
Andrew Kroh andrewkroh

andrewkroh / beats.tls.cue
Last active June 12, 2024 23:25
Cuelang Schema of Beats TLS options
// Beats TLS configuration options.
package tls
$version: "v8.14.0"
#base64String: =~"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$"
#hexSHA256: =~"^[a-fA-F0-9]{64}$"
#pemCerts: =~"^(?:(?:-+BEGIN CERTIFICATE-+\\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END CERTIFICATE-+\\s*))+$"
andrewkroh / filebeat.filestream-evtx_dump.yml
Last active November 1, 2023 01:17
Ingest Windows event logs to Elasticsearch on Linux using evtx_dump and Filebeat
# Consume output from
# evtx_dump --dont-show-record-number -o xml <file.evtx> > /tmp/samples/file.evtx.xml
# See
- type: filestream
id: evtx_dump_xml
- multiline:
andrewkroh / filebeat.udp-cef-extrahop.yml
Last active October 24, 2023 20:41
ExtraHop CEF logging to Filebeat
- host: localhost:9514
id: udp-extrahop-cef-9514
type: udp
- convert:
mode: copy
- { from: "message", to: "event.original" }
andrewkroh / filebeat.cel.yml
Created October 1, 2023 19:32
Filebeat CEL input - ingest complete config file when it changes
- type: cel
id: config-123-watcher
interval: 1m
url: file:///etc/conf.d/foo.conf
program: |
file(state.url).as(content, content.sha256().hex().as(hash, {
andrewkroh / filebeat.journald-kubelet.yml
Last active September 22, 2023 20:29
Filebeat - processing kubelet json logs read from journald
- type: journald
# For
- if:
- kubelet
- regexp.message: '^{'
# 'kubelet' should be mapped as a flattened field in ES because
andrewkroh / beat.yml
Last active March 10, 2023 15:04
Beat script processor to filter out IPv6
- script:
# This uses a Beat script processor to include only ipv4 addresses
# in the host.ip field. This would need to be placed after the add_host_metadata
# processor.
# It would be a lot more efficient to have add_host_metadata allow controlling
# what addresses were included because this has to execute for every event.
# References:
andrewkroh / netusergetinfo.go
Last active June 3, 2022 02:04
NetUserGetInfo tester tool for Windows
package main
import (
andrewkroh / winlogbeat.yml
Created May 19, 2022 17:47
Winlogbeat script to log specific event IDs
- name: Security
ignore_older: 1h
- script:
lang: javascript
source: |
var console = require("console");
var ids = {
andrewkroh /
Last active January 17, 2023 20:26
Routing Filebeat data to a Fleet integration data stream

DRAFT: Routing Filebeat data to a Fleet integration data stream

This is an unofficial tutorial that may be useful to users who are in the process of migrating to Elastic Agent and Fleet. It explains the steps to route some Filebeat data into a data stream managed by a Fleet integration package.

Install the Fleet integration

Installing a Fleet integration sets up all of its data streams and dashboards. There are two methods to install. In these examples we install the Hashicorp Vault 1.3.1 integration.

Use Kibana (easiest)

andrewkroh /
Last active September 1, 2022 21:42
Bash script to dump wireguard peers to JSON
#!/usr/bin/env bash
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at