Collecting Console Log Files

AIR Console categorizes and stores its logs in separate files, as listed below:

  • Binalyze.AIR.Console.log
  • Binalyze.AIR.Console.UI.log
  • Binalyze.AIR.Console.API.log
  • Binalyze.AIR.Console.Migration.log

The log files generated by the AIR Console are stored in the directory listed below.

/opt/binalyze-air/volumes/app/binalyze-air/logs/

Downloading the AIR Console Logs and log files

Investigators and analysts can download AIR Console log files either by using the AIR Console user interface or by connecting to the console machine directly.

Method 1: By using Linux machine console commands

  1. Log in directly or connect remotely to the AIR Console machine with SSH
  2. Browse to the folder /opt/binalyze-air/volumes/app/binalyze-air/logs/
  3. Download the files by using SCP or view the contents of the files with tail, cat, or other CLI tools.

Method 2: By using the AIR Console user interface

  1. Click on Settings in the primary menu.
  2. In the section titled Logging, a log level can be selected.
  3. Click the Download Log Files button to generate a compressed zip file containing the log archive.

When you download log files via the user interface, the archive includes:

Console Log Files:

  • Binalyze.AIR.Console.log
  • Binalyze.AIR.Console.UI.log
  • Binalyze.AIR.Console.API.log
  • Binalyze.AIR.Console.Migration.log

PostgreSQL Database Diagnostics (available from v5.11):

The log archive now automatically includes PostgreSQL database logs and predefined diagnostic query outputs. This enhancement enables security teams and system administrators to diagnose investigation performance or data ingestion issues without requiring system-level access or engineering assistance.

Log file name format (example):

  • postgresql-2026-02-22.log

Log directories:

  • Single-tier AIR Console Server: /opt/binalyze-air/volumes/data-master/binalyze-air/log/postgresql
  • Two-tier Database Server: /opt/binalyze-air-db/volumes/data-master/binalyze-air/log/postgresql

The PostgreSQL diagnostics help identify issues related to:

  • Evidence storage and retrieval
  • Query performance bottlenecks
  • Data ingestion reliability
  • Analysis processing delays

By providing standardized diagnostic data, analysts can more quickly correlate anomalies between data ingestion and investigation results, facilitating faster triage of system-level evidence management issues during active incident response workflows.

Tornado container logs:

The Tornado container is responsible for the following features:

  • Acquire Evidence from Disk Image
  • File Explorer
  • Repository Explorer
  • Server-side DRONE (re-analyze)

AIR Console logs already include the Tornado container logs.

Tornado logs are located on the AIR Console server:

  • Log file name: tornado_linux_amd64.log.txt
  • Log directory: /opt/binalyze-air/volumes/tornado/data
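
For Method 1, the on-disk locations listed above can be gathered in one pass before the SCP step. The script below is an added example, not Binalyze code: the function name, the ROOT parameter and the archive name are assumptions, and it copies only files matching the `*.log` and `*.log.txt` names shown on this page.

```shell
#!/bin/sh
# Added example, not vendor code. Packs the AIR log locations named on this
# page into one archive with a SHA-256 manifest, for transfer with SCP.
# ROOT (hypothetical parameter, default /) lets the function read a mounted
# image or a test tree instead of the live filesystem.

collect_air_logs() (
    root="${1:-/}"; out="${2:-.}"
    umask 077   # logs can hold hostnames, user names and request data
    stage="$(mktemp -d)" || exit 1
    found=0
    # Directories exactly as documented on this page, relative to ROOT.
    for rel in \
        opt/binalyze-air/volumes/app/binalyze-air/logs \
        opt/binalyze-air/volumes/data-master/binalyze-air/log/postgresql \
        opt/binalyze-air-db/volumes/data-master/binalyze-air/log/postgresql \
        opt/binalyze-air/volumes/tornado/data
    do
        src="${root%/}/$rel"
        # Single-tier and two-tier layouts differ, so an absent dir is normal.
        [ -d "$src" ] || { echo "skip (absent): /$rel" >&2; continue; }
        mkdir -p "$stage/$rel"
        # Copy log files only; the Tornado data dir may hold other content.
        find "$src" -maxdepth 1 -type f \
            \( -name '*.log' -o -name '*.log.txt' \) \
            -exec cp -p {} "$stage/$rel/" \;
        found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no AIR log directories under $root" >&2
        rm -rf "$stage"; exit 2
    fi
    archive="$out/air-logs-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # Hash first so the copies can be verified after transfer.
    ( cd "$stage" &&
      find . -type f ! -name SHA256SUMS -exec sha256sum {} + |
          sort -k 2 > SHA256SUMS &&
      tar -czf - . ) > "$archive" || { rm -rf "$stage"; exit 1; }
    rm -rf "$stage"
    printf '%s\n' "$archive"
)

# Usage: sh collect_air_logs.sh / /tmp   (does nothing without arguments)
if [ "$#" -gt 0 ]; then collect_air_logs "$@"; fi
```

After copying the archive off the server, extract it and run `sha256sum -c SHA256SUMS` in the extracted directory to confirm the files arrived unchanged.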

The log level of the AIR Console can be adjusted according to your needs. For example, if an issue occurs in the AIR Console, the log level can be changed to Debug or HTTP to investigate the issue in more detail. The log levels can be configured from the same page where the log files are downloaded.

The log levels are explained below:

Debug: Debug logs are used for troubleshooting and debugging. When activated, this level generates a large number of detailed log records, which may impact the system’s performance and consume excessive disk space. Use it carefully and only until the problem is resolved, then set the level back to Info. The Debug level covers both the HTTP and Info levels.

HTTP: HTTP logs are used for troubleshooting. When activated, this level logs HTTP requests in addition to standard logging. The HTTP level covers the Info level.

Info: Default required log level.