Thursday, August 22, 2013

Cisco's Archive Command

I find the archive command to be very useful, not just for extracting files, but for creating copies of the IOS on one device (to copy to other devices). You can copy single files over TFTP, of course, but what do you do about a directory, with all the binaries and HTML files?


archive /create myarchive.tar name_of_directory_in_flash

So, I may do a 

dir flash:

and find something like


c1140-k9w7-mx.124-25d.JA

I'd create an archive called c1140-k9w7-mx.124-25d.JA.tar by doing this:

archive /create c1140-k9w7-mx.124-25d.JA.tar c1140-k9w7-mx.124-25d.JA

I can then do a

copy flash:c1140-k9w7-mx.124-25d.JA.tar tftp://my.ip.address.of.tftp.server/c1140-k9w7-mx.124-25d.JA.tar
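As an added example (not from the post), a small POSIX shell check to run on the TFTP server once the tar arrives and before it is pushed to other devices: it confirms the archive lists cleanly and that every entry sits under the image directory, and records a cksum fingerprint for comparing later copies. The image directory name is the post's; the files inside are constructed stand-ins, not a real image.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check an IOS tar made with
# "archive /create" after it has been copied to the TFTP server.
set -eu

# verify_ios_tar ARCHIVE DIRNAME: succeed only when the tar lists cleanly,
# is non-empty, and every entry lives under DIRNAME/ (the IOS image directory)
verify_ios_tar() {
    entries=$(tar -tf "$1") || return 1
    [ -n "$entries" ] || return 1
    printf '%s\n' "$entries" | while IFS= read -r e; do
        case "$e" in
            "$2"/|"$2"/*) ;;
            *) exit 1 ;;        # entry outside the image directory
        esac
    done || return 1
}

# archive_fingerprint ARCHIVE: POSIX CRC and byte count, to record alongside
# the tar so each later copy can be compared against the original
archive_fingerprint() {
    cksum "$1" | awk '{ print $1 ":" $2 }'
}

# make_sample_image DIR: constructed stand-in for the post's image directory,
# tarred the way "archive /create NAME.tar NAME" lays it out; prints NAME
make_sample_image() {
    img="c1140-k9w7-mx.124-25d.JA"
    mkdir -p "$1/$img/html"
    printf 'constructed stand-in, not a real IOS binary\n' > "$1/$img/$img"
    printf '<html></html>\n' > "$1/$img/html/index.html"
    ( cd "$1" && tar -cf "$img.tar" "$img" )
    printf '%s\n' "$img"
}

d=$(mktemp -d)
img=$(make_sample_image "$d")
verify_ios_tar "$d/$img.tar" "$img" && echo "ok: $(archive_fingerprint "$d/$img.tar")"
```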


Monday, August 12, 2013

VMware ESXi: Recovering from Accidental Changes to the Ethernet Address/VM uuid

I recently ran into an issue that presented itself in two forms:


Scenario 1: Moving a VM from Workstation to ESXi - MAC/uuid change

In case 1, a VM was migrated from VMware Workstation format to an ESXi 5.1 server. The conversion was done using VMware Converter. When you use Converter, you are not given the option to "move" the VM, so the uuid and the MAC addresses for the interfaces are automatically regenerated. I figured I could just paste the old MAC address into the ethernet configuration on ESXi by using the manual setting. However, I discovered that VMware reserves MAC addresses starting with 00:0c for auto-generation, and the VM would not start correctly in ESXi.

The solution is to modify the .vmx file for the VM on the ESXi server. I'd recommend copying the vmx file to an alternate name first (e.g., cp myVM.vmx myVM.vmx.backup). Do these changes at your own risk:


1. Shut down the VM

2. SSH to the ESXi server and find the vmx file in question (somewhere under /vmfs/volumes/name/of/vms/directory)

3. Edit the file and replace the following four (or more) lines with the equivalent values from the Workstation vmx file:


uuid.location = "56 2d af 08 59 0b 10 8c-78 9d 96 3d 9c 82 fe d4"
uuid.bios = "56 2d 92 33 47 3b 9e 16-e1 12 56 db 8f 32 4f 3f"
vc.uuid = "52 c3 f7 68 14 da 8f a4-16 a1 d1 54 07 85 f3 16"
ethernet0.generatedAddress = "00:0c:31:33:4a:3f"

You may have more than one ethernet interface, so change them all.

4. Remove the VM from the ESXi server's inventory (but do not delete it from disk!), so that it will notice the change (this is done in configuration -> storage management, of course.)

5. Add it back to the machine's inventory

6. When you start it up now, it should have the same ethernet MAC addresses.

Scenario 2: Moving a VM from the inventory of one ESXi host to another ESXi host

In this case, the VM was shut down. It resided on shared storage, so the other hypervisor head could see it. When importing it into the new machine, the person performing the operation chose "I copied it" instead of "I moved it."

This was more complex. The solution is very, very similar.


1. ssh to the new ESXi host

2. cd to the VM's directory

3. look for old log files and cat out the info you need (for instance, if the "copy" happened today, a log file from yesterday would suffice; ls -la vmware*.log)

4. Assuming the older log file is called vmware-1.log,

egrep "(generatedA|uuid)" vmware-1.log > mydata.txt

5. make a backup copy of the vmx file

6. look in the mydata.txt file and grab the data you need.

7. edit the vmx file and replace the appropriate lines in the current config with the config from the mydata.txt file. You'll need to remove some text from mydata.txt.

8. remove the VM from ESXi's inventory and re-add it.
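Both scenarios come down to the same edit, so here is an added example (not from the post) that does steps 4 through 7 of scenario 2 in one go, and works just as well with the old Workstation .vmx as its source for scenario 1: it pulls the uuid.location, uuid.bios, vc.uuid and ethernetN.generatedAddress values out of the source file, backs up the current .vmx, and rewrites those keys (appending any that are missing). It uses only POSIX sh and awk so it should also run in the ESXi shell (assumed); the log and vmx contents in make_samples are constructed sample data, with the identity values taken from the post.

```shell
#!/bin/sh
# Added example (not from the post): copy the identity keys the post lists out of an
# older vmware.log (scenario 2) or the old Workstation .vmx (scenario 1) into the
# current .vmx, backing it up first. POSIX sh + awk only so it also runs in the ESXi
# shell (assumed); make_samples writes constructed log/vmx data, not real VM data.
set -eu

# extract_identity SRC: print one 'key = "value"' line per identity key found in SRC
extract_identity() {
    awk '
      match($0, /(uuid\.location|uuid\.bios|vc\.uuid|ethernet[0-9]+\.generatedAddress) = "[^"]*"/) {
          line = substr($0, RSTART, RLENGTH); split(line, kv, " = ")
          seen[kv[1]] = line                # keep the last value each key had
      }
      END { for (k in seen) print seen[k] }' "$1"
}

# patch_vmx VMX IDENT: copy VMX to VMX.backup, then rewrite it with the IDENT lines
# replacing matching keys; keys absent from the vmx are appended at the end
patch_vmx() {
    cp "$1" "$1.backup"
    awk -v ident="$2" '
      BEGIN { while ((getline l < ident) > 0) { split(l, kv, " = "); want[kv[1]] = l } }
      ($1 in want) { print want[$1]; delete want[$1]; next }
      { print }
      END { for (k in want) print want[k] }' "$1.backup" > "$1"
}

# get_key VMX KEY: print the quoted value currently set for KEY (empty if unset)
get_key() {
    awk -v k="$2" '$1 == k && match($0, /"[^"]*"/) { print substr($0, RSTART+1, RLENGTH-2) }' "$1"
}

# make_samples DIR: constructed old log (values from the post) and a current vmx with ids
make_samples() {
    cat > "$1/vmware-1.log" <<'EOF'
2013-08-11T09:12:01.511Z| vmx| I120: DICT    uuid.location = "56 2d af 08 59 0b 10 8c-78 9d 96 3d 9c 82 fe d4"
2013-08-11T09:12:01.511Z| vmx| I120: DICT        uuid.bios = "56 2d 92 33 47 3b 9e 16-e1 12 56 db 8f 32 4f 3f"
2013-08-11T09:12:01.512Z| vmx| I120: DICT          vc.uuid = "52 c3 f7 68 14 da 8f a4-16 a1 d1 54 07 85 f3 16"
2013-08-11T09:12:01.512Z| vmx| I120: DICT ethernet0.generatedAddress = "00:0c:31:33:4a:3f"
2013-08-11T09:12:01.512Z| vmx| I120: DICT ethernet0.generatedAddressOffset = "0"
EOF
    cat > "$1/myVM.vmx" <<'EOF'
displayName = "myVM"
uuid.bios = "56 2d 00 00 00 00 00 00-00 00 00 00 00 00 00 01"
ethernet0.generatedAddress = "00:0c:29:11:22:33"
ethernet0.generatedAddressOffset = "0"
EOF
}
d=$(mktemp -d); make_samples "$d"; extract_identity "$d/vmware-1.log" > "$d/mydata.txt"
patch_vmx "$d/myVM.vmx" "$d/mydata.txt"; get_key "$d/myVM.vmx" ethernet0.generatedAddress
```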


Building Snort RPMs On CentOS 6.x x86_64

This was done on

You'll most likely want EPEL, to pick up the libdnet dependencies for Snort (sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm).


1. install the prerequisites:


sudo yum install -y pcre pcre-devel gcc flex byacc bison libxml2-devel kernel-devel libdnet libdnet-devel autoconf automake libpcap-devel rpm-build

2. install the source RPMs (do not do this as root)

3. Installing the source RPMs creates an rpmbuild directory in your home; go ahead and build daq:

rpmbuild -bb ~/rpmbuild/SPECS/daq.spec

4. Install the daq libraries you just built:

sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/daq-*.rpm

5. Now, build snort

rpmbuild -bb ~/rpmbuild/SPECS/snort.spec

6. Remove the daq libraries you installed in step 4:

sudo rpm -e daq

You should now have two packages (daq and snort) in ~/rpmbuild/RPMS/x86_64. You'll need to install both for Snort to function.
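The same six steps as one script, added here as an example and not from the post: it refuses to run as root (the post's warning for step 2), stops at the first failing step, keeps the daq install/remove dance around the snort build, and at the end checks that both a daq and a snort RPM were actually produced. It assumes the source RPMs from step 2 are already installed (the post gives no URL for them) and that rpmbuild's tree is ~/rpmbuild as in the post.

```shell
#!/bin/sh
# Added example (not from the post): the post's build steps with guards. Package
# list and spec/rpm paths are the post's; step 2 (installing the source RPMs)
# is assumed to have been done already.
set -eu

# built_rpms DIR: print the daq-*/snort-* rpm file names found in DIR, one per line
built_rpms() {
    for f in "$1"/daq-*.rpm "$1"/snort-*.rpm; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# check_outputs DIR: succeed only when at least one daq and one snort rpm exist
check_outputs() {
    built_rpms "$1" | grep -q '^daq-' && built_rpms "$1" | grep -q '^snort-'
}

build_all() {
    [ "$(id -u)" -ne 0 ] || { echo "run as a normal user, not root" >&2; return 1; }
    rpmdir="$HOME/rpmbuild"
    sudo yum install -y pcre pcre-devel gcc flex byacc bison libxml2-devel \
        kernel-devel libdnet libdnet-devel autoconf automake libpcap-devel rpm-build
    rpmbuild -bb "$rpmdir/SPECS/daq.spec"            # step 3
    sudo rpm -ivh "$rpmdir"/RPMS/x86_64/daq-*.rpm    # step 4: snort needs daq installed
    rpmbuild -bb "$rpmdir/SPECS/snort.spec"          # step 5
    sudo rpm -e daq                                  # step 6
    check_outputs "$rpmdir/RPMS/x86_64" || { echo "expected daq and snort rpms" >&2; return 1; }
    built_rpms "$rpmdir/RPMS/x86_64"                 # the two packages to install
}

# Only run the real build when asked for explicitly (./build-snort.sh run)
if [ "${1:-}" = run ]; then build_all; fi
```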

Thursday, August 8, 2013

Splunk CLI one-liners

1. list monitored files/directories:

/opt/splunk/bin/splunk list monitor

2. remove a file/directory from monitoring/indexing:

/opt/splunk/bin/splunk remove monitor /path/to/file/or/dir

3. add a file for monitoring:

/opt/splunk/bin/splunk add monitor /var/log/httpd/access_log

4. add a oneshot file for indexing:

/opt/splunk/bin/splunk add oneshot /var/log/httpd/access_log

5. remove a oneshot file/directory from monitoring/indexing:

/opt/splunk/bin/splunk remove oneshot /path/to/file/or/dir

6. list forward servers (splunk servers this host forwards to):

/opt/splunk/bin/splunk list forward-server