Wednesday, 9 July 2025

Graylog 6.3.1 on Synology DSM 7.2.2

Below is the Docker Compose script to set up Graylog. Copy and paste this, then make a new Project with this script. The default password I used was changeme123, but I strongly encourage you to generate your own SHA256 hash and replace the "GRAYLOG_ROOT_PASSWORD_SHA2" field with it.

Once it has been built and is running, you must go into the graylog-1 container and open the log. At the top it should have a randomly generated username and password that are needed for the pre-install configuration page available on port 9000.

Note: for this to work on Synology you MUST have this environment variable, as included below:

opensearch.bootstrap.system_call_filter: false

 

# For DataNode setup, graylog starts with a preflight UI, this is a change from just using OpenSearch/Elasticsearch.
# Please take a look at the README at the top of this repo or the regular docs for more info.

services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongodb:
    image: "mongo:7.0.21"  
    restart: "on-failure"
    networks:
      - graylog
    volumes:
      - "mongodb_data:/data/db"
      - "mongodb_config:/data/configdb"  

  # For DataNode setup, graylog starts with a preflight UI, this is a change from just using OpenSearch/Elasticsearch.
  # Please take a look at the README at the top of this repo or the regular docs for more info.
  # Graylog Data Node: https://hub.docker.com/r/graylog/graylog-datanode
  datanode:
    image: "${DATANODE_IMAGE:-graylog/graylog-datanode:6.3.1}"
    hostname: "datanode"
    environment:
      GRAYLOG_DATANODE_NODE_ID_FILE: "/var/lib/graylog-datanode/node-id"
      # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
      GRAYLOG_DATANODE_PASSWORD_SECRET: "27566328401b278558782c47432b2fc788045d8b87dbd7563b48b3e4d36fbd87"
      GRAYLOG_DATANODE_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      opensearch.bootstrap.system_call_filter: false
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - "8999:8999/tcp"   # DataNode API
      - "9200:9200/tcp"
      - "9300:9300/tcp"
    networks:
      - graylog  
    volumes:
      - "graylog-datanode:/var/lib/graylog-datanode"
    restart: "on-failure"

  # Graylog: https://hub.docker.com/r/graylog/graylog-enterprise
  graylog:
    hostname: "server"
    image: "${GRAYLOG_IMAGE:-graylog/graylog:6.3.1}"
    depends_on:
      mongodb:
        condition: "service_started"
      datanode:
        condition: "service_started"
    entrypoint: "/usr/bin/tini --  /docker-entrypoint.sh"
    environment:
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
      # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
      GRAYLOG_PASSWORD_SECRET: "27566328401b278558782c47432b2fc788045d8b87dbd7563b48b3e4d36fbd87"
      GRAYLOG_ROOT_PASSWORD_SHA2: "494a715f7e9b4071aca61bac42ca858a309524e5864f0920030862a4ae7589be"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    ports:
    - "5044:5044/tcp"   # Beats
    - "5140:5140/udp"   # Syslog
    - "5140:5140/tcp"   # Syslog
    - "5555:5555/tcp"   # RAW TCP
    - "5555:5555/udp"   # RAW UDP
    - "9000:9000/tcp"   # Server API
    - "12201:12201/tcp" # GELF TCP
    - "12201:12201/udp" # GELF UDP
    #- "10000:10000/tcp" # Custom TCP port
    #- "10000:10000/udp" # Custom UDP port
    - "13301:13301/tcp" # Forwarder data
    - "13302:13302/tcp" # Forwarder config
    networks:
      - graylog
    volumes:
      - "graylog_data:/usr/share/graylog/data/data"
    restart: "on-failure"

networks:
  graylog:
    driver: "bridge"

volumes:
  mongodb_data:
  mongodb_config:
  graylog-datanode:
  graylog_data:
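
The compose file above carries a GRAYLOG_PASSWORD_SECRET and a GRAYLOG_ROOT_PASSWORD_SHA2 that are published on this page, so both should be replaced before the stack is first started. The script below is an added example, not part of the original post or of Graylog's own tooling: it generates a new secret and password hash and rewrites a compose file that still contains the published values. The function names are hypothetical, and it assumes sha256sum, od and /dev/urandom are available.

```sh
#!/bin/sh
# Added example. The two PUBLISHED_* values are copied from the compose file
# above; the function names are hypothetical.
PUBLISHED_SECRET="27566328401b278558782c47432b2fc788045d8b87dbd7563b48b3e4d36fbd87"
PUBLISHED_ROOT_HASH="494a715f7e9b4071aca61bac42ca858a309524e5864f0920030862a4ae7589be"

# SHA-256 of the password exactly as typed; printf avoids hashing a newline.
root_password_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 32 random bytes as 64 hex characters, used for both *_PASSWORD_SECRET fields.
new_password_secret() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Print (with line numbers) every line that still carries a published value.
# Exit status 0 means at least one was found, 1 means the file is clean.
find_published_values() {
    grep -n -e "$PUBLISHED_SECRET" -e "$PUBLISHED_ROOT_HASH" "$1"
}

# Rewrite the file so both secret fields share one new value and the root
# hash matches the chosen password. Values are hex, so they are safe in sed.
rotate_compose_secrets() {
    file=$1
    secret=$(new_password_secret)
    hash=$(root_password_sha2 "$2")
    sed -e "s/$PUBLISHED_SECRET/$secret/g" \
        -e "s/$PUBLISHED_ROOT_HASH/$hash/g" "$file" > "$file.new" &&
        mv "$file.new" "$file"
}

# Usage: sh rotate-secrets.sh docker-compose.yml   (password is read from stdin)
if [ $# -eq 1 ]; then
    printf 'New admin password: ' >&2
    IFS= read -r pw
    rotate_compose_secrets "$1" "$pw" && ! find_published_values "$1"
fi
```

Because the same generated value replaces every occurrence of the published secret, GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET stay identical, as the comments in the compose file require.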


 

Monday, 13 January 2025

VCenter Remediation fails with HPE Oneview SPP image

If a VMware host is failing remediation after adding the HPE Firmware and Drivers Addon, most likely Smart Update Tools (SUT) isn't configured correctly.


On the impacted host enable SSH and connect, then run the command:


sut -set mode=AutoDeploy

 

This might take a minute to run and appear to not be doing anything, just wait. Once complete it should immediately be ready to go. 

 If SUT isn't installed, make sure the HPE Customization for HPE Servers is installed in the image. 


You can verify the current mode by running:


sut -exportconfig

 

Wednesday, 16 August 2023

Deploy Chocolatey packages with Microsoft Intune

 Deploying Chocolatey packages using Intune

Let me start by saying this is currently working with Chocolatey version 2.2.2 in August of 2023.


To deploy Chocolatey packages using Intune, three scripts are required: install.ps1, uninstall.ps1, and detection.ps1.

These three scripts along with a pre-compiled .intunewin file are available at this url:


To set up the package, follow these steps:

1. Add a new Windows App (Win32)
2. Upload the .intunewin file
3. Change the Name, Description, and add the Publisher. I like to fill in the information on this page, but that is optional.



4. On the Program tab, enter this for the Install Command:

powershell.exe -ExecutionPolicy Bypass -file ./install.ps1 {packagename} 

 Then enter this for the Uninstall Command:

powershell.exe -ExecutionPolicy Bypass -file ./uninstall.ps1 {packagename}

Your page should look like this:


5. For the Requirements page, I usually just choose 64-bit and an old build of Windows.

6. For the Detection Rules, you need to modify the detection.ps1 script with the name of the package and then upload it here under the "Use a custom detection script" option.



7. For dependencies ideally you would have Chocolatey as a package and add it here, but that is optional. 

8. Under assignments choose who will get this package and then you are done!

Enjoy having one click self updating deployments using Intune and Chocolatey!


Friday, 6 September 2019

Veeam Backup Failure after Hyper-V conversion to VMware

Relevant Errors:
 
Failed to prepare guest for hot backup. Error: VSSControl: -2147212529 Backup job failed.
Discovery phase failed.
Cannot add volumes to the snapshot set.
Cannot add a volume to the snapshot set. Volume name: [\\?\Volume{xxxxxxxxxx}\].
Cannot add volume to the set of volumes that should be shadowed.
VSS error: VSS_E_UNEXPECTED_PROVIDER_ERROR. Code:0x8004230f



This occurs when Guest Processing File System Indexing is enabled on the backup.

The fix for us was that the Hyper-V VSS provider was still installed. To remove this, all you need to do is:

  1. Open Regedit
  2. Browse to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\
  3.  Find {74600e39-7dc5-4567-a03b-f091d6c7b092} (If you expand it, the default value is "Hyper-V IC Software Shadow Copy Provider")
  4. Delete the entirety of the {74600e39-7dc5-4567-a03b-f091d6c7b092} key (NOT the VSS or Providers keys)
  5. Reboot

Run the backup again, and this time it should complete. If not, or if that key doesn't exist, then you have an unrelated VSS issue and you can get further info from command prompt with the following command:
vssadmin list writers




Wednesday, 4 September 2019

Steps for converting Hyper-V to VMware using VCenter Converter


1)      Install VCenter Converter Standalone
2)      Convert local machine
            a)       Choose relevant VCenter server
            b)      Choose appropriate VM Folder
            c)       Choose appropriate VM Storage
            d)      Edit “Data to Copy”, choose advanced, open Destination Layout, and change disks to Thin
            e)      Remove the NIC under networks (Will re-add different type later)
            f)        Enable “Synchronize Changes” under Advanced Operations. Uncheck “Perform Final Sync”
3)      Run "BackupNetwork.bat", verify c:\temp has the network adapter settings dumped.
4)      After the initial sync is complete and you are ready to make the cutover, right-click the job in VCenter Converter and choose Synchronize.
            a)       Under Advanced Options, choose Edit and select “Perform Final Sync”
5)      Immediately after the final sync is complete, shut down the Source VM
6)      Power on the VMware VM
7)      Edit the VMware VM and add a network adapter
           a)       Choose the VM Network on the appropriate VLAN
           b)      Change adapter type to VMXNET3
8)      Let the check disk run
9)      Mount VMware tools and log in
10)   Install VMware tools
11)   Configure IP settings on network adapters once they show up as per the backup
12)   Reboot
13)   Done? Verify services working
14) Uninstall VCenter Converter software

Optional step: Copy the MAC address from Hyper-V into VMware



The contents of backupnetwork.bat:

mkdir c:\temp
netsh interface ip dump >> c:\temp\NetworkSettings.txt

Monday, 4 December 2017

Powershell - Wait for process from current user

After much searching online I couldn't find a way to do this without WMI and a bunch of extra work... So I figured this out. Tested and working in Windows 10 at least.

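# Get-Process reports UserName as DOMAIN\user, so build the same form to compare against
$user = "$env:USERDOMAIN\$env:USERNAME"
$proc = Get-Process -Name notepad -IncludeUserName -ErrorAction SilentlyContinue | Where-Object { $_.UserName -eq $user }
# Wait-Process rejects a null InputObject, so only wait when something matched
if ($proc) { Wait-Process -InputObject $proc }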


That will look for all instances of notepad running under the current user, and wait for all of them to terminate before continuing.

Super useful when waiting for something like msiexec

Tuesday, 17 October 2017

Citrix VDA memory Cache - Enabled on non PVS or MCS server

Apparently a known issue, for me encountered in 7.12 with no fix as of 7.15

To resolve, either boot into a recovery environment or load the filesystem offline on another machine, then load the System registry hive into regedit.

Make the following changes:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet00x\Services\CtxMcsWbc  startup to 4 (For both 001 and 002)

Additionally (Again in both):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet00x\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318} Delete CtxMcsWbc from upper filters

Then unload the hive from regedit, and reboot the machine. You should once again have a persistent filesystem.
