Ahli Sunnah Wal Jamaah

who is ahlu Sunnah Wal Jamaah

ref: https://www.youtube.com/watch?v=oSYYd4RjKE8

elasticsearch- unassigned shard issue

unassigned shards: 

Shard masih tidak di assign pada mana mana node. maka data dalam shards tak available bila di query.

Sebab:

1- node down
2- free space tiada
3- dalam proses di pindahkan ke node yg lain.(ini utk pastikan bilangan node seimbang dalam semua node)

Diagnos:
- _cat/shards

- _cluster/health

- _cluster/reroute

$ curl -XPOST 'localhost:9200/_cluster/reroute' -H 'Content-Type: application/json' -d '{
    "commands": [{
        "allocate_empty_primary": {
            "index": "test-index",
            "shard": 1,
            "node": "node-1",
            "accept_data_loss": true
        }
    }]
}'
{"acknowledged":true,"state":{"cluster_uuid":"0W8o4rxdSniXsf_grVvxvQ","version":299,"state_uuid":"rHRyobYiSZ2VIOlxep0jxw","master_node":"nIzM4TPDQuS0WDHkSjEN1w","blocks":{}...

allocate_empty_primary  - utk shard primary

allocate_replica - utk shard replika 

 

- _cluster/settings

    cluster.routing.allocation.enable 

    cluster.routing.allocation.node_concurrent


 

 ref: https://www.baeldung.com/ops/elasticsearch-unassigned-shards

Salin MFT file

 Salin guna rawcopy

RawCopy.exe /FileNamePath:C:0 /OutputPath:C:\Audit /OutputName:MFT_C.bin

ref: 

https://www.jaiminton.com/cheatsheet/DFIR/#master-file-table

https://github.com/jschicht/RawCopy

Kibana KQL escape character

Need to escape these characters:
    \():<>"*

with quotes, does not need to escape:
    http.request.referrer: "https://example.com"

 
without quotes, must escape:

    http.request.referrer: https\://example.com

 

This not work as expected because * is interprate as literal *:
    http.request.referrer: "https://example.com*"

Instead use this:
    http.request.referrer: https\://example.com*

File path issue in windows:
Kibana display value as:
    C:\WINDOWS\system32\MRT.exe

But if you check in json, actual value stored in elastic is:
    "c:\\windows\\system32\\mrt.exe"

Thus, to find all files in folder system32(and sub folder) you need to escape the backslash character:
    file.path.caseless : c\:\\\\windows\\\\system32\\\\*

    

To find all files in folder system32(exclude sub folder):
    file.path.caseless : c\:\\\\windows\\\\system32\\\\* and not file.path.caseless : c\:\\\\windows\\\\system32\\\\*\\\\*

ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html

Kibana KQL Wild Card

thefield.caseless: system32*    

    will match system32\\calc.exe (* is wildcard)

thefield: "system32*"

    Not match system32\\calc.exe.(* is literal because it in quotes)

ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html

elastic snapshot on shared folder problem if using sshfs

if you want to set path.repo on mounted dir for elasticsearch snapshot. You probably will get this permission error, even though the dir seems writable by all user.

java.lang.IllegalStateException: Unable to access 'path.repo' (/mnt/remote_snapshot_on_st02/snap_dir) at org.elasticsearch.bootstrap.FilePermissionUtils.addDirectoryPath(FilePermissionUtils.java:66) ~[elasticsearch-8.8.1.jar:?]

This happen because elasticsearh process is own by user elasticsearch. You need to mount the dir using elasticsearch acc. sudo su -u elasticsearch sshfs myacc@10.10.10.10:/data/my_elastic_snapshot_dir/ /mnt/my_snapshot_dir Of course you need to have set path.repo on your elasticsearch.yml path.repo: [/mnt/my_snapshot_dir/the_snapshot_dir_on_remote]

carian string dlm wireshark

1)

2)

 ref: https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures