Interactive CLI
The interactive CLI utility provides access to numerous server maintenance utilities, including password changes, third party integration processes, many routines to access information required for support, and more.
To launch the interactive utility, run:
/home/plixer/scrutinizer/bin/scrut_util
This will open the Scrutinizer prompt:
SCRUTINIZER>
To close the interactive prompt, type ‘exit’:
SCRUTINIZER> exit
Exiting...
[root@Scrutinizer ~] #
Modes of operation
The scrut_util utility has the following mode of operation:
- Interactive: SSH as the plixer user and type scrut_util to launch the interactive utility, then enter commands at the SCRUTINIZER> prompt.
Help function
To display the list of the available commands, run:
SCRUTINIZER> help
For help with specific commands (for example, the “show” command) enter:
SCRUTINIZER> help show
For help with specific extended commands (for example, the “show groups” command) type:
SCRUTINIZER> help show groups
Commands
Following are the available top level commands:
- aws
- check
- ciscoise
- clean
- collect
- convert
- counteract
- delete
- disable
- download
- enable
- endace
- expire
- export
- import
- moloch
- optimize
- remove
- repair
- rotate
- services
- set
- show
- snoop
- system
- unlock
- update
- upload
- version
For each top level command, there are several extended commands.
aws
Manages AWS flow logs integration with Plixer Scrutinizer.
Command | Description |
---|---|
awssync | Sync IDs and descriptions from AWS. |
check
Runs a test or check against the command provided.
Command | Description |
---|---|
check activeif | Checks for active flows by looking at active interface details and lists the last timestamp and number of interfaces that received flows. |
check collectorclass <class> [<subsystem>] | Logs information about the collector’s current running state. |
check data_last_written | Checks the activity of collected flow data written to the database. |
check database <db_name> <db_pass> | Checks the specified database for errors. |
check dist_info | Checks and displays distributed information about the Scrutinizer servers. |
check hdtest | Tests the performance of the hard drive. This is a good way to determine if the hardware is adequate for Scrutinizer’s current flow volume. |
check heartbeat <database|api> | Checks heartbeat functions to make sure Scrutinizer is internally communicating properly. |
check history_index | Checks history_index for 1m interval table activity. |
check history_index_empty_tables | Lists tables with zero rows from history_index. Please stop the collector prior to running this command. This command will not delete the entries reported. To do so, use delete instead of check. |
check history_index_orphans | Checks entries from history_index for which a table does not actually exist. This should never happen, but occasionally when things go wrong we need something like this to make cleanup easier. This command will not delete entries reported. To do so, use delete instead of check. |
check history_table_orphans | Lists tables with no history_index entry. Please stop the collector prior to running this command. This command will not delete the entries reported. To do so, use delete instead of check. |
check interfaces [all|cisco|huawei|sonicwall] [host_ip] | Tries alternative methods to retrieve interface descriptions. For Cisco and SonicWALL that means using NetFlow data. For Huawei, that means using SNMP and referencing their vendor specific MIBs. |
check license | Checks and displays license details from the Scrutinizer Server. |
check machine_id | Checks and displays the current machine_id of the Scrutinizer Server. |
check machine_id_list | Checks and displays the current, possible, and historical Machine IDs of the Scrutinizer Server. |
check objects | Verifies that xcheck_hosts all have a corresponding row in objects. |
check password rootdb | Checks the database root password to make sure it’s the same password represented in the plixer.ini. |
check rollcall | Analyzes rollcall and the state of rollups per time bucket. This is used to confirm the activity of rollups on this Scrutinizer Collector. |
check rollups | Lists rollups and their current state. This is used to confirm the activity of rollups on this Scrutinizer Collector. |
check route <ip> | Checks device specified to determine if Scrutinizer can access its routing data. |
check serverpref <serverpref> | Checks and displays the current value for the specified serverpref. |
check simplercv <udp_port> | Runs a simple test to see if udp traffic is seen on the udp port provided. This command is useful to determine if flows are received at the top of the stack (i.e. tcpdump -> collector). |
check snmp | Attempts to get SysObjectID for all devices. If SNMP connected successfully, it will return the credential object. Otherwise, it will return the error message. |
check ssl | Checks and lists the current settings configured for SSL parameters. Use the set ssl command to modify settings or enable/disable SSL. |
check stats_exporters | Lists statistical details related to time and exporter activity. |
check task <id> | Checks the execution times and error codes for the specified task <id>. A list of tasks is available by using the show task command. |
check tuning | Checks the operating system and Scrutinizer settings that can be changed to improve Scrutinizer’s performance. Best used under supervision of Plixer Support. |
check version | Checks to see if a newer version of Scrutinizer is available. |
ciscoise
Manages CiscoISE node integration with Scrutinizer.
Command | Description |
---|---|
ciscoise add <ise_ip> <ise_tcp_port> <ise_user> | Adds a CiscoISE node to the queue to acquire user identity on all active sessions. The required parameters are the host address <ise_ip>, tcp port <ise_tcp_port>, and user <ise_user> that can access the API. Scrutinizer will prompt the user for the <ise_user> password. |
ciscoise check | Tests polling and outputs the results to the screen for review. It’s a good way to verify that Scrutinizer is collecting user identity information properly. |
ciscoise kick <ise_id> <mac_address> <user_ip> | Kicks the user off the ISE node, forcing them to re-authenticate. At minimum, the user’s IP address <user_ip> is required. Optionally, the <mac_address> can be provided. |
ciscoise nodelist | Lists the currently configured CiscoISE nodes. |
ciscoise poll | Runs a poll manually and outputs the results to the screen. When integration is enabled, polling is automatically performed routinely. To diagnose issues, run ‘ciscoise check’ or ‘ciscoise test’. |
ciscoise remove <ise_ip> | Removes a CiscoISE node from Scrutinizer. The required parameter <ise_ip> is the IP address of the CiscoISE node. |
ciscoise test | Tests polling and outputs the results to the screen for review. It’s a good way to verify that Scrutinizer is collecting user identity information properly. |
ciscoise update <ise_ip> <ise_tcp_port> <ise_user> | Updates existing configuration settings for a specific CiscoISE node. The required parameters are the host address <ise_ip>, tcp port <ise_tcp_port>, and user <ise_user> that can access the API. Scrutinizer will prompt for the <ise_user> password. |
clean
Executes housekeeping tasks that are scheduled to run at various times during Scrutinizer’s normal operations.
Warning
These commands will purge data from Scrutinizer. Please use with caution.
Command | Description |
---|---|
clean all | Executes several housekeeping tasks that are scheduled to run at various times during Scrutinizer’s normal operations. |
clean baseline | Resets all configured baselines to the default baselines for each exporter. Historical data will not be deleted. However, it will expire based on Scrutinizer’s historical settings. |
clean database | Cleans out temporary database entries manually. This command is executed automatically every 30 minutes by Scrutinizer’s task scheduler. |
clean ifinfo | Clears entries in the ifinfo db table that do not have an entry in the activeif db table. |
clean old_logs | Clears out old log files that are set to a ‘backup’ status. |
clean pcap [<pcapfile>] | Removes all pcap files, or if specified, a specific pcapfile from the Scrutinizer server. To see a list of pcap files, execute show pcaplist. |
clean tmp | Removes any temporary files created by the graphing engine. Executing this will perform an on-demand clean up. By default, it is scheduled to be executed by Scrutinizer routinely. |
collect
Manually collect data that is useful for Scrutinizer.
Command | Description |
---|---|
collect asa_acl | Manually collects ASA ACL information from Cisco ASA Devices. This task is scheduled and routinely executed as part of normal operations. |
collect baseline | Manually collects baseline data and checks for alarms. This task is scheduled and routinely executed as part of normal operations. |
collect dbsize | Collects database size information. |
collect elk <elk_ip> | Manually collects data from Scrutinizer and sends it to the configured ELK server. Reference the Elasticsearch / Kibana (ELK) Integration guide for more detailed information on the ELK integration. |
collect optionsummary | Manually processes flow option data collected by Scrutinizer. This information is routinely processed automatically. |
collect pcap <in_sec> [<host>] | Collects a packet capture on the interfaces of the Scrutinizer server. Requires a timeout (in seconds) and an optional host name in IP format to further filter the capture. |
collect snmp | Manually collects SNMP data that is used during Scrutinizer’s operations. This process is automatically scheduled by Scrutinizer to run regularly. |
collect splunk <splunk_ip> <port> | Manually collects data from Scrutinizer and sends it to the configured Splunk server. Reference the Scrutinizer for Splunk Application integration guide for more information. |
collect supportfiles | Collects various log files and server configuration data used by Plixer support to troubleshoot server issues. |
collect topology | Collects various types of data from devices and Scrutinizer to help Scrutinizer understand the topology layout of the network. |
collect useridentity | Manually processes user identity data collected by Scrutinizer. This information is routinely processed automatically. |
convert
This operation converts all encrypted information stored in Scrutinizer to use AES 256 encryption.
