Ghost-hunter/ Docs

Audit mode

Review past investigations from the local audit log.

Every investigation Ghost-hunter runs in active mode appends to ~/.ghosthunter/audit.log. Audit mode replays them.

ghosthunter audit               # list past investigations
ghosthunter audit --id 42       # replay one
ghosthunter audit --since 7d    # last week

Each entry records: timestamp, mode, provider, the full command sequence, hypotheses considered, and the final root-cause report. Nothing is sent over the network.

Rotation

The audit log is plain JSONL. Rotate it with logrotate, ship it to your SIEM, or delete it — Ghost-hunter does not depend on log retention for correctness.

Previous
Demo mode
Next
Google Cloud (GCP)