Andrew Kroh andrewkroh

andrewkroh / wireguard-logger.sh
Last active Sep 16, 2021
Bash script to dump wireguard peers to JSON
#!/usr/bin/env bash
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
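The gist above dumps WireGuard peers to JSON from bash; the preview only shows its license header. Below is an added Python equivalent (my code, not the gist's script) built from the tab-separated `wg show all dump` format documented in wg(8). The security point it makes is that the dump contains the interface private key and any peer preshared keys, so the parser discards both and records only whether a PSK is configured. `SAMPLE_DUMP` is a constructed sample with placeholder keys, not output from a real interface.

```python
"""Turn `wg show all dump` output into JSON without leaking key material.

Added example, not the bash script from the gist. Private keys and
preshared keys are dropped on purpose (a log shipper should never see them).
SAMPLE_DUMP is constructed with placeholder keys.
"""
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample. Line 1 is the interface header:
#   iface  private-key  public-key  listen-port  fwmark
# remaining lines are one peer each:
#   iface  public-key  preshared-key  endpoint  allowed-ips
#         latest-handshake  transfer-rx  transfer-tx  persistent-keepalive
SAMPLE_DUMP = "\n".join([
    "wg0\tPRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBKEY_PLACEHOLDER=\t51820\toff",
    "wg0\tPEER1_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.10:41641\t10.0.0.2/32"
    "\t1631800000\t1048576\t2097152\t25",
    "wg0\tPEER2_PUBKEY_PLACEHOLDER=\tPSK_PLACEHOLDER=\t(none)"
    "\t10.0.0.3/32,fd00::3/128\t0\t0\t0\toff",
])


def _opt_int(value):
    """'off' means unset; fwmark is printed in hex (0x...), so allow base 0."""
    return None if value == "off" else int(value, 0)


def _handshake(value):
    """latest-handshake is a Unix time; 0 means no handshake has happened yet."""
    secs = int(value)
    if secs == 0:
        return None
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()


def parse_wg_dump(text):
    """Return a list of interface dicts, each carrying a 'peers' list."""
    interfaces = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        iface = fields[0]
        if len(fields) == 5:
            # Interface header: the private key is read and deliberately not kept.
            _, _private_key, public_key, listen_port, fwmark = fields
            interfaces[iface] = {
                "interface": iface,
                "public_key": public_key,
                "listen_port": int(listen_port),
                "fwmark": _opt_int(fwmark),
                "peers": [],
            }
        elif len(fields) == 9:
            (_, public_key, psk, endpoint, allowed_ips,
             handshake, rx, tx, keepalive) = fields
            if iface not in interfaces:
                raise ValueError(f"peer line for {iface} before its interface line")
            interfaces[iface]["peers"].append({
                "public_key": public_key,
                "preshared_key_set": psk != "(none)",  # the PSK value itself is never copied
                "endpoint": None if endpoint == "(none)" else endpoint,
                "allowed_ips": [] if allowed_ips == "(none)" else allowed_ips.split(","),
                "latest_handshake": _handshake(handshake),
                "transfer_rx": int(rx),
                "transfer_tx": int(tx),
                "persistent_keepalive": _opt_int(keepalive),
            })
        else:
            raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    return list(interfaces.values())


def wg_dump_json(text):
    """JSON document suitable for shipping to a log pipeline."""
    return json.dumps(parse_wg_dump(text), indent=2)


if __name__ == "__main__":
    # Live use needs root (or CAP_NET_ADMIN) because the dump includes private keys.
    out = subprocess.run(["wg", "show", "all", "dump"], check=True,
                         capture_output=True, text=True).stdout
    print(wg_dump_json(out))
```

Run it as root on a host with `wg` installed to get the live JSON; the parser itself needs no network and is exercised against `SAMPLE_DUMP`.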
andrewkroh / 46203-dimmer.xml
Last active Jan 6, 2021
Home Assistant 2020.12.2 Patch for GE Jasco jasco_products_unknown_type_4944_id_3235
<!-- GE(Jasco) 46203 Z-Wave Plus Dimmer Switch -->
<!-- Configuration Parameters - per http://products.z-wavealliance.org/products/3323 -->
<Product Revision="1" xmlns="https://github.com/OpenZWave/open-zwave">
  <MetaData>
    <MetaDataItem name="OzwInfoPage">http://www.openzwave.com/device-database/0063:3235:4944</MetaDataItem>
    <MetaDataItem name="ProductPic">images/ge/46203-dimmer.png</MetaDataItem>
    <MetaDataItem id="3235" name="ZWProductPage" type="4944">https://products.z-wavealliance.org/products/3323/</MetaDataItem>
    <MetaDataItem name="Name">In-Wall Smart Dimmer </MetaDataItem>
    <MetaDataItem name="ProductManual">https://products.z-wavealliance.org/ProductManual/File?folder=&amp;filename=MarketCertificationFiles/3323/14294.46203.ZW3010%20Binder.pdf</MetaDataItem>
    <MetaDataItem id="3235" name="FrequencyName" type="4944">U.S. / Canada / Mexico</MetaDataItem>
andrewkroh / symantec-endpoint-pipeline.json
Last active Apr 21, 2021
Symantec Endpoint Elasticsearch Ingest Node Pipeline (POC)
{
  "description": "Pipeline for parsing Symantec Endpoint logs",
  "processors": [
    {
      "set": {
        "field": "event.original",
        "value": "{{{message}}}"
      }
    },
    {
andrewkroh / citrix-netscaler-pipeline.json
Last active Dec 15, 2020
Citrix Netscaler Elasticsearch Ingest Node Pipeline
{
  "description": "Pipeline for parsing Citrix Netscaler logs",
  "processors": [
    {
      "script": {
        "description": "set event.original",
        "lang": "painless",
        "source": "def event = ctx.event;\nif (event == null) {\n event = [:];\n ctx['event'] = event;\n}\nevent['original'] = ctx.message;\n"
      }
    },
andrewkroh / instructions.md
Last active Oct 30, 2020
Adding event.ingested and lag calculations to Winlogbeat events
Create an Ingest Pipeline that will add four fields:

  • event.ingested - Time when the event was processed by Elasticsearch.
  • event.lag.read - Time difference in milliseconds between @timestamp and event.created. This measures how long it took Winlogbeat to read the event from the event log (for WEC this includes the delivery time from forwarder to collector).
  • event.lag.ingest - Time difference in milliseconds between event.created and event.ingested. This measures the time between Winlogbeat reading the event (time when it "created" the document) to when it was written to Elasticsearch.
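The pipeline itself is not shown in the preview. The following added example (my code, not the gist's pipeline) builds a pipeline body that sets event.ingested from the ingest timestamp and computes event.lag.read and event.lag.ingest with a Painless script, and pairs it with a Python function doing the same arithmetic so the expected values can be checked offline. The pipeline name, the Painless source and the sample event are assumptions/constructions of mine; nothing here comes from the gist.

```python
"""Ingest pipeline for event.ingested plus lag fields, with a local reference check.

Added example, not the pipeline from the gist. pipeline_definition() returns the
body for PUT _ingest/pipeline/<name>; compute_lag() mirrors the script in Python.
"""
from datetime import datetime, timedelta, timezone

PIPELINE_NAME = "winlogbeat-lag"  # assumed name; use whatever your setup expects

# Assumed Painless equivalent of compute_lag() below. The processor's `if`
# condition skips events that carry no event.created.
PAINLESS_SOURCE = """
ZonedDateTime ts = ZonedDateTime.parse(ctx['@timestamp']);
ZonedDateTime created = ZonedDateTime.parse(ctx.event.created);
ZonedDateTime ingested = ZonedDateTime.parse(ctx.event.ingested);
ctx.event.lag = [
  'read': ChronoUnit.MILLIS.between(ts, created),
  'ingest': ChronoUnit.MILLIS.between(created, ingested)
];
"""


def pipeline_definition():
    """Request body for: PUT _ingest/pipeline/{PIPELINE_NAME}"""
    return {
        "description": "Add event.ingested and event.lag.* to Winlogbeat events",
        "processors": [
            # {{_ingest.timestamp}} is the time Elasticsearch received the document.
            {"set": {"field": "event.ingested", "value": "{{_ingest.timestamp}}"}},
            {"script": {
                "lang": "painless",
                "if": "ctx.event?.created != null",
                "source": PAINLESS_SOURCE,
            }},
        ],
    }


def _parse_ts(value):
    """Winlogbeat writes RFC 3339 with a trailing Z; fromisoformat wants +00:00 before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _millis_between(start, end):
    """Truncate toward zero, matching ChronoUnit.MILLIS.between."""
    return int((end - start) / timedelta(milliseconds=1))


def compute_lag(doc, ingested_at):
    """Return a copy of doc with event.ingested and, when event.created exists, event.lag.

    event.lag.read   = event.created  - @timestamp      (log write -> Winlogbeat read)
    event.lag.ingest = event.ingested - event.created   (Winlogbeat read -> ES write)
    """
    event = dict(doc.get("event", {}))
    out = dict(doc, event=event)
    event["ingested"] = ingested_at.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    if "created" not in event:  # same guard as the script processor's `if`
        return out
    ts = _parse_ts(doc["@timestamp"])
    created = _parse_ts(event["created"])
    event["lag"] = {
        "read": _millis_between(ts, created),
        "ingest": _millis_between(created, ingested_at),
    }
    return out


# Constructed sample: logged at 12:00:00.000, read 2.5 s later, stored 0.75 s after that.
SAMPLE_EVENT = {
    "@timestamp": "2020-10-30T12:00:00.000Z",
    "event": {"created": "2020-10-30T12:00:02.500Z", "code": "4624"},
}
SAMPLE_INGESTED_AT = datetime(2020, 10, 30, 12, 0, 3, 250000, tzinfo=timezone.utc)
```

Once the pipeline is installed, point Winlogbeat at it (`output.elasticsearch.pipeline`) or attach it to the index template as the default pipeline; the `if` guard keeps the script from failing on documents that never passed through Winlogbeat.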
andrewkroh / functions
Created Sep 22, 2020
RHEL 6 /etc/rc.d/init.d/functions from initscripts-9.03.61-1.el6.centos.x86_64
# -*-Shell-script-*-
#
# functions This file contains functions to be used by most or all
# shell scripts in the /etc/init.d directory.
#
TEXTDOMAIN=initscripts
# Make sure umask is sane
umask 022
andrewkroh / howto.txt
Last active Sep 22, 2020
Microsoft-Windows-Windows Defender Event Log Message Resources
800, AntiVirus
801, AntiSpyware
802, Antimalware
803, Full
804, Delta
805, Full Scan
806, Quick Scan
807, Custom Scan
808, Remove
809, Quarantine
andrewkroh / vault.hcl
Created Sep 3, 2020
Journalbeat and Hashicorp Vault
journalbeat.inputs:
- id: vault.service
  include_matches:
    - systemd.unit=vault.service
  processors:
    - add_fields:
        target: event
        fields:
          module: vault
          dataset: vault.log
andrewkroh / access.log
Created May 5, 2020
Filebeat Squid Proxy Access Log Parsing
1348870236.160 0 192.168.0.35 TCP_DENIED/403 3293 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html
1348870236.273 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html
1348870236.386 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html
1348870236.499 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html
1348870237.550 0 192.168.0.35 TCP_DENIED/403 3269 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.4.6/misc/AcrobatUpd946_all_incr.msp - NONE/- text/html
1348870274.248 59875 192.168.0.35 TCP_MISS/503 0 CONNECT client84.dropbox.com:443 - DIRECT/- -
1348870284.249 59872 192.168.0.35 TCP_MISS/503 0 CONNECT client62.dropbox.com:443 - DIRECT/- -
1348870
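The lines above are in Squid's native access.log format (`time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type`, with `time` in Unix seconds plus milliseconds and `elapsed` in milliseconds). As an added example, not the Filebeat module the gist is about, here is a Python parser that turns those lines into ECS-style documents and a small triage helper that counts denied requests per client. ECS field names are used where one exists; the `squid.*` names and the `destination.address` mapping for the peer host are my own choices. `SAMPLE_LINES` holds the seven complete lines from the gist.

```python
"""Parse Squid native-format access.log lines into ECS-style documents.

Added example, not the Filebeat Squid parsing from the gist. SAMPLE_LINES are
the seven complete sample lines shown on the page.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

SAMPLE_LINES = [
    "1348870236.160 0 192.168.0.35 TCP_DENIED/403 3293 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html",
    "1348870236.273 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html",
    "1348870236.386 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html",
    "1348870236.499 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html",
    "1348870237.550 0 192.168.0.35 TCP_DENIED/403 3269 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.4.6/misc/AcrobatUpd946_all_incr.msp - NONE/- text/html",
    "1348870274.248 59875 192.168.0.35 TCP_MISS/503 0 CONNECT client84.dropbox.com:443 - DIRECT/- -",
    "1348870284.249 59872 192.168.0.35 TCP_MISS/503 0 CONNECT client62.dropbox.com:443 - DIRECT/- -",
]


def _squid_time(field):
    """'1348870236.160' -> aware UTC datetime, parsed as integers to avoid float rounding."""
    secs, _, frac = field.partition(".")
    millis = int((frac + "000")[:3])
    return datetime.fromtimestamp(int(secs), tz=timezone.utc) + timedelta(milliseconds=millis)


def parse_squid_native(line):
    """Map one native-format line to a nested ECS-style dict."""
    parts = line.split()
    if len(parts) != 10:
        raise ValueError(f"expected 10 fields, got {len(parts)}: {line!r}")
    ts, elapsed, client, result, size, method, url, user, hierarchy, mime = parts
    code, _, status = result.partition("/")          # e.g. TCP_DENIED/403
    peer_status, _, peer_host = hierarchy.partition("/")  # e.g. DIRECT/-
    doc = {
        "@timestamp": _squid_time(ts),
        "event": {"duration": int(elapsed) * 1_000_000},  # ECS event.duration is nanoseconds
        "source": {"ip": client},
        "http": {"request": {"method": method},
                 "response": {"status_code": int(status), "bytes": int(size)}},
        "url": {"original": url},
        "squid": {"request_status": code, "hierarchy_status": peer_status},
    }
    if user != "-":
        doc["user"] = {"name": user}
    if mime != "-":
        doc["http"]["response"]["mime_type"] = mime
    if peer_host != "-":
        doc["destination"] = {"address": peer_host}
    if method == "CONNECT":
        # CONNECT lines log host:port rather than a full URL.
        host, _, port = url.rpartition(":")
        doc["url"].update({"domain": host, "port": int(port)})
    else:
        u = urlsplit(url)
        doc["url"].update({"scheme": u.scheme, "domain": u.hostname, "path": u.path})
        if u.port is not None:
            doc["url"]["port"] = u.port
    return doc


def denied_by_client(docs):
    """Count TCP_DENIED requests per source IP, a quick triage view over parsed lines."""
    return dict(Counter(d["source"]["ip"] for d in docs
                        if d["squid"]["request_status"] == "TCP_DENIED"))
```

The `event.duration` conversion matters when comparing with other ECS sources: Squid reports milliseconds, ECS expects nanoseconds. The 503 CONNECT lines above also show why the CONNECT branch exists: they carry no scheme, so `urlsplit` would put the whole `host:port` in `path`.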
andrewkroh / domain_rank_enrichment_pipeline.json
Last active Oct 11, 2019
Elasticsearch Ingest Node Enrich Processor Example - Top 1M Domain Ranks
PUT /_ingest/pipeline/domain_rank_enrichment
{
  "description" : "Enriching domains with rank.",
  "processors" : [
    {
      "enrich" : {
        "policy_name": "dns-domain-top1m-rank",
        "field" : "dns.question.name",
        "target_field": "_temp"
      }