Brians Tech Tips
Monday, 11 August 2025
SentinelOne Log Collector for Fortigate with Windows
Get your API Key:
Open your SentinelOne dashboard, go to Policy and Settings, API Keys (Under Singularity AI SIEM), click the Add Key button and choose to make a Write Key. Save this key for later.
Install the Fortigate Parser:
At the top of your dashboard, click Marketplace. Find the Fortigate Firewall option and add it to your account (at the top level, or for an individual site; make sure your API key was created at the same level).
Install the agent:
1. Download and install the .msi from
https://app.scalyr.com/scalyr-repo/stable/latest/ScalyrAgentInstaller-2.2.16.msi
2. As administrator, open C:\Program Files (x86)\Scalyr\config\agent.json
3. Set the api_key value to the API key you made before
4. Within the Monitors portion of the agent file, put in the following:
monitors: [
  {
    module: "scalyr_agent.builtin_monitors.syslog_monitor",
    protocols: "tcp:601, udp:514",
    accept_remote_connections: true,
    message_log: "fortinet.log",
    parser: "marketplace-fortinetfortigate-latest"
  }
]
Configure for SentinelOne:
1. As administrator, create a new file
C:\Program Files (x86)\Scalyr\config\agent.d\settings_server.json with the following contents:
{
  scalyr_server: "https://xdr.us1.sentinelone.net"
}
3. Configure the firewall to send syslog to the IP address or hostname of the server the agent is running on.
(On 7.4 this is under Log and Report, Log Settings, then the Syslog Logging option.)
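Two things the steps above leave implicit: accept_remote_connections: true makes the agent listen on every interface, so Windows Firewall is what decides who can inject log lines, and the inbound rules have to exist before the firewall's syslog will arrive. The following PowerShell is an added example (not from the post or from SentinelOne/Scalyr) that opens udp/514 and tcp/601 only to the FortiGate's address, checks the agent is actually listening, and sends one constructed test line to the local listener. The FortiGate address is a placeholder; run from an elevated PowerShell.

```powershell
# Added example (not part of the post). Placeholder address from TEST-NET-1;
# replace with the source IP the FortiGate logs from.
$FortiGateIp = '192.0.2.10'

function Add-SyslogInboundRule {
    # Scope the rules to the FortiGate only: the agent binds all interfaces,
    # so the firewall rule is the only thing limiting who may send logs.
    param([Parameter(Mandatory)][string] $RemoteAddress)
    $rules = @(
        @{ Name = 'Scalyr syslog UDP 514'; Protocol = 'UDP'; Port = 514 },
        @{ Name = 'Scalyr syslog TCP 601'; Protocol = 'TCP'; Port = 601 }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
                -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $RemoteAddress `
                -Profile Any | Out-Null
        }
    }
}

function Test-SyslogListener {
    # $true for each listener the monitors block in agent.json asks for.
    $udp = Get-NetUDPEndpoint -LocalPort 514 -ErrorAction SilentlyContinue
    $tcp = Get-NetTCPConnection -LocalPort 601 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{ Udp514 = [bool]$udp; Tcp601 = [bool]$tcp }
}

function Send-TestSyslog {
    # Sends one constructed FortiGate-style key=value line over UDP so you can
    # confirm it shows up in fortinet.log before repointing the real firewall.
    param([string] $Target = '127.0.0.1', [int] $Port = 514)
    $now = Get-Date
    $msg = '<134>' + $now.ToString('MMM dd HH:mm:ss') + ' FGT-TEST ' +
           'date=' + $now.ToString('yyyy-MM-dd') + ' time=' + $now.ToString('HH:mm:ss') +
           ' devname="FGT-TEST" type="traffic" subtype="forward" action="accept"' +
           ' msg="constructed test event"'
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($msg)
    $client = New-Object System.Net.Sockets.UdpClient
    try { [void]$client.Send($bytes, $bytes.Length, $Target, $Port) }
    finally { $client.Close() }
}

Add-SyslogInboundRule -RemoteAddress $FortiGateIp
Test-SyslogListener
Send-TestSyslog
```

If Test-SyslogListener reports $false for either port after the agent service has been restarted, the agent.json edit (or the api_key) is the place to look, not the FortiGate.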
Wednesday, 9 July 2025
Graylog 6.3.1 on Synology DSM 7.2.2
Below is the Docker Compose script to set up Graylog. Copy and paste this, then make a new Project with this script. The default password I used was changeme123, but I strongly encourage you to generate your own SHA256 hash and replace the "GRAYLOG_ROOT_PASSWORD_SHA2" field with it.
Once it has been built and is running, you must go into the graylog-1 container and open the log. At the top it should have a randomly generated username and password that is needed for a pre-install configuration page available on port 9000.
Note: for this to work on Synology you MUST have this environment variable set as included below:
opensearch.bootstrap.system_call_filter: false
# For DataNode setup, graylog starts with a preflight UI, this is a change from just using OpenSearch/Elasticsearch.
# Please take a look at the README at the top of this repo or the regular docs for more info.
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongodb:
    image: "mongo:7.0.21"
    restart: "on-failure"
    networks:
      - graylog
    volumes:
      - "mongodb_data:/data/db"
      - "mongodb_config:/data/configdb"

  # For DataNode setup, graylog starts with a preflight UI, this is a change from just using OpenSearch/Elasticsearch.
  # Please take a look at the README at the top of this repo or the regular docs for more info.
  # Graylog Data Node: https://hub.docker.com/r/graylog/graylog-datanode
  datanode:
    image: "${DATANODE_IMAGE:-graylog/graylog-datanode:6.3.1}"
    hostname: "datanode"
    environment:
      GRAYLOG_DATANODE_NODE_ID_FILE: "/var/lib/graylog-datanode/node-id"
      # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
      GRAYLOG_DATANODE_PASSWORD_SECRET: "27566328401b278558782c47432b2fc788045d8b87dbd7563b48b3e4d36fbd87"
      GRAYLOG_DATANODE_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      opensearch.bootstrap.system_call_filter: false
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - "8999:8999/tcp"   # DataNode API
      - "9200:9200/tcp"
      - "9300:9300/tcp"
    networks:
      - graylog
    volumes:
      - "graylog-datanode:/var/lib/graylog-datanode"
    restart: "on-failure"

  # Graylog: https://hub.docker.com/r/graylog/graylog-enterprise
  graylog:
    hostname: "server"
    image: "${GRAYLOG_IMAGE:-graylog/graylog:6.3.1}"
    depends_on:
      mongodb:
        condition: "service_started"
      datanode:
        condition: "service_started"
    entrypoint: "/usr/bin/tini -- /docker-entrypoint.sh"
    environment:
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
      # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
      GRAYLOG_PASSWORD_SECRET: "27566328401b278558782c47432b2fc788045d8b87dbd7563b48b3e4d36fbd87"
      GRAYLOG_ROOT_PASSWORD_SHA2: "494a715f7e9b4071aca61bac42ca858a309524e5864f0920030862a4ae7589be"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    ports:
      - "5044:5044/tcp"     # Beats
      - "5140:5140/udp"     # Syslog
      - "5140:5140/tcp"     # Syslog
      - "5555:5555/tcp"     # RAW TCP
      - "5555:5555/udp"     # RAW UDP
      - "9000:9000/tcp"     # Server API
      - "12201:12201/tcp"   # GELF TCP
      - "12201:12201/udp"   # GELF UDP
      #- "10000:10000/tcp"  # Custom TCP port
      #- "10000:10000/udp"  # Custom UDP port
      - "13301:13301/tcp"   # Forwarder data
      - "13302:13302/tcp"   # Forwarder config
    networks:
      - graylog
    volumes:
      - "graylog_data:/usr/share/graylog/data/data"
    restart: "on-failure"

networks:
  graylog:
    driver: "bridge"

volumes:
  mongodb_data:
  mongodb_config:
  graylog-datanode:
  graylog_data:
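The compose file above ships with a published GRAYLOG_PASSWORD_SECRET and a root password hash that anyone reading this page knows. The post already says to replace the hash; the password secret deserves the same treatment, since it is what Graylog uses to encrypt stored credentials. The following PowerShell is an added example (not part of the post or of the Graylog project) that generates a fresh secret, computes the hex SHA-256 Graylog expects for GRAYLOG_ROOT_PASSWORD_SHA2, and rewrites all three keys in a saved copy of the compose file so both *_PASSWORD_SECRET values stay identical, as the comments in the file require. The file path is an assumption.

```powershell
# Added example (not from the post or the Graylog project).

function New-GraylogPasswordSecret {
    # Graylog requires password_secret to be at least 16 characters; 48 random
    # bytes rendered as hex gives 96, the same length as the value in the post.
    param([int] $ByteCount = 48)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

function Get-GraylogRootPasswordSha2 {
    # GRAYLOG_ROOT_PASSWORD_SHA2 is the lowercase hex SHA-256 of the admin
    # password, the same thing "echo -n <password> | sha256sum" prints on Linux.
    param([Parameter(Mandatory)][string] $Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password)) }
    finally { $sha.Dispose() }
    -join ($hash | ForEach-Object { $_.ToString('x2') })
}

function Update-GraylogComposeSecrets {
    # Replaces the quoted values of GRAYLOG_DATANODE_PASSWORD_SECRET,
    # GRAYLOG_PASSWORD_SECRET and GRAYLOG_ROOT_PASSWORD_SHA2 in place.
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $AdminPassword
    )
    $secret = New-GraylogPasswordSecret
    $hash   = Get-GraylogRootPasswordSha2 -Password $AdminPassword
    $yaml   = Get-Content -Path $Path -Raw
    # ${1}/${2} keep the "KEY: " prefix and closing quote; the regex matches
    # both the datanode and the server variant of the password secret key.
    $yaml = $yaml -replace '(GRAYLOG(?:_DATANODE)?_PASSWORD_SECRET:\s*")[^"]*(")', ('${1}' + $secret + '${2}')
    $yaml = $yaml -replace '(GRAYLOG_ROOT_PASSWORD_SHA2:\s*")[^"]*(")',          ('${1}' + $hash + '${2}')
    Set-Content -Path $Path -Value $yaml -NoNewline
    [pscustomobject]@{ PasswordSecret = $secret; RootPasswordSha2 = $hash }
}

# Path is an assumption: wherever you saved the compose text from the post.
# Read-Host keeps the admin password out of the shell history.
$result = Update-GraylogComposeSecrets -Path '.\docker-compose.yml' `
                                       -AdminPassword (Read-Host 'Graylog admin password')
$result
```

Keep the returned PasswordSecret somewhere safe: Graylog cannot decrypt previously stored credentials if it changes later, and the datanode will refuse to join if its copy differs from the server's.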
Monday, 13 January 2025
VCenter Remediation fails with HPE Oneview SPP image
If a VMware host is failing remediation after adding the HPE Firmware and Drivers Addon, most likely Smart Update Tools (SUT) isn't configured correctly.
On the impacted host enable SSH and connect, then run the command:
sut -set mode=AutoDeploy
This might take a minute to run and appear to not be doing anything; just wait. Once complete, it should immediately be ready to go.
If SUT isn't installed, make sure the HPE Customization for HPE Servers is installed in the image.
You can verify the current mode by running:
sut -exportconfig
Wednesday, 16 August 2023
Deploy Chocolatey packages with Microsoft Intune
Deploying Chocolatey packages using Intune
7. For dependencies ideally you would have Chocolatey as a package and add it here, but that is optional.
Friday, 6 September 2019
Veeam Backup Failure after Hyper-V conversion to VMware
Failed to prepare guest for hot backup. Error: VSSControl: -2147212529 Backup job failed.
Discovery phase failed.
Cannot add volumes to the snapshot set.
Cannot add a volume to the snapshot set. Volume name: [\\?\Volume{xxxxxxxxxx}\].
Cannot add volume to the set of volumes that should be shadowed.
VSS error: VSS_E_UNEXPECTED_PROVIDER_ERROR. Code:0x8004230f
This occurs when Guest Processing File System Indexing is enabled on the backup.
The fix for us was that the Hyper-V VSS provider was still installed. To remove this, all you need to do is:
- Open Regedit
- Browse to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\
- Find {74600e39-7dc5-4567-a03b-f091d6c7b092} (If you expand it, the default value is "Hyper-V IC Software Shadow Copy Provider")
- Delete the entirety of the {74600e39-7dc5-4567-a03b-f091d6c7b092} key (NOT the VSS or Providers keys)
- Reboot
Run the backup again, and this time it should complete. If not, or if that key doesn't exist, then you have an unrelated VSS issue and you can get further info from a command prompt with the following command:
vssadmin list writers
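Deleting a key under Services\VSS by hand is easy to get wrong (the post's warning about not deleting the Providers key itself is there for a reason). The following PowerShell is an added example, not part of the post, that lists every registered VSS provider with its (default) name, flags the Hyper-V IC provider by the GUID given above, exports that key with reg.exe before touching it, and only removes it when you drop -WhatIf. Run from an elevated PowerShell inside the converted guest.

```powershell
# Added example (not from the post). GUID is the one the post identifies.
$VssProvidersPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\Providers'
$HyperVIcProviderGuid = '{74600e39-7dc5-4567-a03b-f091d6c7b092}'

function Get-VssProvider {
    # One object per provider subkey; Name is the subkey's (default) value,
    # e.g. "Hyper-V IC Software Shadow Copy Provider".
    Get-ChildItem -Path $VssProvidersPath | ForEach-Object {
        [pscustomobject]@{
            Guid       = $_.PSChildName
            Name       = $_.GetValue('')
            IsHyperVIc = ($_.PSChildName -ieq $HyperVIcProviderGuid)
        }
    }
}

function Remove-HyperVIcVssProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $BackupDir = $env:TEMP)
    $key = Join-Path $VssProvidersPath $HyperVIcProviderGuid
    if (-not (Test-Path -Path $key)) {
        Write-Warning 'Hyper-V IC provider key not present; look at "vssadmin list writers" instead.'
        return $false
    }
    # Export first so the change can be reverted with: reg import <file>
    $backup  = Join-Path $BackupDir 'HyperV-IC-VSS-Provider.reg'
    $regPath = "HKLM\SYSTEM\CurrentControlSet\Services\VSS\Providers\$HyperVIcProviderGuid"
    reg.exe export $regPath $backup /y | Out-Null
    if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
        # -Recurse removes only this provider's subtree, never Providers or VSS.
        Remove-Item -Path $key -Recurse -Force
        return $true
    }
    return $false
}

Get-VssProvider | Format-Table -AutoSize
Remove-HyperVIcVssProvider -WhatIf      # rehearse, then run without -WhatIf and reboot
```

After the reboot, "vssadmin list providers" should no longer show the Hyper-V entry; if the backup still fails, "vssadmin list writers" is the next thing to read, exactly as the post says.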
Wednesday, 4 September 2019
Steps for converting Hyper-V to VMware using VCenter Converter
14) Uninstall VCenter Converter software
netsh interface ip dump >> c:\temp\NetworkSettings.txt
Monday, 4 December 2017
Powershell - Wait for process from current user
$user = "$env:USERDOMAIN\$env:USERNAME"
$proc = Get-Process -Name notepad -IncludeUserName | where {$_.UserName -eq $user}
Wait-Process -InputObject $proc
That will look for all instances of notepad running under the current user, and wait for all of them to terminate before continuing.
Super useful when waiting for something like msiexec.
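Two edge cases in the snippet above bite in practice: if no matching process exists, $proc is $null and Wait-Process -InputObject fails, and if the process hangs the script waits forever. The following PowerShell is an added example, not from the post, that wraps the same idea in a function with a timeout and a clean result either way.

```powershell
# Added example (not from the post): wait for the current user's instances of a
# process, tolerating "none running" and giving up after a timeout.
function Wait-UserProcess {
    param(
        [Parameter(Mandatory)][string] $Name,                  # e.g. 'msiexec'
        [int]    $TimeoutSeconds = 600,
        [string] $UserName = "$env:USERDOMAIN\$env:USERNAME"
    )
    # -IncludeUserName needs an elevated session; without it UserName is empty
    # and nothing matches, which this function reports as Count = 0.
    $procs = @(Get-Process -Name $Name -IncludeUserName -ErrorAction SilentlyContinue |
               Where-Object { $_.UserName -eq $UserName })
    if ($procs.Count -eq 0) {
        return [pscustomobject]@{ Name = $Name; Count = 0; Waited = $false; TimedOut = $false }
    }
    $timedOut = $false
    try {
        # -InputObject works on Process objects, so a process that exits between
        # Get-Process and here is simply treated as already finished.
        Wait-Process -InputObject $procs -Timeout $TimeoutSeconds -ErrorAction Stop
    } catch {
        # Wait-Process reports an expired timeout as an error; treat it as such.
        $timedOut = $true
    }
    [pscustomobject]@{ Name = $Name; Count = $procs.Count; Waited = $true; TimedOut = $timedOut }
}

$r = Wait-UserProcess -Name 'msiexec' -TimeoutSeconds 900
if ($r.TimedOut) { Write-Warning "$($r.Count) $($r.Name) process(es) still running after 900 s" }
```

Check TimedOut before assuming the install finished; a timeout usually means an installer is sitting on a hidden dialog rather than a slow disk.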