google / grr

GRR Rapid Response: remote live forensics for incident response

Home Page: https://grr-doc.readthedocs.io/


Where does the GRR server store remotely pulled files?

camaro23 opened this issue

Hey Team,

I have a quick question about where the GRR-server stores the remote files it downloads from clients.

What path are these files stored in and are they purged after x amount of days? Or is that an option that needs to be set?

Thanks for the help!

The pulled files are split into blobs, which are then stored in the MySQL database. Refer to client_paths, client_path_hash_entries, hash_blob_references, and blobs database tables.

Purging files after some time is not supported at the moment.
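To make the blob layout described in the answer above concrete, here is an added example; it is not GRR's code, and its column names, chunk size and SQLite backend are this example's own assumptions, modelled only on the four table names the answer mentions. It builds a content-addressed store that splits a collected file into hashed blobs, links a client path to a file hash and the file hash to its ordered blobs, reassembles the file with a hash check, and shows why a retention policy on this layout (which the answer says GRR does not offer) needs reference tracking: identical content from several clients shares the same blobs, so a blob can only be dropped once no remaining file hash points at it.

```python
import hashlib
import sqlite3
from typing import Optional

# Deliberately tiny chunk size so the constructed sample file spans several blobs;
# a real server would use a much larger size.
BLOB_SIZE = 8

# Hypothetical schema modelled on the four table names in the answer above.
# Column names are this example's own assumptions, not GRR's.
SCHEMA = """
CREATE TABLE client_paths (
    client_id TEXT NOT NULL, path TEXT NOT NULL,
    PRIMARY KEY (client_id, path));
CREATE TABLE client_path_hash_entries (
    client_id TEXT NOT NULL, path TEXT NOT NULL, sha256 TEXT NOT NULL,
    PRIMARY KEY (client_id, path));
CREATE TABLE hash_blob_references (
    sha256 TEXT NOT NULL, blob_index INTEGER NOT NULL, blob_id TEXT NOT NULL,
    PRIMARY KEY (sha256, blob_index));
CREATE TABLE blobs (
    blob_id TEXT PRIMARY KEY, data BLOB NOT NULL);
"""


def open_store() -> sqlite3.Connection:
    """Create an empty in-memory store with the four tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def store_file(conn: sqlite3.Connection, client_id: str, path: str, data: bytes) -> str:
    """Record a collected file: path -> file hash -> ordered, content-addressed blobs.

    Blobs are keyed by the SHA-256 of their content, so identical chunks collected
    from any client are stored once. Returns the file's SHA-256 hex digest.
    """
    file_hash = hashlib.sha256(data).hexdigest()
    with conn:
        conn.execute("INSERT OR IGNORE INTO client_paths VALUES (?, ?)", (client_id, path))
        conn.execute("INSERT OR REPLACE INTO client_path_hash_entries VALUES (?, ?, ?)",
                     (client_id, path, file_hash))
        for offset in range(0, len(data), BLOB_SIZE):
            chunk = data[offset:offset + BLOB_SIZE]
            blob_id = hashlib.sha256(chunk).hexdigest()
            conn.execute("INSERT OR IGNORE INTO blobs VALUES (?, ?)", (blob_id, chunk))
            conn.execute("INSERT OR IGNORE INTO hash_blob_references VALUES (?, ?, ?)",
                         (file_hash, offset // BLOB_SIZE, blob_id))
    return file_hash


def read_file(conn: sqlite3.Connection, client_id: str, path: str) -> Optional[bytes]:
    """Reassemble a collected file from its blobs, verifying the stored hash."""
    row = conn.execute(
        "SELECT sha256 FROM client_path_hash_entries WHERE client_id = ? AND path = ?",
        (client_id, path)).fetchone()
    if row is None:
        return None
    chunks = conn.execute(
        "SELECT b.data FROM hash_blob_references r JOIN blobs b ON b.blob_id = r.blob_id "
        "WHERE r.sha256 = ? ORDER BY r.blob_index", (row[0],)).fetchall()
    data = b"".join(chunk for (chunk,) in chunks)
    if hashlib.sha256(data).hexdigest() != row[0]:
        raise ValueError(f"blob chain for {client_id}:{path} does not match its hash")
    return data


def blob_count(conn: sqlite3.Connection) -> int:
    """Number of distinct blobs currently held."""
    return conn.execute("SELECT COUNT(*) FROM blobs").fetchone()[0]


def purge_path(conn: sqlite3.Connection, client_id: str, path: str) -> int:
    """Drop one collected path and garbage-collect blobs nothing else references.

    Returns the number of blobs deleted. A blob may only go once no remaining
    file hash references it, which is why per-file retention on this layout
    needs reference tracking rather than a plain time-based DELETE.
    """
    with conn:
        conn.execute("DELETE FROM client_path_hash_entries WHERE client_id = ? AND path = ?",
                     (client_id, path))
        conn.execute("DELETE FROM client_paths WHERE client_id = ? AND path = ?",
                     (client_id, path))
        conn.execute("DELETE FROM hash_blob_references WHERE sha256 NOT IN "
                     "(SELECT sha256 FROM client_path_hash_entries)")
        deleted = conn.execute("DELETE FROM blobs WHERE blob_id NOT IN "
                               "(SELECT blob_id FROM hash_blob_references)")
    return deleted.rowcount


if __name__ == "__main__":
    store = open_store()
    # Constructed sample content, not real collected data.
    sample = b"abcdefghijklmnopqrstuvwxyz0123456789"
    store_file(store, "C.1", "/etc/app.conf", sample)
    store_file(store, "C.2", "/etc/app.conf", sample)             # same file on a second host
    store_file(store, "C.2", "/tmp/notes", b"abcdefghXXXXXXXX")   # shares its first chunk
    print("blobs stored:", blob_count(store))                     # 6, not 5 + 5 + 2
    print("C.2 purge frees:", purge_path(store, "C.2", "/etc/app.conf"))  # 0: C.1 still refers
    print("C.1 purge frees:", purge_path(store, "C.1", "/etc/app.conf"))  # 4: one chunk shared
```

The deduplication is visible in the counts: the 36-byte sample yields five blobs, a second client with the same file adds none, and a 16-byte file that starts with the same eight bytes adds only one. Purging the second client's copy frees nothing because the first client's hash entry still references every blob, and purging the first copy frees four rather than five because one chunk is still owned by the other file.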

Any documentation for the GRR MySQL database schema / tables? Or, in other words, what is the best option if someone wants to connect Splunk / ELK to the DB for further analytics?

@arimb00r I would recommend using the API instead of reading the data directly from the database. Have a look at https://github.com/log2timeline/dftimewolf; it uses the GRR API to automate collection and further analysis.

For context, a previous approach we tried: https://www.youtube.com/watch?v=JciAp0uB7AY

@arimb00r: You are in luck. In this very moment I am working on a Splunk OutputPlugin that sends flow/hunt results to Splunk. It will be open-sourced in the next weeks. Until then, you could use our Python API.