28 October 2024

elasticsearch - unassigned shard issue

unassigned shards:

A shard is still not assigned to any node, so the data in that shard is not available when queried.

Causes:

1- node down
2- no free disk space
3- the shard is being moved to another node (this is done to keep the number of shards balanced across all nodes)

Diagnosis:
- _cat/shards

- _cluster/health

- _cluster/reroute

$ curl -XPOST 'localhost:9200/_cluster/reroute' -H 'Content-Type: application/json' -d '{
    "commands": [{
        "allocate_empty_primary": {
            "index": "test-index",
            "shard": 1,
            "node": "node-1",
            "accept_data_loss": true
        }
    }]
}'
{"acknowledged":true,"state":{"cluster_uuid":"0W8o4rxdSniXsf_grVvxvQ","version":299,"state_uuid":"rHRyobYiSZ2VIOlxep0jxw","master_node":"nIzM4TPDQuS0WDHkSjEN1w","blocks":{}...

allocate_empty_primary - for a primary shard (allocates an empty primary, so it requires accept_data_loss: true as in the command above)

allocate_replica - for a replica shard

- _cluster/settings

    cluster.routing.allocation.enable

    cluster.routing.allocation.node_concurrent

ref: https://www.baeldung.com/ops/elasticsearch-unassigned-shards

13 February 2024

Copy the MFT file

Copy it using RawCopy


RawCopy.exe /FileNamePath:C:0 /OutputPath:C:\Audit /OutputName:MFT_C.bin


ref: 
https://www.jaiminton.com/cheatsheet/DFIR/#master-file-table
https://github.com/jschicht/RawCopy

17 January 2024

Kibana KQL escape characters

These characters need to be escaped:
    \():<>"*

With quotes, no escaping is needed:
    http.request.referrer: "https://example.com"

Without quotes, the special characters must be escaped:
    http.request.referrer: https\://example.com

This does not work as expected, because inside quotes * is interpreted as a literal *:
    http.request.referrer: "https://example.com*"

Use this instead (unquoted, with the : escaped, so the * is a real wildcard):
    http.request.referrer: https\://example.com*

File path issue on Windows:
Kibana displays the value as:
    C:\WINDOWS\system32\MRT.exe

But if you check the JSON, the actual value stored in Elasticsearch is:
    "c:\\windows\\system32\\mrt.exe"

So, to find all files in the system32 folder (including subfolders), you need to escape the backslash character; in a wildcard term each literal backslash is written as four backslashes:
    file.path.caseless : c\:\\\\windows\\\\system32\\\\*

To find all files in the system32 folder (excluding subfolders), also exclude any path that has another backslash after system32\:
    file.path.caseless : c\:\\\\windows\\\\system32\\\\* and not file.path.caseless : c\:\\\\windows\\\\system32\\\\*\\\\*
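As an added example (not part of the original notes), a small Python helper that builds unquoted KQL terms with the escaping described above. The field names and paths are the ones from this note; the four-backslash form for a literal backslash in a wildcard term follows what the file.path.caseless queries above show, and the helper names are my own.

```python
# Added helper: build unquoted KQL terms with the escaping these notes describe.
# Characters KQL treats specially outside quotes (from the Kibana KQL docs linked below).
KQL_SPECIAL = set('\\():<>"*')


def kql_escape(literal: str, wildcard: bool = False) -> str:
    """Escape a literal value so it can be used as an unquoted KQL term.

    Every special character gets a backslash prefix. When the term will carry
    a trailing * (wildcard=True), a literal backslash has to be written as four
    backslashes, which is the form the file.path.caseless queries above use.
    """
    out = []
    for ch in literal:
        if ch == "\\":
            out.append("\\\\\\\\" if wildcard else "\\\\")
        elif ch in KQL_SPECIAL:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def kql_prefix_query(field: str, prefix: str) -> str:
    """`field : prefix*` where * is a real wildcard (so the term stays unquoted)."""
    return f"{field} : {kql_escape(prefix, wildcard=True)}*"


def kql_folder_query(field: str, folder: str, include_subfolders: bool = True) -> str:
    """Match files under a Windows folder; optionally exclude deeper subfolders."""
    prefix = kql_escape(folder.rstrip("\\") + "\\", wildcard=True)
    sep = kql_escape("\\", wildcard=True)
    query = f"{field} : {prefix}*"
    if not include_subfolders:
        # Anything with another backslash after the folder prefix is in a subfolder.
        query += f" and not {field} : {prefix}*{sep}*"
    return query


if __name__ == "__main__":
    print(kql_prefix_query("http.request.referrer", "https://example.com"))
    print(kql_folder_query("file.path.caseless", r"c:\windows\system32"))
    print(kql_folder_query("file.path.caseless", r"c:\windows\system32", include_subfolders=False))
```

The generated strings are the same queries shown above, so they can be pasted straight into the Kibana search bar.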
ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html

Kibana KQL wildcard

thefield.caseless: system32*
    will match system32\\calc.exe (* is a wildcard)


thefield: "system32*"
    will not match system32\\calc.exe (* is literal because it is inside quotes)



ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html

20 September 2023

elastic snapshot on a shared folder: problem when using sshfs

If you want to set path.repo to a mounted directory for Elasticsearch snapshots, you will probably get this permission error, even though the directory seems writable by all users:

java.lang.IllegalStateException: Unable to access 'path.repo' (/mnt/remote_snapshot_on_st02/snap_dir) at org.elasticsearch.bootstrap.FilePermissionUtils.addDirectoryPath(FilePermissionUtils.java:66) ~[elasticsearch-8.8.1.jar:?]

This happens because the elasticsearch process runs as the user elasticsearch, so you need to mount the directory as the elasticsearch account:

    sudo -u elasticsearch sshfs myacc@10.10.10.10:/data/my_elastic_snapshot_dir/ /mnt/my_snapshot_dir

Of course, you also need to set path.repo in your elasticsearch.yml:

    path.repo: [/mnt/my_snapshot_dir/the_snapshot_dir_on_remote]

17 October 2022

Searching for strings in Wireshark

 ref: https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures

30 September 2022

History of IPs your Ubuntu PC has held

history of IPs that have been assigned to your pc


There are 2 commands that can list the IPs your PC has received from DHCP.


1) sudo cat /var/log/syslog | grep -Ei 'dhcp' | grep ip_address

2) sudo journalctl | grep -Ei 'dhcp' | grep ip_address