From b795a0564d5955c8d4bb2d963bb3900b85d26499 Mon Sep 17 00:00:00 2001
From: "@AlanOrlikoski" <9388572+orlikoski@users.noreply.github.com>
Date: Sat, 26 May 2018 21:26:28 -0500
Subject: [PATCH] Skadi 2018.2

# System Changes
* Added authenticated reverse proxy to default build
* Updated secure networking script to work with Skadi 2018.2
* Updated Digitally signed Skadi build script
# Updated CDQR and Plaso
* Updated Plaso to 20180524
* Updated CDQR to 4.1.6
* Changed version of ELK to 5.x (Plaso now checks for it)
# TimeSketch Stability Improvements
* Improved TimeSketch stability by adding Gunicorn to serve it through the reverse proxy
* Changed version of ELK to 5.x (TimeSketch works best with 5.x)
# Upgrade Support
* Created Skadi 2018.1 to Skadi 2018.2 Upgrade script
# Other
* Updated README.md
* Updated and created build tests
---
 README.md | 13 +-
 objects/kibana_5.x.json | 769 ++++++++++++++++++++++++++++++++++
 scripts/2018.1_to_2018.2.sh | 172 ++++++++
 scripts/builds/build_tests.sh | 26 ++
 scripts/builds/cleanup.sh | 11 +
 scripts/secure_network.sh | 86 ++--
 scripts/signedbuildskadi.sh | 111 ++++-
 7 files changed, 1113 insertions(+), 75 deletions(-)
 create mode 100644 objects/kibana_5.x.json
 create mode 100644 scripts/2018.1_to_2018.2.sh
 create mode 100644 scripts/builds/build_tests.sh
 create mode 100644 scripts/builds/cleanup.sh

diff --git a/README.md b/README.md
index 930b6d4..6bade50 100644
--- a/README.md
+++ b/README.md
@@ -15,8 +15,15 @@ There is a Slack community setup for developers and users of the Skadi ecosystem
 [Join the Skadi Community Slack](http://skadicommunity.herokuapp.com/)
 
 ## Latest Releases!!
-[Skadi Server 2018.1](https://drive.google.com/open?id=16DNRbr-uvwi9YrUeWT5HyyVd6O2eKMwe): Headless server ~2GB in size
-[Skadi Desktop 2018.1](https://drive.google.com/open?id=1eq9ZVQAS8WUCNDMhQdjP9mFXdn75ekId): Provides Ubuntu's Default Desktop environment: ~3GB in size
+[Skadi Server 2018.2](https://drive.google.com/open?id=1hLkFoHIcb9C39aQsGN4i235GZnTHmxm9): Headless server ~2GB in size
+[Skadi Desktop 2018.2](https://drive.google.com/open?id=1iIf-bGBwu0xZoZMTOQma8RIppsjMf6iu): Server plus Ubuntu's Default Desktop ~3GB in size
+
+ ### Previous Versions
+Skadi Server
+[Skadi Server 2018.1](https://drive.google.com/open?id=16DNRbr-uvwi9YrUeWT5HyyVd6O2eKMwe)
+
+Skadi Desktop
+[Skadi Desktop 2018.1](https://drive.google.com/open?id=1eq9ZVQAS8WUCNDMhQdjP9mFXdn75ekId)
 
 ### Kibana, TimeSketch, Cerebro Included
 ![](/objects/images/desk_tools.jpg?)
@@ -36,7 +43,7 @@ There is a Slack community setup for developers and users of the Skadi ecosystem
 ## Skadi Add-on Packs
 Skadi add-on packs are installed on top of the base Skadi VM to provide extra functionality
 * [Skadi Pack 01: Automation](https://github.com/orlikoski/Skadi/wiki/Skadi-Pack-01:-Automation): Provides two methods of integrating with any Automation tool: gRPC API or using SSH
-* [Skadi Pack 02: Secure Networking](https://github.com/orlikoski/Skadi/wiki/Skadi-Pack-02:-Secure-Networking): Installs and configures the firewall as well as an authenticated reverse proxy with valid TLS/SSL certificates
+* [Skadi Pack 02: Secure Networking](https://github.com/orlikoski/Skadi/wiki/Skadi-Pack-02:-Secure-Networking): Updates the firewall and authenticated reverse proxy for use in network deployment. Provides instructions for obtaining TLS/SSL certificates
 
 ## Included Tools
 The following tools are combined into one platform that all work together to provide everyone with the ability to collect data, convert the bits and bytes to words and numbers, and analyse the results quickly and easily. All of this enables the ability to rapidly hunt for host based evidence of a malicious activities.
diff --git a/objects/kibana_5.x.json b/objects/kibana_5.x.json
new file mode 100644
index 0000000..7e438a3
--- /dev/null
+++ b/objects/kibana_5.x.json
@@ -0,0 +1,769 @@ +[ + { + "_id": "AWOV9XJlylatT0I1Go5E", + "_type": "dashboard", + "_source": { + "title": "Anti-Virus", + "hits": 0, + "description": "", + "panelsJSON": "[{\"size_x\":12,\"size_y\":5,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"Anti-Virus\",\"col\":1,\"row\":1}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOV91rKylatT0I1IPiJ", + "_type": "dashboard", + "_source": { + "title": "Appcompat", + "hits": 0, + "description": "", + "panelsJSON": "[{\"col\":1,\"id\":\"Appcompat\",\"panelIndex\":1,\"row\":1,\"size_x\":12,\"size_y\":4,\"type\":\"visualization\"}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOV-OO1ylatT0I1Jf8A", + "_type": "dashboard", + "_source": { + "title": "Firewall", + "hits": 0, + "description": "", + "panelsJSON": "[{\"size_x\":12,\"size_y\":4,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"Firewall\",\"col\":1,\"row\":1}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOV_N5CylatT0I1MYuE", + "_type": "dashboard", + "_source": { + "title": "Internet History", + "hits": 0, + "description": "", + 
"panelsJSON": "[{\"col\":1,\"id\":\"Internet-History\",\"panelIndex\":1,\"row\":1,\"size_x\":12,\"size_y\":4,\"type\":\"visualization\"}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOV_XClylatT0I1MoHc", + "_type": "dashboard", + "_source": { + "title": "Linux Items", + "hits": 0, + "description": "", + "panelsJSON": "[{\"size_x\":12,\"size_y\":4,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"Linux\",\"col\":1,\"row\":1}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOV_vdMylatT0I1NRav", + "_type": "dashboard", + "_source": { + "title": "Parser Details", + "hits": 0, + "description": "", + "panelsJSON": "[{\"size_x\":12,\"size_y\":4,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"3184b570-3604-11e8-abe3-892c2e94b163\",\"col\":1,\"row\":1},{\"size_x\":12,\"size_y\":4,\"panelIndex\":2,\"type\":\"visualization\",\"id\":\"Parser-Results\",\"col\":1,\"row\":5}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOV_9HtylatT0I1NnqE", + "_type": "dashboard", + "_source": { + "title": "Torrents", + "hits": 0, + "description": "", + "panelsJSON": 
"[{\"size_x\":12,\"size_y\":6,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"dfa77640-35ca-11e8-b33b-ff969cd97ce8\",\"col\":1,\"row\":1}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOV_1TyylatT0I1Na8v", + "_type": "dashboard", + "_source": { + "title": "Persistence", + "hits": 0, + "description": "", + "panelsJSON": "[{\"size_x\":12,\"size_y\":6,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"Persistence\",\"col\":1,\"row\":1}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOV_iauylatT0I1M7bE", + "_type": "dashboard", + "_source": { + "title": "Mac Items", + "hits": 0, + "description": "", + "panelsJSON": "[{\"size_x\":12,\"size_y\":5,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"MAC\",\"col\":1,\"row\":1}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOWArYlylatT0I1QMcN", + "_type": "dashboard", + "_source": { + "title": "Prefetch", + "hits": 0, + "description": "", + "panelsJSON": "[{\"size_x\":12,\"size_y\":4,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"Prefetch\",\"col\":1,\"row\":1}]", + "optionsJSON": 
"{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "AWOWCDIOylatT0I1Umdl", + "_type": "dashboard", + "_source": { + "title": "Windows System and User Information", + "hits": 0, + "description": "", + "panelsJSON": "[{\"col\":7,\"id\":\"User-Information\",\"panelIndex\":1,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"size_x\":6,\"size_y\":3,\"panelIndex\":2,\"type\":\"visualization\",\"id\":\"AWOWDze0ylatT0I1Z9lC\",\"col\":1,\"row\":1}]", + "optionsJSON": "{\"darkTheme\":false}", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Anti-Virus", + "_type": "search", + "_source": { + "title": "Anti-Virus", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:mcafee_protection* OR parser:symantec_scanlog* OR parser:winfirewall* OR parser:ccleaner*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Mac", + "_type": "search", + "_source": { + "title": "Mac", + "description": "", + "hits": 
0, + "columns": [ + "message", + "parser" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:airport* OR parser:apple_id* OR parser:bash* OR parser:bash_history* OR parser:bsm_log* OR parser:cron* OR parser:cups_ipp* OR parser:dockerjson* OR parser:dpkg* OR parser:fsevents* OR parser:google_drive* OR parser:hachoir* OR parser:imessage* OR parser:ipod_device* OR parser:java_idx* OR parser:mac_document_versions* OR parser:mac_keychain* OR parser:mac_securityd* OR parser:mackeeper_cache* OR parser:macosx_bluetooth* OR parser:macosx_install_history* OR parser:mactime* OR parser:macuser* OR parser:macwifi* OR parser:maxos_software_update* OR parser:mcafee_protection* OR parser:olecf* OR parser:openxml* OR parser:pe* OR parser:plist* OR parser:plist_default* OR parser:popularity_contest* OR parser:selinux* OR parser:spotlight* OR parser:sqlite* OR parser:ssh* OR parser:syslog* OR parser:systemd_journal* OR parser:time_machine* OR parser:utmp* OR parser:xchatlog* OR parser:xchatscrollback* OR parser:zeitgeist* OR parser:zsh_extended_history*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Linux", + "_type": "search", + "_source": { + "title": "Linux", + "description": "", + "hits": 0, + "columns": [ + "parser", + "message" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:bash* OR parser:binary_cookies* OR parser:bsm_log* OR parser:cron* OR parser:cups_ipp* OR parser:dockerjson* OR parser:dpkg* OR parser:fsevents* OR parser:google_drive* OR parser:hachoir* OR parser:imessage* OR parser:java_idx* OR parser:olecf* OR parser:openxml* OR parser:pe* OR parser:popularity_contest* OR parser:selinux* OR parser:sqlite* OR parser:ssh OR parser:syslog* OR parser:systemd_journal* OR parser:utmp* OR parser:utmpx* OR parser:xchatlog* OR parser:xchatscrollback* OR parser:zsh_extended_history*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Internet-History", + "_type": "search", + "_source": { + "title": "Internet History", + "description": "", + "hits": 0, + "columns": [ + "message", + "parser" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:bencode* OR parser:binary_cookies* OR parser:chrome_* OR parser:firefox_* OR parser:google_drive* OR parser:java_idx* OR parser:msiecf* OR parser:opera_* OR parser:safari_* OR parser:sqlite* OR parser:windows_typed_urls*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Firewall", + "_type": "search", + "_source": { + "title": "Firewall", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:winfirewall* OR parser:mac_appfirewall_log*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "File-System", + "_type": "search", + "_source": { + "title": "File System", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:filestat OR parser:recycle_bin*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Appcompatcache", + "_type": "search", + "_source": { + "title": "Appcompatcache", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:appcompatcache\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "MFT-Results", + "_type": "search", + "_source": { + "title": "MFT", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"query\":{\"query_string\":{\"query\":\"parser:mft\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "System-Information", + "_type": "search", + "_source": { + "title": "System Information", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:dockerjson* OR parser:dpkg* OR parser:explorer_* OR parser:fsevents* OR parser:mac_keychain* OR parser:mac_securityd* OR parser:mackeeper_cache* OR parser:macosx_bluetooth* OR parser:macosx_install_history* OR parser:mactime* OR parser:macuser* OR parser:macwifi* OR parser:network_drives* OR parser:rplog* OR parser:windows_shutdown* OR parser:windows_timezone* OR parser:windows_usb_devices* OR parser:windows_usbstor_devices* OR parser:windows_version*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Persistence", + "_type": "search", + "_source": { + "title": "Persistence", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"bagmru* OR parser:bencode* OR parser:mrulist* OR parser:msie_zone* OR parser:mstsc_rdp* OR parser:userassist* OR parser:windows_bootwindows_run* OR parser:windows_sam_users* OR parser:windows_services* OR parser:winrar_mru*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Scheduled-Tasks", + "_type": "search", + "_source": { + "title": "Scheduled Tasks", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:winjob* OR parser:windows_task_cache* OR parser:cron*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Windows-Event-Logs", + "_type": "search", + "_source": { + "title": "Windows Event Logs", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:winevt*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Prefetch", + "_type": "search", + 
"_source": { + "title": "Prefetch", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:prefetch\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "Registry", + "_type": "search", + "_source": { + "title": "Registry", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:winreg*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "USNJRNL", + "_type": "search", + "_source": { + "title": "USNJRNL", + "description": "", + "hits": 0, + "columns": [ + "_source" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"parser:usnjrnl*\",\"analyze_wildcard\":true}},\"highlightAll\":true,\"version\":true}" + } + } + }, + { + "_id": "781db980-35ca-11e8-b33b-ff969cd97ce8", + "_type": "search", + "_source": { + "title": "Torrents", + "description": 
"", + "hits": 0, + "columns": [ + "message" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"parser:bencode*\",\"analyze_wildcard\":true}},\"filter\":[]}" + } + } + }, + { + "_id": "7a9bca50-35f5-11e8-bb5c-418087d19514", + "_type": "search", + "_source": { + "title": "OS Version", + "description": "", + "hits": 0, + "columns": [ + "product_name" + ], + "sort": [ + "datetime", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"parser:windows_version*\",\"analyze_wildcard\":true}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"AWOVz90VaOby_OCrdJKD\",\"type\":\"exists\",\"key\":\"product_name\",\"value\":\"exists\",\"disabled\":false,\"alias\":null},\"exists\":{\"field\":\"product_name\"},\"$state\":{\"store\":\"appState\"}}]}" + } + } + }, + { + "_id": "3184b570-3604-11e8-abe3-892c2e94b163", + "_type": "visualization", + "_source": { + "title": "Parser Graph", + "visState": "{\"title\":\"Parser Graph\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Number of Events\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"parser.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Parser Information\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" + } + } + }, + { + "_id": "Internet-History", + "_type": "visualization", + "_source": { + "title": "Internet History", + "visState": "{\"title\":\"Internet History\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":10000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Internet History Messages (Up to 1,000 entries shown)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parser.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Parser\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "Internet-History", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "Linux", + "_type": "visualization", + "_source": { + "title": "Linux", + "visState": 
"{\"title\":\"Linux\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Linux Messages (Up to 1,000 entries shown)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parser.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Parser\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "Linux", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "MAC", + "_type": "visualization", + "_source": { + "title": "MacOS", + "visState": "{\"title\":\"MacOS\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"MacOS Messages (Up to 1,000 entries 
shown)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parser.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Parser\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "Mac", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "Anti-Virus", + "_type": "visualization", + "_source": { + "title": "Anti-Virus", + "visState": "{\"title\":\"Anti-Virus\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Anti-Virus Message (Up to 1,000 entries shown)\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "Anti-Virus", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "Firewall", + "_type": "visualization", + "_source": { + "title": 
"Firewall", + "visState": "{\"title\":\"Firewall\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Firewall Messages (Up to 1,000 entries shown)\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "Firewall", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "Appcompat", + "_type": "visualization", + "_source": { + "title": "Appcompat", + "visState": "{\"title\":\"Appcompat\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Last Modified DateTime\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Appcompat Messages (Up to 1,000 entries shown)\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "Appcompatcache", + 
"version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "User-Information", + "_type": "visualization", + "_source": { + "title": "User Information", + "visState": "{\"title\":\"User Information\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_sid.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"User SID (Up to 1,000 entries shown)\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Username (if parsed)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}},{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Number of Associated Logs\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" + } + } + }, + { + "_id": "dfa77640-35ca-11e8-b33b-ff969cd97ce8", + "_type": "visualization", + "_source": { + "title": "Torrents", + "visState": 
"{\"title\":\"Torrents\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"2\",\"customLabel\":\"Torrent Messages (Up to 1,000 entries shown)\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "781db980-35ca-11e8-b33b-ff969cd97ce8", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "Scheduled-Tasks", + "_type": "visualization", + "_source": { + "title": "Scheduled Tasks", + "visState": "{\"title\":\"Scheduled Tasks\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Scheduled Task Messages (Up to 1,000 entries 
shown)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parser.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Parser\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "Scheduled-Tasks", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "Persistence", + "_type": "visualization", + "_source": { + "title": "Persistence", + "visState": "{\"title\":\"Persistence\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Persistence Messages (Up to 1,000 entries shown)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parser.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Parser\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + 
"savedSearchId": "Persistence", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "Registry", + "_type": "visualization", + "_source": { + "title": "Registry", + "visState": "{\"title\":\"Registry\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Registry Messages (Up to 1,000 entries shown)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parser.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Parser\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "Registry", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "Parser-Results", + "_type": "visualization", + "_source": { + "title": "Parser Results", + "visState": "{\"title\":\"Parser Results\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Number of 
Records\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parser.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Parser Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"AWOVz90VaOby_OCrdJKD\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" + } + } + }, + { + "_id": "Prefetch", + "_type": "visualization", + "_source": { + "title": "Prefetch", + "visState": "{\"title\":\"Prefetch\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Prefetch Messages (Up to 1,000 entries shown)\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "Prefetch", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { 
+ "_id": "File-System", + "_type": "visualization", + "_source": { + "title": "File System", + "visState": "{\"title\":\"File System\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File System Messages (Up to 1,000 entries shown)\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Latest Activity\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"datetime\",\"customLabel\":\"Earliest Activity\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"is_allocated\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"3\",\"customLabel\":\"Is Allocated\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "File-System", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + }, + { + "_id": "AWOWDze0ylatT0I1Z9lC", + "_type": "visualization", + "_source": { + "title": "OS Version", + "visState": "{\"title\":\"OS Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Number or Associated 
Records\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"product_name.keyword\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"OS Version\"}}],\"listeners\":{}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "7a9bca50-35f5-11e8-bb5c-418087d19514", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + } + } + } +] diff --git a/scripts/2018.1_to_2018.2.sh b/scripts/2018.1_to_2018.2.sh new file mode 100644 index 0000000..4fb7e12 --- /dev/null +++ b/scripts/2018.1_to_2018.2.sh 
@@ -0,0 +1,172 @@
+#!/bin/bash
+echo "Upgrading Skadi 2018.1 to 2018.2"
+echo "*********** WARNING ***********"
+echo "All data in the ELK will be lost and the data in TimeSketch could be corrupted (due to the loss of Elasticsearch data) due to this upgrade"
+echo "Additionally, the `Post Installation` instructions from https://github.com/orlikoski/Skadi/wiki/Installation:-OpenSSL-Signed-Installation-Guide will need to be followed"
+echo "If this seems like too much work are will create issues, it may be easier to use the newest version of Skadi and skip the upgrade process"
+echo ""
+echo "root or sudo privileges are required for this installation"
+echo "*********** WARNING ***********"
+echo ""
+read -n 1 -r -s -p "Press any key to continue... or CTRL+C to exit (nothing has been installed)"
+echo ""
+echo ""
+set -e
+# This script converts Skadi 2018.1 to 2018.2
+# NOTE: All of the data in the ELK stack will be lost
+sudo cp /etc/elasticsearch/scripts/add_label.groovy /tmp/
+sudo cp /etc/elasticsearch/scripts/toggle_label.groovy /tmp/
+
+sudo apt purge elasticsearch kibana logstash -y
+sudo rm -rf /var/lib/elasticsearch /etc/elasticsearch /var/lib/kibana
+sudo -H pip install --upgrade pip
+sudo -H pip2 install --upgrade pip
+sudo -H pip2 uninstall elasticsearch -y
+
+sudo rm /etc/apt/sources.list.d/elastic-*
+echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
+sudo apt update && sudo apt dist-upgrade -y
+sudo apt autoremove -y
+
+sudo apt install elasticsearch kibana logstash -y
+sudo cp /tmp/add_label.groovy /etc/elasticsearch/scripts/
+sudo cp /tmp/toggle_label.groovy /etc/elasticsearch/scripts/
+
+sudo -H pip install --upgrade botocore boto3 gunicorn
+
+sudo systemctl stop elasticsearch logstash kibana cerebro timesketch
+sudo sed -i 's@#server.host\: \"localhost\"@server.host\: \"0.0.0.0\"@g' /etc/kibana/kibana.yml
+sudo sed -i 's/#network.host\: 192.168.0.1/network.host\: localhost/g' 
/etc/elasticsearch/elasticsearch.yml
+
+# Assign jvm.options to 2GB
+# Default Values
+# -Xms1g
+# -Xmx1g
+sudo sed -i "s/-Xms1/-Xms2/g" /etc/elasticsearch/jvm.options
+sudo sed -i "s/-Xmx1/-Xmx2/g" /etc/elasticsearch/jvm.options
+
+timesketch_service="W1VuaXRdCkRlc2NyaXB0aW9uPVRpbWVTa2V0Y2ggU2VydmljZQpBZnRlcj1uZXR3b3JrLnRhcmdldAoKW1NlcnZpY2VdClVzZXI9dGltZXNrZXRjaApHcm91cD10aW1lc2tldGNoCkV4ZWNTdGFydD0vdXNyL2xvY2FsL2Jpbi9ndW5pY29ybiAtLXdvcmtlcnMgNCAtLWJpbmQgMTI3LjAuMC4xOjUwMDAgdGltZXNrZXRjaC53c2dpIAoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0Cg=="
+echo $timesketch_service |base64 -d | sudo tee /etc/systemd/system/timesketch.service
+sudo systemctl daemon-reload
+sudo systemctl restart timesketch
+
+sudo systemctl restart elasticsearch logstash kibana cerebro timesketch
+sudo /bin/systemctl daemon-reload &&
+sudo /bin/systemctl enable elasticsearch logstash kibana &&
+sudo /bin/systemctl start elasticsearch logstash kibana
+
+# Install Networking pack
+echo "Now installing secure networking pack"
+# Disable IPv6
+echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
+echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
+echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
+sudo sysctl -p
+
+# Install and configure gunicorn
+sudo pip2 install gunicorn
+sudo systemctl stop timesketch
+timesketch_service="W1VuaXRdCkRlc2NyaXB0aW9uPVRpbWVTa2V0Y2ggU2VydmljZQpBZnRlcj1uZXR3b3JrLnRhcmdldAoKW1NlcnZpY2VdClVzZXI9dGltZXNrZXRjaApHcm91cD10aW1lc2tldGNoCkV4ZWNTdGFydD0vdXNyL2xvY2FsL2Jpbi9ndW5pY29ybiAtLXdvcmtlcnMgNCAtLWJpbmQgMTI3LjAuMC4xOjUwMDAgdGltZXNrZXRjaC53c2dpCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQK"
+echo $timesketch_service |base64 -d | sudo tee /etc/systemd/system/timesketch.service
+sudo systemctl daemon-reload
+sudo systemctl restart timesketch.service
+
+# Update Kibana to work with forwarding
+sudo systemctl stop kibana
+sudo sed -i "s@\#server.basePath: 
\"\"@server.basePath: \"/kibana\"@g" /etc/kibana/kibana.yml +sudo systemctl start kibana + +# Install Nginx and web utils +sudo apt install nginx apache2-utils -y +sudo ufw allow 'Nginx Full' +sudo ufw allow 'OpenSSH' +sudo ufw --force enable + +# Configure Nginx for Kibana, Cerebro, and TimeSketch +nginx_conf="c2VydmVyIHsKICBsaXN0ZW4gODA7CiAgc2VydmVyX25hbWUgXzsKICBjbGllbnRfbWF4X2JvZHlfc2l6ZSA3NU07CiAgcHJveHlfY29ubmVjdF90aW1lb3V0IDkwMHM7CiAgcHJveHlfcmVhZF90aW1lb3V0IDkwMHM7CiAgcm9vdCAgICAgICAgIC91c3Ivc2hhcmUvbmdpbngvaHRtbDsKICBlcnJvcl9wYWdlIDQwNCAvNDA0Lmh0bWw7CiAgICBsb2NhdGlvbiA9IC80MDQuaHRtbCB7fQogIGVycm9yX3BhZ2UgNTAwIDUwMiA1MDMgNTA0IC81MHguaHRtbDsKICAgIGxvY2F0aW9uID0gLzUweC5odG1sIHt9CgogIGVycm9yX2xvZyAgIC92YXIvbG9nL25naW54L2Vycm9yLmxvZzsKICBhY2Nlc3NfbG9nICAvdmFyL2xvZy9uZ2lueC9hY2Nlc3MubG9nOwoKICBsb2NhdGlvbiAvIHsKICAgIHByb3h5X3Bhc3MgaHR0cDovL2xvY2FsaG9zdDo1MDAwOwogICAgcHJveHlfaHR0cF92ZXJzaW9uIDEuMTsKICAgIHByb3h5X3NldF9oZWFkZXIgVXBncmFkZSAkaHR0cF91cGdyYWRlOwogICAgcHJveHlfc2V0X2hlYWRlciBDb25uZWN0aW9uICd1cGdyYWRlJzsKICAgIHByb3h5X3NldF9oZWFkZXIgSG9zdCAkaG9zdDsKICAgIHByb3h5X2NhY2hlX2J5cGFzcyAkaHR0cF91cGdyYWRlOwogICAgc3ViX2ZpbHRlciAnTG9nb3V0PC9hPicgJ0xvZ291dDwvYT48YnI+Jm5ic3A7Jm5ic3A7Jm5ic3A7PGEgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSJjb2xvcjojZmZmOyIgaHJlZj0iL2tpYmFuYS8iPktpYmFuYTwvYT4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8YSB0YXJnZXQ9Il9ibGFuayIgc3R5bGU9ImNvbG9yOiNmZmY7IiBocmVmPSIvY2VyZWJyby8jL292ZXJ2aWV3P2hvc3Q9aHR0cDolMkYlMkZsb2NhbGhvc3Q6OTIwMCI+Q2VyZWJybzwvYT4nOwogICAgc3ViX2ZpbHRlciAnU2lnbiBpbjwvYnV0dG9uPicgJ1NpZ24gaW48L2J1dHRvbj48YnI+PGJyPjxhIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6I2ZmZjsiIGhyZWY9Ii9raWJhbmEvIj5LaWJhbmE8L2E+PGJyPjxhIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6I2ZmZjsiIGhyZWY9Ii9jZXJlYnJvLyMvb3ZlcnZpZXc/aG9zdD1odHRwOiUyRiUyRmxvY2FsaG9zdDo5MjAwIj5DZXJlYnJvPC9hPic7CiAgICBzdWJfZmlsdGVyX29uY2Ugb2ZmOwogIH0KCiAgbG9jYXRpb24gfiBeL2tpYmFuYSguKikkIHsKICAgIHByb3h5X2h0dHBfdmVyc2lvbiAxLjE7CiAgICBwcm94eV9zZXRfaGVhZGVyIFVwZ3JhZGUgJGh0dHBfdXBncmFkZTsKICAgIHByb3h5X3NldF9
oZWFkZXIgQ29ubmVjdGlvbiAndXBncmFkZSc7CiAgICBwcm94eV9zZXRfaGVhZGVyIEhvc3QgJGhvc3Q7CiAgICBwcm94eV9jYWNoZV9ieXBhc3MgJGh0dHBfdXBncmFkZTsKICAgIHByb3h5X3Bhc3MgIGh0dHA6Ly9sb2NhbGhvc3Q6NTYwMTsKICAgIHJld3JpdGUgXi9raWJhbmEvKC4qKSQgLyQxIGJyZWFrOwogICAgcmV3cml0ZSBeL2tpYmFuYSQgL2tpYmFuYS87CiAgICBhdXRoX2Jhc2ljICJSZXN0cmljdGVkIENvbnRlbnQiOwogICAgYXV0aF9iYXNpY191c2VyX2ZpbGUgL2V0Yy9uZ2lueC8ua2liYW5hX2F1dGg7CiAgfQoKICBsb2NhdGlvbiAvY2VyZWJyby8gewogICAgcHJveHlfcGFzcyBodHRwOi8vbG9jYWxob3N0OjkwMDAvOwogICAgcHJveHlfc2V0X2hlYWRlciBIb3N0ICRob3N0OwogICAgYXV0aF9iYXNpYyAiUmVzdHJpY3RlZCBDb250ZW50IjsKICAgIGF1dGhfYmFzaWNfdXNlcl9maWxlIC9ldGMvbmdpbngvLmNlcmVicm9fYXV0aDsKICB9Cn0K"
+
+# Check for and remove old version of nginx setup files
+old_configs=("/etc/nginx/sites-available/cerebro" "/etc/nginx/sites-available/kibana" "/etc/nginx/sites-available/timesketch")
+for i in "${old_configs[@]}"
+do
+ sudo rm -f -- $i
+done
+
+# Configure default site
+echo $nginx_conf |base64 -d |sudo tee /etc/nginx/sites-available/default
+
+# Add domain name (if changed) and enable basic auth
+
+# Configure Kibana Credentials
+k_user="skadi"
+k_pass="skadi"
+echo $k_pass | sudo htpasswd -i -c /etc/nginx/.kibana_auth $k_user
+
+# Configure Cerebro Credentials
+c_user="skadi"
+c_pass="skadi"
+echo $c_pass | sudo htpasswd -i -c /etc/nginx/.cerebro_auth $c_user
+
+sudo systemctl restart nginx
+sudo systemctl enable nginx
+
+# Install and Configure Letsencrypt
+sudo apt update -y
+sudo apt install software-properties-common -y
+sudo add-apt-repository ppa:certbot/certbot -y
+sudo apt update -y
+sudo apt install python-certbot-nginx -y
+
+# Set default number of replicas to 0 (this prevents unassigned shards in default Skadi)
+curl -X PUT "localhost:9200/_template/all" -H 'Content-Type: application/json' -d'
+{
+ "template": "*",
+ "settings": {
+ "number_of_replicas": 0
+ }
+}
+'
+
+# Configure Kibana Credentials
+k_user="skadi"
+k_pass="skadi"
+echo $k_pass | sudo htpasswd -i -c /etc/nginx/.kibana_auth $k_user
+
+# 
Configure Cerebro Credentials
+c_user="skadi"
+c_pass="skadi"
+echo $c_pass | sudo htpasswd -i -c /etc/nginx/.cerebro_auth $c_user
+
+sudo systemctl restart nginx
+sudo systemctl enable nginx
+
+echo ""
+echo ""
+echo ""
+echo ""
+echo "The Nginx reverse proxy setup is complete with the following:"
+new_domain="`hostname or IP address`"
+echo "The following are now being reverse proxied with authentication at: "
+echo ""
+echo " TimeSketch:"
+echo " - 'http://$new_domain'"
+echo ""
+echo " Kibana:"
+echo " - 'http://$new_domain/kibana'"
+echo " - Username: $k_user"
+echo " - Password: $k_pass"
+echo ""
+echo " Cerebro"
+echo " - 'http://$new_domain/cerebro'"
+echo " - Username: $c_user"
+echo " - Password: $c_pass"
+echo ""
+echo ""
+echo "WARNING!!! Encryption is not enabled and it is strongly recommended to enable it before using on any type of production network"
+echo ""
+echo ""
+echo ""
+echo ""
+echo "The upgrade from 2018.1 to 2018.2 has been mostly completed"
+echo "All data in the ELK has been lost and the data in TimeSketch could be corrupted (due to the loss of Elasticsearch data) due to this upgrade"
+echo "Additionally, the `Post Installation` instructions from https://github.com/orlikoski/Skadi/wiki/Installation:-OpenSSL-Signed-Installation-Guide need to be followed"
diff --git a/scripts/builds/build_tests.sh b/scripts/builds/build_tests.sh
new file mode 100644
index 0000000..549fd51
--- /dev/null
+++ b/scripts/builds/build_tests.sh
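Review bot: The backticks inside the double-quoted strings on the two `echo "Additionally, the `Post Installation` instructions …"` lines (near the top and at the very end) and in `new_domain="`hostname or IP address`"` are command substitutions, not quotes, so bash runs `Post Installation` and `hostname or IP address` as commands. The echo lines merely lose the phrase and print a "command not found" on stderr, but the `new_domain` assignment runs after `set -e`, and running `hostname` with arguments as a non-root user is expected to fail, which aborts the script before it prints the Kibana and Cerebro credentials it just created. Use single quotes or a placeholder instead: `new_domain="<hostname or IP address>"` and `echo "Additionally, the 'Post Installation' instructions …"`. Separately, the Kibana/Cerebro credential blocks, the gunicorn unit file and the nginx restart are each written twice with the hard-coded `skadi`/`skadi` pair; generating the password once with `openssl rand -base64 32`, as the signed build script already does for the TimeSketch password, and writing each htpasswd file once would avoid shipping a known default behind the new proxy. This script also sets Kibana's `server.host` to `0.0.0.0` while the decoded nginx config proxies to `localhost:5601`, so the basic auth in front of Kibana is only as strong as the ufw rules that block 5601; binding Kibana to `localhost` would make the proxy the only path.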
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+plaso_files=( "cfreds.plaso" "macos.plaso" "ubuntu.plaso" "victimpc.plaso" "winxp.plaso" )
+zip_files=( "lr.zip" )
+
+
+for i in "${plaso_files[@]}"
+do
+ set -x
+ cdqr.py --plaso_db $i Results_ts_$i --es_ts test_$i
+ cdqr.py --plaso_db $i Results_kb_$i --es_kb test_$i
+ set +x
+done
+
+for i in "${zip_files[@]}"
+do
+ set -x
+ cdqr.py -z -p datt --max_cpu $i Results_ts_datt_$i
+ cdqr.py -z -p lin $i Results_ts_lin_$i
+ cdqr.py -z -p mac $i Results_ts_mac_$i
+ cdqr.py -z -p win --max_cpu $i Results_ts_win_$i
+ cdqr.py -z --max_cpu $i Results_ts_default_$i
+ set +x
+done
+
+echo "All tests complete"
diff --git a/scripts/builds/cleanup.sh b/scripts/builds/cleanup.sh
new file mode 100644
index 0000000..8ffea82
--- /dev/null
+++ b/scripts/builds/cleanup.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# Remove all snapshots prior to these steps
+# Zero out disk
+dd if=/dev/zero of=/EMPTY bs=1M ;rm -f /EMPTY
+
+# Remove history
+sudo rm /root/.bash_history;touch /root/.bash_history
+rm .bash_history;touch .bash_history;history -c
+
+# Once complete run the following on the host OS to compress the image
+# "C:\Program Files (x86)\VMware\VMware Workstation\vmware-vdiskmanager.exe" -k
diff --git a/scripts/secure_network.sh b/scripts/secure_network.sh
index 207cac4..031116d 100644
--- a/scripts/secure_network.sh
+++ b/scripts/secure_network.sh
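Review bot: In cleanup.sh, `history -c` on the `rm .bash_history;touch .bash_history;history -c` line only clears the history of the non-interactive shell that runs the script; the operator's interactive shell still holds its history in memory and writes it back to `~/.bash_history` on exit, recreating the file the script just removed. Either document that the script must be sourced (`. cleanup.sh`) so `history -c` acts on the calling shell, or tell the operator to run `history -c; unset HISTFILE` in their own shell afterwards. The privilege use is also mixed: `dd if=/dev/zero of=/EMPTY` and `touch /root/.bash_history` run unprivileged while the neighbouring `rm` uses `sudo`, so when run as a normal user the disk zeroing and the root history reset normally fail with permission errors and nothing reports it. Prefixing those commands with `sudo` as well, or requiring root at the top with `[[ $EUID -eq 0 ]] || exit 1`, would make the outcome predictable.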
@@ -1,13 +1,14 @@
 #!/bin/bash
 echo "Installing Skadi Pack: Secure Networking"
 echo "This installation will do the following:"
-echo " - Disable IPv6"
-echo " - Install and configure Nginx reverse proxy for TimeSketch, Kibana, and Cerebro websites"
+echo " - Update the Nginx reverse proxy for TimeSketch, Kibana, and Cerebro websites"
 echo " - Install and configure all prerequisits to install valid TLS/SSL certificates from Letsencrypt"
-echo " - Provide single command required to enable TLS/SSL encryption on all three websites"
+echo " - Change the default passwords for TimeSketch, Kibana and Cerebro (created dynamically at run time)"
+echo " - Enable TLS/SSL encryption using Letsencrypt"
 echo ""
-echo "In order to continue a hostname needs to provided and the Kibana, Cerebro, and TimeSketch websites will be setup as sub-domains"
-echo "This can be left blank for local use."
+echo "In order to continue a publicly accessable FQDN (such as 'mydomain.com') is required"
+echo "The Kibana, Cerebro, and TimeSketch websites will be configured to use that FQDN"
+echo "This cannot be left blank for the TLS certificates to work"
 echo ""
 echo ""
 echo "Example Domain: 'mydomain.com'"
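Review bot: `accessable` in the new `echo "In order to continue a publicly accessable FQDN (such as 'mydomain.com') is required"` line should be `accessible`; the same misspelling recurs in the new warning block at the end of this file (`The next step requires a publicly accessable FQDN with working DNS`), which also has `corrctly` for `correctly`. These strings are what the operator reads before granting the script root, so they are worth getting right.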
@@ -24,60 +25,31 @@ echo "All usernames and passwords are made dynamically at run time" echo "These are displayed at the end of the script (record them for use)" echo "" echo "*********** WARNING ***********" +echo "This script was built and tested to work on Skadi 2018.2" +echo "It is not possible to predict the results of using it on any other platform" echo "root or sudo privileges are required for this installation" echo "*********** WARNING ***********" echo "" read -n 1 -r -s -p "Press any key to continue... or CTRL+C to exit (nothing has been installed)" echo "" echo "" -# Disable IPv6 -echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf -echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf -echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf -sudo sysctl -p # Ask for and validate domain name to use echo "" echo "" -read -p "Please enter the hostname name to use (leave blank if not using a FQDN or routable hostname): " new_domain +read -p "Please enter the FQDN, IP address, or routable hostname to use (cannot be blank): " new_domain if [ -z "$new_domain" ]; then - echo "Warning: Domain entered was Null or empty" - echo "Using '_' for server name which will listen to all incoming requests" - echo "The server name can be changed later in /etc/nginx/sites-available/default" + echo "Warning: Hostname entered was Null or empty" + echo "This is required. 
Exiting" + exit fi -# Install gunicorn -sudo pip2 install gunicorn - -# Update Kibana to work with forwarding -sudo systemctl stop kibana -sudo sed -i "s@\#server.basePath: \"\"@server.basePath: \"/kibana\"@g" /etc/kibana/kibana.yml -sudo systemctl start kibana - -# Install Nginx and web utils -sudo apt install nginx apache2-utils -y -sudo ufw allow 'Nginx Full' -sudo ufw allow 'OpenSSH' -sudo ufw --force enable - -# Configure Nginx for Kibana, Cerebro, and TimeSketch -nginx_conf="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" - -# Check for and remove old version of nginx setup files -old_configs=("/etc/nginx/sites-available/cerebro" "/etc/nginx/sites-available/kibana" "/etc/nginx/sites-available/timesketch") -for i in "${old_configs[@]}" -do - sudo rm -f -- $i -done - -# Configure default site -echo $nginx_conf |base64 -d |sudo tee /etc/nginx/sites-available/default # Add domain name (if changed) and enable basic auth if [[ ! -z "$new_domain" ]]; then - echo "Replacing default server name '_' with '$new_domain'" - sudo sed -i "s/_\;/$new_domain\;/g" /etc/nginx/sites-available/default + echo "Replacing existing server name with '$new_domain'" + sudo sed -i "s/server_name .*\;/server_name $new_domain\;/g" /etc/nginx/sites-available/default fi # Configure Kibana Credentials 
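Review bot: The empty-hostname branch ends with a bare `exit`, which returns status 0, so a caller or build harness cannot tell the aborted run from a successful one; make it `exit 1`. The value read into `new_domain` is then interpolated unescaped into `sudo sed -i "s/server_name .*\;/server_name $new_domain\;/g" /etc/nginx/sites-available/default`, so an input containing `/`, `&` or `\` either breaks the sed expression or rewrites the wrong text in the nginx config; a whitelist check before the substitution, `[[ "$new_domain" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "Invalid hostname" >&2; exit 1; }`, keeps the config valid and rejects anything that is not a hostname or IPv4 address. With the empty case rejected above, the `if [[ ! -z "$new_domain" ]]` guard around the sed is now always true and can be dropped. The credential section this hunk ends on continues past the hunk.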
@@ -99,20 +71,16 @@ sudo apt install software-properties-common -y sudo add-apt-repository ppa:certbot/certbot -y sudo apt update -y sudo apt install python-certbot-nginx -y +sudo apt autoremove -y echo "" echo "" echo "" echo "" echo "" -echo "Nginx reverse proxy setup is complete with the following:" -if [[ ! -z "$new_domain" ]]; then - echo "Domain: '$new_domain'" -else - echo "Domain: " - new_domain="exampledomain.com" -fi -echo "The following are now being reverse proxied with authentication at: " +echo "Nginx reverse proxy update is complete with the following:" +echo "Hostname: '$new_domain'" +echo "The following are reverse proxied with authentication: " echo "" echo " TimeSketch:" echo " - 'http://$new_domain'" @@ -128,9 +96,19 @@ echo " - Username: $c_user" echo " - Password: $c_pass" echo "" echo "" -echo "WARNING!!! Encryption is not enabled and it is strongly recommended to enable it" echo "" echo "" -echo "Letsencrypt is installed and able to encrypt these sites if a valid, internet routable FQDN is used. It is not enabled by default" -echo "To start the Letsencrypt setup process type the following and follow the installation prompts:" -echo "sudo certbot --nginx" +echo "*********** WARNING ***********" +echo "The next step requires a publicly accessable FQDN with working DNS" +echo "If there is an issue with the FQDN, IP address, or routable hostname please stop now" +echo " - This can be changed in '/etc/nginx/sites-available/default'" +echo " - Change the line that start with 'server_name' to the correct name before continuing" +echo "" +echo "If there are any issues it is best to stop now and, when it is configured corrctly, run 'sudo certbot --nginx' manually" +echo "*********** WARNING ***********" +echo "" +echo "" +read -n 1 -r -s -p "If it is configured correctly; Press any key to continue... or CTRL+C to exit" +echo "" +echo "" +sudo certbot --nginx 
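Review bot: `sudo certbot --nginx` on the last line of the file is run without naming the domain, so certbot has to discover it from the `server_name` the script rewrote earlier and will prompt if it cannot; passing the value that was already validated, `sudo certbot --nginx -d "$new_domain" --redirect`, ties the certificate to that name and makes nginx redirect plain HTTP to HTTPS. The redirect matters here because the summary printed just above still advertises `http://$new_domain/kibana` and `http://$new_domain/cerebro`, and those paths sit behind HTTP basic auth, whose credentials are sent base64-encoded in the clear unless TLS is enforced. Printing the summary after a successful certbot run, with `https://` URLs, would also stop handing the operator plaintext links next to the passwords. The `$c_user`/`$c_pass` variables echoed in this hunk are assigned outside it.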
diff --git a/scripts/signedbuildskadi.sh b/scripts/signedbuildskadi.sh index 6b47021..f65ab30 100644 --- a/scripts/signedbuildskadi.sh +++ b/scripts/signedbuildskadi.sh @@ -44,7 +44,7 @@ sudo sed -i "s/$oldhostname/$newhostname/g" /etc/hosts >/dev/null 2>&1 echo skadi |sudo tee /etc/hostname >/dev/null 2>&1 sudo systemctl restart systemd-logind.service >/dev/null 2>&1 -# Install dependancies: +# Install dependancies: sudo sed -i 's/deb cdrom/#deb cdrom/g' /etc/apt/sources.list sudo apt update -y sudo apt dist-upgrade -y @@ -72,7 +72,7 @@ sudo apt install mono-devel -y #Install and Configure Elasticsearch wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - -echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list +echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list sudo add-apt-repository ppa:webupd8team/java -y sudo apt update -y sudo apt dist-upgrade -y @@ -123,8 +123,8 @@ sudo systemctl enable neo4j sudo apt install kibana logstash -y sudo sed -i 's@#server.host\: \"localhost\"@server.host\: \"0.0.0.0\"@g' /etc/kibana/kibana.yml sudo systemctl daemon-reload -sudo systemctl restart kibana -sudo systemctl enable kibana +sudo systemctl restart kibana +sudo systemctl enable kibana # Configure Celery celery_service="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" 
@@ -172,7 +172,7 @@ sudo sed -i "s@NEO4J_PASSWORD = u''@NEO4J_PASSWORD = u'$neo4jpassword'@g" /etc/t timesketchpassword=$(openssl rand -base64 32) -timesketchuser="cdqr_$(openssl rand -base64 3)" +timesketchuser="skadi_$(openssl rand -base64 3)" tsctl add_user -u "$timesketchuser" -p "$timesketchpassword" timesketch_service="W1VuaXRdCkRlc2NyaXB0aW9uPVRpbWVTa2V0Y2ggU2VydmljZQpBZnRlcj1uZXR3b3JrLnRhcmdldAoKW1NlcnZpY2VdClVzZXI9dGltZXNrZXRjaApHcm91cD10aW1lc2tldGNoCkV4ZWNTdGFydD0vdXNyL2xvY2FsL2Jpbi90c2N0bCBydW5zZXJ2ZXIgLWggMC4wLjAuMCAtcCA1MDAwIC0tdGhyZWFkZWQgLS1wYXNzdGhyb3VnaC1lcnJvcnMgCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQK" 
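Review bot: `openssl rand -base64 3` in the new `timesketchuser="skadi_$(openssl rand -base64 3)"` line can emit `+` and `/` within its 4-character output, so the generated TimeSketch username may contain characters that are awkward in URLs and in shell quoting when the operator later types it; `timesketchuser="skadi_$(openssl rand -hex 2)"` yields a 4-character alphanumeric suffix with the same entropy. The surrounding script continues on both sides of this hunk.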
@@ -252,6 +252,94 @@ rm /tmp/CyLR.zip
 echo ""
 echo ""
+# Disable IPv6
+echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
+echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
+echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
+sudo sysctl -p
+
+# Install and configure gunicorn
+sudo pip2 install gunicorn
+sudo systemctl stop timesketch
+timesketch_service="W1VuaXRdCkRlc2NyaXB0aW9uPVRpbWVTa2V0Y2ggU2VydmljZQpBZnRlcj1uZXR3b3JrLnRhcmdldAoKW1NlcnZpY2VdClVzZXI9dGltZXNrZXRjaApHcm91cD10aW1lc2tldGNoCkV4ZWNTdGFydD0vdXNyL2xvY2FsL2Jpbi9ndW5pY29ybiAtLXdvcmtlcnMgNCAtLWJpbmQgMTI3LjAuMC4xOjUwMDAgdGltZXNrZXRjaC53c2dpCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQK"
+echo $timesketch_service |base64 -d | sudo tee /etc/systemd/system/timesketch.service
+sudo systemctl daemon-reload
+sudo systemctl restart timesketch.service
+
+# Update Kibana to work with forwarding
+sudo systemctl stop kibana
+sudo sed -i "s@\#server.basePath: \"\"@server.basePath: \"/kibana\"@g" /etc/kibana/kibana.yml
+sudo systemctl start kibana
+
+# Install Nginx and web utils
+sudo apt install nginx apache2-utils -y
+sudo ufw allow 'Nginx Full'
+sudo ufw allow 'OpenSSH'
+sudo ufw --force enable
+
+# Configure Nginx for Kibana, Cerebro, and TimeSketch
+nginx_conf="c2VydmVyIHsKICBsaXN0ZW4gODA7CiAgc2VydmVyX25hbWUgXzsKICBjbGllbnRfbWF4X2JvZHlfc2l6ZSA3NU07CiAgcHJveHlfY29ubmVjdF90aW1lb3V0IDkwMHM7CiAgcHJveHlfcmVhZF90aW1lb3V0IDkwMHM7CiAgcm9vdCAgICAgICAgIC91c3Ivc2hhcmUvbmdpbngvaHRtbDsKICBlcnJvcl9wYWdlIDQwNCAvNDA0Lmh0bWw7CiAgICBsb2NhdGlvbiA9IC80MDQuaHRtbCB7fQogIGVycm9yX3BhZ2UgNTAwIDUwMiA1MDMgNTA0IC81MHguaHRtbDsKICAgIGxvY2F0aW9uID0gLzUweC5odG1sIHt9CgogIGVycm9yX2xvZyAgIC92YXIvbG9nL25naW54L2Vycm9yLmxvZzsKICBhY2Nlc3NfbG9nICAvdmFyL2xvZy9uZ2lueC9hY2Nlc3MubG9nOwoKICBsb2NhdGlvbiAvIHsKICAgIHByb3h5X3Bhc3MgaHR0cDovL2xvY2FsaG9zdDo1MDAwOwogICAgcHJveHlfaHR0cF92ZXJzaW9uIDEuMTsKICAgIHByb3h5X3NldF9oZWFkZXIgVXBncmFkZSAkaHR0cF91cGdyYWRlOwogICAgcHJveHlfc2V0X2hlYWRlciBDb25uZWN0aW9uICd1cGdyYWRlJzsKICAgIHByb3h5X3NldF9oZWFkZXIgSG9zdCAkaG9zdDsKICAgIHByb3h5X2NhY2hlX2J5cGFzcyAkaHR0cF91cGdyYWRlOwogICAgc3ViX2ZpbHRlciAnTG9nb3V0PC9hPicgJ0xvZ291dDwvYT48YnI+Jm5ic3A7Jm5ic3A7Jm5ic3A7PGEgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSJjb2xvcjojZmZmOyIgaHJlZj0iL2tpYmFuYS8iPktpYmFuYTwvYT4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8YSB0YXJnZXQ9Il9ibGFuayIgc3R5bGU9ImNvbG9yOiNmZmY7IiBocmVmPSIvY2VyZWJyby8jL292ZXJ2aWV3P2hvc3Q9aHR0cDolMkYlMkZsb2NhbGhvc3Q6OTIwMCI+Q2VyZWJybzwvYT4nOwogICAgc3ViX2ZpbHRlciAnU2lnbiBpbjwvYnV0dG9uPicgJ1NpZ24gaW48L2J1dHRvbj48YnI+PGJyPjxhIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6I2ZmZjsiIGhyZWY9Ii9raWJhbmEvIj5LaWJhbmE8L2E+PGJyPjxhIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6I2ZmZjsiIGhyZWY9Ii9jZXJlYnJvLyMvb3ZlcnZpZXc/aG9zdD1odHRwOiUyRiUyRmxvY2FsaG9zdDo5MjAwIj5DZXJlYnJvPC9hPic7CiAgICBzdWJfZmlsdGVyX29uY2Ugb2ZmOwogIH0KCiAgbG9jYXRpb24gfiBeL2tpYmFuYSguKikkIHsKICAgIHByb3h5X2h0dHBfdmVyc2lvbiAxLjE7CiAgICBwcm94eV9zZXRfaGVhZGVyIFVwZ3JhZGUgJGh0dHBfdXBncmFkZTsKICAgIHByb3h5X3NldF9oZWFkZXIgQ29ubmVjdGlvbiAndXBncmFkZSc7CiAgICBwcm94eV9zZXRfaGVhZGVyIEhvc3QgJGhvc3Q7CiAgICBwcm94eV9jYWNoZV9ieXBhc3MgJGh0dHBfdXBncmFkZTsKICAgIHByb3h5X3Bhc3MgIGh0dHA6Ly9sb2NhbGhvc3Q6NTYwMTsKICAgIHJld3JpdGUgXi9raWJhbmEvKC4qKSQgLyQxIGJyZWFrOwogICAgcmV3cml0ZSBeL2tpYmFuYSQgL2tpYmFuYS87CiAgICBhdXRoX2Jhc2ljICJ
SZXN0cmljdGVkIENvbnRlbnQiOwogICAgYXV0aF9iYXNpY191c2VyX2ZpbGUgL2V0Yy9uZ2lueC8ua2liYW5hX2F1dGg7CiAgfQoKICBsb2NhdGlvbiAvY2VyZWJyby8gewogICAgcHJveHlfcGFzcyBodHRwOi8vbG9jYWxob3N0OjkwMDAvOwogICAgcHJveHlfc2V0X2hlYWRlciBIb3N0ICRob3N0OwogICAgYXV0aF9iYXNpYyAiUmVzdHJpY3RlZCBDb250ZW50IjsKICAgIGF1dGhfYmFzaWNfdXNlcl9maWxlIC9ldGMvbmdpbngvLmNlcmVicm9fYXV0aDsKICB9Cn0K"
+
+
+# Configure default site
+echo $nginx_conf |base64 -d |sudo tee /etc/nginx/sites-available/default
+
+# Configure Kibana Credentials
+k_user="kibuser_$(openssl rand -base64 3)"
+k_pass=$(openssl rand -base64 32)
+echo $k_pass | sudo htpasswd -i -c /etc/nginx/.kibana_auth $k_user
+
+# Configure Cerebro Credentials
+c_user="ceruser_$(openssl rand -base64 3)"
+c_pass=$(openssl rand -base64 32)
+echo $c_pass | sudo htpasswd -i -c /etc/nginx/.cerebro_auth $c_user
+
+sudo systemctl restart nginx
+sudo systemctl enable nginx
+
+# Install and Configure Letsencrypt
+sudo apt update -y
+sudo apt install software-properties-common -y
+sudo add-apt-repository ppa:certbot/certbot -y
+sudo apt update -y
+sudo apt install python-certbot-nginx -y
+
+new_domain="Hostname or IP Address"
+echo ""
+echo ""
+echo ""
+echo ""
+echo ""
+echo "Nginx reverse proxy setup is complete with the following:"
+echo "Hostname: '$new_domain'"
+echo "The following are now being reverse proxied with authentication at: "
+echo ""
+echo " TimeSketch:"
+echo " - 'http://$new_domain'"
+echo " - Username: $timesketchuser"
+echo " - Password: $timesketchpassword"
+echo ""
+echo " Kibana:"
+echo " - 'http://$new_domain/kibana'"
+echo " - Username: $k_user"
+echo " - Password: $k_pass"
+echo ""
+echo " Cerebro"
+echo " - 'http://$new_domain/cerebro'"
+echo " - Username: $c_user"
+echo " - Password: $c_pass"
+echo ""
+echo ""
+echo ""
+echo ""
+
+echo ""
+echo "Logstash and automation_grpc are installed but not enabled by default"
+echo "To enable run the following commands"
+echo " sudo systemctl restart logstash automation_grpc_service"
+echo " sudo 
systemctl enable logstash automation_grpc_service"
+echo ""
+echo ""
 clear
 echo "Installed Software Version Checks (Where it is supported)"
 /usr/bin/log2timeline.py --version
@@ -283,17 +371,4 @@ for item in "${services[@]}"
 do
 echo " $item service is: $(systemctl is-active $item)"
 done
-
-echo ""
-echo "Logstash and automation_grpc are installed but not enabled by default"
-echo "To enable run the following commands"
-echo " sudo systemctl restart logstash automation_grpc_service"
-echo " sudo systemctl enable logstash automation_grpc_service"
-echo ""
-echo ""
-echo "TimeSketch Initial User Information (reset with 'tsctl add_user -u $timesketchuser -p ')"
-echo "Username: $timesketchuser"
-echo "Password: $timesketchpassword"
 exec bash
-
-
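Review bot: The credential summary added at the end of this hunk (the `echo " - Password: $timesketchpassword"`, `$k_pass` and `$c_pass` lines) is printed immediately before the existing ` clear` context line, so the freshly generated TimeSketch, Kibana and Cerebro passwords are wiped from the screen before the operator can read them; on a console without scrollback they are gone for good, and the htpasswd files only hold hashes. The block removed by the `@@ -283,17 +371,4 @@` hunk used to print the TimeSketch credentials after the version and service checks, which is where the new summary belongs too (or the summary could be written with `sudo tee` to a root-only file instead of relying on the terminal). Separately, the decoded `nginx_conf` only has `listen 80;` and the summary advertises `http://$new_domain` URLs, so the HTTP basic-auth credentials protecting `/kibana` and `/cerebro` cross the network in cleartext; `python-certbot-nginx` is installed but never invoked and `new_domain` is the literal string `"Hostname or IP Address"`, so the summary should at least say that TLS still has to be configured before the proxy is exposed. Also worth confirming: the new gunicorn `ExecStart` sets no `--timeout` while the nginx config allows `proxy_read_timeout 900s`, so a long-running TimeSketch request would presumably be cut off by gunicorn's default worker timeout rather than by nginx.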