Event log contents by email on an event log trigger


Scenario: you need an alert email when specific events occur on a critical or production server.

Solution:

Step 1: Identify the event that should trigger the alert.

Step 2: Open Task Scheduler, select Event Viewer Tasks and create a new task.

Step 3: Name the task and select “Run whether user is logged on or not” and “Run with highest privileges”.

Step 4: Under Triggers, set “Begin the task” to “On an event” and select the log, source and event ID of the event identified in Step 1.

Step 5: Under Actions, add two actions.

  1. Run a script that writes a copy of the required event to a text file; this is the first action the scheduler performs.

Script to run: save the following as Query.cmd

  rem Remove the previous copy so the attachment only holds the current query result
  if exist %temp%\Logonfailure.txt del %temp%\Logonfailure.txt
  rem Dump all Security-log events with Event ID 4625 (failed logon), newest first, as text
  wevtutil query-events Security /rd:true /format:text /q:"Event[System[(EventID=4625)]]" > %temp%\Logonfailure.txt

  2. Add a second action that sends an email to the required recipient with the query log (%temp%\Logonfailure.txt) attached.
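As an added example (not part of the original post), the following Python script post-processes the text file that Query.cmd writes and turns it into a short summary of failed logons per source address and per account, which can go into the email body alongside the raw attachment. The script, its constructed sample input, the PRODSRV01.example.local computer name and the 10.0.0.x addresses are assumptions, not values from the page; it is written against the plain-text layout that wevtutil /format:text produces for event 4625.

```python
"""Summarise the failed-logon (4625) events that Query.cmd dumps to a text file.

Added example (not part of the original post): parses the plain-text output of
`wevtutil query-events Security /format:text` and aggregates failures per source
address and per target account. The sample input is constructed; the field
labels follow the text form of event 4625 as wevtutil prints it.
"""
import re
from collections import Counter


def _sample_event(index, when, account, source, reason):
    """Build one constructed event block in the layout wevtutil /format:text emits."""
    return (
        f"Event[{index}]:\n"
        "  Log Name: Security\n"
        "  Source: Microsoft-Windows-Security-Auditing\n"
        f"  Date: {when}\n"
        "  Event ID: 4625\n"
        "  Task: Logon\n"
        "  Level: Information\n"
        "  Keyword: Audit Failure\n"
        "  Computer: PRODSRV01.example.local\n"
        "  Description:\n"
        "An account failed to log on.\n\n"
        "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\n"
        "Logon Type:\t\t\t3\n\n"
        "Account For Which Logon Failed:\n"
        f"\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tEXAMPLE\n\n"
        f"Failure Information:\n\tFailure Reason:\t\t{reason}\n"
        "\tStatus:\t\t\t0xC000006D\n\n"
        "Network Information:\n\tWorkstation Name:\tWS-UNKNOWN\n"
        f"\tSource Network Address:\t{source}\n\tSource Port:\t\t49152\n\n"
    )


# Constructed stand-in for %temp%\Logonfailure.txt: three failures, two from one address.
SAMPLE = "".join([
    _sample_event(0, "2016-03-01T10:15:22.000", "administrator", "10.0.0.5", "Unknown user name or bad password."),
    _sample_event(1, "2016-03-01T10:15:25.000", "backup", "10.0.0.5", "Unknown user name or bad password."),
    _sample_event(2, "2016-03-01T10:16:40.000", "jsmith", "10.0.0.9", "Unknown user name or bad password."),
])

# Each event block starts with "Event[N]:" on its own line.
_EVENT_SPLIT = re.compile(r"^Event\[\d+\]:\s*$", re.M)


def _field(pattern, chunk, default="?"):
    m = re.search(pattern, chunk, re.S)
    return m.group(1).strip() if m else default


def parse_events(text):
    """Return one dict per 4625 event: date, target account, logon type, source address, reason."""
    events = []
    for chunk in _EVENT_SPLIT.split(text):
        if "Event ID:" not in chunk or _field(r"Event ID:\s*(\d+)", chunk) != "4625":
            continue
        events.append({
            "date": _field(r"Date:\s*(\S+)", chunk),
            # the Subject section also has an "Account Name"; anchor on the failed-logon section
            "account": _field(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)", chunk),
            "logon_type": _field(r"Logon Type:\s*(\d+)", chunk),
            "source": _field(r"Source Network Address:\s*(\S+)", chunk),
            "reason": _field(r"Failure Reason:\s*([^\n]+)", chunk),
        })
    return events


def summarize(events, threshold=3):
    """Count failures per source and per account; list sources at or above the threshold."""
    by_source = Counter(e["source"] for e in events)
    by_account = Counter(e["account"] for e in events)
    noisy = sorted(src for src, n in by_source.items() if n >= threshold)
    return {"total": len(events), "by_source": by_source,
            "by_account": by_account, "over_threshold": noisy}


def summary_text(summary):
    """Plain-text body suitable for the alert email."""
    lines = [f"{summary['total']} failed logon(s)"]
    lines += [f"  source {s}: {n}" for s, n in summary["by_source"].most_common()]
    lines += [f"  account {a}: {n}" for a, n in summary["by_account"].most_common()]
    if summary["over_threshold"]:
        lines.append("sources at/over threshold: " + ", ".join(summary["over_threshold"]))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Assumption: the file is read as UTF-8; adjust the encoding to match your wevtutil output.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print(summary_text(summarize(parse_events(text), threshold=2)))
```

Run it as `python summarize_4625.py %temp%\Logonfailure.txt`; with no argument it runs on the built-in sample. Events with an ID other than 4625 are skipped, so the script keeps working if the query in Query.cmd is widened later.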

The output is the alert email with the query log attached.

SQUID TRANSPARENT PROXY FOR HTTP / HTTPS


The following are the steps for installing Squid as a transparent proxy, together with the troubleshooting I went through during the installation.

 

Infrastructure diagram: Vkarthi_IT_Squid

The following prerequisites must be completed on RHEL 6.7 before installing Squid:

  1. Disable SELinux in /etc/selinux/config (#vim /etc/selinux/config)
  2. Enable IP forwarding in /etc/sysctl.conf (net.ipv4.ip_forward = 1)
  3. Enable the EPEL repo:

a. #cd /root/

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

b. #rpm -Uvh epel-release-6-8.noarch.rpm

c. Create the Squid repo as follows

d. #cd /etc/yum.repos.d

e. #vi squid.repo

   Enter the following text in the squid.repo file:

[squid]
name=Squid repo for CentOS Linux - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/
failovermethod=priority
enabled=1
gpgcheck=0

  4. Run #yum update

Installation of SQUID

#yum install perl-Crypt-OpenSSL-X509 (this module must install successfully, otherwise HTTPS sites will not work).

#yum install -y squid

Install the Squid helpers from the URL http://www1.ngtech.co.il/repo/centos/6/x86_64/squid-helpers-3.5.19-1.el6.x86_64.rpm

# wget http://www1.ngtech.co.il/repo/centos/6/x86_64/squid-helpers-3.5.19-1.el6.x86_64.rpm

# yum install -y squid-helpers-3.5.19-1.el6.x86_64.rpm

Now initialize the Squid ssl_db directory with the following command:

#/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db

Assign ownership of it to the squid user:

#chown -R squid.squid /var/lib/ssl_db

Edit /etc/squid/squid.conf with the following configuration.

Define your local source network:

acl localnet src 192.168.201.0/24

Define the ports and the access rules:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all

Listening ports and SSL bump settings (the https_port directive is a single line):

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
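The http_access rules above end with http_access allow all, which serves every source that can reach the proxy, even though a localnet ACL was defined and never used. As an added example (not part of the original post or of Squid itself), the Python linter below parses the acl and http_access lines in file order and flags that, together with rules left unreachable after a terminal "all" rule, references to undefined ACLs, src ACLs that are never referenced, and a missing final deny. Both configuration strings are constructed copies of the relevant lines; the hardened variant is an assumption showing the usual allow-localnet / deny-all ending.

```python
"""Lint the http_access section of a squid.conf.

Added example (not part of the original post or of Squid): parses `acl` and
`http_access` lines and reports what a reviewer would flag in the configuration
above. Both configurations are constructed copies of the relevant lines.
"""

# The access rules as written on the page (constructed copy, comments trimmed).
PAGE_CONFIG = """\
acl localnet src 192.168.201.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""

# Same rules with the last line replaced by the usual allow-localnet / deny-all pair (assumed).
HARDENED_CONFIG = """\
acl localnet src 192.168.201.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""


def _tokens(line):
    """Split a config line into tokens, dropping trailing '#' comments."""
    return line.split("#", 1)[0].split()


def parse_acls(text):
    """Map ACL name -> ACL type (src, port, method, ...)."""
    acls = {}
    for line in text.splitlines():
        t = _tokens(line)
        if len(t) >= 3 and t[0] == "acl":
            acls[t[1]] = t[2]
    return acls


def parse_http_access(text):
    """Return (action, [acl terms]) tuples in file order; '!' prefixes are kept."""
    rules = []
    for line in text.splitlines():
        t = _tokens(line)
        if len(t) >= 3 and t[0] == "http_access" and t[1] in ("allow", "deny"):
            rules.append((t[1], t[2:]))
    return rules


def lint(text):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    acls = parse_acls(text)
    rules = parse_http_access(text)
    findings = []
    used = set()
    terminated = False
    for number, (action, terms) in enumerate(rules, start=1):
        rule_text = f"http_access {action} {' '.join(terms)}"
        if terminated:
            # Squid stops at the first matching rule; a bare 'all' rule matches every request.
            findings.append(("unreachable", f"rule {number}: {rule_text}"))
            continue
        names = [t.lstrip("!") for t in terms]
        for name in names:
            if name != "all" and name not in acls:  # 'all' is a built-in ACL
                findings.append(("undefined-acl", f"rule {number}: {name}"))
        used.update(names)
        if terms == ["all"]:
            terminated = True
            if action == "allow":
                findings.append(("open-proxy",
                                 f"rule {number}: {rule_text} serves every source; "
                                 "use 'http_access allow localnet' then 'http_access deny all'"))
    if rules and not terminated:
        findings.append(("no-final-deny", "add 'http_access deny all' as the last rule"))
    for name, kind in acls.items():
        if kind == "src" and name not in used:
            findings.append(("unused-src-acl", name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint(cfg) or "no findings")
```

The linter only reads the two directive types it understands, so it can be pointed at a full squid.conf; everything else is ignored.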

Generate a certificate for Squid using OpenSSL

Go to the Squid directory, create the certificate folder and generate the keys:

#mkdir /etc/squid/ssl_cert

#chown -R squid.squid /etc/squid/ssl_cert

#cd /etc/squid/ssl_cert

Generate the SSL certificate with the following command (the private key and the self-signed certificate are both written to myca.pem):

#openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem

Convert the certificate to DER format for the Windows clients:

#openssl x509 -in myca.pem -outform DER -out myca.der

Now enable Squid on all run levels and start the Squid service:

#chkconfig squid on

#/etc/init.d/squid start

Redirect / accept HTTP and HTTPS traffic from the router/firewall to the proxy:

#iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j DNAT --to 192.168.201.250:3128

#iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 443 -j DNAT --to 192.168.201.250:3129

Save the iptables configuration:

#/etc/init.d/iptables save

Windows client configuration

Copy /etc/squid/ssl_cert/myca.der to the Windows clients.

For Internet Explorer: Tools -> Internet Options -> Content -> Certificates, click Import, select the myca.der file, and make sure you import it into the Trusted Root Certification Authorities store.

For Mozilla Firefox: Tools -> Options -> Advanced -> Certificates -> View Certificates -> Import, then tick:

(x) Trust this CA to identify websites
(x) Trust this CA to identify email users
(x) Trust this CA to identify software developers

Click OK and you are done.

NOTE: If the main Squid certificate expires and you generate a new one, don’t forget to delete the old certificates in /var/lib/ssl_db/certs, empty the file /var/lib/ssl_db/index.txt, and set the number inside /var/lib/ssl_db/size to 0.

In our infrastructure the bind service is not required for name resolution.

Analysis:

In my experience, Squid as a transparent proxy for HTTP and HTTPS works with Squid version 3.5.19; lower versions of Squid seem to have some bugs.

Below are the bugs we came across with the older versions of Squid, as seen in /var/log/squid/access.log:

1301567341.317 23434 192.168.100.165 TCP_MISS/200 957 POST http://by2msg3010710.by2.gateway.edg…y/gateway.dll? – DIRECT/64.4.34.80 text/html
1301567341.896 531 192.168.100.165 TCP_MISS/200 1056 POST http://by2msg3010710.by2.gateway.edg…y/gateway.dll? – DIRECT/64.4.34.80 text/html
1301567344.042 770 192.168.100.155 TCP_MISS/200 1117 POST http://www.facebook.com/ajax/chat/buddy_list.php? – DIRECT/69.63.190.18 application/x-javascript
1301567347.991 414 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost – DIRECT/165.193.73.40 text/plain
1301567351.115 494 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost – DIRECT/165.193.73.40 text/plain
1301567352.986 412 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost – DIRECT/165.193.73.40 text/plain
1301567354.288 555 192.168.100.150 TCP_MISS/200 6079 GET http://www.google.com.sa/ – DIRECT/209.85.147.104 text/html
1301567354.516 37 192.168.100.150 TCP_MISS/302 683 GET http://www.google.com.sa/gen_204? – DIRECT/209.85.147.104 text/html
1301567354.773 254 192.168.100.150 TCP_MISS/204 367 GET http://www.google.com.sa/gen_204? – DIRECT/209.85.147.104 text/html
1301567354.842 161 192.168.100.150 TCP_MISS/302 856 GET http://www.google.com.sa/csi? – DIRECT/209.85.147.106 text/html
1301567355.165 320 192.168.100.150 TCP_MISS/204 413 GET http://www.google.com.sa/csi? – DIRECT/209.85.147.106 text/html
1301567355.234 456 192.168.100.150 TCP_MISS/204 322 GET http://clients1.google.com.sa/generate_204 – DIRECT/74.125.230.163 text/html
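As an added example (not part of the original post or of Squid), the following Python parser reads those native-format access.log lines into records and summarises them per client, per status code and by cache result, which is the quickest way to see what the proxy is actually doing for each host. The log text is a constructed copy of the entries above, with the ident field written as "-" and the elided URL kept as printed; the field order is Squid's native log format.

```python
"""Parse Squid native-format access.log lines and summarise them per client.

Added example (not part of the original post or of Squid). The log text is a
constructed copy of the entries on the page. Native-format fields, in order:
timestamp, elapsed ms, client, result/status, bytes, method, URL, ident,
hierarchy/peer, content type.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1301567341.317 23434 192.168.100.165 TCP_MISS/200 957 POST http://by2msg3010710.by2.gateway.edg...y/gateway.dll? - DIRECT/64.4.34.80 text/html
1301567341.896 531 192.168.100.165 TCP_MISS/200 1056 POST http://by2msg3010710.by2.gateway.edg...y/gateway.dll? - DIRECT/64.4.34.80 text/html
1301567344.042 770 192.168.100.155 TCP_MISS/200 1117 POST http://www.facebook.com/ajax/chat/buddy_list.php? - DIRECT/69.63.190.18 application/x-javascript
1301567347.991 414 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost - DIRECT/165.193.73.40 text/plain
1301567351.115 494 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost - DIRECT/165.193.73.40 text/plain
1301567352.986 412 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost - DIRECT/165.193.73.40 text/plain
1301567354.288 555 192.168.100.150 TCP_MISS/200 6079 GET http://www.google.com.sa/ - DIRECT/209.85.147.104 text/html
1301567354.516 37 192.168.100.150 TCP_MISS/302 683 GET http://www.google.com.sa/gen_204? - DIRECT/209.85.147.104 text/html
1301567354.773 254 192.168.100.150 TCP_MISS/204 367 GET http://www.google.com.sa/gen_204? - DIRECT/209.85.147.104 text/html
1301567354.842 161 192.168.100.150 TCP_MISS/302 856 GET http://www.google.com.sa/csi? - DIRECT/209.85.147.106 text/html
1301567355.165 320 192.168.100.150 TCP_MISS/204 413 GET http://www.google.com.sa/csi? - DIRECT/209.85.147.106 text/html
1301567355.234 456 192.168.100.150 TCP_MISS/204 322 GET http://clients1.google.com.sa/generate_204 - DIRECT/74.125.230.163 text/html
"""


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str       # TCP_MISS, TCP_HIT, ...
    status: int       # HTTP status code
    size: int         # bytes sent to the client
    method: str
    url: str
    ident: str
    hierarchy: str    # DIRECT, FIRSTUP_PARENT, ...
    peer: str         # origin or peer address
    content_type: str

    @property
    def host(self):
        return urlsplit(self.url).hostname or self.url


def parse_line(line):
    """Parse one native-format line; raises ValueError on anything malformed."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, _, peer = f[8].partition("/")
    return AccessEntry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                       f[5], f[6], f[7], hierarchy, peer, f[9])


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def requests_per_client(entries):
    return Counter(e.client for e in entries)


def status_breakdown(entries):
    return Counter(e.status for e in entries)


def cache_miss_ratio(entries):
    """Fraction of requests not served from cache (result code contains MISS)."""
    if not entries:
        return 0.0
    return sum("MISS" in e.result for e in entries) / len(entries)


def hosts_per_client(entries):
    """Sorted list of origin hosts each client talked to."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e.client].add(e.host)
    return {client: sorted(h) for client, h in hosts.items()}


def slowest(entries, n=3):
    return sorted(entries, key=lambda e: e.elapsed_ms, reverse=True)[:n]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("requests per client:", dict(requests_per_client(entries)))
    print("status codes:", dict(status_breakdown(entries)))
    print(f"cache miss ratio: {cache_miss_ratio(entries):.0%}")
    for e in slowest(entries):
        print(f"{e.elapsed_ms:>6} ms {e.client} {e.method} {e.url}")
```

Feed it a real file with `parse_log(open("/var/log/squid/access.log").read())`; a miss ratio of 100% on a long-running proxy means nothing is being cached, which is worth checking against the refresh_pattern rules.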

RESET NTFS PERMISSION – GUI


When migrating data from one server to another, we use FastCopy or robocopy so that the target server or storage gets the same ACLs.

Sometimes the ACL does not get inherited by the subfolders or files, even when we try to reset permissions from the Advanced tab of the Security menu.

The following is the syntax to reset the folder permissions from the command line:

icacls "Folder path\*" /T /L /Q /C /RESET

Or you can download the GUI tool that performs the NTFS permission reset, i.e. the permissions are applied to the subfolders and files successfully.

Url: https://www.dropbox.com/s/ipblchbgrzz4587/ResetPermission.zip?dl=0

Disk Consolidation Needed – Unable to access file since it is locked


If a backup runs on your VM it creates a snapshot, and after completion the snapshot is removed. Sometimes the VM then requires disk consolidation.

We can try to consolidate the VMDKs manually by right-clicking the VM and selecting Snapshot -> Consolidate.

However, the consolidate operation may fail again if the issue that caused the earlier snapshot deletion and disk consolidation to fail has not been cleared, and it shows the error “Unable to access file since it is locked”.

Screenshots: VM-Consolidation1, VM-Consolidation-error1

I manually tried scenarios such as creating another snapshot with the VM switched off and deleting the snapshot manually to consolidate the VM disk, and removing the VM from the inventory and re-registering it in vCenter, which was also weird.

 

Solution:-

  1. From the VM summary, identify the ESXi host and log in to it via SSH.
  2. Run the command “vmkfstools -D /vmfs/volumes/yourvolume/yourVM/yourlockedVM.vmdk”.
  3. I could see the owner of the vmdk file which held the lock, with a MAC address ending in “008ed”:

# vmkfstools -D "/vmfs/volumes/VM_BLOCK_LUN0_VNX5200/VM server Folder/VM-flat.vmdk"

Lock [type 10c00001 offset 49518592 v 15, hb offset 3276800
gen 9, mode 1, owner 561795d7-66ffccd8-782c-b82a72d008ed mtime 797087
num 0 gblnum 0 gblgen 0 gblbrk 0]
Addr <4, 54, 3>, gen 4, links 1, type reg, flags 0, uid 0, gid 0, mode 600
len 107374182400, nb 102400 tbz 44371, cow 0, newSinceEpoch 102400, zla 3, bs 1048576

  4. This is the ESXi server which has the lock on the VMDK file.
  5. Next, locate which ESXi host has a network adapter with that MAC address.
  6. Once confirmed, I placed the host in maintenance mode, DRS vMotioned all VMs to another host in the cluster, and restarted the hostd service (or restarted the server).

Syntax: #/etc/init.d/hostd restart

  7. After restarting the host I was able to consolidate the disk successfully and also do a storage migration.
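As an added example (not part of the original post or of VMware's tooling), the Python script below automates the lock lookup described above: it reads the vmkfstools -D output, extracts the lock owner and lock mode, converts the last 12 hex digits of the owner UUID into the host MAC address (which is how “008ed” identified the host), and looks that MAC up in a host inventory. The lock output is the one shown above; the host names and NIC MACs in HOST_NICS are constructed, and the lock-mode names follow VMware's documented VMFS lock modes.

```python
"""Identify which ESXi host holds a VMFS file lock from `vmkfstools -D` output.

Added example (not part of the original post or of VMware tooling). The owner
printed in the Lock [...] block is the host UUID; its last 12 hex digits are a
MAC address of the host holding the lock. LOCK_OUTPUT is copied from the page,
HOST_NICS is a constructed inventory.
"""
import re

LOCK_OUTPUT = """\
Lock [type 10c00001 offset 49518592 v 15, hb offset 3276800
gen 9, mode 1, owner 561795d7-66ffccd8-782c-b82a72d008ed mtime 797087
num 0 gblnum 0 gblgen 0 gblbrk 0]
Addr <4, 54, 3>, gen 4, links 1, type reg, flags 0, uid 0, gid 0, mode 600
len 107374182400, nb 102400 tbz 44371, cow 0, newSinceEpoch 102400, zla 3, bs 1048576
"""

# Constructed inventory: host name -> MAC addresses of its physical NICs
# (in practice collected from each host, e.g. with esxcfg-nics -l).
HOST_NICS = {
    "esxi-01.example.local": ["b8:2a:72:d0:11:20", "b8:2a:72:d0:11:21"],
    "esxi-02.example.local": ["b8:2a:72:d0:08:ec", "b8:2a:72:d0:08:ed"],
}

# VMFS lock modes as documented by VMware: 0 none, 1 exclusive, 2 read-only, 3 multi-writer.
LOCK_MODES = {0: "none", 1: "exclusive", 2: "read-only", 3: "multi-writer"}

_LOCK_BLOCK = re.compile(r"Lock \[(.*?)\]", re.S)
_OWNER = re.compile(r"owner\s+([0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f]{12}))")
_MODE = re.compile(r"\bmode\s+(\d+)")


def parse_lock(output):
    """Return {'owner': uuid, 'mac': 'xx:xx:xx:xx:xx:xx', 'mode': int, 'mode_name': str}."""
    block = _LOCK_BLOCK.search(output)
    if not block:
        raise ValueError("no Lock [...] block in output")
    text = block.group(1)
    owner = _OWNER.search(text)
    # Search only inside the Lock block so the file-mode "mode 600" on the Addr line is not picked up.
    mode = _MODE.search(text)
    if not owner or not mode:
        raise ValueError("lock block missing owner or mode")
    tail = owner.group(2)
    mac = ":".join(tail[i:i + 2] for i in range(0, 12, 2))
    mode_num = int(mode.group(1))
    return {"owner": owner.group(1), "mac": mac,
            "mode": mode_num, "mode_name": LOCK_MODES.get(mode_num, "unknown")}


def find_lock_holder(output, inventory):
    """Name of the host whose NIC MAC matches the lock owner, or None if no host matches."""
    mac = parse_lock(output)["mac"]
    for host, macs in inventory.items():
        if mac in (m.lower() for m in macs):
            return host
    return None


if __name__ == "__main__":
    info = parse_lock(LOCK_OUTPUT)
    print(f"owner {info['owner']} -> MAC {info['mac']}, {info['mode_name']} lock")
    print("held by:", find_lock_holder(LOCK_OUTPUT, HOST_NICS))
```

A result of None means no host in the inventory owns that MAC, which is the case to check for a stale lock from a host that has since been removed or rebuilt rather than restarting hostd on the wrong machine.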

“The VMRC console has disconnected…attempting to reconnect”


Error: “The VMRC console has disconnected…attempting to reconnect”; unable to open the console for the VM.

Screenshot: vmrcconsoleissue

Solution:

  1. Exit your vSphere Client
  2. Open Task Manager (there are many ways to do this):
    1. Ctrl-Alt-Del -> choose “Start Task Manager”
    2. Start -> Run -> cmd and type “taskmgr.exe”, or
    3. Right-click the clock and choose “Start Task Manager” from the pop-up menu
  3. Look for any vmware-vmrc.exe process(es). Select it, then click “End Process”
  4. Restart the vSphere Client

Screenshot: vmrcconsoleissue-vmware-vmrc-taskmgr

Trust Relationship Across forest in Active directory


Hi,

I am hereby enclosing the step-by-step procedure, in PDF format, for implementing a trust relationship across forests in Active Directory…

Thanks

Trust relationship – Two different Forest

Citrix XenApp failed to connect to the Data Store


Recently I ran into an error where I couldn’t connect to any XenApp server using the AppCenter, and I was getting the following errors in the system event log.

Event ID 3989
Citrix XenApp failed to connect to the Data Store. ODBC error while connecting to the database: 28000 -> [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Event ID 3632
The server running Citrix XenApp failed to connect to the data store. Invalid database user name or password. Please make sure they are correct. If not, use DSMAINT CONFIG to change them.  Error: IMA_RESULT_ACCESS_DENIED  Indirect: 0  Server:   DSN file: C:\Program Files (x86)\Citrix\Independent Management Architecture\mf20.dsn

Solution:

To get around this issue (do not use the domain admin account!!!), run the following DSMAINT command and set the correct password for the administrator account:

DSMAINT CONFIG /user:domain\administrator /pwd:password