Graylog REST API – Message Search

Posted on January 8, 2020 by

Now that we have we have created an API token for our new API Reader user, we can query the API and search messages.  Our user currently has “Reader” level permissions.  However Graylog developers state that:

“Universal search requires admin privileges as you have access to all ingested messages with it.  Normal users can use streams: http://docs.graylog.org/en/1.3/pages/streams.html47 – reference link

and

“Reader users are always bound to streams and can only do searches with a filter that limits them to streams they are allowed to view. You could create a stream that matches every message and give the users permissions on that. – reference link

As you may guess, you are probably not going to create a stream for every message. So…what should you do?  Well, I just assigned my api user admin rights and then generated a token. Note, this works with version 2 of Graylog, perhaps version 3 has resolved this issue. More on that to come.

In order to generate a new access token for a user in Graylog, follow these steps depending on your version.

Graylog version 2.x

Open the API Browser and navigate to the Users:User accounts section. Expand the section:graylog-api-token
Then fill out your username and name to generate your token. Example:
graylog-api-token2

Graylog version 3.x

In Graylog version 3.x you can generate a token either from the api or you can now generate a token from the web ui. Follow this link for webui instructions.

 

Posted in Graylog | Tagged , , , | Leave a comment

HPE 3PAR Volume Plugin for Docker – Peer Persistence Replication

Posted on January 21, 2019 by

The following article goes along way in configuring Peer Persistence Replication for the HPE 3PAR Volume Plugin for Docker. However there are several documentation issues that need to be corrected. Use the following as an example for configuring iSCSI based Hosts in your /etc/hpedockerplugin/hpe.conf file:

host_etcd_port_number=<ETCD_PORT_NUMBER>
hpe3par_username=<Source-3PAR-Username>
hpe3par_password=<Source-3PAR-Password>
hpe3par_cpg=<Source-User-CPG>
hpedockerplugin_driver=hpedockerplugin.hpe.hpe_3par_iscsi.HPE3PARISCSIDriver
logging=DEBUG
san_ip=<Source-3PAR-SAN-IP>
san_login=<Source-3PAR-SAN-Username>
san_password=<Source-3PAR-SAN-Password>
host_etcd_ip_address=<IP1>[:PORT1[,IP2[:PORT2]][,IP3[:PORT3]]...]
hpe3par_api_url=https://<Source-Array-IP>:8080/api/v1
hpe3par_iscsi_ips=<ISCSI_IP1>[,ISCSI_IP2,ISCSI_IP3...]
replication_device = backend_id:<Target-Array-Name>,
                     quorum_witness_ip:<Quorum-Witness-IP>,
                     replication_mode:synchronous,
                     cpg_map:<Source-User-CPG>:<Target-User-CPG>,
                     snap_cpg_map:<Source-Snap-CPG>:<Target-Snap-CPG>,
                     hpe3par_api_url:https://<Target-Array-IP>:8080/api/v1,
                     hpe3par_username:<3PAR-Username>,
                     hpe3par_password:<3PAR-Password>,
                     san_ip:<3PAR-SAN-IP>,
                     san_login:<3PAR-SAN-Username>,
                     san_password:<3PAR-SAN-Password>,
                     hpe3par_iscsi_ips:<ISCSI_IP1>[;ISCSI_IP2;ISCSI_IP3...]

There are only a few issues missing commas, and the replication device listed twice. I will be notifying HPE to update their documentation with the above fixes. I Hope this helps anyone seeing this issue.

Posted in Docker, HPE 3PAR | Tagged , , | Leave a comment

Office 365 group admin role

Posted on January 18, 2019 by

You may come across a scenario where you want to script the membership of Office 365 groups.  Unfortunately there is no Office 365 group admin role that you can assign within exchange online. You have to assign global admin permissions to any account that you want to be able to modify Office 365 group memberships. This problem is has a UserVoice page here.

Microsoft has a few powershell commands that you can “supposedly” run to “Find the permissions required to run any Exchange cmdlet”. However when you run these commands on Add-UnifiedGroupLinks and Remove-UnifiedGroupLinks, the role that they specify that you use is: Mail Recipients. So even after assigning the Mail Recipient role to my specified script user account, the commands do not work.  Go Figure MSFT!

Workaround

My only workaround at this point is to simply assign my script user account to be the Office 365 group owner. Once this is done, this user can add and remove group members within exchange online powershell.  Of course this only works in limited scenarios, and still needs an admin to assign ownership permission to the script user.

 

 

Posted in Exchange Online, Office 365 | Leave a comment

Docker Enterprise and HPE 3PAR Volume Plugin 3.0

Posted on January 15, 2019 by

For those of you that might be interested, I was successfully able to configure the HPE 3PAR Volume Plugin 3.0 for Docker Enterprise version 18.09 using Red Hat Enterprise Linux 7.6 hosts.  The HPE 3PAR Volume Plugin quickstart guide for Docker is a good place to start however, there are some issues with the documentation. I have opened up a support case with HPE and will provide them with this information, but until the documentation is updated, the details will be listed here.

HPE 3PAR Volume Plugin Quickstart guide

Step 2 has the incorrect formatting for the multipath.conf file. The squiggly brackets “{” have to follow defaults, devices, and device on the same line. It should look like the following:

Step 2. Configure /etc/multipath.conf

$ vi /etc/multipath.conf

Copy the following into /etc/multipath.conf

defaults{
    polling_interval 10
    max_fds 8192
}

devices{
    device{
        vendor                  "3PARdata"
        product                 "VV"
        no_path_retry           18
        features                "0"
        hardware_handler        "0"
        path_grouping_policy    multibus
        #getuid_callout         "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
        path_selector           "round-robin 0"
        rr_weight               uniform
        rr_min_io_rq            1
        path_checker            tur
        failback                immediate
    }
}

ETCD config

You may notice that I include the restart option “–restart unless-stopped”. This option starts etcd if the host reboots etc. It is also critical in setting up a production environment.
The "-initial-advertise-peer-urls http://${HostIP}:23800" port should be  2380 NOT 23800
The following can be used to launch the supported version of etcd on a single host: 


sudo docker container run -d --restart unless-stopped -v /usr/share/ca-certificates/:/etc/ssl/certs -p 4001:4001 \
-p 2380:2380 -p 2379:2379 \
--name etcd quay.io/coreos/etcd:v2.2.0 \
-name etcd0 \
-advertise-client-urls http://${HostIP}:2379,http://${HostIP}:4001 \
-listen-client-urls http://0.0.0.0:2379,http://0.0.0.0:4001 \
-initial-advertise-peer-urls http://${HostIP}:2380 \
-listen-peer-urls http://0.0.0.0:2380 \
-initial-cluster-token etcd-cluster-1 \
-initial-cluster etcd0=http://${HostIP}:2380 \
-initial-cluster-state new

Plugin Installation Information

RHEL/CentOS

version=3.0

$ docker plugin install --grant-all-permissions --alias hpe --disable store/hpestorage/hpedockervolumeplugin:3.0
$ docker plugin set hpe glibc_libs.source=/lib64 certs.source=/tmp
$ docker plugin enable hpe
  1. Confirm the plugin is successfully installed by
$ docker plugin ls
Posted in Docker, HPE 3PAR, Linux, RHEL7 | Tagged , , , , | Leave a comment

Mac network accounts are unavailable – macOS Sierra, High Sierra

Posted on August 22, 2018 by

Applies to: macOS Sierra, macOS High Sierra, Active Directory 2008 R2 functional level and greater, Windows Security Baselines for Active Directory

Our environment currently consists of Mac computers that are bound to Active Directory. Recently we deployed some new Active Directory 2016 domain controllers within our environment.  These domain controllers also have a Windows Security Baseline applied as a GPO for security purposes. Windows Security Baselines can be found here.

We immediately started to see issues with Mac computers related to the all familiar “Network Accounts are Unavailable” error message at login screen.

NetworkAccountsUnavailable

After extensive troubleshooting, we determined that the problem was with the Windows Security Baselines that were being applied to the domain controllers. And more specifically this setting in particular:

Domain controller: LDAP server signing requirements 
Value =Require signing

Here is the link to the reference article for this security setting.

So by default, the macOS Directory client does not sign and encrypt the LDAP connections that are used to communicate with Active Directory.  The Open Directory client can sign and encrypt LDAP connections with the following configurations:

dsconfigad -packetencrypt ssl

and

/usr/bin/security add-trusted-cert -d -p basic -k /Library/Keychains/System.keychain <path/to/certificate/file>

These commands are defined in the Packet signing and encryption section of the following apple support article:

https://support.apple.com/kb/PH26273?viewlocale=en_US&locale=es_MX

Hope this helps!

Posted in Active Directory, macOS, Security, Windows Security Baselines | Tagged , , , , | 1 Comment

Kemp LoadMaster RESTful API Mangement with Powershell

Posted on May 21, 2018 by

There are several articles explaining how to access and manage the Kemp LoadMaster with the RESTful API. However, there are not very many articles that show you how to connect via Powershell. I attempted to follow several articles, but I kept running into problems.  Primarily the following:

“Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send.”

Everything that I did could not solve this problem. I found several articles stating that I would need to tell powershell to ignore certificate problems or force powershell to use TLS 1.2 before calling the invoke-restmethod cmdlet.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

However, this did not work for me at all!  The problem is related to the invoke-restmethod and invoke-webrequest cmdlets run in their own runspace.

Follow this procedure!

Powershell code to connect to the Kemp Loadmaster and list the virtual services

$pass = Get-Content "c:\scripts\KempPassword.txt" | ConvertTo-SecureString
$User = "YourKempUserAccount"
$MyCredential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $pass>
$kempurl = "https://kempLB.constoso.com"
$uri = $kempurl+"/access/listvs"
[string]$response = Invoke-RestMethod $uri -Credential $MyCredential

 

In the example above, I am using a encrypted password that was saved in a KempPassword.txt file. You can generate this password by executing:

"P@ssword1" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString

The Kemp LoadMaster will return an xml response that will need to be parsed as required. Here are two websites that I used to parse the xml in powershell:

https://www.petri.com/search-xml-files-powershell-using-select-xml

and

http://www.itprotoday.com/management-mobility/getting-started-rest-and-powershell

 

Previous Articles on the Kemp API and Powershell (did not work for me)

Kemp’s API and Powershell documentation

https://support.kemptechnologies.com/hc/en-us/articles/203863435-RESTful-API

https://support.kemptechnologies.com/hc/en-us/articles/203756799-RESTful-API-Programmer-Guide

https://support.kemptechnologies.com/hc/en-us/articles/203863385-PowerShell

 

 

Posted in API Programming, Kemp LoadMaster, Powershell | Tagged , | Leave a comment

Graylog REST API – Creating User Token with Powershell

Posted on January 31, 2018 by

In order to access the Graylog REST api you need to do the folllowing:

  1. Create a new user within the User UI
  2. Temporarily assign the user the Admin role (Permission needed to create a token) , or use the REST API to assign the users:tokenlist, users:tokencreate, and users:tokenremovepermissions at this link.
  3. Using powershell, execute the following commands
#The exact username and password for the new user created
$username="myuser"
$password="mypassword"
$hash= [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($username):$($password)"));
#Define your server uri. Note: myuser is name of my new user and mytoken is the name of new token
$uri = 'https://yourgraylogserver.company.com:12900/api/users/myuser/tokens/mytoken?pretty=true'
#Create the token, and save the response into the $token variable
$token = Invoke-RestMethod -Uri $uri -Method POST -Headers @{"Content-Type"="application/json";"Authorization" = "Basic $hash"}
#Now output the token and save it
$token

3. Now that you have created the token, remove the Admin role from the the User UI for your api user.

 

Posted in Graylog, Powershell | Tagged | Leave a comment

Office 365 Address list Recipients Missing

Posted on September 29, 2017 by

In my organization we rely heavily on Address Lists within Exchange Online. For several years people have been able to find other people within the organization by accessing the Address book within Outlook or OWA, select the department and find the person that they are looking for.

We have accomplished this by simply creating an address structure that looks similar to the following:

"\Departments" -Addresslist under the root that does not contain any recipients
"\Departments\Department1"
"\Departments\Department2"
etc

All of our Department address lists have a recipient filter similar to the following:

RecipientFilter: MemberOfGroup -eq 'CN=department,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR04A092,DC=PROD,DC=OUTLOOK,DC=COM'

 

Then one day we noticed that all of our Address Lists no longer contained any recipients!

I contacted Microsoft and spent nearly 1 1/2 days on the phone with no resolution. After analyzing my addresslists, I noticed a discrepancy between the RecipientFilter and the LdapRecipientFilter.  It has now appeared that Microsoft moved all of my Distribution groups to a new location within their Azure AD domain infrastructure.  They did update the RecipientFilter for all of my addresslists to point to the new DistinguishedName of my Distribution Groups , but somehow this did not prevent them from breaking.

AddressListIssue

Resolution

The resolution for me was to completely remove all of our custom address lists and re-create them.  Even though the RecipientFilter was correct, the LdapRecipientFilter was not correct.  And you cannot set the LdapRecipientFilter using the set-addresslist cmdlet.

#Remove all custom address lists under Departments
Get-AddressList "\Departments\*" | Remove-AddressList -Recursive

Once all the addresslists had been removed, I simply recreated them using an existing powershell script that is scheduled to run nightly. This powershell script checks for new on-premise distribution groups (mail-enabled security groups, synced with Azure AD), and then creates an address list if it doesn’t already exist.

The final step was to  “Tickle” each mailbox and mailuser as described in several articles.

https://gallery.technet.microsoft.com/PowerShell-Script-to-e33ffc0e

I hope this helps anyone with this problem. Let me know if you came across this problem and what you may have done to fix it. Thanks!

Posted in Exchange Online, Office 365 | Tagged , , | Leave a comment

Installing Cachet on Red Hat Enterprise Linux 7 (RHEL)

Posted on February 15, 2017 by

Below is my attempt at documenting the steps that I performed to successfully install Cachet on RHEL 7.  I had to use not only the official installation guide from Cachet, but several other guides provided by people who have successfully installed it on Ubuntu and Centos. Here for reference are the guides I used to install Cachet:

Install and Configure MariaDB

yum install mariadb
systemctl enable mariadb
systemctl start mariadb
#Secure the MariaDB installation and set root password
mysql_secure_installation
#Create cachet database
mysql -e "create database cachet"
#Create cachet user
mysql -e "create user 'cachet'@'localhost' identified by 'CACHET_USER_PASSWORD'"
mysql -e "grant all privileges on cachet.* to 'cachet'@'localhost'"
mysql -e "flush privileges"

Configure Additional Repositories

Enable ‘optional’ repository (rhel-7-server-optional-rpms) and the ‘extras’ repository (rhel-7-server-extras-rpms).

Do this by modifying the /etc/yum.repos.d/redhat.repo file

Look for the [rhel-7-server-optional-rpms] and [rhel-7-server-extras-rpms] sections

modify the enabled = 0 to enabled = 1 for both repositories

Install the Extra Packages for Enterprise Linux

Now install EPEL by running

yum install epel-release

Install the Remi Repository for PHP packages that are not available  with the default system repositories.

rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

Install the Cachet package dependencies

yum --enablerepo=remi,remi-php56 install php-fpm php-common php-mcrypt php-mbstring php-apcu php-xml php-pdo php-intl php-mysql php-cli php-gd git

PHP configuration

#verify installed php version(s)
rpm -qa | grep -i php
#Enable php-fpm to run at startup
systemctl enable php-fpm
#Start php-fpm
systemctl start php-fpm

By default php-fpm will listen to 127.0.0.1:9000. The listen directive “127.0.0.1:9000” will be used in the apache virtualhost config detailed below.  If you want to change this default port, modify the following file:

vi /etc/php-fpm.d/www.conf

Install Composer

curl -sS https://getcomposer.org/installer | php -- --install-dir=/bin --filename=composer

Install Cachet

Clone the Cachet Repository

cd /var/www/
git clone https://github.com/cachethq/Cachet.git
cd Cachet/
git tag -l
git checkout v2.3.9
cp -v .env.example .env

Modify the Cachet configuration file to look like the following

[user@myserver Cachet]# cat .env
APP_ENV=local
APP_DEBUG=false
APP_URL=http://myserver.mydomain.com
APP_KEY=base64:myAPPKEY448574944755NotReal383857kdhf=

DB_DRIVER=mysql
DB_HOST=127.0.0.1
DB_DATABASE=cachet
DB_USERNAME=cachet
DB_PASSWORD=myDBpassword

CACHE_DRIVER=apc
SESSION_DRIVER=apc
QUEUE_DRIVER=database

MAIL_DRIVER=smtp
MAIL_HOST=mymailserver.mydomain.com
MAIL_PORT=25
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ADDRESS=myserver@mydomain.com

Set apache user:group permissions for Cachet

chown -R apache:apache /var/www/Cachet/

Compose the site

cd /var/www/Cachet
composer install --no-dev -o

Generate a Application Key used for encryption

php artisan key:generate

Run the installer that seeds the database

php artisan app:install

Configuring Apache

Install and configure Apache service

yum install httpd
systemctl enable httpd
systemctl start httpd

Create a virtualhost configuration file called vhost.conf within the /etc/httpd/conf.d/ directory. It should look like the following:

[user@myserver Cachet]# cat /etc/httpd/conf.d/vhost.conf
<VirtualHost *:80>
    ServerName myserver.mydomain.com
    ServerAlias myserver.mydomain.com
    DocumentRoot "/var/www/Cachet/public"
    <Directory "/var/www/Cachet/public">
        Require all granted
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
<FilesMatch \.php$>
            SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
</VirtualHost>

Notice the <FilesMatch \.php$> directive. This was required in order to get php working within apache. Otherwise, you will get an error page when navigating to the cachet dashboard page.

