgrades)
```
To preserve a custom configuration across upgrades, copy it to /etc/AC-Hunter/config.hjson and then run hunt load-config.
A reference copy of the default configuration is available at /etc/AC-Hunter/config.hjson.default.
Tip
After modifying any configuration file, run hunt restart to apply changes. For config.hjson specifically, use hunt load-config followed by hunt restart.
Resetting a User Password¶
If a user is locked out of the web interface, reset the password for the account's email address (user@example.com below is a placeholder):

```bash
hunt reset-password --email="user@example.com"
```
Checking the Installed Version¶
Monitoring Disk Usage¶
AC-Hunter stores data in Docker volumes and on the host filesystem. Over time, Zeek logs and the ClickHouse database can consume significant disk space. Regular monitoring helps avoid service disruptions.
Key Directories to Monitor¶
| Path | Contents | Notes |
|---|---|---|
| /opt/zeek/remotelogs/ | Zeek logs received via SFTP | Grows continuously as sensors ship logs |
| /opt/zeek/logs/ | Locally generated Zeek logs | Only present if Zeek runs on the same host |
| /var/tmp/ach_zeek_logs/ | Staging area for log imports | Temporary; cleaned after import |
| /var/log/AC-Hunter/ | Application logs | Rotated daily, cleaned by cron |
| Docker volume ac_clickhouse_persistent | ClickHouse database | Grows with each import |
Checking Disk Usage¶
```bash
# Overall filesystem usage
df -h

# Size of Zeek remote logs
du -sh /opt/zeek/remotelogs/

# Size of application logs
du -sh /var/log/AC-Hunter/

# Docker volume usage
docker system df -v
```
Deleting Old Zeek Logs¶
Once Zeek logs have been imported into AC-Hunter, the raw log files on disk are no longer needed for analysis (they are still needed if you later want to reimport with hunt import --rebuild). You can remove logs older than a chosen threshold to free space. Preview the set first, then delete:

```bash
# Preview what would be deleted (dry run)
find /opt/zeek/remotelogs/ -type f -mtime +30 -print

# Delete imported Zeek logs older than 30 days
find /opt/zeek/remotelogs/ -type f -mtime +30 -delete
```

Warning
Only delete Zeek logs that have already been imported. If you delete logs before import, that data will be permanently lost. Verify your databases contain the expected time ranges before cleaning up. Note that -mtime uses the file's modification time, which for files delivered over SFTP is the time of transfer, not the date inside the log.
Adjust the -mtime value to match your retention policy. For example, -mtime +90 targets files older than 90 days.
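As an added example (not part of AC-Hunter or its documentation), the following shell script wraps the retention step above in a dry run by default, reports how many files and how much space a given threshold would reclaim, and exposes a filesystem-usage check, so it can be scheduled from cron without silently deleting anything. The directory and threshold arguments and the literal "delete" keyword are illustrative conventions; the -mtime semantics are the same as in the find commands above.

```bash
#!/usr/bin/env bash
# Retention helper for already-imported Zeek logs (illustrative example, not
# AC-Hunter code). Usage: ./prune_zeek_logs.sh /opt/zeek/remotelogs 30 [delete]
set -eu

# prune_zeek_logs <dir> <days> [delete]
# Prints "<file-count> <total-kbytes>" for files older than <days>.
# Nothing is removed unless the third argument is exactly "delete".
prune_zeek_logs() {
    dir=$1; days=$2; mode=${3:-dry-run}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # -mtime compares modification time (transfer time for SFTP-delivered
    # files), not the timestamps inside the Zeek log itself.
    count=$(find "$dir" -type f -mtime +"$days" | wc -l | tr -d ' ')
    kbytes=$(find "$dir" -type f -mtime +"$days" -exec du -k {} + 2>/dev/null \
             | awk '{ s += $1 } END { print s + 0 }')

    if [ "$mode" = "delete" ]; then
        find "$dir" -type f -mtime +"$days" -delete
        # Drop the per-day directories that the deletion left empty.
        find "$dir" -mindepth 1 -type d -empty -delete
    fi
    echo "$count $kbytes"
}

# disk_usage_pct <path>: percent of the filesystem holding <path> that is in use.
disk_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Stand-alone invocation: report usage, then run the dry run or deletion.
if [ "$#" -ge 2 ]; then
    echo "filesystem use for $1: $(disk_usage_pct "$1")%"
    result=$(prune_zeek_logs "$1" "$2" "${3:-dry-run}")
    echo "files older than $2 days: ${result% *} (${result#* } KB)"
fi
```

Run it without the third argument first and compare the reported count against what you expect from your sensor count and retention window; only then add "delete". Pairing the dry run with disk_usage_pct lets a cron job alert on a usage threshold instead of deleting unconditionally.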
Removing Old Databases¶
If you no longer need an older analysis database, you can remove it to reclaim ClickHouse storage. Navigate to Settings → Database in the AC-Hunter web interface, select the database you want to remove, and delete it.
Warning
Dropping a database is irreversible. Double-check the database name before confirming deletion.
Automatic Log Cleanup¶
AC-Hunter includes a cron job that automatically cleans up old application logs:
- Schedule: Daily at 3:00 AM
- Behavior: Deletes files in /var/log/ older than 90 days
- Configuration file: /etc/AC-Hunter/logger-cron
This covers AC-Hunter's own application logs (not Zeek data logs). Zeek log retention must be managed separately as described above.
Service Architecture¶
AC-Hunter runs as a set of Docker containers managed by Docker Compose. Understanding the services helps with troubleshooting and monitoring.
| Container | Service | Purpose | Ports |
|---|---|---|---|
| hunt_web | frontend | Nginx web interface | 80, 443 |
| hunt_api | api | AC-Hunter API middleware | 3000 (internal) |
| hunt_db | clickhouse | ClickHouse analytical database | 8123, 9000 (internal) |
| hunt_logger | syslog-ng | Log collection and rotation | 5514/UDP, 6601/TCP |
| remote_logs | remote-logs | SFTP receiver for Zeek logs (optional) | 2222 |
To check the status of all containers, list them with the standard docker ps command; the container names above appear in its NAMES column, alongside each container's uptime and published ports.
Threat Intelligence Feeds¶
AC-Hunter can match connections against known malicious IPs and domains using threat intelligence feeds. There are two types: online (dynamic) feeds fetched from URLs, and offline (static) feeds stored as local files.
Offline (Static) Feeds¶
Place plain-text files in the /etc/AC-Hunter/threat_intel_feeds/ directory. Each file should contain exactly one IP address or FQDN per line, with no other formatting.
Files in this directory are read during log import and matched against connection data.
Online (Dynamic) Feeds¶
Online feeds are configured in /etc/AC-Hunter/config.hjson under the threat_intel section:

```hjson
threat_intel: {
    online_feeds: ["https://feodotracker.abuse.ch/downloads/ipblocklist.txt"],
    custom_feeds_directory: "/etc/rita/threat_intel_feeds"
}
```

To add a feed, append its URL to the online_feeds array. Each URL must point to a plain-text list with one IP or domain per line. The custom_feeds_directory value is not the host directory /etc/AC-Hunter/threat_intel_feeds/ given above; it is the location the import process itself reads, so leave it at its default unless your version's documentation says otherwise.
After modifying config.hjson, apply the changes with hunt load-config followed by hunt restart, as described under Applying Configuration Changes.
Note
Threat intel matches are applied at import time. If you add a new feed and want it applied to existing data, reimport the relevant database with hunt import --rebuild.
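Both the offline-feed file format above and the import-time matching described in this note are easiest to reason about with a small worked example. The following shell functions are an added illustration, not AC-Hunter's own feed parser or matching code: normalize_feed turns a messy blocklist into the one-entry-per-line form expected in /etc/AC-Hunter/threat_intel_feeds/ (rejecting malformed lines on stderr), and match_feed performs the same kind of lookup against Zeek conn.log records so you can see which connections a new feed would flag before deciding whether a --rebuild reimport is worthwhile. The feed entries and conn.log lines are constructed samples using RFC 5737 documentation addresses; IPv6 entries are not handled, which is an assumption of this example.

```bash
#!/usr/bin/env sh
# Offline feed hygiene and a conn.log match check (illustrative example, not
# AC-Hunter code). Usage: ./feed_check.sh raw-feed.txt > clean-feed.txt
set -e

# normalize_feed <file>: one lowercase IPv4 address or FQDN per line, with
# comments, whitespace, duplicates and malformed entries removed.
normalize_feed() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | tr 'A-Z' 'a-z' \
    | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            # Dotted quad: every octet must be 0-255.
            ok=1
            for octet in $(printf '%s' "$entry" | tr '.' ' '); do
                [ "$octet" -le 255 ] || ok=0
            done
            [ "$ok" = 1 ] && { printf '%s\n' "$entry"; continue; }
        elif printf '%s\n' "$entry" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'; then
            # Hostname labels joined by dots with an alphabetic TLD.
            printf '%s\n' "$entry"
            continue
        fi
        printf 'rejected: %s\n' "$entry" >&2
    done | sort -u
}

# match_feed <clean-feed> <conn.log>: prints "uid<TAB>id.resp_h" for every
# conn.log record whose responder address is in the feed. Zeek's TSV conn.log
# carries id.resp_h in field 5; lines starting with '#' are Zeek metadata.
match_feed() {
    awk -F'\t' '
        NR == FNR { feed[$1] = 1; next }
        /^#/      { next }
        ($5 in feed) { print $2 "\t" $5 }
    ' "$1" "$2"
}

# Stand-alone invocation: normalize the feed file given on the command line.
if [ "$#" -ge 1 ]; then
    normalize_feed "$1"
fi
```

Run normalize_feed over a downloaded list before copying the result into /etc/AC-Hunter/threat_intel_feeds/; the rejected lines on stderr are the entries the import would otherwise have to guess about. match_feed against a day of conn.log files gives a quick count of the hits a reimport would surface, which is a cheap way to decide whether the feed is worth the cost of hunt import --rebuild on a large database.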
Configuration File Reference¶
| File | Purpose |
|---|---|
| /etc/AC-Hunter/config.hjson | Main AC-Hunter configuration (persists across upgrades) |
| /etc/AC-Hunter/tls/ | SSL/TLS certificates for HTTPS |
| /etc/AC-Hunter/sftp/ | SFTP host keys and authorized public keys |
| /etc/AC-Hunter/threat_intel_feeds/ | Offline threat intelligence feed data |
Routine Maintenance Checklist¶
Use this checklist for regular upkeep of your AC-Hunter server:
- Monitor disk usage: Check /opt/zeek/remotelogs/ and Docker volumes weekly
- Clean up old Zeek logs: Remove imported logs beyond your retention window
- Review application logs: Check hunt logs for errors or warnings
- Verify sensor connectivity: Confirm hunt remote-logs status shows the receiver is running
- Keep AC-Hunter updated: Apply upgrades when new versions are released
- Review user accounts: Audit users periodically via Settings → User Management in the web interface
- Validate backups: Ensure /etc/AC-Hunter/ configuration files are included in your backup strategy
- Check TLS certificates: Monitor certificate expiration if using custom certificates
Uninstalling AC-Hunter¶
If you need to completely remove AC-Hunter from a server, an uninstall script is included in the installation bundle.
This removes Docker containers, volumes, networks, images, and the following directories:
- /etc/AC-Hunter
- /opt/AC-Hunter
- /var/log/AC-Hunter
- /var/tmp/ach_zeek_logs
Note
Transferred Zeek logs in /opt/zeek/remotelogs/ are not removed by the uninstall script, preserving your raw log data.