Skip to content

Instantly share code, notes, and snippets.

Avatar

Andrew Kroh andrewkroh

View GitHub Profile
@andrewkroh
andrewkroh / beat.yml
Last active March 10, 2023 15:04
Beat script processor to filter out IPv6
View beat.yml
processors:
- script:
# This uses a Beat script processor to include only ipv4 addresses
# in the host.ip field. This would need to placed after the add_host_metadata
# processor.
#
# It would be a lot more efficient to have add_host_metadata allow controlling
# what addresses were included because this has to execute for every event.
#
# References:
@andrewkroh
andrewkroh / netusergetinfo.go
Last active June 3, 2022 02:04
NetUserGetInfo tester tool for Windows
View netusergetinfo.go
package main
import (
"flag"
"log"
"os/user"
"syscall"
"unsafe"
"golang.org/x/sys/windows"
@andrewkroh
andrewkroh / winlogbeat.yml
Created May 19, 2022 17:47
Winlogbeat script to log specific event IDs
View winlogbeat.yml
winlogbeat.event_logs:
- name: Security
ignore_older: 1h
processors:
- script:
lang: javascript
source: |
var console = require("console");
var ids = {
@andrewkroh
andrewkroh / filebeat-to-fleet.md
Last active January 17, 2023 20:26
Routing Filebeat data to a Fleet integration data stream
View filebeat-to-fleet.md

DRAFT: Routing Filebeat data to a Fleet integration data stream

This is an unofficial tutorial that may be useful to users that are in the process of migrating to to Elastic Agent and Fleet. It explains the steps to route some Filebeat data into a data stream managed by a Fleet integration package.

Install the Fleet integration

Installing a Fleet integration sets up all of its data streams and dashboards. There are two methods to install. In these examples we install the Hashicorp Vault 1.3.1 integration.

Use Kibana (easiest)

@andrewkroh
andrewkroh / wireguard-logger.sh
Last active September 1, 2022 21:42
Bash script to dump wireguard peers to JSON
View wireguard-logger.sh
#!/usr/bin/env bash
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http:#www.apache.org/licenses/LICENSE-2.0
@andrewkroh
andrewkroh / 46203-dimmer.xml
Last active January 6, 2021 00:15
Home Assistant 2020.12.2 Patch for GE Jasco jasco_products_unknown_type_4944_id_3235
View 46203-dimmer.xml
<!-- GE(Jasco) 46203 Z-Wave Plus Dimmer Switch -->
<!-- Configuration Parameters - per http://products.z-wavealliance.org/products/3323 -->
<Product Revision="1" xmlns="https://github.com/OpenZWave/open-zwave">
<MetaData>
<MetaDataItem name="OzwInfoPage">http://www.openzwave.com/device-database/0063:3235:4944</MetaDataItem>
<MetaDataItem name="ProductPic">images/ge/46203-dimmer.png</MetaDataItem>
<MetaDataItem id="3235" name="ZWProductPage" type="4944">https://products.z-wavealliance.org/products/3323/</MetaDataItem>
<MetaDataItem name="Name">In-Wall Smart Dimmer </MetaDataItem>
<MetaDataItem name="ProductManual">https://products.z-wavealliance.org/ProductManual/File?folder=&amp;filename=MarketCertificationFiles/3323/14294.46203.ZW3010%20Binder.pdf</MetaDataItem>
<MetaDataItem id="3235" name="FrequencyName" type="4944">U.S. / Canada / Mexico</MetaDataItem>
@andrewkroh
andrewkroh / symantec-endpoint-pipeline.json
Last active April 21, 2021 16:15
Symantec Endpoint Elasticsearch Ingest Node Pipeline (POC)
View symantec-endpoint-pipeline.json
{
"description": "Pipeline for parsing Symantec Endpoint logs",
"processors": [
{
"set": {
"field": "event.original",
"value": "{{{message}}}"
}
},
{
@andrewkroh
andrewkroh / citrix-netscaler-pipeline.json
Last active December 15, 2020 14:12
Citrix Netscaler Elasticsearch Ingest Node Pipeline
View citrix-netscaler-pipeline.json
{
"description": "Pipeline for parsing Citrix Netscaler logs",
"processors": [
{
"script": {
"description": "set event.original",
"lang": "painless",
"source": "def event = ctx.event;\nif (event == null) {\n event = [:];\n ctx['event'] = event;\n}\nevent['original'] = ctx.message;\n"
}
},
@andrewkroh
andrewkroh / instructions.md
Last active March 6, 2023 19:09
Adding event.ingested and lag calculations to Winlogbeat events
View instructions.md

Adding event.ingested and lag calculations to Winlogbeat events

Create an Ingest Pipeline that will add four fields:

  • event.ingested - Time when the event was processed by Elasticsearch.
  • event.lag.read - Time difference in milliseconds between @timestamp and event.created. This measures how long it took for Winlogbeat read the event from the event log (for WEC this includes the delivery time from forwarder to collector).
  • event.lag.ingest - Time difference in milliseconds between event.created and event.ingested. This measures the time between Winlogbeat reading the event (time when it "created" the document) to when it was written to Elasticsearch.
@andrewkroh
andrewkroh / functions
Created September 22, 2020 16:46
RHEL 6 /etc/rc.d/init.d/functions from initscripts-9.03.61-1.el6.centos.x86_64
View functions
# -*-Shell-script-*-
#
# functions This file contains functions to be used by most or all
# shell scripts in the /etc/init.d directory.
#
TEXTDOMAIN=initscripts
# Make sure umask is sane
umask 022