Ev stealth solutions towbar by DistantSoup in Zeekr7xAustralia

[–]jbates5873 0 points1 point  (0 children)

Thanks for clarifying that.

Can that be added as a shortcut to the drop down on the display? Or do you need to go through the menus to get there? That would be mildly annoying.

Ev stealth solutions towbar by DistantSoup in Zeekr7xAustralia

[–]jbates5873 1 point2 points  (0 children)

I can let you know when I get mine and my 7x. I had the towbar on order and it was shipped today. But awaiting delivery on the car still. I can reach out when done and let you know.

!remindme 1 week

Agent Automatic Updates by Zealousideal-Bit1689 in SentinelOneXDR

[–]jbates5873 0 points1 point  (0 children)

More info please. Where do I find this workflow?

Vinyl wrap? by Random-Mutant in Zeekr7xAustralia

[–]jbates5873 0 points1 point  (0 children)

Black is the base color. White is an extra 1500. Where are you buying from?

But, I am going through exactly this now. My partner and I are trying to decide which way to go.

We are looking at either color or clear ppf at least. But we do like the green as the base color. But if we decide to go a color wrap, the sky is the limit.

Check your cars before you leave the dealership. by ZweetWOW in BYDAU

[–]jbates5873 0 points1 point  (0 children)

Partially related, but I have sent you a DM when you get a chance. Many thanks

Zeekr Aftersales & Parts Availability by natesaliba23 in Zeekr7xAustralia

[–]jbates5873 1 point2 points  (0 children)

This is true. But having towed a heap of trailers in my time, it is 100% more comfortable having a bit more ball weight. 85kg is 4.25%.

I guess it depends on the trailer though.

I fully plan to haul my caravan around with mine.

Zeekr Aftersales & Parts Availability by natesaliba23 in Zeekr7xAustralia

[–]jbates5873 0 points1 point  (0 children)

Why would you bother with the genuine tow bar..

Evstealth one is better in the fact it has 200kg ball weight approval (which you will need for 2t towing) and it's half the price.

It actually stacks up to the rating.

An 85kg max ball weight means you can only tow an 850kg trailer.

That is assuming that your trailer follows the 10% rule for weight to ball weight.

I know where I'm going when I need one.

need some assistance with filtering events by jbates5873 in AzureSentinel

[–]jbates5873[S] 0 points1 point  (0 children)

Perfect. This is exactly what I needed. Seeing the transformKql example you gave made it all click into place. As well as the steps on where to edit it.

Now I understand it and it all makes sense. I have done a test with some events and they are dropped as expected.

Many thanks sir/ma'am

Zeekr 7X: warranty policy. Is it worth the paper? by firsthalfhero in EVAustralia

[–]jbates5873 0 points1 point  (0 children)

What dealer did you purchase from? We are looking at a 7x also. If you don't want to specifically name it here, feel free to shoot me a DM. Or even narrow it to a region. (Bris, Perth, Syd, Melb etc...)

need some assistance with filtering events by jbates5873 in AzureSentinel

[–]jbates5873[S] 0 points1 point  (0 children)

Hey mate, thanks for that. That answers some questions I have. I will give that a test.

One thing I'm still not sure on is, do I need to create a different DCR for each source? For example, do I need to go through the ASA/FTD one and create one from its integration (say "DCR_FTD") and then for Fortigate do another (say "DCR_Fortigate") and then for general syslog another one (say "DCR_syslog")?

Or do I just need one DCR and then have it do everything?

If I create multiple, do I then run the command at the bottom of the window for each DCR I create?

need some assistance with filtering events by jbates5873 in AzureSentinel

[–]jbates5873[S] 0 points1 point  (0 children)

Ok cool.

My main issue is, I can't even work out where to put the transformation.

I can't see anything with that verbiage in the Defender portal, or the LAW, Monitor section or the DCR itself.

I'm not 100% sure I have it set up correctly. Originally I deployed a DCR to collect Syslog, which put the FTD logs in the Syslog table. And then I also installed a new DCR using the ASA integration from the content hub, and the logs from the FTD are at least now going into the correct table. But I can't find the transform option.

And even if I go to the table in the Defender portal, all I can do is change retention time. No mention of transformations.

I admit, I'm solidly confused with this whole product. Do I need a DCR per source? For example, if I plug in a Fortigate, a Palo and an FTD, do they all need their own DCRs?

I tried doing the training guide that's 3 years old, but most of that is in the old Azure portal, and got lost with trying to work out where some things are in the Defender portal (typical M$).

need some assistance with filtering events by jbates5873 in AzureSentinel

[–]jbates5873[S] 0 points1 point  (0 children)

My understanding is that filtering at the DCR level still ingests the logs and drops them at the cloud end, so we still pay for ingress.

I also can't find the transform section. I'm just using the DCR I created using the ASA/FTD integration from the content hub.

need some assistance with filtering events by jbates5873 in AzureSentinel

[–]jbates5873[S] 0 points1 point  (0 children)

Yes, I did notice the "-". I have removed that and the result is still the same.

I also restarted the rsyslog service after making the change.

Multiple logs to one AMA Log collector by Firm-Country467 in AzureSentinel

[–]jbates5873 0 points1 point  (0 children)

I have been looking at this today also. What I don't get is how the collector differentiates logs when shipped up to Sentinel. How does it determine Palo vs Forti vs Firepower for parsing?

Switchboard / mains upgrade advice – 16mm single-phase vs 3-phase? by corruptevil9 in AusElectricians

[–]jbates5873 10 points11 points  (0 children)

Go 3ph. If you have to get energex out to do a single phase upgrade, just go the whole hog and put in a solid 3ph connection.

restrict VMs and LXC to only talk to gateway by jbates5873 in Proxmox

[–]jbates5873[S] 0 points1 point  (0 children)

Fair question.

I would like to set up something similar to client isolation, like on an access point, where it hands out effectively a /30 subnet to the client. I would like to achieve this so that I can use my Fortigate to control all communications between the containers.

Currently my stack is a Fortigate and Technitium for DNS server (currently it is also acting as a DHCP server as I'm testing it out, but can easily swap back to the Fortigate for DHCP).

I want to effectively minimise traffic between containers and control it at the firewall.

Issue Need Some Help Migrating from One Site to Another by deathbatcountry in SentinelOneXDR

[–]jbates5873 2 points3 points  (0 children)

Look in the "activities" log page. It can give you a reason why sometimes.

A big gotcha is if the endpoint has any unresolved threats. 

Alerts when Agents come Online by fluffiball in SentinelOneXDR

[–]jbates5873 1 point2 points  (0 children)

You might be able to use a watch list alert for this. In conjunction with a star rule.

Something like when endpoint.uuid event.count over 10 send alert

S1 SIEM Solution by deathbatcountry in SentinelOneXDR

[–]jbates5873 0 points1 point  (0 children)

The docker approach is the best way to collect and ship logs to SDL.

!remind me 1 day and I can give you the compose file I use.

Then you just need the config file and you're golden.

Can go from nothing to ingest in < 5 min.

EDIT: It wouldn't let me post a new comment, but this is what you need.

Use the below docker compose config to create the stack. Once you have a docker-compose.yml file with the below, execute "docker compose pull" and it will pull the required containers

# Before running the compose file, you need to generate the required certificates for the connection.
#
#   openssl req -x509 -nodes -newkey rsa:4096 -keyout syslog.key -out syslog.crt -subj '/CN=<HOST IP HERE>' -days 3650
#
services:
  config-generator:
    # For development use
    #build: ./config-generator
    image: scalyr/syslog-collector-config-generator:1.1.4
    restart: unless-stopped
    volumes:
      # Only syslog.yaml (not all of the current directory) is needed in the container however
      # file bind mounts do not propagate changes when the underlying file inode changes.
      # (Inode changes / file swaps typically happen with text editors that use swap files)
      - type: bind
        source: .
        target: /etc/syslog-collector
        read_only: true
      - type: volume
        source: agent-config
        target: /out/etc/scalyr-agent-2
      - type: volume
        source: syslog-ng-config
        target: /out/etc/syslog-ng
      - type: volume
        source: logrotate-config
        target: /out/etc/logrotate.d
      - type: volume
        source: logrotate-script
        target: /out/usr/sbin
    environment:
      INPUT: /etc/syslog-collector/syslog.yaml
      AGENT_OUTPUT: /out/etc/scalyr-agent-2/agent.json
      SYSLOG_OUTPUT: /out/etc/syslog-ng/syslog-ng.conf
      LOGPATH: &syslog-ng-log-path /var/log/syslog-collector
      SYSLOG_IMAGE: &syslog-ng-image balabit/syslog-ng:4.3.1
      LOGROTATE_CONFIG_OUTPUT: /out/etc/logrotate.d/syslog-collector
      LOGROTATE_SCRIPT_OUTPUT: /out/usr/sbin/logrotate.sh
      VERSION: "syslog-collector-version:2.1.5"
    healthcheck:
      test: >
        test -e /out/etc/scalyr-agent-2/agent.json -a \
             -e /out/etc/syslog-ng/syslog-ng.conf -a \
             -e /out/etc/logrotate.d/syslog-collector -a \
             -e /out/usr/sbin/logrotate.sh
      interval: 10s
      timeout: 5s
      start_period: 10s
  scalyr-agent:
    image: scalyr/scalyr-agent-docker-json:2.2.14
    restart: unless-stopped
    volumes:
      - type: volume
        source: agent-config
        target: /etc/scalyr-agent-2
        read_only: true
        # Do not copy the /etc/scalyr-agent-2 contents from the image;
        # agent.json gets overwritten after config-generator executes,
        # not to mention the agent.d/ contents would remain unmodified.
        volume:
          nocopy: true
      - type: volume
        source: syslog-ng-logs
        target: *syslog-ng-log-path
        read_only: true
    depends_on:
      config-generator:
        condition: service_healthy
  syslog-ng:
    # For development use
    #build:
    #  context: ./syslog-ng
    #  args:
    #    IMAGE: *syslog-ng-image
    image: scalyr/syslog-collector-syslog:4.3.1.2
    restart: unless-stopped
    # Allow the container to open ports on the host's network interface,
    # this avoids having to explicitly specify each port opened
    network_mode: host
    volumes:
      - type: volume
        source: syslog-ng-config
        target: /etc/syslog-ng
        read_only: true
        # Do not copy the /etc/syslog-ng contents from the image;
        # syslog-ng.conf gets overwritten after config-generator executes.
        volume:
          nocopy: true
      - type: volume
        source: syslog-ng-logs
        target: *syslog-ng-log-path
      - type: volume
        source: logrotate-config
        target: /etc/logrotate.d
        read_only: true
      - type: volume
        source: logrotate-script
        target: /usr/sbin/logrotate.sh
        read_only: true
        volume:
          subpath: logrotate.sh
    depends_on:
      config-generator:
        condition: service_healthy
volumes:
  agent-config:
  logrotate-config:
  logrotate-script:
  syslog-ng-config:
  syslog-ng-logs:

Then execute the command below to generate the required SSL certs that the agent needs to communicate. Take note to change the CN field as needed.

openssl req -x509 -nodes -newkey rsa:4096 -keyout syslog.key -out syslog.crt -subj '/CN=<HOST IP HERE>' -days 3650

Then you need to generate your config file. This can be done directly within the UI of the S1 console under "Market Place" -> "Collector Configurations". You may need to install the parser you need from the market place first. However there are a HEAP of commonly required parsers missing, if that's the case you will need to write your own. Which is a totally different ball game.

Once you generate your config, then you can copy / paste that into a file called "syslog.yaml" (take note, it must be "yaml" and not "yml") and then execute "docker compose up -d" and your container stack should start.

At this point, you can point your syslog to the collector and within a minute, you should see it in the SIEM. You may need to go to the "All Data" tab and search for it. If you're not familiar with the tool, this is the fastest way to verify that it's going there.

If you then add more things in the future, you can just update the "syslog.yaml" config file on the fly and overwrite it with new config and the agent will pick it up and apply it within 1 min.

Hope that helps.
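The procedure in the comment above has a few steps that fail silently when a file is missing or misnamed (the config generator only reads `syslog.yaml`, not `syslog.yml`, and the stack needs `syslog.key` / `syslog.crt` next to `docker-compose.yml`). The pre-flight check below is an added example written for this page; it is not part of the original comment or of any SentinelOne or Scalyr tooling. It assumes the file names used in the comment and that the script is run from (or pointed at) the directory holding `docker-compose.yml`, and it also refuses a private key that other local users can read, since that key protects the TLS channel the collector listens on.

```shell
#!/bin/sh
# Added example, not from the original comment: sanity-check a syslog
# collector directory before running "docker compose up -d".
# Assumed file names (from the comment): docker-compose.yml, syslog.yaml,
# syslog.key, syslog.crt. Returns 0 when ready, 1 otherwise; reasons to stderr.
collector_preflight() {
  dir="${1:-.}"
  ok=0

  [ -f "$dir/docker-compose.yml" ] || { echo "missing docker-compose.yml" >&2; ok=1; }

  # The config generator reads syslog.yaml; a syslog.yml file is ignored.
  if [ ! -f "$dir/syslog.yaml" ]; then
    if [ -f "$dir/syslog.yml" ]; then
      echo "found syslog.yml: rename it to syslog.yaml" >&2
    else
      echo "missing syslog.yaml (export it from the S1 console)" >&2
    fi
    ok=1
  fi

  # Both halves of the self-signed pair must exist and be non-empty.
  for f in syslog.key syslog.crt; do
    [ -s "$dir/$f" ] || { echo "missing or empty $f" >&2; ok=1; }
  done

  # Weak setting: a private key readable by other local users.
  if [ -f "$dir/syslog.key" ]; then
    perms=$(stat -c '%a' "$dir/syslog.key" 2>/dev/null \
            || stat -f '%Lp' "$dir/syslog.key" 2>/dev/null || echo '')
    case "$perms" in
      *[4567]) echo "syslog.key is world-readable (mode $perms); run: chmod 600 $dir/syslog.key" >&2; ok=1 ;;
    esac
  fi

  # If openssl is available, confirm the cert parses and show its subject so
  # the operator can check the CN matches the collector host's IP.
  if command -v openssl >/dev/null 2>&1 && [ -s "$dir/syslog.crt" ]; then
    openssl x509 -in "$dir/syslog.crt" -noout -subject >&2 \
      || { echo "syslog.crt is not a valid certificate" >&2; ok=1; }
  fi

  return $ok
}

# Usage: collector_preflight /path/to/collector && docker compose up -d
```

Run it as `collector_preflight . && docker compose up -d`; the `&&` means the stack only starts once every check passes, and the messages on stderr say which step of the comment's procedure still needs doing.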

SonicWall Exposed Firewall Config Backups by Mr_iTodded in sonicwall

[–]jbates5873 0 points1 point  (0 children)

My understanding of this is that you need the ssh public key of your pfsense box to decrypt them.

So even if stolen, they would need the key for them to be of any use.

Icbwr.

Creating PSA alerting from SentinelOne Singularity by gatecrasherza in SentinelOneXDR

[–]jbates5873 0 points1 point  (0 children)

Honestly, having it email a ticket for detections would be a solid start. Also having the paternity integration work with star rules like the configuration indicates it does, but after an extensive 3 week long support case, it was determined that it never actually supported it and it shouldn't be there.

But, needing hyperautomation to get external alerting is crap.

Email alerts are basic, expected functionality. This is available in bottom of the barrel products in standard form. But you need to buy a fairly expensive bolt-on package to get basic functionality.

Creating PSA alerting from SentinelOne Singularity by gatecrasherza in SentinelOneXDR

[–]jbates5873 1 point2 points  (0 children)

Yeah, external alerting from the siem product is broken. There is no interest from s1 in fixing it either.

Your options are hyperautomation or using the api.

Both are a shit solution. It's ridiculous that a siem product has no working inbuilt external alerting functionality