Skip to content

Instantly share code, notes, and snippets.

View packetuser's full-sized avatar

packetuser

View GitHub Profile
@packetuser
packetuser / gist:f4100f27a940938d789143f1bb5746cd
Created August 31, 2023 15:39
metricbeat log
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.604Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/metricbeat] Config path: [/etc/metricbeat] Data path: [/var/lib/metricbeat] Logs path: [/var/log/metricbeat]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.605Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: db63bce8-398f-4389-915a-8e77b7eca9bf","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.610Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":125},"message":"Syscall filter successfully installed","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.610Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"metricbeat","system_info":{"beat":{"path":{"con
@packetuser
packetuser / gist:422461f6d336aca764f0921cc08d131c
Created August 30, 2023 17:01
sudo filebeat -e -d "*" -3
{"log.level":"info","@timestamp":"2023-08-30T16:56:12.780Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.780Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":870},"message":"Beat metadata path: /var/lib/filebeat/meta.json","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T16:56:12.780Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 998ebe76-3f5e-48e2-9944-e1ba6df5656f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.785Z","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition contains: map[]","service.name":"filebeat","ecs.version
@packetuser
packetuser / gist:efc494b9dc3cb47a50f6dea715ea9822
Created August 30, 2023 16:51
filebeat -e -d "*" -2
{"log.level":"info","@timestamp":"2023-08-30T16:41:52.425Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:41:52.425Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":870},"message":"Beat metadata path: /var/lib/filebeat/meta.json","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T16:41:52.425Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 998ebe76-3f5e-48e2-9944-e1ba6df5656f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:41:52.432Z","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition contains: map[]","service.name":"filebeat","ecs.version
@packetuser
packetuser / gist:5b253b89494e17ab89d8bc04fc6b1732
Created August 30, 2023 16:45
filebeat -e -d "*"
{"log.level":"info","@timestamp":"2023-08-30T16:41:52.425Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:41:52.425Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":870},"message":"Beat metadata path: /var/lib/filebeat/meta.json","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T16:41:52.425Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 998ebe76-3f5e-48e2-9944-e1ba6df5656f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:41:52.432Z","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition contains: map[]","service.name":"filebeat","ecs.version
@packetuser
packetuser / gist:d27a7c57219aa54b712fef698ce74ce3
Created August 30, 2023 15:50
Filebeat -e
~$ sudo filebeat -e
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.907Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.907Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 998ebe76-3f5e-48e2-9944-e1ba6df5656f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.912Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":125},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.912Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{
@packetuser
packetuser / gist:517122e1dfd9604deaff79ca15cd590b
Created August 30, 2023 14:28
syslog | grep filebeat
Aug 30 12:36:36 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:36:36.486Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":175747072}}}},"cpu":{"system":{"ticks":727160,"time":{"ms":640}},"total":{"ticks":10709890,"time":{"ms":9620},"value":10709890},"user":{"ticks":9982730,"time":{"ms":8980}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":31},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":55920113},"version":"8.9.1"},"memstats":{"gc_next":125759528,"memory_alloc":93990456,"memory_total":635123006592,"rss":227827712},"runtime":{"goroutines":310}},"filebeat":{"events":{"active":1209,"added":21952,"done":21992},"harvester":{"open_files":19,"running":19,"started":2}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":22599,"active":0,"batches":457
@packetuser
packetuser / gist:311b5c608a962a988813a59d13f342f6
Created August 17, 2023 20:07
Full filebeat error
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.688Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.688Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 998ebe76-3f5e-48e2-9944-e1ba6df5656f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.697Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":125},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.697Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/fileb
@packetuser
packetuser / gist:d5832ab282013291d495ccfce1154046
Created August 17, 2023 18:11
/etc/filebeat/modules.d/zeek.yml
# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-zeek.html
- module: zeek
capture_loss:
enabled: true
var.paths: ["/mnt/Bro/current/capture_loss.log"]
connection:
enabled: true
var.paths: ["/mnt/Bro/current/conn.log"]
@packetuser
packetuser / gist:69473877186cd7e0b0ac78b430a15063
Created August 17, 2023 18:07
/etc/filebeat/filebeat.yml
###################### Filebeat Configuration Example #########################
# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html
# For more available modules and options, please see the filebeat.reference.yml sample
@packetuser
packetuser / gist:677d6d6e95b4b61fe3178346f98e4f1a
Created August 17, 2023 17:47
Filebeat error message
Exiting: Failed to start crawler: creating module reloader failed: loading configs: 1 error: invalid config: yaml: line 5: mapping values are not allowed in this context