Winlogbeats - Test message

Has anyone had any success sending a test message to a beats input to emulate a windows message coming in? (preferably via powershell) Once again my google-fu is failing. Example meta-code:

$> netcat-send-message -message "This is my test message" -server graylogOne:5044

netcat-send-message is not a real command, I am making the whole thing up… hoping it's a simple command like this.

I'll look into it tonight 4 ya,

NOTE: did you know that 500 10TB HDDs spinning at 10K rpm sound like a 747 jet :laughing: True story.

:face_with_spiral_eyes:

I should have put in there that I am writing a PowerShell script to test out Windows event IDs and their alerts - I just need a command to insert a test event into winlogbeat with the relevant event IDs.

@tmacgbay

This was tedious.
Windows does not have netcat BUT I did find this, for testing. I isolated this software just in case it was shady.

Once downloaded you have to navigate to the NCAP folder C:\Program Files (x86)\ncap
and execute something like this

.\ncat.exe -z "This is my test message" -server "8.8.8.8" -p 5044

I couldn’t get it to work.

Next, Telnet.
Had to enable it through Add Programs and Features.

I was also unable to get this to work. Perhaps you may have better luck.
The following PS commands were tried without success:

  • Write-EventLog
  • Invoke-Command
  • Test-Connection
  • Test-Path

I looked here
And here

Then :smiley:

PS> net send {username | message

PS> msg 8.8.8.8 message "hello"

Lastly I think maybe something like this

PS> echo ‘First CLI Log Message!’ | nc -N 8.8.8.8 5044

:thinking:


@tmacgbay

I tried; the only way I see that happening is to use a third-party app.
I did make some success by using this command and picking it up with a shipper.

PS C:\Users\greg.smith> "This will be written to the text file" | Out-File -FilePath C:\Users\greg.smith\Desktop\helping.txt

I am curious if you do solve this…

Further thoughts … There is an expectation of the server_api_token in the communication… I just don’t know how to express it… First try:

curl -v -H "Authorization: ApiKey " http://:5044/beats -p0 -d '{"message":"Texas Two Steps forward"}'

I am debating just creating a filebeat instance on a test machine and dumping one-liners to be caught in there… if I process each line to include an event_ID field and any other relevant information, I can adjust the input and pipelines to consider data coming from filebeat as well… It's not a pretty situation though - I would prefer to create a PowerShell script that perhaps asks for your API_KEY and a server to shunt messages to for testing. Originally I was creating PowerShell commands that would actively change AD, but that is riskier… better to just push a message into Graylog somehow that looks like a security message from Windows and sets off the alert for testing…

I might have to ask for some developer help… What IS that Beats input expecting to see so it can do its magic!?!

I went here to get help about 4-5 years ago.
https://social.technet.microsoft.com/Forums/en-US/home?forum=ITCG

If you're going to do that, use GELF output on Windows; it will create a field called EventID.

Example:

Not sure if Filebeat can do that, but I know nxlog can. If you decide to go that route, I have the config here.

I can make it a filebeat on whatever machine I am testing from, then use PowerShell to just insert a message line into the text file - that way I can manage PowerShell permissions across the testing environment and it will come in on the same input -> stream.
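The file-plus-Filebeat route described above, as an added example (not the poster's script and not part of the original thread): a PowerShell script that appends one JSON line per synthetic event to a file that a Filebeat log input tails, using Winlogbeat-style field names (winlog.event_id, winlog.channel, winlog.event_data) so existing stream rules and pipelines can match it. The path C:\GraylogTest\winlog-test.json, the default event ID, the "synthetic-test" tag and the assumption that Filebeat (or a Graylog pipeline) decodes the JSON line are all made up for the example.

```powershell
# Added example (not the poster's script): append a synthetic, Winlogbeat-style
# event as one JSON line to a file that a Filebeat log input is tailing.
# Assumptions: Filebeat decodes the line as JSON (e.g. json.keys_under_root: true)
# or a Graylog pipeline parses the "message" field, and Filebeat watches $LogPath.
param(
    [int]   $EventId    = 4625,                       # failed logon; use whatever ID your alert rule keys on
    [string]$Channel    = "Security",
    [string]$LogPath    = "C:\GraylogTest\winlog-test.json",   # assumed path, change to suit
    [string]$TargetUser = "test.user",
    [string]$Computer   = $env:COMPUTERNAME,
    [string]$Message    = "TEST EVENT - injected for alert validation"
)

# Mirror the field names Winlogbeat emits (winlog.event_id, winlog.channel, ...)
# so the stream rules / pipelines already written for Winlogbeat match unchanged.
$event = [ordered]@{
    "@timestamp" = (Get-Date).ToUniversalTime().ToString("o")
    "message"    = $Message
    "tags"       = @("synthetic-test")              # lets you filter test noise out of real alerts later
    "winlog"     = [ordered]@{
        "event_id"      = $EventId
        "channel"       = $Channel
        "computer_name" = $Computer
        "provider_name" = "Microsoft-Windows-Security-Auditing"
        "event_data"    = [ordered]@{
            "TargetUserName" = $TargetUser
            "LogonType"      = 3
        }
    }
}

# One compact JSON object per line; Filebeat reads line-delimited files.
$line = $event | ConvertTo-Json -Depth 5 -Compress

# Create the directory on first use, then append as UTF-8 without a BOM
# (a BOM on every append would break the JSON decoding of later lines).
$dir = Split-Path -Parent $LogPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
[System.IO.File]::AppendAllText($LogPath, $line + [Environment]::NewLine, $utf8NoBom)

Write-Host "Appended synthetic event_id $EventId to $LogPath"
```

Run it as `.\Send-TestWinEvent.ps1 -EventId 4720 -TargetUser 'new.account'` (script name assumed) to exercise a different rule; searching Graylog for `tags:synthetic-test` shows only the injected events.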

Oh gotcha, sorry @tmacgbay

I am having fun putting it together - will post it to Github when it is cleaned up and ready!

Nice :+1: , I will keep my eye out for it…
