23 October 2019

Convert virtual disk to RAW disk image

1- VirtualBox format (VDI)
VBoxManage clonemedium needs both the source medium and the target path (disk.vdi below stands for your source disk):
vboxmanage clonemedium disk.vdi ./disk.raw --format=raw

Now disk.raw can be read by mmls to get partition offset.
mmls disk.raw



2- VMDK

If your mmls build supports afflib, you can process the VMDK directly.
mmls -i afflib vmDisk.vmdk


If yours does not support afflib, convert the disk to raw format with qemu-img first:
qemu-img convert -f vmdk -O raw vmImage/vm_disk.vmdk vm_disk.raw

Now vm_disk.raw can be read by mmls to get the partition offset.
mmls vm_disk.raw



Snapshot:
Let's say the VM has 2 snapshots of the disk vm_disk.vmdk.
The *.vmsd file tracks these snapshots (mapping each snapshot name to its vmdk file). Let's say vmImage.vmsd is as follows:
.encoding = "UTF-8"
snapshot.lastUID = "2"
snapshot.current = "2"
snapshot0.uid = "1"
snapshot0.filename = "vmImage-Snapshot1.vmsn"
snapshot0.displayName = "asal"
snapshot0.createTimeHigh = "365944"
snapshot0.createTimeLow = "26982807"
snapshot0.numDisks = "1"
snapshot0.disk0.fileName = "vm_disk.vmdk"
snapshot0.disk0.node = "scsi0:0"
snapshot.numSnapshots = "2"
snapshot.mru0.uid = "2"
snapshot1.uid = "2"
snapshot1.filename = "vmImage-Snapshot2.vmsn"
snapshot1.parent = "1"
snapshot1.displayName = "kedua"
snapshot1.createTimeHigh = "365947"
snapshot1.createTimeLow = "170475548"
snapshot1.numDisks = "1"
snapshot1.disk0.fileName = "vm_disk-000001.vmdk"
snapshot1.disk0.node = "scsi0:0"
snapshot.mru1.uid = "1"
This file shows the VM has 2 snapshots, 'asal' and 'kedua'.
Snapshot 'asal' points the disk to vm_disk.vmdk.
Snapshot 'kedua' points the disk to vm_disk-000001.vmdk.

The current state of the disk is set in the vmImage.vmx file:
scsi0:0.fileName = "vm_disk-000002.vmdk"

To convert a snapshot disk to a raw image, pass any snapshotXX.diskXX.fileName value (e.g. vm_disk-000001.vmdk) to qemu-img convert as shown above. A -00000N.vmdk delta file only holds the blocks changed since its parent; qemu-img follows the parent reference in its descriptor, so the whole parent chain (here vm_disk.vmdk) must sit in the same directory, and the output is the full disk as it was at that snapshot.
qemu-img convert -f vmdk -O raw vm_disk-000001.vmdk /tmp/snap_kedua.raw
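Reading the .vmsd by hand gets error-prone once a VM has more than a couple of snapshots, so here is a small parser, added here as an example (not part of the original notes): it maps every snapshot uid to its name, parent and disk files, returns the parent chain that must be present for the conversion, and builds the same qemu-img line used above. The sample text is the vmImage.vmsd from above trimmed to the keys the parser uses; the /tmp output path and the scsi0:0 node are assumptions.

```python
import re
# Constructed sample: the relevant lines of the vmImage.vmsd listed above.
SAMPLE_VMSD = """\
snapshot.current = "2"
snapshot0.uid = "1"
snapshot0.displayName = "asal"
snapshot0.numDisks = "1"
snapshot0.disk0.fileName = "vm_disk.vmdk"
snapshot0.disk0.node = "scsi0:0"
snapshot1.uid = "2"
snapshot1.parent = "1"
snapshot1.displayName = "kedua"
snapshot1.numDisks = "1"
snapshot1.disk0.fileName = "vm_disk-000001.vmdk"
snapshot1.disk0.node = "scsi0:0"
"""

KEY_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')   # key = "quoted value"
UID_RE = re.compile(r'^snapshot(\d+)\.uid$')              # one per snapshot entry

def parse_vmsd(text):
    """Return ({uid: {"name", "parent", "disks": {node: vmdk}}}, current_uid)."""
    kv = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:                       # unquoted or malformed lines are ignored
            kv[m.group(1)] = m.group(2)
    snaps = {}
    # Discover entries from snapshotN.uid keys, so gaps in N (deleted snapshots)
    # and a stale snapshot.numSnapshots do not matter.
    for m in filter(None, map(UID_RE.match, kv)):
        p = f"snapshot{m.group(1)}."
        disks = {kv[f"{p}disk{d}.node"]: kv[f"{p}disk{d}.fileName"]
                 for d in range(int(kv.get(f"{p}numDisks", "0")))}
        snaps[kv[m.group(0)]] = {"name": kv.get(f"{p}displayName", p[:-1]),
                                 "parent": kv.get(f"{p}parent"), "disks": disks}
    return snaps, kv.get("snapshot.current")

def lineage(snaps, uid):
    """Snapshot names from the root down to uid: the vmdk chain qemu-img must find."""
    chain = []
    while uid is not None:
        chain.append(snaps[uid]["name"])
        uid = snaps[uid]["parent"]
    return chain[::-1]

def convert_command(snaps, name, node="scsi0:0", outdir="/tmp"):
    uid = next(u for u, s in snaps.items() if s["name"] == name)
    vmdk = snaps[uid]["disks"][node]      # the delta (or base) file for that snapshot
    return f"qemu-img convert -f vmdk -O raw {vmdk} {outdir}/snap_{name}.raw"
```

Run it against a real .vmsd with parse_vmsd(open(path).read()); lineage() tells you which vmdk files to copy alongside the delta before converting.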

Winlogbeat: change the index name

For Non-Cluster:

  setup.template.name: 'my-winlogbeat-%{[beat.version]}'
  setup.template.pattern: 'my-winlogbeat-%{[beat.version]}-*'

  output.elasticsearch.index: 'my-winlogbeat-%{[beat.version]}-%{+yyyy.MM}'



Note: Winlogbeat version 7, when pushing to a CLUSTER, defaults to ILM (index lifecycle management).


For Cluster:

  setup.ilm.enabled: auto
  setup.ilm.rollover_alias: "my-winlogbeat"
  setup.ilm.pattern: "{now/d}-000001"




Ref:
1- https://discuss.elastic.co/t/changing-the-index-name-for-winlogbeat-sent-to-elasticsearch/168722/6