Skip to content

Instantly share code, notes, and snippets.

View andrewkroh's full-sized avatar

Andrew Kroh andrewkroh

View GitHub Profile
andrewkroh / filebeat.filestream-evtx_dump.yml
Last active November 1, 2023 01:17
Ingest Windows event logs to Elasticsearch on Linux using evtx_dump and Filebeat
View filebeat.filestream-evtx_dump.yml
# Consume output from
# evtx_dump --dont-show-record-number -o xml <file.evtx> > /tmp/samples/file.evtx.xml
# See
- type: filestream
id: evtx_dump_xml
- multiline:
andrewkroh / filebeat.udp-cef-extrahop.yml
Last active October 24, 2023 20:41
ExtraHop CEF logging to Filebeat
View filebeat.udp-cef-extrahop.yml
- host: localhost:9514
id: udp-extrahop-cef-9514
type: udp
- convert:
mode: copy
- { from: "message", to: "event.original" }
andrewkroh / filebeat.cel.yml
Created October 1, 2023 19:32
Filebeat CEL input - ingest complete config file when it changes
View filebeat.cel.yml
- type: cel
id: config-123-watcher
interval: 1m
url: file:///etc/conf.d/foo.conf
program: |
file(state.url).as(content, content.sha256().hex().as(hash, {
andrewkroh / filebeat.journald-kubelet.yml
Last active September 22, 2023 20:29
Filebeat - processing kubelet json logs read from journald
View filebeat.journald-kubelet.yml
- type: journald
# For
- if:
- kubelet
- regexp.message: '^{'
# 'kubelet' should be mapped as a flattened field in ES because
andrewkroh /
Last active August 30, 2023 06:40
Using TLS between Beats and Logstash

Using TLS between Beats and Logstash

Beats to Logstash over TLS

The purpose of this document is to help with configuring and troubleshooting using TLS on the connection between Beats and Logstash.


You must configure TLS on both the client and server to make this work. This

andrewkroh / howto.txt
Last active May 5, 2023 10:07
Microsoft-Windows-Windows Defender Event Log Message Resources
View howto.txt
800, AntiVirus
801, AntiSpyware
802, Antimalware
803, Full
804, Delta
805, Full Scan
806, Quick Scan
807, Custom Scan
808, Remove
809, Quarantine
andrewkroh / beat.yml
Last active March 10, 2023 15:04
Beat script processor to filter out IPv6
View beat.yml
- script:
# This uses a Beat script processor to include only ipv4 addresses
# in the host.ip field. This would need to placed after the add_host_metadata
# processor.
# It would be a lot more efficient to have add_host_metadata allow controlling
# what addresses were included because this has to execute for every event.
# References:
andrewkroh /
Last active March 6, 2023 19:09
Adding event.ingested and lag calculations to Winlogbeat events

Adding event.ingested and lag calculations to Winlogbeat events

Create an Ingest Pipeline that will add four fields:

  • event.ingested - Time when the event was processed by Elasticsearch.
  • - Time difference in milliseconds between @timestamp and event.created. This measures how long it took for Winlogbeat read the event from the event log (for WEC this includes the delivery time from forwarder to collector).
  • event.lag.ingest - Time difference in milliseconds between event.created and event.ingested. This measures the time between Winlogbeat reading the event (time when it "created" the document) to when it was written to Elasticsearch.
andrewkroh /
Last active January 17, 2023 20:26
Routing Filebeat data to a Fleet integration data stream

DRAFT: Routing Filebeat data to a Fleet integration data stream

This is an unofficial tutorial that may be useful to users that are in the process of migrating to to Elastic Agent and Fleet. It explains the steps to route some Filebeat data into a data stream managed by a Fleet integration package.

Install the Fleet integration

Installing a Fleet integration sets up all of its data streams and dashboards. There are two methods to install. In these examples we install the Hashicorp Vault 1.3.1 integration.

Use Kibana (easiest)

andrewkroh / install-go.ps1
Last active November 24, 2022 13:13
Install Golang using Powershell
View install-go.ps1
# Installs golang on Windows.
# # Run script:
# .\install-go.ps1 -version 1.5.3
# # Download and run script:
# $env:GOVERSION = '1.5.3'
# iex ((new-object net.webclient).DownloadString('SCRIPT_URL_HERE'))