Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- winlogbeat [2025/03/28 13:29]
jango
+++ winlogbeat [2025/04/16 11:34] (aktuell)
jango
@@ Zeile 1: / Zeile 1: @@
 Winlogbeat ist ein Tool um [[Windows]] Eventlogs aufzubereiten und in einen [[Elasticsearch]]bzw. [[Opensearch]]  Index zu speichern. Das Tool erstellt den Index von selbst.
-  * DC01
+<code bash>
-  * AUDIT
+# jq
-  * GBI016
-  * EX01
-<code>
 curl -X GET "https://172.21.0.134:9200/winlogbeat-8.17.4/_search" -u "elastic:fw5XeLo_I0X470yF_XQL" --insecure -H 'Content-Type: application/json' -d '{"query": { "wildcard": { "winlog.event_data.TargetUserName": "SYS*"}}}' | jq -r '.hits.hits[]._source | "\(.agent.name)"'
+# jq
+curl -X GET "https://172.21.0.134:9200/winlogbeat-8.17.4/_search" -u "elastic:fw5XeLo_I0X470yF_XQL" --insecure -H 'Content-Type: application/json' -d '{"query": { "wildcard": { "winlog.event_data.TargetUserName": "SYS*"}}}' | jq -r '.hits.hits[]._source["@timestamp"]'
-curl -X GET "https://172.21.0.134:9200/winlogbeat-8.17.4/_search" -u "elastic:fw5XeLo_I0X470yF_XQL" --insecure -H 'Content-Type: application/json' -d '{"query": { "wildcard": { "winlog.event_data.TargetUserName": "SYS*"}}}' | jq -r '.hits.hits[]._source["@timestamp"]'
+# Liste alle Agents
+curl -X GET "https://localhost:9200/winlogbeat-*/_search" -H "Content-Type: application/json" -d '{ "size":0, "aggs":{ "unique_hosts":{ "terms":{ "field": "host.name", "size":10000}}}}' -u "elastic:fw5XeLo_I0X470yF_XQL" --insecure
 </code>
 <box red>Damit Winlogbeat auf den Security Log zugreifen kann muss Winlogbeat als Admin gestartet sein! Außerdem wird **alles in UTC** geloggt (von Windows)!</box>
+=====Installation=====
 Im Installationsordner von Winlogbeat findet sich ein ps1 Script.
@@ Zeile 104: / Zeile 105: @@
       when.not.contains.tags: forwarded
   - add_cloud_metadata: ~
+</code>
+=====Windows Deployment=====
+Not good
+<code powershell>
+#$servers = Get-ADComputer -Filter * | Where-Object { $_.Name -like "*-SRV-AUDIT*" } | Select-Object -ExpandProperty Name
+$servers = @(
+    "vie-srv-fs03",
+    "vie-srv-fs04"
+)
+foreach ($server in $servers) {
+    # If the service is running, stop it so we can overwrite files
+    $status = (Get-Service Winlogbeat -ComputerName $server).Status
+    if($status -like "running") {
+        Write-Host "[info] Winlogbeat is running on $server - stopping service"
+        $r = (Get-Service Winlogbeat -ComputerName $server).Stop()
+    } else {
+        Write-Host "[info] Winlogbeat is NOT running on $server"
+    }
+    Invoke-Command -ComputerName $server -ErrorAction Continue -ScriptBlock {
+        # Copy new files
+        $source = "\\fileserver\public\gbi\infrastruktur\software\winlogbeat\*"
+        $destination = "C:\Program Files\Winlogbeat\"
+        $xcopyArgs = "`"$source`" `"$destination`" /y /s /e"
+        Start-Process -FilePath "xcopy.exe" -ArgumentList $xcopyArgs -NoNewWindow -Wait
+        $scriptPath = "C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1"
+        if (Test-Path $scriptPath) {
+            # Execute install script
+            powershell.exe -ExecutionPolicy Bypass -File $scriptPath
+            # Start service
+            Start-Service winlogbeat
+            # Set startup type to automatic
+            Set-Service winlogbeat -StartUpType Auto
+            # Check status
+        } else {
+            Write-Host "[error] Install script not found: $scriptPath"
+        }
+        $status = (Get-Service winlogbeat).Status
+        Write-Output "[info] Status after install: $status"
+    }
+}
+</code>
+Good
+<code powershell>
+#
+# Last run stopped at vie-srv-admin01 (not finished)
+#
+<#
+$servers = Get-ADComputer -Filter * -Properties * | Where-Object {
+    $_.Name -like "*-SRV-*"
+    -and $_.OperatingSystem -like "Windows*"
+    -and $_.DistinguishedName -notlike "*Löschen*"
+} | Select-Object -ExpandProperty Name
+#>
+$servers = @(
+    "vie-srv-sign01"
+)
+$logfile = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_log.txt"
+$online = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_servers_online.txt"
+$offline = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_servers_offline.txt"
+#$servers = @("vie-t-srv-audit")
+foreach ($server in $servers) {
+    # If the service is running, stop it so we can overwrite files
+    $status = (Get-Service -Name Winlogbeat -ComputerName $server).Status
+    if($status -like "running") {
+        Write-Output "[info] Winlogbeat is running on $server"
+        $r = (Get-Service Winlogbeat -ComputerName $server).Stop()
+        Write-Output "[info] Winlogbeat service stopped successfully"
+    } else {
+        Write-Output "[info] Winlogbeat is NOT running on $server"
+    }
+    $session = New-PSSession -ComputerName $server
+    Copy-Item -Path "\\fileserver\public\gbi\infrastruktur\software\winlogbeat\*" -Destination "C:\Program files\Winlogbeat" -ToSession $session -Recurse -Force
+    try {
+        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
+            Param($srv)
+            #whoami
+            # Copy new files
+            <#
+            Write-Output "[info] Copying new files.."
+            $source = "\\fileserver\public\gbi\infrastruktur\software\winlogbeat\*"
+            $destination = "C:\Program Files\Winlogbeat\"
+            $xcopyArgs = "`"$source`" `"$destination`" /y /s /e"
+            $output = cmd /c "xcopy `"$source`" `"$destination`" /y /s /e"
+            #Start-Process -FilePath "xcopy.exe" -ArgumentList $xcopyArgs -NoNewWindow -Wait
+            Write-Output "[info] Files successfully copied"
+            #>
+            $scriptPath = "C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1"
+            if (Test-Path $scriptPath) {
+                # Execute install script
+                powershell.exe -ExecutionPolicy Bypass -File $scriptPath
+                # Start service
+                Start-Service winlogbeat
+                # Set startup type to automatic
+                Set-Service winlogbeat -StartUpType Auto
+                # Check status
+                Write-Output "[info] Install script executed"
+            } else {
+                Write-Output "[error] Install script not found: $scriptPath"
+            }
+            $status = (Get-Service winlogbeat).Status
+            Write-Output "[info] Status after install: $status"
+            #Write-Output "[info] Remotely connected to $srv "
+        } -ArgumentList $server
+        #$stat >> $online
+    } catch {
+        $connection = Test-Connection -ComputerName $server -Count 1 -Quiet
+        # Wenn der Server nicht erreichbar ist, schreibe es ins Log
+        if (-not $connection) {
+            Write-Output "[info] Could NOT connect remotely to $server" >> $offline
+        } else {
+            Write-Output "[info] Could NOT connect remotely to $server but its reachable by ping" >> $offline
+        }
+    }
+}
 </code>

MBCDN

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge