Skip to content

Instantly share code, notes, and snippets.

Avatar

Andrew Kroh andrewkroh

View GitHub Profile
@andrewkroh
andrewkroh / wireguard-logger.sh
Last active Sep 1, 2022
Bash script to dump wireguard peers to JSON
View wireguard-logger.sh
#!/usr/bin/env bash
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http:#www.apache.org/licenses/LICENSE-2.0
@andrewkroh
andrewkroh / event1.json
Last active Aug 2, 2022
Winlogbeat - Sysmon Processing for ECS (Elastic Common Schema)
View event1.json
{
"@timestamp": "2019-01-29T19:10:47.538Z",
"beat": {
"hostname": "DESKTOP",
"name": "DESKTOP",
"version": "6.3.2"
},
"event": {
"kind": "event"
},
@andrewkroh
andrewkroh / instructions.md
Last active Jul 26, 2022
Adding event.ingested and lag calculations to Winlogbeat events
View instructions.md

Adding event.ingested and lag calculations to Winlogbeat events

Create an Ingest Pipeline that will add four fields:

  • event.ingested - Time when the event was processed by Elasticsearch.
  • event.lag.read - Time difference in milliseconds between @timestamp and event.created. This measures how long it took for Winlogbeat read the event from the event log (for WEC this includes the delivery time from forwarder to collector).
  • event.lag.ingest - Time difference in milliseconds between event.created and event.ingested. This measures the time between Winlogbeat reading the event (time when it "created" the document) to when it was written to Elasticsearch.
@andrewkroh
andrewkroh / install-go.ps1
Last active Jul 23, 2022
Install Golang using Powershell
View install-go.ps1
# Installs golang on Windows.
#
# # Run script:
# .\install-go.ps1 -version 1.5.3
#
# # Download and run script:
# $env:GOVERSION = '1.5.3'
# iex ((new-object net.webclient).DownloadString('SCRIPT_URL_HERE'))
Param(
[String]$version,
@andrewkroh
andrewkroh / filebeat-to-fleet.md
Last active Jun 28, 2022
Routing Filebeat data to a Fleet integration data stream
View filebeat-to-fleet.md

DRAFT: Routing Filebeat data to a Fleet integration data stream

This is an unofficial tutorial that may be useful to users that are in the process of migrating to to Elastic Agent and Fleet. It explains the steps to route some Filebeat data into a data stream managed by a Fleet integration package.

Install the Fleet integration

Installing a Fleet integration sets up all of its data streams and dashboards. There are two methods to install. In these examples we install the Hashicorp Vault 1.3.1 integration.

Use Kibana (easiest)

@andrewkroh
andrewkroh / netusergetinfo.go
Last active Jun 3, 2022
NetUserGetInfo tester tool for Windows
View netusergetinfo.go
package main
import (
"flag"
"log"
"os/user"
"syscall"
"unsafe"
"golang.org/x/sys/windows"
@andrewkroh
andrewkroh / winlogbeat.yml
Created May 19, 2022
Winlogbeat script to log specific event IDs
View winlogbeat.yml
winlogbeat.event_logs:
- name: Security
ignore_older: 1h
processors:
- script:
lang: javascript
source: |
var console = require("console");
var ids = {
@andrewkroh
andrewkroh / howto.txt
Last active May 17, 2022
Microsoft-Windows-Windows Defender Event Log Message Resources
View howto.txt
800, AntiVirus
801, AntiSpyware
802, Antimalware
803, Full
804, Delta
805, Full Scan
806, Quick Scan
807, Custom Scan
808, Remove
809, Quarantine
@andrewkroh
andrewkroh / elastic-beat-development-101.md
Last active Mar 17, 2022
Elastic Beat Development 101
View elastic-beat-development-101.md

Elastic Beats Development 101

This is a short guide to get up and building Elastic Beats on a new Linux host.

Start a VM

This uses Google Compute Engine (GCE) to start an Ubuntu 20.04 virtual machine. You can use other versions of Linux or different virtualization platforms (or no virtualization), but those are not guaranteed to work with the commands here.

 gcloud auth login
@andrewkroh
andrewkroh / beats-logstash-tls.md
Last active Jan 11, 2022
Using TLS between Beats and Logstash
View beats-logstash-tls.md

Using TLS between Beats and Logstash

Beats to Logstash over TLS

The purpose of this document is to help with configuring and troubleshooting using TLS on the connection between Beats and Logstash.

Configuration

You must configure TLS on both the client and server to make this work. This