Thought it might be worthwhile sharing a short bit of SQL we used recently in an MFA deployment project.
The objective was to obtain a list of users who had been logging into a Horizon View 6 VDI deployment so that they could be targeted for MFA provisioning.
It appears this is quite a simple matter if the Events DB functionality is enabled. All that needs to be done is to select the distinct users from the ‘BROKER_USERLOGGEDIN’ events whose ‘ClientIPAddress’ value falls outside your internal IP ranges.
You can find the SQL to do this below. It’s been tested with Horizon 6 and 7. Enjoy!
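The same selection logic, written out as an added Python example rather than the SQL from this post, so the "external client address" test is explicit: keep only login events, classify the client address against the internal ranges, and de-duplicate by user. The RFC 1918 ranges, the event tuples and the user names are constructed for the example and are not taken from a real Events DB; adjust INTERNAL_NETWORKS to your own address plan.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumption: "internal" means the RFC 1918 ranges. Replace with your own list.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample rows shaped like (user, event type, ClientIPAddress).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("CORP\\alice", "BROKER_USERLOGGEDIN", "10.1.2.3"),        # internal login
    ("CORP\\bob", "BROKER_USERLOGGEDIN", "203.0.113.45"),      # external login
    ("CORP\\bob", "BROKER_USERLOGGEDIN", "203.0.113.46"),      # same user again
    ("CORP\\carol", "BROKER_USERLOGGEDOUT", "198.51.100.7"),   # not a login event
    ("CORP\\dave", "BROKER_USERLOGGEDIN", "192.168.5.5"),      # internal login
    ("CORP\\erin", "BROKER_USERLOGGEDIN", ""),                 # address missing
]


def is_internal(ip_text: str) -> bool:
    """True only if the address parses and sits inside a known internal range.

    A blank or unparsable ClientIPAddress is deliberately NOT treated as internal,
    so such users end up on the review list instead of silently being skipped.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def external_login_users(events: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Distinct users with at least one BROKER_USERLOGGEDIN from a non-internal address."""
    users = {
        user
        for user, event_type, client_ip in events
        if event_type == "BROKER_USERLOGGEDIN" and not is_internal(client_ip)
    }
    return sorted(users)


if __name__ == "__main__":
    for user in external_login_users(SAMPLE_EVENTS):
        print(user)
```

Note that the blank-address row is returned on purpose: in a SQL `NOT LIKE` filter an empty or NULL ClientIPAddress would usually drop out of the result, which is the wrong direction to fail for an MFA rollout.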
I’m trying out Graylog for log collection, aggregation, and analysis. It’s free and pretty damn easy to deploy, and it’s available in OVA format.
The first thing I noticed is there seemed to be no extractors for pfSense 2.2’s new log format. Extractors allow you to parse a syslog message and place certain values into ‘fields’ for analysis or use in graphs.
Here’s one I prepared relatively quickly. You can import by:
Click System -> Inputs in the Graylog UI
Click ‘Manage extractors’ next to the relevant input
Click ‘Import extractors’ in the ‘Actions’ menu at the top right of the page
Paste the below script into the window and then click ‘Add extractors to input’
The extractors will parse the following fields out of the pfSense 2.2 filterlog messages:
Rule number into pfsense_filter_rulenum
Direction into pfsense_filter_direction
Ingress interface into pfsense_filter_ingress
Action into pfsense_filter_action
Protocol into pfsense_filter_proto
Source IP into pfsense_filter_sourceip
Source Port into pfsense_filter_sourceport
Destination IP into pfsense_filter_destip
Destination Port into pfsense_filter_destport
Right now they only interpret IPv4 logs; IPv6 log entries are not parsed (the condition regex excludes them) because they are formatted differently.
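To show what the extractors are pulling apart, here is an added Python parser for the same pfSense 2.2 filterlog layout, producing the nine field names listed above. It is not the Graylog extractor script from this post; it mirrors its IPv4-only behaviour (IPv6 entries return None) and handles the ICMP case, where the field after the destination address is an ICMP type rather than a port. The sample syslog lines are constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional

# The CSV payload follows the "filterlog:" program name in the syslog message.
_FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?: (?P<csv>.*)$")

# Same field names as the Graylog extractors described above.
FIELD_NAMES = (
    "pfsense_filter_rulenum", "pfsense_filter_direction", "pfsense_filter_ingress",
    "pfsense_filter_action", "pfsense_filter_proto", "pfsense_filter_sourceip",
    "pfsense_filter_sourceport", "pfsense_filter_destip", "pfsense_filter_destport",
)

# Constructed sample messages (documentation addresses, not real traffic).
SAMPLE_LINES = [
    "<134>Mar  1 10:00:01 fw filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,12345,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,54321,22,0,S,1234567,,65535,,mss;sackOK;TS;nop;wscale",
    "<134>Mar  1 10:00:02 fw filterlog: 9,16777216,,1000000110,igb1,match,pass,out,4,"
    "0x0,,64,0,0,none,17,udp,76,192.0.2.10,192.0.2.53,51000,53,56",
    "<134>Mar  1 10:00:03 fw filterlog: 12,16777216,,1000000120,igb0,match,block,in,4,"
    "0x0,,254,0,0,none,1,icmp,84,198.51.100.9,192.0.2.10,request,12345,1",
    # IPv6 entry: different layout after the version field, skipped like the extractors do.
    "<134>Mar  1 10:00:04 fw filterlog: 5,16777216,,1000000103,igb0,match,block,in,6,"
    "0x00,0x00000,255,ICMPv6,58,24,fe80::1,ff02::1",
]


def parse_filterlog(line: str) -> Optional[dict]:
    """Parse one IPv4 filterlog line into the nine extractor fields, else None.

    pfSense 2.2 layout: rulenum,subrulenum,anchor,tracker,interface,reason,action,
    direction,ipversion, then for IPv4: tos,ecn,ttl,id,offset,flags,protoid,
    protoname,length,src,dst, then for tcp/udp: srcport,dstport,datalen,...
    """
    m = _FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Only the IPv4 layout is understood; version "6" and short/malformed rows are dropped.
    if len(f) < 20 or f[8] != "4":
        return None
    rec = dict.fromkeys(FIELD_NAMES)
    rec["pfsense_filter_rulenum"] = int(f[0])
    rec["pfsense_filter_ingress"] = f[4]
    rec["pfsense_filter_action"] = f[6]
    rec["pfsense_filter_direction"] = f[7]
    proto = f[16].lower()
    rec["pfsense_filter_proto"] = proto
    rec["pfsense_filter_sourceip"] = f[18]
    rec["pfsense_filter_destip"] = f[19]
    # Ports exist only for TCP/UDP; for ICMP field 20 is the ICMP type, not a port.
    if proto in ("tcp", "udp") and len(f) >= 22:
        rec["pfsense_filter_sourceport"] = int(f[20])
        rec["pfsense_filter_destport"] = int(f[21])
    return rec


def parse_lines(lines: Iterable[str]) -> List[dict]:
    """Parse a batch of syslog lines, keeping only the records the parser understood."""
    return [r for r in (parse_filterlog(l) for l in lines) if r is not None]


def count_by(records: Iterable[dict], field: str) -> Counter:
    """Aggregate parsed records on one field, the way a Graylog quick-values graph would."""
    return Counter(r[field] for r in records)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    print(count_by(recs, "pfsense_filter_action"))
    print(count_by(recs, "pfsense_filter_destport"))
```

The version check on field index 8 is the Python equivalent of the extractors' condition regex; if you later add IPv6 support, that is the branch point, since the IPv6 rows carry class, flow label and hop limit where the IPv4 rows carry TOS, ECN and TTL.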
Recently ran across a misbehaving NetApp where its deduplication process would be triggered on a Saturday morning and still be running come the Monday. It wouldn’t happen on every scheduled run, but when it did, it hurt storage performance significantly. We’re working on the usual tasks, as there’s a lot of misaligned data on the volume. But in the meantime, I used the NetApp Data ONTAP PowerShell Module to create a little script that will shoot an email if it detects a running SIS process.
Configure it as a scheduled task on a system that has the DataONTAP PowerShell module installed. Here’s an example of the command line parameters: