Skip to content

Instantly share code, notes, and snippets.

View jorritfolmer's full-sized avatar

Jorrit Folmer jorritfolmer

47 followers · 0 following
View GitHub Profile
@jorritfolmer
jorritfolmer / elastic-lab-podman.md
Created November 30, 2025 11:19
Running a lab with Elasticsearch, Kibana, Fleet and Elastic Package Registry containers

0. Prep container host

This HOWTO assumes Red Hat Enterprise Linux 9.x or 10.x with Podman. Even though this is a lab, the assumptions are that the skeleton could be scaled to something in production without major reconstructions, hence the reason for the elaborate TLS incantations that could easily be replaced by requesting certificates to be signed by another Root CA.

Download containers

@jorritfolmer
jorritfolmer / memtest64.efi.md
Last active August 13, 2024 15:54
Adding memtest86+ v7 to Red Hat Enterprise Linux 9 Grub2 UEFI menu

How to add memtest86+ to the UEFI grub2 boot menu in Red Hat Enterprise Linux 9

The two methods below can be used to boot Memtest86+ from the grub2 boot loader on Red Hat Enterprise Linux 9. This is convenient when a system is located in a datacenter instead of on your desk, and has a remote console like e.g. iLO. Unfortunately the most recent Memtest86+ v7 cannot currently detect correctable ECC errors, so the only hint is very low performance in the memtest interface like the elapsed timer not updating every second. In that case EDAC errors filling up /var/log/messages are a more reliable indicator.

Using the EFI filesystem and a /etc/grub.d config file

  1. Download the Binary Files (.bin/.efi) from https://www.memtest.org
  2. Create a new directory /boot/efi/EFI/tools/
@jorritfolmer
jorritfolmer / com.example.tmpwatch.plist
Created September 24, 2023 08:56
Launchd plist for tmpwatch via Brew on macOS
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.tmpwatch</string>
<key>ProgramArguments</key>
<array>
<string>/opt/homebrew/sbin/tmpwatch</string>
<string>--mtime</string>
@jorritfolmer
jorritfolmer / rsyslog-server.md
Created December 5, 2022 13:12
Syslog server for Splunk

Generic syslog building block

The rsyslog config below realises a reusable building block to onboard syslog data, for example into Splunk. It assumes an on-prem enterprise environment and uses the file system as a buffer/queue to decouple syslog senders from a receiver like Splunk Universal Forwarder (UF). This way you can restart Splunk UF without any data loss.

The following four configuration files ensure:

  • Reception of syslog into one log file for every source IP address.
  • Fitness for a high volume syslog setup by having rsyslog NOT throttle
  • Least privilege for Splunk UF by having rsyslog create files with appropriate umask and group
  • Retention of all log files for 1 day to prevent availability issues from "disk full" scenarios
@jorritfolmer
jorritfolmer / securonix-rin-installation.md
Last active December 21, 2021 15:53
Securonix RIN installation

Securonix RIN installation

Prerequisites

You need at least 8 GB of RAM for the installation to succeed. If not, the installer will give you weird errors. See below for the difference in output between a successful and unsuccessful installation.

Replace a1redacted-abcd` with your own tenant name and code.

Preparation

@jorritfolmer
jorritfolmer / mounting-azure-blob-storage-defender-telemetry-blobfuse.md
Last active October 5, 2021 13:26
Mounting Defender for Endpoint Telemetry Azure Blob Storage in Linux using blobfuse

Mounting Defender for Endpoint Telemetry data on Linux

Defender Telemetry data can be persisted in Azure Blob Storage. This results in datetimestamped directories containing JSON files.

Why?

So you can easily Splunk, gzip or jq some of your telemetry data

How?

@jorritfolmer
jorritfolmer / offline_windows_lab_from_scratch.md
Last active December 30, 2021 09:18
Installing an offline lab with Windows Server 2019 AD, Windows 10 Pro and Office from scratch
@jorritfolmer
jorritfolmer / mitre-edr-evals-carbanak-fin7-to-splunk.md
Last active January 23, 2022 11:31
Onboarding MITRE EDR evaluations round 3 (Carbanak+FIN7) into Splunk

MITRE EDR evaluations round 3

For easier Splunking use the steps and Python script below.

Download MITRE EDR json files

wget https://attackevals.mitre-engenuity.org/downloadable_JSON/AhnLab_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Bitdefender_Results.json
wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CheckPoint_Results.json
@jorritfolmer
jorritfolmer / pelican-tailwind-css.md
Last active August 4, 2025 07:46
Pelican with Tailwind CSS

How to use Tailwind CSS with Pelican

These steps show how to install Tailwind CSS in a Pelican project, purge and minify it so you don't have to reference a 3+ MB CSS file but only several kB.

  1. virtualenv venv
  2. . venv/bin/activate
  3. pip install nodeenv
  4. nodeenv env
  5. . env/bin/activate
  6. npm install postcss postcss-cli autoprefixer tailwindcss purgecss cssnano
@jorritfolmer
jorritfolmer / gist:c421749cd1520b8e2425bd80dc7f25de
Created February 16, 2021 09:09
Regex to parse AWS Route53 DNS logging in Splunk via CloudWatch logs

AWS Route53 DNS logging via CloudWatch Logs

^\S+ \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d+Z \S+ (?<query>\S+) (?<record_type>\S+) (?<reply_code>\S+) (?<transport>\w+) (?<dest>\S+) (?<src>\S+) (?<vendor_edns_client_subnet>\S+)