<?xml version=”1.0″ encoding=”UTF-8″?>
<AnyConnectProfile xmlns=”http://schemas.xmlsoap.org/encoding/” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:schemaLocation=”http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd”>
<ClientInitialization>
<UseStartBeforeLogon UserControllable=”true”>true</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable=”false”>true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreLinux>All</CertificateStoreLinux>
<CertificateStoreOverride>true</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>30</AuthenticationTimeout>
<AutoConnectOnStart UserControllable=”true”>false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable=”true”>true</MinimizeOnConnect>
<LocalLanAccess UserControllable=”true”>false</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable=”true”>false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable=”false”>true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable=”false”>true
<AutoReconnectBehavior UserControllable=”false”>ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
<AutoUpdate UserControllable=”false”>true</AutoUpdate>
<RSASecurIDIntegration UserControllable=”false”>Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable=”false”>Disable
<PPPExclusionServerIP UserControllable=”false”></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable=”false”>false</EnableScripting>
<EnableAutomaticServerSelection UserControllable=”false”>false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
</AnyConnectProfile>
cisco fpr1140 ftd smart license issue
If you got one notification as follow:
Product Instance Failed to Connect – The device “UDI_PID:FPR-1140; UDI_SN:xxxxxxxxxxxx; ” in the virtual account “DEFAULT” has not connected within its renewal period, and may run in a degraded state if it does not connect within the next 1 day. If the device is not going to connect, you can remove it to immediately release the licenses it is consuming.
try login system run command:
root@fw:/home/admin# pmtool restartbyid tomcat
root@fw:/home/admin# pmtool status | grep "tomcat"
then wait a quite long time to the http portal recover to access
powershell apache log filter
Select-String “404” .\localhost_access_log.2024-08-07.txt | % {($_.line.split(‘HTTP’))[1]} | Sort-Object | Get-Unique
gc ‘.\localhost_access_log.2024-08-07.txt’ -Wait
Get-Process | sort {[string]$_.ID}
MFA solution
To setup a multiple factor authentication server, this freeipa is open source solution. And with FreeOTP+ app to second factor:
ipa-server-install
ipa-server-install --setup-dns
You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
client side, first you should set up the dns or hosts file, and then execute the command as below:
yum install freeipa-client
ipa-client-install --mkhomedir
elastic 8.13.2
For setup syslog to accept from netowrk device, the configration of filebeat as below:
filebeat.yml
filebeat.inputs:
- type: syslog
protocol.tcp:
host: "0.0.0.0:5014"
fields:
type: syslog
fields_under_root: true
setup.template.settings:
index.number_of_shards: 1
setup.kibana:
output.logstash:
hosts: ["x.x.x.x:10083"]
enabled: true
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
For logstash pipeline setting you should like do this kinds of configuration:
input {
beats {
port => 5044
}
}
filter {
date {
match => [ "@timestamp", "yyyy-MM-dd HH:mm:ss Z" ]
}
mutate {
remove_field => ["@version", "_index", "_source", "ecs"]
}
if [type] == "syslog" {
grok {
match => { "message" => "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version}%{SPACE}(?:-|%{TIMESTAMP_ISO8601:syslog_timestamp})%{SPACE}(?:-|%{IPORHOST:hostname})%{SPACE}(?:%{SYSLOG5424PRINTASCII:program}|-)%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:process_id})%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:message_id})%{SPACE}(?:-|(?
match => { "message" => "(<%{NUMBER:syslog_event_id}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} (%{SYSLOGHOST:syslog_hostname} )?%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:%{GREEDYDATA:syslog_message}" }
match => { "message" => "(<%{NUMBER:syslog_event_id}>)?%{TIMESTAMP_ISO8601:syslog_timestamp} (%{SYSLOGHOST:syslog_hostname} )?%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:%{GREEDYDATA:syslog_message}" }
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_tag => [ "syslog" ]
}
mutate {
add_field => { "[@metadata][target_index]" => "syslog-%{+YYYY.MM.dd}" }
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
if [event][module] == "nginx" {
grok {
match => [ "message" , "%{COMMONAPACHELOG}+%{GREEDYDATA:extra_fields}"]
overwrite => [ "message" ]
}
mutate {
convert => ["response", "integer"]
convert => ["bytes", "integer"]
convert => ["responsetime", "float"]
add_field => { "[@metadata][target_index]" => "nginx-%{+YYYY.MM.dd}" }
}
geoip {
source => "address"
target => "clientgeo"
add_tag => ["nginx-geoip"]
}
}
if [event][module] == "auditd" {
grok {
match => { "message" => "type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch:timestamp}:%{NUMBER:audit_counter}\): pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_audid} ses=%{NUMBER:ses} msg=\'op=%{WORD:operation}:%{WORD:detail_operation} grantors=%{WORD:pam_login},%{WORD:pam_key},%{WORD:pam_limit},%{WORD:pam_system} acct=\"%{WORD:acct_user}\" exe=\"%{GREEDYDATA:exec}\" hostname=%{GREEDYDATA:hostname} addr=%{GREEDYDATA:ipaddr} terminal=%{WORD:terminal} res=%{WORD:result}" }
}
date {
match => [ "audit_epoch", "UNIX_MS" ]
}
mutate {
split => ["host", "."]
add_field => { "hostname" => "%{[host][0]}" }
add_field => { "podName" => "%{[host][1]}" }
add_field => { "ignore" => "%{[host][2]}" }
remove_field => ["ignore", "host"]
add_field => { "[@metadata][target_index]" => "audit-%{+YYYY.MM.dd}" }
}
}
if [container][id] =~ /service/ {
mutate {
add_field => { "[@metadata][target_index]" => "%{[container][id]}-%{+YYYY.MM.dd}" }
}
}
}
output {
elasticsearch {
hosts => ["https://x.x.x.x:9200"]
user => "elastic"
password => "xxxxxxxx"
#data_stream => "true"
#data_stream_dataset => "xxxxxx"
index => "%{[@metadata][target_index]}"
ssl_enabled => "true"
#ssl => true
#ssl_certificate_verification => true
#cacert => "/usr/share/logstash/config/ca.pem"
ssl_verification_mode => "none"
ssl_certificate_authorities => "/usr/share/logstash/config/ca.pem"
ca_trusted_fingerprint => "xxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
group policy remove software installation met error event 108
1. remove the register value
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Appmgmt\{2c0cf1fc-3ec1-4c9c-87ec-7eee5bea3503}
2. delete the sysvol share related .aas file
\\lookdata.cn\SYSVOL\lookdata.cn\Policies\{EBB86C99-BC22-4FFF-8EF2-6AA3FBC01977}\Machine\Applications