I also modified the /etc/httpd/conf/httpd.conf file and included the DirectoryIndex index.php option.

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

Test Cachet Status Page

navigate to the following address in your browser: http://yourcachetserver.yourdomain.com

You should be redirected to the /setup page

Congratulations!!

Other useful links

EPEL

Install PHP and Apache on Red Hat

 

Posted in Cachet, Linux, PHP, RHEL7 | 3 Comments

Duo Authentication Proxy Configuration

Posted on January 3, 2017 by

The DUO authentication proxy is a quick and easy way for a business to start to test 2FA with certain important applications. A lot of software doesn’t have 2FA built in, but does offer some LDAP user/group authentication. Software such as HPE Oneview, HPE c7000/3000 chassis, HPE SSMC, Graylog, etc offer only simple ldap authentication. The use of the DUO authentication proxy enables all of these applications to utilize 2FA for authentication if the application offers you the ability to increase the ldap timeout to 60 seconds. Some applications allow you to modify their ldap timeout value, but others do not.  Graylog for example does allow you to modify the ldap timeout value, but the new version works with DUO using the default configuration.

The duo authentication proxy for the most part is pretty easy to setup. However, as soon as you start adding certificates, troubleshooting issues start to become a problem.  The good thing is that general troubleshooting is not that difficult if you enable debug logging within the authproxy.cfg file.

  1. Create a free DUO account by going to: https://signup.duo.com/
  2. Install the latest version of the authentication proxy by using the following guide:https://duo.com/docs/authproxy_reference

Use Case Scenario: LDAPS Authentication Proxy

I currently have a load balanced ldaps service that points to each of my Active Directory Domain Controllers. All of my ldap applications point to this load balanced service for their configuration.I started testing the DUO auth proxy by running the service without certificates to start, to test the configuration, and then if certain applications worked with 2FA, certificates would then be added later.  A sample configuration of my DUO auth ldap proxy service is as follows:

The Duo Authentication Proxy configuration file is named authproxy.cfg, and located in the ‘conf’ subdirectory of the proxy installation.

[main]
debug=true

[ad_client]
host=ldaps.contoso.com
service_account_username=duo_authentication_proxy
service_account_password_protected=myserviceaccountpassword
search_dn=OU=users,DC=contoso,DC=com
transport=ldaps
ssl_ca_certs_file=conf\myldapscert-SHA2.cer
port=636
ssl_verify_hostname=true
timeout=60

[ldap_server_auto]
ikey=myikey
skey=myskey
api_host=api-myapihost.duosecurity.com
failmode=safe
client=ad_client
port=636

Now you may notice a few things:

  1. I encrypted the service_account_password
  2. I have included my ssl_ca_certs_file for the ad_client section
  3. the ikey and skey keys are generated when you add the DUO ldap auth proxy application within the DUO admin interface.

In order to get the ssl_ca_certs file working properly, I had to add the entire certificate chain the my .cer file. The certificates I use contains 2 intermediate and 1 root ca certificate. I simply copied the entire certificate chain and pasted the chain above my public certificate in top down order. Before figuring out this certificate chain problem, the duo auth proxy service would fail to start.

Once I tested a few applications with my new DUO auth proxy, I decided to go ahead and add my own certificate to the Duo Auth Proxy and enable ssl connections.  My configuration is below.

ldaps configuration

[main]
debug=true

[ad_client]
host=ldaps.contoso.com
service_account_username=duo_authentication_proxy
service_account_password_protected=myserviceaccountpassword
search_dn=OU=users,DC=contoso,DC=com
transport=ldaps
ssl_ca_certs_file=conf\myldapscert-SHA2.cer
port=636
ssl_verify_hostname=true
timeout=60

[ldap_server_auto]
ikey=myikey
skey=myskey
api_host=api-myapihost.duosecurity.com
failmode=safe
client=ad_client
ssl_port=636
ssl_key_path=duoauthproxy.contoso.com.key
ssl_cert_path=duoauthproxy.contoso.com.cer

In order to get the ssl working properly, I had to add the entire certificate chain the my .cer file. The certificates I use contains 2 intermediate and 1 root ca certificate. I simply copied the entire certificate chain and pasted the chain below my public certificate. It might have been possible to add these certificates to the default http_ca_certs_file.Before figuring out this certificate chain problem, the duo auth proxy service would fail to start.

Good luck configuring your authentication proxy service, and I hope this helps anyone who might need help in the configuration.

Posted in Duo 2FA, ldaps | Leave a comment