- using Ansible command line:
ansible-playbook --connection=local 127.0.0.1 playbook.yml
- using inventory:
127.0.0.1 ansible_connection=local
# IMPORTANT!
# This gist has been transformed into a GitHub repo.
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
# ___ ___ __ __ | |
# / | __ ______/ (_) /_____/ / | |
# / /| |/ / / / __ / / __/ __ / | |
# / ___ / /_/ / /_/ / / /_/ /_/ / | |
# /_/ |_\__,_/\__,_/_/\__/\__,_/ |
@echo off | |
:: Author: Ryan Watson | |
:: Twitter: @gentlemanwatson | |
:: Version: 1.0 | |
:: Credits: Credit to Syspanda.com and their Sysmon GPO article for the kick off point | |
:: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/ | |
:: ** IMPORTANT ** | |
:: 1) Create a Sysmon folder within the SYSVOL share on your domain controller
:: 2) Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in |
#!/bin/bash | |
## This script requires jq | |
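# Abort early when jq is missing: the script relies on jq further down (see the
# header comment), and a failure there would be harder to diagnose than this one.
if ! [ -x "$(command -v jq)" ]; then
  printf '%s\n' 'Error: jq is not installed.' >&2
  exit 1
fi
# Prompt for the PIA PPTP username (the "x" form, not the "p" form).
# -r keeps backslashes literal so the value is stored exactly as typed.
printf '%s' "PIA pptp username (xNNNNNNN not pNNNNNNN): "
read -r pia_username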
ansible-playbook --connection=local 127.0.0.1 playbook.yml
127.0.0.1 ansible_connection=local
#!/bin/bash | |
# based on https://github.com/mew2057/CAST/blob/6c7f7d514b7af3c512635ec145aa829c535467dc/csm_big_data/config-scripts/logstashFixupScript.sh | |
# see: https://github.com/elastic/logstash/issues/10755 | |
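# Refuse to run unprivileged: the steps that follow need root, and failing here
# beats a half-applied change later. The diagnostic goes to stderr so it is not
# mistaken for normal output when the script is piped or captured.
if [[ $EUID -ne 0 ]]; then
  printf '%s\n' "This script must be run as root" >&2
  exit 1
fi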
<# | |
.SYNOPSIS | |
PowerShell loop to read local .evtx files into Elastic's winlogbeat agent. | |
.DESCRIPTION | |
PowerShell loop to read local .evtx files into Elastic's winlogbeat agent. | |
Use winlogbeat.yml to customize your configuration of winlogbeat including output. | |
This script will attempt to use winlogbeat.yml, which is ignored via .gitignore; if
that file is not found, it falls back to the example configuration, which writes
logs to .\winlogbeat\events.json. Once an EVTX file has been read winlogbeat will
#Requires -RunAsAdministrator | |
# Policy key for PowerShell Core (pwsh). Note this is a different key from the one
# Windows PowerShell 5.1 reads, so this script only affects pwsh policy settings.
$Path = "HKLM:\Software\Policies\Microsoft\PowerShellCore"
## ScriptBlockLogging
# Create the subkey if absent, then turn on script block logging. Logged blocks
# include full script text, so any secrets embedded in scripts will land in the
# event log as well (plan log access and retention accordingly).
$sblKey = Join-Path -Path $Path -ChildPath 'ScriptBlockLogging'
if (-not (Test-Path -Path $sblKey)) {
    $null = New-Item -Path $sblKey -Force
}
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value '1' -Type DWord
## ModuleLogging |