Versions Compared

Old Version 13

changes.mady.by.user John

Saved on

compared with

New Version 14

changes.mady.by.user John

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
collapsetrue
--2021-07-02 10:47:00--  https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3184 (3.1K) [text/plain]
Saving to: 'onboard_agent.sh'
...
Shell bundle exiting with code 0

Uninstall

Code Block
$ sudo /opt/microsoft/omsagent/bin/uninstall



Query Examples

Code Block
Syslog
| where Facility in ("authpriv","auth")
| extend c = extract( "Accepted\\s(publickey|password|keyboard-interactive/pam)\\sfor ([^\\s]+)",1,SyslogMessage)
| where isnotempty(c)
| count 


Syslog
| where Facility in ("authpriv","auth")
| where SyslogMessage contains "authentication failure "
| count 


// Search in multiple tables 
// Search both Syslog and Event tables for the term "login". 
search in (Syslog, Event) "authentication failure"
| where TimeGenerated > ago(24h) // return records from the last 24 hours

// All Syslog with errors 
// Last 100 Syslog with erros. 
Syslog 
| where SeverityLevel == "err" or  SeverityLevel == "error"
| top 100 by TimeGenerated desc


//login errors
Syslog 
| where SeverityLevel == "err" or  SeverityLevel == "error"
| where Facility  == "auth"
| where SyslogMessage contains "kex_exchange_identification"

//any auth errors
Syslog 
| where SeverityLevel == "err" or  SeverityLevel == "error"
| where Facility  == "auth"
| count

//failed login
Syslog 
| where Facility  == "auth"
| where SyslogMessage contains "Failed password"
| order by EventTime asc  
| count


//failed login with extraction of fields
Syslog
| where Facility  == "auth"
| where SyslogMessage contains "Failed password"
| extend user = extract("Failed password for invalid user (.*) from (.*) port (.*) (.*)", 1, SyslogMessage, typeof(string))  
| extend remoteIp = extract("Failed password for invalid user (.*) from (.*) port (.*) (.*)", 2, SyslogMessage, typeof(string))  
| extend port = extract("Failed password for invalid user (.*) from (.*) port (.*) (.*)", 3, SyslogMessage, typeof(string))  
| extend protocol = extract("Failed password for invalid user (.*) from (.*) port (.*) (.*)", 4, SyslogMessage, typeof(string))  
| order by EventTime asc

...