Graylog Extractors for pfSense 2.2 filter logs

Hi all,

I’m trying out Graylog for log collection, aggregation, and analysis. It’s free and pretty damn easy to deploy, available in OVA format.

The first thing I noticed is there seemed to be no extractors for pfSense 2.2’s new log format. Extractors allow you to parse a syslog message and place certain values into ‘fields’ for analysis or use in graphs.

Here’s one I prepared relatively quickly. You can import by:

  1. Click System -> Inputs in the Graylog UI
  2. Click ‘Manage extractors’ next to the relevant input
  3. Click ‘Import extractors’ in the ‘Actions’ menu at the top right of the page
  4. Paste the below script into the window and then click ‘Add extractors to input’

The extractors will parse the following fields out of the pfSense 2.2 filterlog messages:

  • Rule number into pfsense_filter_rulenum
  • Direction into pfsense_filter_direction
  • Ingress interface into pfsense_filter_ingress
  • Action into pfsense_filter_action
  • Protocol into pfsense_filter_proto
  • Source IP into pfsense_filter_sourceip
  • Source Port into pfsense_filter_sourceport
  • Destination IP into pfsense_filter_destip
  • Destination Port into pfsense_filter_destport

Right now they only interpret IPv4 logs; IPv6 log entries don’t get parsed (the condition regex filters them out) as they are formatted differently.
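As an added illustration (not the author’s extractor script, which is linked rather than reproduced above), here is a Python parser that does the same field extraction for IPv4 filterlog lines and skips IPv6 ones the way the condition regex does. The field order it assumes is the documented pfSense 2.2 filterlog layout, and the sample lines are constructed.

```python
import re

# pfSense 2.2+ filterlog field order as I understand it (assumption; the real
# extractors are not reproduced): nine common values, then the IPv4 layout.
COMMON_FIELDS = ["rulenum", "subrulenum", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ipver"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags",
               "proto_id", "proto", "length", "src", "dst"]
# Everything after "filterlog: " (or "filterlog[pid]: ") is the CSV payload.
FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(.+)$")


def parse_filterlog(line):
    """Return the Graylog-style fields for one IPv4 filterlog line, or None."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    parts = m.group(1).split(",")
    if len(parts) < len(COMMON_FIELDS) + len(IPV4_FIELDS):
        return None
    common = dict(zip(COMMON_FIELDS, parts[:9]))
    # Same effect as the extractor condition: IPv6 records use a different
    # layout, so they are skipped rather than misparsed.
    if common["ipver"] != "4":
        return None
    v4 = dict(zip(IPV4_FIELDS, parts[9:20]))
    fields = {
        "pfsense_filter_rulenum": common["rulenum"],
        "pfsense_filter_direction": common["direction"],
        "pfsense_filter_ingress": common["interface"],
        "pfsense_filter_action": common["action"],
        "pfsense_filter_proto": v4["proto"],
        "pfsense_filter_sourceip": v4["src"],
        "pfsense_filter_destip": v4["dst"],
    }
    # Ports exist only for TCP and UDP; ICMP and other protocols carry none.
    if v4["proto"] in ("tcp", "udp") and len(parts) >= 22:
        fields["pfsense_filter_sourceport"] = parts[20]
        fields["pfsense_filter_destport"] = parts[21]
    return fields


# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses), not real logs.
SAMPLE_LOGS = [
    "Feb 27 10:37:36 pfsense filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,1234567890,,65535,,mss",
    "Feb 27 10:37:38 pfsense filterlog: 7,16777216,,1000000105,igb1,match,block,in,4,"
    "0x0,,64,0,0,none,1,icmp,84,203.0.113.7,192.0.2.10,request,4321,1",
    "Feb 27 10:37:39 pfsense filterlog: 9,16777216,,1000000111,igb1,match,block,in,6,"
    "0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::2,44321,443,0,S,987654,,65535,,mss",
]
```

The ICMP sample shows why the port fields are optional: a record for a protocol without ports still yields the other seven fields.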

The script is available here.

Hope this helps!



NetApp & Powershell – Snapshot Report

This post follows on from my last, where I created a script to send an email report when running dedupe operations were detected.

Using the same script, I made some quick modifications to have it send an email report of volume snapshots with their sizes and creation dates. Here’s what it looks like.

[Screenshot: NetApp Volume Snapshot Report email]

The syntax for the report is pretty much the same as the last script.

.\NetApp-SnapshotReport.ps1 -Controller controller1,controller2 -Username <user> -Password <pass> -SMTPServer <server> -MailFrom <Email From> -MailTo <Email To>

Download the script here. I currently have it configured as a scheduled task running every morning so we have a daily report of current volume snapshots, and it works well.

Enjoy!


Tintri 3.1.1.4 and SCVMM integration – Access Denied

With the release of Tintri OS 3.1.1.4, Tintri introduced their support for SCVMM and Hyper-V integration.

After upgrading to the new release, you’ll be able to add Hyper-V hosts in the Tintri UI settings screen, allowing the Tintri to grab details of running VMs. An SMI-S interface is also available after the upgrade, which you can use with SCVMM to create and manage SMB3 file shares, including setting quotas and applying a storage classification.

As with all new feature releases in the history of everything, there are some problems. You might find – after configuring your SCVMM install and Hyper-V hosts according to the documentation (available on the support site) – that your hosts don’t have access to the share. You’ll be unable to create new VMs on the new share, or even remove the share through SCVMM.

Here’s how to avoid these problems and get those file shares working.

  1. In the Tintri UI, open ‘Settings’, and open the ‘Management Access’ panel
  2. Remove the entry for your SMI-S Run-As Account group (the one you created while following through the documentation)
  3. Save the settings, and then re-open the ‘Settings’ window
  4. Go back to the ‘Management Access’ panel, and re-add the SMI-S Run-As Account group with Super admin access
  5. Save settings
  6. On a host that has access to your Tintri’s data IP, while logged in as a domain user that has Super admin privileges on the Tintri, open a command prompt or PowerShell window
  7. Enter the following command, substituting your share path and Hyper-V host group name:
    [Screenshot of the command; its text is not reproduced here]
  8. Go ahead and try to create a new VM; it should work

Tintri are aware of this and there’s apparently an internal bug ticket for it – hopefully it’s resolved in the next code release.

Hope this helps.


Repurposing old dumb PCs as thin clients

If you work at a metal refinery, or anywhere that utilises H2S (Hydrogen Sulphide), you might be familiar with this sight.

These computers are old and dead, their HDDs corroded by the rotten-egg-smelling gas that floats around the refinery they’re located at.

Our goal at this site is to move everyone around the refinery onto Teradici zero clients, and utilize our VMware View instance. Desktops (including apps and data) will be safe and sound in the datacenter, and the users won’t be subjected to losing their desktops and waiting for a replacement.

We purchased 100 Teradici based Zero Clients, and we were left with a lot of old PCs without a working HDD. What were we to do with them? eBay? Donating them somewhere?

The kill-two-birds-with-one-stone solution was Stratodesk’s “NoTouch” suite, something that caught my eye at VMworld last month. NoTouch OS is a relatively small Linux distro that provides clients for most of the major hosted-desktop systems (like VMware View, Citrix, Microsoft RDSH, etc.) and gives you the ability to repurpose dated PCs as thin clients.

NoTouch OS is managed through their NoTouch Center software, which they supply as a standalone install, or a virtual appliance. Through it you can group your endpoints and apply settings at any level. You could have a group of endpoints that connect to your VDI system for your employees, and a group of endpoints that provide nothing but a web browser pointing to your timesheet system for contractors to use. It’s very flexible and packed with functionality.

The Stratodesk Virtual Appliance also gives you a PXE boot server, and this is what we’re using for our PC-sans-HDDs. Just import the NoTouch OS image through the virtual appliance’s web interface, configure some boot options, pop some options into your DHCP servers, and away you go.

We’ve got 25 of these endpoints running throughout the plant, and user feedback is good. We had a couple of issues with managing multimonitor modes and auto-assigning endpoints to groups, and their support was both quick and extremely helpful. I had a response within the first couple hours, and they had solved the issues within 6 hours. On a Saturday. At night. And before we even purchased a license!

The PCoIP client built into NoTouch desktop is the official Linux VMware Horizon View client, and NoTouch lets you configure it however you want. Note that with Horizon View 5.3 you’ll be able to do RTAV through the Linux client, allowing you to use your USB webcams through a NoTouch endpoint. This gives it an advantage over the Teradici Zero Clients, as they’re yet to support RTAV (though sources tell me they are working on it).

They offer a free trial that allows you to manage 2 endpoints; I highly recommend giving it a try before you go and purchase any more zero clients. Licensing works out to around $46 per endpoint (retail) including a year of maintenance, and you can purchase licenses either through a vendor or direct.

Here’s a quick video demonstrating PXE booting a PC with no HDD into the NoTouch OS.

I’m finding it hard to justify purchasing more Zero Clients. Feel free to comment below with arguments for/against PC repurposing software like this! I’d love to hear your opinion.

Migrating a View VM between hosts fails at 63%

I had a strange issue come up when trying to vMotion some VMs in our View cluster.

When attempting a vMotion of our Windows 7 VMs, the vMotion would stop at around 63% and spit out the error “Source detected that destination failed to resume”.

In the target VM’s vmware.log file I saw the following:

2013-05-16T03:58:16.591Z| vmx| MsgQuestion: msg.svga.checkpoint.gpufeaturecheck.fail3 reply=0
2013-05-16T03:58:16.591Z| vmx| Progress 101% (none)
2013-05-16T03:58:16.591Z| vmx| MigrateSetStateFinished: type=2 new state=11
2013-05-16T03:58:16.591Z| vmx| MigrateSetState: Transitioning from state 10 to 11.
2013-05-16T03:58:16.591Z| vmx| Migrate_SetFailure: Failed to resume on destination.

In this case, the problem occurred due to 3D support being enabled directly on the VM through vSphere, rather than using the pool options on the View Connection Server. Note that while the VM is powered on, VM settings will not show that 3D is enabled – you can only test that this is the case by viewing the VMX or viewing the VM settings when it is powered off.

I solved this problem by changing the pool options to enable 3D and then waiting for View Composer to update the VMs; I didn’t even have to power down the VMs. After View Composer does its thing, the VMs will vMotion without a hitch.

Environment:

  • ESXi 5.0
  • View Agent 5.1
  • View Connection Server 5.2
  • VM Hardware Version 8
  • Windows 7 guest OS

Hope this helps!

Mailarchiver 6, the upgrade, and the broken next button…

First thing I see in the morning is an email from GFI saying “YOU HAVE A FREE UPGRADE ZOMG!”. Mailarchiver 6 is out, and it boasts quite a few new features, none of which are documented yet – they still only have the MA5 manual up on their site.

I download the update, schedule an outage (it’s not really used by anyone apart from us, the IT department), and start the upgrade. I get to the ‘You need to update your auditing database by doing this chant/sacrifice:’ part, and the next button proceeds to do sweet f–k all. The installer doesn’t lock up, I can still click back, just not next. How’s that for an error message?

The error, in fact, is that MA5 needs to be upgraded with the latest updates before you can upgrade.

If you’ve come across this issue, here’s the link to the file you’ll need to install in order to progress any further: http://kbase.gfi.com/showarticle.asp?id=KBID003336

Now all I need is some documentation on the new features. It appears that an Outlook plugin they’ve made (which I can’t find) allows users to mount their archive in their Outlook. If this also allows them to move things to the archive, say, old emails from their 20 GB+ worth of PSTs, then this will save admins a lot of time. I’ll find out when I get time.

– NM