Andrew Kroh andrewkroh

andrewkroh / install-go.ps1
Last active Jan 24, 2022
Install Golang using Powershell
# Installs golang on Windows.
# # Run script:
# .\install-go.ps1 -version 1.5.3
# # Download and run script:
# $env:GOVERSION = '1.5.3'
# iex ((new-object net.webclient).DownloadString('SCRIPT_URL_HERE'))
andrewkroh /
Last active Jan 14, 2022
Elastic Beat Development 101

Elastic Beats Development 101

This is a short guide to get up and building Elastic Beats on a new Linux host.

Start a VM

This uses Google Compute Engine (GCE) to start an Ubuntu 20.04 virtual machine. You can use other versions of Linux or different virtualization platforms (or no virtualization), but those are not guaranteed to work with the commands here.

 gcloud auth login
andrewkroh /
Last active Jan 11, 2022
Using TLS between Beats and Logstash

Using TLS between Beats and Logstash

Beats to Logstash over TLS

This document helps with configuring and troubleshooting TLS on the connection between Beats and Logstash.


You must configure TLS on both the client and server to make this work. This
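The script below is an added example, not part of this gist. It builds a throwaway CA and a Logstash server certificate with openssl, then reproduces the two checks a Beat performs under its default ssl.verification_mode (the server certificate must chain to a CA listed in output.logstash.ssl.certificate_authorities, and the host it connected to must appear in the certificate's SAN), and converts the server key to the PKCS#8 form that the Logstash beats input expects for ssl_key. The hostname logstash.example.com and all file names are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the gist). Assumptions: Logstash is reached as
# logstash.example.com, and openssl (1.1.x or 3.x) is on PATH.

LOGSTASH_HOST="logstash.example.com"   # assumed; must equal the name used in output.logstash.hosts

# make_ca DIR: self-signed CA -> DIR/ca.key, DIR/ca.crt
# Beats trust it via: output.logstash.ssl.certificate_authorities: ["DIR/ca.crt"]
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Beats Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# make_server_cert DIR HOST: key + CSR for Logstash, signed by DIR/ca.*, with HOST as a SAN.
# Logstash beats input: ssl => true, ssl_certificate => "DIR/server.crt", ssl_key => "DIR/server.pkcs8.key"
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  # A CN alone is not enough for hostname verification; the name must be in the SAN.
  # Connecting by IP needs an "IP:1.2.3.4" SAN entry instead of (or in addition to) DNS.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"
  openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/san.cnf" -out "$1/server.crt" >/dev/null 2>&1
}

# beat_would_accept CA_FILE CERT_FILE HOST: 0 iff CERT chains to CA and HOST matches its SAN,
# i.e. what ssl.verification_mode: full requires before the Beat will send events.
beat_would_accept() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# ensure_pkcs8 IN OUT: the Logstash beats input rejects PKCS#1 keys ("BEGIN RSA PRIVATE KEY").
# Writes a PKCS#8 copy to OUT and echoes its first line for inspection.
ensure_pkcs8() {
  if [ "$(head -n1 "$1")" = "-----BEGIN PRIVATE KEY-----" ]; then
    cp "$1" "$2"
  else
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
  fi
  head -n1 "$2"
}

main() {
  dir="$(mktemp -d)"
  make_ca "$dir"
  make_server_cert "$dir" "$LOGSTASH_HOST"

  if beat_would_accept "$dir/ca.crt" "$dir/server.crt" "$LOGSTASH_HOST"; then
    echo "OK: server.crt chains to ca.crt and matches $LOGSTASH_HOST"
  else
    echo "UNEXPECTED: server.crt rejected"
  fi

  # Failure mode 1: hosts: points at a name (or IP) that is not in the SAN.
  beat_would_accept "$dir/ca.crt" "$dir/server.crt" "kibana.example.com" ||
    echo "Rejected as expected: kibana.example.com is not in the SAN"

  # Failure mode 2: the Beat trusts a CA that did not sign server.crt.
  make_ca "$dir/other"
  beat_would_accept "$dir/other/ca.crt" "$dir/server.crt" "$LOGSTASH_HOST" ||
    echo "Rejected as expected: server.crt was not issued by other/ca.crt"

  echo "Logstash key header: $(ensure_pkcs8 "$dir/server.key" "$dir/server.pkcs8.key")"
  rm -rf "$dir"
}
main
```

When a Beat logs a certificate or hostname error, run beat_would_accept with the CA file from the Beat's configuration, the certificate Logstash actually serves, and the exact host string from output.logstash.hosts; whichever of the two checks fails there is the one to fix on the Logstash side.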

andrewkroh / Microsoft-Windows-FileInfoMinifilter.txt
Last active Jan 7, 2022
Microsoft-Windows-FileInfoMinifilter Messages from Windows 2012 Server
Id : 1
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {, fi:FileNameCreate}
Template : <template xmlns="">
andrewkroh /
Last active Sep 16, 2021
Bash script to dump wireguard peers to JSON
#!/usr/bin/env bash
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
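The gist preview above shows only the license header, so the following is an added example, not the gist's own script. It converts the tab-separated output of `wg show <iface> dump` into one JSON document, redacting the interface private key and reporting only whether each peer has a preshared key, which is what you want before shipping peer state into a log pipeline. The dump text is constructed inline; the interface name wg0 and the key strings are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the gist). Parses `wg show <iface> dump` (one interface
# per run; `wg show all dump` adds a leading interface column that this does not handle).
#
# Column layout per wg(8) "dump", tab separated:
#   line 1      : private-key  public-key  listen-port  fwmark
#   later lines : public-key  preshared-key  endpoint  allowed-ips  latest-handshake  transfer-rx  transfer-tx  persistent-keepalive
# Missing values are printed by wg as "(none)" (preshared-key, endpoint) or "off" (fwmark, persistent-keepalive).

# wg_dump_to_json IFACE < dump-text
wg_dump_to_json() {
  awk -F'\t' -v iface="$1" '
    # "a/32,b/128" -> "\"a/32\",\"b/128\""
    function quote_list(s,    n, a, i, out) {
      n = split(s, a, ",")
      out = ""
      for (i = 1; i <= n; i++) out = out (i > 1 ? "," : "") "\"" a[i] "\""
      return out
    }
    NR == 1 {
      # $1 is the interface private key: never emit it, only mark that it was removed.
      printf "{\"interface\":\"%s\",\"private_key\":\"[redacted]\",\"public_key\":\"%s\",\"listen_port\":%s,\"fwmark\":\"%s\",\"peers\":[", iface, $2, $3, $4
      next
    }
    {
      if (NR > 2) printf ","
      psk = ($2 == "(none)") ? "false" : "true"          # presence only, never the PSK itself
      endpoint = ($3 == "(none)") ? "null" : "\"" $3 "\""
      keepalive = ($8 == "off") ? "null" : $8
      printf "{\"public_key\":\"%s\",\"preshared_key\":%s,\"endpoint\":%s,\"allowed_ips\":[%s],\"latest_handshake\":%s,\"transfer_rx\":%s,\"transfer_tx\":%s,\"persistent_keepalive\":%s}", $1, psk, endpoint, quote_list($4), $5, $6, $7, keepalive
    }
    END { print "]}" }
  '
}

# Constructed sample values (not real keys) standing in for `wg show wg0 dump` output.
WG_PRIVATE_KEY="PRIVATEKEYDONOTSHIP00000000000000000000000="
WG_PUBLIC_KEY="SERVERPUBLICKEY0000000000000000000000000000="
PEER1_KEY="PEER1PUBLICKEY00000000000000000000000000000="
PEER2_KEY="PEER2PUBLICKEY00000000000000000000000000000="
PEER2_PSK="PEER2PRESHAREDKEY00000000000000000000000000="

sample_dump() {
  printf '%s\t%s\t51820\toff\n' "$WG_PRIVATE_KEY" "$WG_PUBLIC_KEY"
  # peer 1: no PSK, has an endpoint, one allowed IP, has completed a handshake
  printf '%s\t(none)\t203.0.113.10:41820\t10.0.0.2/32\t1700000000\t1024\t2048\toff\n' "$PEER1_KEY"
  # peer 2: PSK set, never connected, two allowed IPs, keepalive 25s
  printf '%s\t%s\t(none)\t10.0.0.3/32,fd00::3/128\t0\t0\t0\t25\n' "$PEER2_KEY" "$PEER2_PSK"
}

# Live use (needs root):  wg show wg0 dump | wg_dump_to_json wg0
sample_dump | wg_dump_to_json wg0
```

The numeric columns (listen-port, latest-handshake, transfer counters, keepalive) are emitted as JSON numbers so a downstream pipeline can alert on stale handshakes without a conversion step; latest-handshake is Unix seconds and is 0 for a peer that has never completed a handshake.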
andrewkroh / filebeat-cisco-ios.js
Created Feb 26, 2019
Javascript Processor Example
var processor = require("processor");
var filebeatCisco = (function() {
var parseCiscoHeader = new processor.Dissect({
"tokenizer": "%{}%%{cisco.log.facility}-%{cisco.log.severity}-%{event.code}: %{message}",
"field": "log.original",
"target_prefix": "",
var coerceDataTypes = new processor.Transform([
andrewkroh / symantec-endpoint-pipeline.json
Last active Apr 21, 2021
Symantec Endpoint Elasticsearch Ingest Node Pipeline (POC)
"description": "Pipeline for parsing Symantec Endpoint logs",
"processors": [
"set": {
"field": "event.original",
"value": "{{{message}}}"
andrewkroh / 46203-dimmer.xml
Last active Jan 6, 2021
Home Assistant 2020.12.2 Patch for GE Jasco jasco_products_unknown_type_4944_id_3235
<!-- GE(Jasco) 46203 Z-Wave Plus Dimmer Switch -->
<!-- Configuration Parameters - per -->
<Product Revision="1" xmlns="">
<MetaDataItem name="OzwInfoPage"></MetaDataItem>
<MetaDataItem name="ProductPic">images/ge/46203-dimmer.png</MetaDataItem>
<MetaDataItem id="3235" name="ZWProductPage" type="4944"></MetaDataItem>
<MetaDataItem name="Name">In-Wall Smart Dimmer </MetaDataItem>
<MetaDataItem name="ProductManual">;filename=MarketCertificationFiles/3323/14294.46203.ZW3010%20Binder.pdf</MetaDataItem>
<MetaDataItem id="3235" name="FrequencyName" type="4944">U.S. / Canada / Mexico</MetaDataItem>
andrewkroh / citrix-netscaler-pipeline.json
Last active Dec 15, 2020
Citrix Netscaler Elasticsearch Ingest Node Pipeline
"description": "Pipeline for parsing Citrix Netscaler logs",
"processors": [
"script": {
"description": "set event.original",
"lang": "painless",
"source": "def event = ctx.event;\nif (event == null) {\n event = [:];\n ctx['event'] = event;\n}\nevent['original'] = ctx.message;\n"
andrewkroh /
Last active Dec 9, 2020
Changing RPM Version and Release with rpmrebuild
yum install rpmrebuild -y
mkdir output
# If your RPMs do not contain all of the tags defined in this preamble
# then use the --change-spec-preamble flag to modify the preamble.
cat /usr/lib/rpmrebuild/rpmrebuild_rpmqf.src
# Change the RPM's release number to 2. Ignore Distribution and URL.
rpmrebuild -p --notest-install \