- Remove PEM password from certificate
- Change any Wazuh password
- Get VM info from Azure hosts
- Search Wazuh json logs
- Create exception rules on NAXSI WAF
- Deleting Elasticsearch indexes
- Test redis with curl
- Windows 11
- Suricata monitoring
- LDAP
Table of contents generated with markdown-toc
## Remove PEM password from certificate

Extract the private key from the PFX (the exported key is still protected by the export passphrase), then write an unencrypted copy. The resulting file carries no passphrase, so restrict its permissions to the service that needs it (e.g. `chmod 600`).

```sh
# 1. Extract the (still passphrase-protected) private key from the PFX
openssl pkcs12 -in cert.pfx -nocerts -out private.key
# 2. Strip the passphrase; reads the file produced above
#    (the original note used a different file name, futurestudio_with_pass.key)
openssl rsa -in private.key -out private-nopass.key
```
## Change any Wazuh password

- Access your master node and open the python3 console:

```sh
root@wazuh-master:/# /var/ossec/framework/python/bin/python3
```

- Once in the python3 console, import the `update_user` framework function and call it with the `user_id` and the new password. In this case, the `user_id` is 1 for the "wazuh" user.

```python
>>> from wazuh.security import update_user
>>> update_user(user_id="1", password="NewPassword1!").render()
```

- If the process was successful, you will receive the following output:

```
{'data': {'affected_items': [{'id': 1, 'username': 'wazuh', 'allow_run_as': True, 'roles': [1]}], 'total_affected_items': 1, 'total_failed_items': 0, 'failed_items': []}, 'message': 'User was
```

Original post: https://groups.google.com/g/wazuh/c/zxhdkmSkclE
## Get VM info from Azure hosts

Linux (you can use `jq` to filter the JSON, but not every machine has it installed, so this version relies on `sed`):

```sh
curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | sed -n -e 's/^.*vmSize\"\:\"//p' | sed 's/".*//'
```

Windows:

```powershell
((Invoke-WebRequest -Headers @{ 'Metadata' = 'true'} -URI http://169.254.169.254/metadata/instance?api-version=2021-02-01).Content | ConvertFrom-Json).compute.vmSize
```

Zabbix `system.run` item:

```
system.run[powershell.exe -NoProfile -ExecutionPolicy Bypass "((Invoke-WebRequest -UseBasicParsing -Headers @{ 'Metadata' = 'true'} -URI http://169.254.169.254/metadata/instance?api-version=2021-02-01).Content | ConvertFrom-Json).compute.vmSize",wait]
```
## Search Wazuh json logs

Filter alerts by agent IP with `jq` (`-c` prints one compact JSON object per line):

```sh
jq -r -c 'select(.agent.ip=="16.50.20.14")' ossec-alerts-25.json > filtered.json
```
## Create exception rules on NAXSI WAF

- Reset the log file contents:

```sh
:> /var/log/nginx/site.com-error.log
```

- Monitor the log file and exercise the application:

```sh
tail -f /var/log/nginx/site.com-error.log
```

- Execute `nx_util.py` to generate exception rules from the logged NAXSI events:

```sh
nx_util.py -o -p 1 -l /var/log/nginx/site.com-error.log
```

or append them directly to the site rules file:

```sh
nx_util.py -o -p 1 -l /var/log/nginx/site.com-error.log >> /etc/nginx/naxsi_rules/site.rules
```

Review the generated rules before enabling them: `nx_util.py` whitelists whatever triggered the logged events, so only generate them from traffic you know is legitimate.

- Include the rules in the site rules file referenced in nginx_site.conf and adjust accordingly:

```sh
vim /etc/nginx/conf.d/site.com.conf
vim /etc/nginx/naxsi_rules/site.rules
```
## Deleting Elasticsearch indexes

Reference: https://www.ibm.com/docs/en/cloud-private/3.1.2?topic=logging-manually-removing-log-indices

Execute the following steps while logged into Kibana.

- List indexes: go to Kibana --> Dev Tools. On the left panel, add a line to list the indexes:

```
GET /_cat/indices?v
```

Click the green play button to execute the API call. The index list is shown on the right side, including the allocation status:

```
health status index               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   logstash-2019.02.05 nbkLRGXqQ6enWMbLeYIO1w   5   1     932127            0    571.8mb        571.8mb
```

- Delete indexes

Note: never remove these indexes, they are essential to the system:

- searchguard
- .kibana

Identify the indexes you want to delete. You can use `*` to delete a range, for example all June indexes. Since a wildcard delete cannot be undone, check what the pattern matches first (e.g. `GET /_cat/indices/wazuh-alerts-4.x-2022.06*?v`).

```
DELETE /{your index name}
DELETE /security-auditlog-2022.05*
DELETE /wazuh-alerts-4.x-2022.06*
```
## Test redis with curl

Authenticate, ping and quit over a raw TCP connection (this one-liner actually uses `nc`, not curl):

```sh
(printf "AUTH <password>\r\nPING\r\nQUIT\r\n";) | nc localhost 6379
```
## Windows 11

Append a directory to the machine-wide PATH. Note that `$Env:PATH` is the current process PATH (machine and user entries already merged), so this writes that merged value back into the machine PATH; read the machine value with `[Environment]::GetEnvironmentVariable("PATH", [EnvironmentVariableTarget]::Machine)` instead if you want to keep user and machine entries separate.

```powershell
[Environment]::SetEnvironmentVariable("PATH", $Env:PATH + ";C:\Users\user\Scripts", [EnvironmentVariableTarget]::Machine)
```
## Suricata monitoring

Follow the EVE log and print only alert events, one compact JSON object per line:

```sh
tail -f /var/log/suricata/eve.json | jq -r -c 'select(.event_type=="alert")'
```
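The two `jq` filters in these notes (Wazuh alerts by agent IP, Suricata alerts from eve.json) as an added Python example that is not part of the original notes. It assumes the logs are newline-delimited JSON and, unlike `jq`, skips a line that is still being written when `tail -f` reads it instead of aborting; the sample lines are constructed.

```python
"""Filter NDJSON logs (Wazuh alerts, Suricata eve.json) with jq-style selectors."""
import json
from typing import Iterable, Iterator

def get_path(event: dict, dotted: str):
    """Resolve a jq-style path such as 'agent.ip' or 'alert.signature'."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def filter_ndjson(lines: Iterable[str], **wanted) -> Iterator[dict]:
    """Yield events whose dotted fields equal the wanted values. A line that
    is not valid JSON (typically one still being written when `tail -f` read
    it) is skipped rather than aborting the stream as `jq` would."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(get_path(event, k) == v for k, v in wanted.items()):
            yield event

# Constructed sample input (not real telemetry): two Wazuh alerts plus a
# truncated line, as seen when the file is read before a flush completes.
WAZUH_SAMPLE = [
    '{"agent":{"id":"001","ip":"16.50.20.14"},"rule":{"id":"5710","level":5}}',
    '{"agent":{"id":"002","ip":"10.0.0.9"},"rule":{"id":"5710","level":5}}',
    '{"agent":{"id":"001","ip":"16.50.20.1',
]
# Constructed Suricata eve.json lines: one flow record and one alert.
EVE_SAMPLE = [
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_port":443}',
    '{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature":"ET POLICY test","severity":2}}',
]

def wazuh_by_agent_ip(lines, ip):  # same as jq 'select(.agent.ip=="...")'
    return list(filter_ndjson(lines, **{"agent.ip": ip}))

def suricata_alerts(lines):  # same as jq 'select(.event_type=="alert")'
    return list(filter_ndjson(lines, event_type="alert"))
if __name__ == "__main__":
    print(wazuh_by_agent_ip(WAZUH_SAMPLE, "16.50.20.14"))
    print(suricata_alerts(EVE_SAMPLE))
```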
## LDAP

Look up a user by `sAMAccountName` with a simple bind (`-W` prompts for the bind password):

```sh
ldapsearch -H ldap://172.7.6.5 -x -W -D "user@domain.local" -b "dc=domain,dc=local" "(sAMAccountName=user)"
```

The same query over STARTTLS (`-Z`). `LDAPTLS_REQCERT=never` skips server certificate verification, so it is only suitable for testing against a server whose certificate the client does not yet trust; for regular use, install the CA certificate on the client and drop the variable:

```sh
LDAPTLS_REQCERT=never ldapsearch -Z -H ldap://172.5.6.7 -x -W -D "user@domain.local" -b "dc=domain,dc=local" "(sAMAccountName=user)"
```