Home on Adriaans ramblings

Creating a SIEM from scratch - Part 0 (Why)

Sun, 08 Jun 2025 16:43:33 +0200

So once again I’m stuck inside due to severe hay fever allergies, and so it’s time to make the first blog post of the year and talk about SIEMs. Yay!

For the uninitiated, SIEMs (Security Information & Event Management) are what Security departments use to collect data about what’s happening on systems so they (pro)-actively alert on interesting events. And despite the high criticality of such systems, every SIEM I’ve used, has sucked massively. So if you’re here to know why I’m building my own SIEM, that’s why. But let’s first dive into the sucky part.

Why is my website broken on IPv6?

Tue, 22 Oct 2024 18:00:00 +0200

TL;DR: I missed adding “ssl” to the listen [::]:443 statement in nginx. I only did this with listen 443 ssl default_server. And so it broke all IPv6 connections attempting to do HTTPS on a HTTP port.

Symptoms

Yesterday when doing a bit of work on the IAAN server I suddenly got browser warnings that it cannot connect to my website. I immediately started investigating the issue, changing things here and there and eventually got it back working. What I didn’t know was what had just happened, I just restarted nginx, nomad and some pods until it worked again. Today, I went to the office and noticed on my phone that it also showed errors that it cannot connect to my website, like refuses to connect. But then I checked on my work laptop and it was all fine?

Why are my Podman containers using so much storage?

Mon, 21 Oct 2024 18:00:00 +0200

Issue

Found out i’m using a lot of space where i’m not expecting it:

# du -hs /home/*
...
1.5G	/home/website

Where is it coming from?

$ cd 
$ du -hs .local/share/containers/storage/*
4.0K	.local/share/containers/storage/defaultNetworkBackend
80K	.local/share/containers/storage/libpod
4.0K	.local/share/containers/storage/mounts
4.0K	.local/share/containers/storage/networks
4.0K	.local/share/containers/storage/secrets
4.0K	.local/share/containers/storage/storage.lock
4.0K	.local/share/containers/storage/tmp
0	.local/share/containers/storage/userns.lock
1.5G	.local/share/containers/storage/vfs
48K	.local/share/containers/storage/vfs-containers
48K	.local/share/containers/storage/vfs-images
408K	.local/share/containers/storage/vfs-layers

Now this user is running a standard nginx container which is not that big:

$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED     STATUS         PORTS                                           NAMES
5d22e1b58e9d  docker.io/library/nginx:latest  nginx -g daemon o...  2 days ago  Up 2 days ago  127.0.0.1:8000->80/tcp, 127.0.0.1:8000->80/udp  deploy_website-e259076d-f130-0240-52fc-e56c40e4c059

From a quick look on docker hub, it’s about 70MB big but we’re using 1.5GBs…

Going to a Container-based setup

Fri, 18 Oct 2024 16:00:00 +0200

Most of what you see on my website dates from 2021 when I kicked out the old blog and started using Wordpress. The reason for this was simple: I just wanted to write some blog posts without being held back by making it perfect. However, that backfired somewhat because I realized after several blog posts that the template I was using was holding me back, once again. So here we are, a pandemic and 3 years later doing a blog post on a new platform (Hugo).

Home Theatre PC (HTPC) Build Part 3

Sun, 11 Jun 2023 17:05:50 +0200

Oof, the previous part has already been from November last year, some 8 months ago! I ended that blog post with the ominous message about shenanigans with the Operating System. It’s time to clarify what I meant with that.

Debian 11 and my hardware

I like Debian. It provides the perfect balance between stability and flexibility in an Operating System that I desire. Although this blog is about technical stuff, I’m happy that I have to spent a minimal amount of time on keeping things running in the house. This includes the new HTPC build as well. I don’t want it to break every time I perform any kind of update or change.

Home Theatre PC (HTPC) Build Part 2

Mon, 28 Nov 2022 17:05:50 +0200

So here we are, with a small factor PC that is missing some very crucial parts. To make sure I was not going to waste money on a non-working motherboard and PSU, I had already booted the PC without any memory or CPU. Besides the awful noise of the PSU (we’re gonna have to fix that later), there were some blinking lights at the front confirming the motherboard wasn’t totally cooked. Checking for any burns or blown capacitors or broken parts: All good.

Hidden features of "resetting" passwords of VMs in the Azure Portal

Thu, 17 Nov 2022 22:41:34 +0200

The "Reset" Password functionality for VMs in Azure.

In the Azure Portal, Azure conveniently allows you to reset the password of the local Administrator on a Virtual Machine. To use this functionality it requires you to enter the username and the new password for this account. All good and well, you’d say. That’s what it is supposed to do after all.

Color me surprised when I noticed that a colleague of mine had gotten access to my VM without resetting the password of the local Administrator account that I had created. I didn’t give this colleague the username (which you need) nor should it have been trivial to put the password back to what it was (and that I had safely stored in my password manager).

Home Theatre PC (HTPC) Build Part 1

Fri, 11 Nov 2022 17:05:50 +0200

A few weeks ago I was throwing away some garbage at the local recycle/container park. Whilst I was throwing away my garbage an older guy in a big Dodge RAM pulls up at the same container and also starts throwing away all types of stuff. We were standing at the “Big Waste” container, so anything goes. After helping him with hedging some heavy stuff over the edge of the container, I notice a small computer-like device in the back of his trunk.

Logging User Access Admin elevations to Microsoft Sentinel

Wed, 05 Jan 2022 15:39:51 +0200

This week I was surprised to figure out that elevation logs that indicate a Global Admin becoming a User Access Administrator don’t flow to Log Analytics. It’s not possible to enable diagnostics settings for it.

TL;DR I built a Logic App that forwards those logs to Log Analytics so I can have Analytic rules in Sentinel report if this action happens.

Background

An Azure AD Global Admin at the company I work at, notified me that he was going to become a User Access Administrator, following the procedure described here. Global Admins in Azure AD might (or should) not have access to all subscriptions and management groups and that’s exactly the power they grant themselves if they become a User Access Admin.

Querying Log Analytics From Logic Apps

Sun, 14 Nov 2021 22:41:34 +0200

I spent some time this week at work trying to get a correct setup in querying the (Sentinel) Log Analytics store from a Logic App in Microsoft Azure. So I thought it would be good idea to document it for myself and others. :)

The problem

Logic Apps allow you to perform actions in Microsoft and 3rd party services. The integration in Logic Apps sometimes supports the use of System-assigned Managed Identities and sometimes they don’t. As you can guess, when you want to query a Log Analytics store, it doesn’t.

Hello World!

Sat, 13 Nov 2021 21:16:15 +0200

Welcome to WordPress. This is your first post. Edit or delete it, then start writing!