HelpIndexDescription.txt
92 lines (60 loc) · 3.12 KB
# PSGraylog
## Description
A PowerShell module for Graylog 3, generated from its Swagger API data.
This is PoC-stage, so a lot is going to change! Most of the cmdlets are untested, so take that into consideration.
But everything I've tried so far has worked.
The code is not cleaned up yet; so far it's just a PoC.
There is already a lot of content in the [docs!](docs/en-us/PSGraylog.md)
### Why not use Auto Rest?
I wanted to learn how to generate functions with PowerShell code for another future project.
## Install
```powershell
Invoke-RestMethod https://github.com/AlexAsplund/PSGraylog/releases/download/0.0.3/PSGraylog-0.0.3.zip -OutFile .\PSGraylog-0.0.3.zip
Expand-Archive -Path .\PSGraylog-0.0.3.zip -DestinationPath <your module dir>
```
## Usage
### Url and credentials
The easiest way is to use `Set-GLApiConfig` with your regular Graylog credentials. This sets the global variables `GLApiUrl` and `GLCredential`.
```powershell
$MyCreds = Get-Credential
# Set global variables
Set-GLApiConfig -ApiUrl 'https://graylog.contoso.com/api' -Credential $MyCreds
```
You can also use a token:
```powershell
# This creates a credential object with "abcdefgh12345" as username and "token" as password.
$TokenCredential = Convert-GlTokenToCredential -Token abcdefgh12345
# Set global variables
Set-GLApiConfig -ApiUrl 'https://graylog.contoso.com/api' -Credential $TokenCredential
```
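The same token-based setup with the token read from an environment variable instead of being typed into the script, so it does not end up in shell history or source control. This is an added example, not code from the PSGraylog module; it assumes `Set-GLApiConfig` and `Get-GLCluster` behave as this README describes, and the variable name `GRAYLOG_TOKEN` is my choice.

```powershell
# Added example (not part of PSGraylog). Assumes the module is imported and that
# Set-GLApiConfig / Get-GLCluster work as described in this README.
# GRAYLOG_TOKEN is an environment variable name chosen for this example.
$Token = $env:GRAYLOG_TOKEN
if ([string]::IsNullOrWhiteSpace($Token)) {
    throw 'GRAYLOG_TOKEN is not set; create an access token in Graylog and export it first.'
}

# Graylog token authentication: the token is the username and the literal
# string 'token' is the password. This builds the same kind of PSCredential
# that Convert-GlTokenToCredential returns.
$SecurePassword  = ConvertTo-SecureString -String 'token' -AsPlainText -Force
$TokenCredential = [System.Management.Automation.PSCredential]::new($Token, $SecurePassword)

Set-GLApiConfig -ApiUrl 'https://graylog.contoso.com/api' -Credential $TokenCredential

# Verify the configuration with a read-only call before running anything that
# modifies state. $ErrorActionPreference is set so that a failed API call is
# caught even if the cmdlet reports it as a non-terminating error.
$ErrorActionPreference = 'Stop'
try {
    $null = Get-GLCluster
    Write-Host 'Connected to the Graylog API with the supplied token.'
}
catch {
    Write-Error "Graylog API check failed: $($_.Exception.Message)"
}
finally {
    # Drop the plain-text token from the session once the credential object exists.
    Remove-Variable -Name Token -ErrorAction SilentlyContinue
}
```

Checking connectivity with a `Get-GL*` call first keeps a mistyped URL or an expired token from surfacing only when an `Update-`/`New-` command fails half-way through a change.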
### Examples
Some rudimentary documentation is included in most cmdlets: `Get-Help Get-GLCluster`
All the `Get-GL*` commands are pretty straightforward, and where parameters are needed they are fairly self-explanatory.
On my to-do list is to use the type information and such from the Swagger data to refine them even more.
#### Do a simple search with `Find-GLSearchRelativeSearchRelative`
Remember that by default this returns only the first 150 messages. So here we fetch the first 2000 messages from the last hour (3600 s):
```powershell
$Result = Find-GLSearchRelativeSearchRelative -Query "winlogbeat_winlog_event_data_TargetUserName:waldo" -Range 3600 -Limit 2000
$Result.messages
```
#### Set and Post commands with a `-Body` parameter
The Body parameter must be a `[PSCustomObject]`.
Right now the documentation on how to structure the body object is available in your API docs (http://your-graylog/api/api-docs).
##### `Set`-method example with `Update-GLStreamAlertConditions`
First off, we need to get the `StreamId` and `ConditionId` (done quickly using `Get-GLAlertConditionsAll`):
```powershell
$StreamId = "0000000000000001"
$ConditionId = "4cb87ce0-eaba-4b3f-ada4-a7610c4be28f"
# Object to update the AlertCondition with
$UpdateObject = [PSCustomObject]@{
    title      = 'My Test Condition'
    type       = 'messagecount'
    parameters = [PSCustomObject]@{
        query = "winlogbeat_winlog_event_data_SubjectUserName:hacker"
    }
}
# Update the AlertCondition
Update-GLStreamAlertConditions -StreamId $StreamId -ConditionId $ConditionId -Body $UpdateObject
# *Returns the AlertConditionObject*
```
This should be pretty universal for all Update/Set/New commands with the body parameter.
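A reusable way to build such a body object and inspect the JSON it will turn into before sending it. This is an added example, not code from the PSGraylog module; it assumes `Update-GLStreamAlertConditions` serialises `-Body` to JSON as the README describes, and the `threshold` and `grace` parameter names (everything other than `query`) are assumptions to check against your own `api-docs`.

```powershell
# Added example (not part of PSGraylog). Builds the nested [PSCustomObject] body
# for a 'messagecount' alert condition and previews its JSON before the update.
function New-GLMessageCountConditionBody {
    param(
        [Parameter(Mandatory)] [string] $Title,
        [Parameter(Mandatory)] [string] $Query,
        [int] $Threshold    = 1,
        [int] $GraceMinutes = 5
    )
    # Nested object mirroring the JSON shape for a 'messagecount' condition.
    # 'threshold' and 'grace' are assumed key names: confirm them in
    # http://your-graylog/api/api-docs before relying on them.
    [PSCustomObject]@{
        title      = $Title
        type       = 'messagecount'
        parameters = [PSCustomObject]@{
            query     = $Query
            threshold = $Threshold
            grace     = $GraceMinutes
        }
    }
}

$Body = New-GLMessageCountConditionBody `
    -Title 'Logons for waldo' `
    -Query 'winlogbeat_winlog_event_data_TargetUserName:waldo'

# Preview what will be sent. ConvertTo-Json defaults to -Depth 2 and silently
# replaces anything nested deeper with its type name, so pass an explicit -Depth
# whenever a body contains nested objects and compare the output with api-docs.
$Body | ConvertTo-Json -Depth 10

# Same call as in the README above, using the IDs from that example.
Update-GLStreamAlertConditions `
    -StreamId '0000000000000001' `
    -ConditionId '4cb87ce0-eaba-4b3f-ada4-a7610c4be28f' `
    -Body $Body
```

Previewing the serialised body is the quickest way to catch a flattened nested object or a misspelled key before the API rejects the request, or worse, accepts it and changes an alert condition to something other than what you intended.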