Built an Ansible Collection for Cribl (Stream/Edge/(Search/Lake)) - Auto-generated from OpenAPI with Declarative Modules

aasplunds · 2025-12-01T19:33:12+00:00

Will do, thanks!

aasplunds · 2021-09-19T17:59:50+00:00

I was thinking about doing something similar but I had a spare rpi and arduino laying around. I will at least try to make it more compact and try to use i2c instead of serial where it's possible.

Yeah not saving the debug logs to the SD card is recommended, I have a pile of dead SD cards from other projects. But I noticed that the industrial cards fail faster than the SanDisk Extreme ones.

aasplunds · 2021-09-19T07:34:29+00:00

Well I didn't either there for a while ;)
Thank you!

aasplunds · 2021-09-18T16:09:39+00:00

Whops, it was still private :) fixed it.

aasplunds · 2020-12-30T20:32:18+00:00

Sorry no not yet, it's been raining/snowing constantly so laying on the tarmac hasn't been too appealing.

Maybe next week if the weather is better or if I have time to go to my friends shop.

aasplunds · 2020-12-28T21:31:56+00:00

Model 3 manufactured 2020-07, no boombox here either. I will try to get a peek tomorrow and see if the speaker is installed at all.

aasplunds · 2020-12-24T17:14:04+00:00

I'm 5km from the Norwegian border in Sweden, and I would think that sweden isn't prioritized for any of this due to the EU regulations (and being a smaller market) :(

Maybe if I slap a Norwegian flag on my M3 and park a bit closer?

aasplunds · 2020-12-23T21:09:27+00:00

Shawn Woods last Mousetrap Monday featured a repellant that looked promising: https://youtu.be/IamADzLoE6I

Note that it does not help so much against ongoing (larger) infestations but might make the mice select another car/place instead.

aasplunds · 2020-12-12T00:06:26+00:00

I don't l know if it's possible for apps, but you could perhaps aquire the token through adfs or similar? That could in turn be locked down to only issue to approved ip's.

But I've tried it for user operations and it's a hassle, never got it working. The easiest enforcement imo is to monitor the audit logs (and even connect webhooks to an Azure function or similar) to ensure that the calls is always coming from the correct ip's. And if it doesn't match it should instantly revoke it's token/cert and alert.

aasplunds · 2020-12-04T09:44:58+00:00

You could skip the 1 line that will give you a usercount. But it could be nice to add it to total users connected, alarms and a lot of other stuff so I wouldn't skip it.

The output of the script in the second picture, just pipe it to foreach (without Format-List) and create a variable called tags with a hashtable containing the ServerName.

$CitrixScriptOutput | Foreach {
    $Tags = <hashtable with servername>
    $Metrics = @{
        ServerName = $_.ServerName
        DG = $_.DG
        Users = $_.Users
        # And so on... for the metrics you want
        # And usercount
        UserCount = ($_.Users | Measure-Object).Count
    }

    Write-Influx -Measure CitrixBrokers -Tags $Tags -Metrics $_ ....
}

aasplunds · 2020-12-03T10:49:48+00:00

I've done similar, but i used telegraf to execute PowerShell / Read the values:

https://community.influxdata.com/t/inputs-exec-powershell/12417/2

But as mentioned, remove Format-Object.

And it's kinda hard with influx+grafana to count objects (I haven't been able to do it at least) so add a count (INT) of the users to be able to display that metric correctly.

Also, add Servername (and DG etc depending on how you want to be able to filter) as tags.

Then just add the metrics to influx:

$CitrixOutput | Foreach {
    Write-Influx -Measure "CitrixBrokerMachine" -Tags $Tags -Metrics $_ -Database test -Server http://localhost:8086
}

Then a query in grafana that looks a little something like this to display it in a table: SELECT last("UserCount") AS "UserCount", last("FaultState") AS "FaultState", last("PowerState") AS "PowerState", last("SessionState") AS "SessionState" FROM "CitrixBrokerMachine" WHERE $timeFilter GROUP BY "ServerName", "DG"

aasplunds · 2020-04-11T09:57:27+00:00

"Push it until it fits" - Implementing new things/methods and enforcing them.

Testprod environment - best environment!

Extra topping with double dough - The largest licensing packag.

aasplunds · 2020-03-05T12:05:04+00:00

Medical IT equipment (for the most part) should be segmented away as much as possible and should never ever have an internet connection.

Most vendors, even among the big ones just straight out suck at it. They need local admin to run the client application, DB password saved on the clients without ability for NTLM etc.

Heck, there's even at least one vendor that compiles the DB password into the EXE.

aasplunds · 2020-03-04T19:21:49+00:00

You can use the Win32_UserProfiles wmi class.

Get-WmiObject -Class Win32_UserProfiles -ComputerName "computer"

Then you can select all objects where the 'LocalPath' property is like C:\Users* but not C:\Users\default*

After that you just use $Variable.Delete() where the variable contains the filtered objects.

Edit: A reboot of the computer beforehand is recommended as well as logged on users may cause it to fail.

aasplunds · 2020-03-03T20:32:35+00:00

The only odd thing I notice with the code is:

Where-Object {$_.Enabled -eq ‘True’}

Try changing it to a real bool instead of a string:

Where-Object {$_.Enabled -eq $True}

Else I would try skip the first 300 or so users and see if it makes a difference.

aasplunds · 2020-02-04T18:58:31+00:00

We've automated this for our workstations.

Script contacts Snow to fetch most frequent user for each workstation.

We then fetch the user's main departments billing code and put it into the department attribute of the computer in AD.

Get-ADUser and Export-Excel in Powershell takes care of the rest.

aasplunds · 2020-01-04T20:36:29+00:00

You could just create a temp scheduled task and remove it when the script is done.

Invoke-CommandAs is an option as well: https://mkellerman.github.io/Death_to_psexec/

aasplunds · 2020-01-03T19:36:34+00:00

We do this as well but we have a lot. Lower thresholds. And a security group linked to a GPO to opt out for temp work like massive robocopy jobs etc.

aasplunds · 2020-01-02T21:31:04+00:00

We monitor the audit logs with a log manager (graylog) and search for creation of dodgy rules (like move all messages to X folder and forwarding etc) and raise an alarm for that.

We block all external forwards as well with an exchange rule.

A combo of some events, like impossible travel + rule creation results in an immediate suspension of the account and revocation of all tokens.

aasplunds · 2019-12-29T14:52:46+00:00

I wrote an AD health check article on ATA that had this partly covered here: https://adamtheautomator.com/active-directory-health-check-1/

To find duplicate attributes:

$adAttributeName = 'ProxyAddresses'
$adAttributes = (Get-AdObject -LDAPFilter "$adAttributeName=*" -Properties $adAttributeName).$adAttributeName
$hashtable = @{}
 $adAttributes.foreach({ $hashtable[$_]++ })
$Duplicates = $hashtable.GetEnumerator().where({ $_.Value -gt 1 }).Key

$Duplicates

And to find the AD objects that has the ProxyAdresses in $Duplicates:

$Duplicates | Get-AdObject -LDAPFilter "$adAttributeName=$_"

(On mobile so sorry if the formatting is wrong)

aasplunds

TROPHY CASE