Command | Description |
---|---|
converttoaes | Converts all encrypted information stored in Scrutinizer to use AES 256 encryption. Warning: The command will alter database tables in Scrutinizer. Please use with caution. |
counteract
Third-party integration support for ForeScout CounterACT servers.
Command | Description |
---|---|
counteract <on|off> <counteract_ip[:port]> | Enables or disables support to ForeScout CounterACT servers. Required parameters are <on|off> and the host name and optional tcp port. |
delete
This operation deletes database tables and/or database table entries.
Warning
These commands will purge data from Scrutinizer. Please use with caution.
Command | Description |
---|---|
delete custom_algorithm <identifier> | Deletes a custom algorithm at the system level. For more information, reference the Flow Analytics Custom Algorithms section. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
delete history_index_empty_tables | Deletes tables with zero rows from history_index. Please stop the collector, if running, prior to executing this command. |
delete history_index_orphans | Deletes entries from history_index for which a table does not actually exist. This should never happen, but occasionally when things go wrong we need something like this to make cleanup easier. |
delete history_table_orphans | Deletes tables with no history_index entries. Please stop the collector, if running, prior to executing this command. |
delete orphans | Deletes all known orphan alarm events. |
disable
Disables functionality used by Scrutinizer or incorporated as part of customized development.
Command | Description |
---|---|
disable baseline <exporter_ip> | Disables all baselines for the specified <exporter_ip>. The historical data will not be deleted. However, it will expire based on Scrutinizer’s historical data settings. Warning: This command will alter the behavior of Scrutinizer baseline functionality. Please use with caution. |
disable elk http://<ip:port> | Disables ELK (Elasticsearch, Logstash, and Kibana) flows from Scrutinizer to the URL specified. Reference the Elasticsearch / Kibana (ELK) Integration guide for more detailed information on the ELK integration. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable ipv6 | Disables ipv6 in sysctl.conf for all interfaces. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable splunk http://<ip:port> | Disables Splunk flows from Scrutinizer to the URL specified. Reference the Scrutinizer for Splunk Application integration guide for more information on the Scrutinizer for Splunk integration. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable user <username> | Removes a login account with access to the interactive utility for Scrutinizer server. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable unresponsive | Disables ping for exporters that have not responded. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable hypervtools | Disables Hyper-V Integration Tools for a Virtual Appliance running on Hyper-V. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable vmwaretools | Disables vmwaretools for a Virtual Appliance running on VMware. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
download
Downloads various files and utilities useful to Scrutinizer’s operations.
Command | Description |
---|---|
download hostreputationlists | Downloads the latest Flow Analytics Host Reputation Lists manually. These lists are also updated automatically. |
download installer | Downloads the Scrutinizer installer to perform upgrades. |
enable
Enables functionality used by Scrutinizer or incorporated as part of customized development.
Warning
These commands will alter the behavior of Scrutinizer functionality. Please use them with caution.
Command | Description |
---|---|
enable baseline <exporter_ip> default | Enables default or custom baselines (manual) based on elements from NetFlow and IPFIX templates. Baselining has several parameters available to customize the specific baseline data to collect with the ‘manual’ option. |
enable baseline <exporter_ip> manual <pri_element[,sec_element]> <element> <AVG|COUNT|MIN|MAX|STD|SUM> <dailyhr|busday|sameday> | Enables default or custom baselines (manual) based on elements from NetFlow and IPFIX templates. Baselining has several parameters available to customize the specific baseline data to collect with the ‘manual’ option. |
enable custom_algorithm <identifier> “<algoname>” | Reference the Flow Analytics Custom Algorithms section for specific information on how to configure custom algorithms and create alarm policies. |
enable dbpool <pool_port> | Enables database connection pooling for Postgresql. |
enable ipv6 | Enables ipv6 in sysctl.conf for all interfaces. |
enable perl_support | Installs additional Perl packages to assist with custom scripting. |
enable splunk http://<ip:port> <syslog_port> [<indexer>] | Enables splunk flows from Scrutinizer to the URL specified. The Scrutinizer for Splunk App is required on the Splunk Server. Visit plixer.com for more information. |
enable user <username> <security_level> | Creates a new login account with access to the interactive utility for Scrutinizer server maintenance. The <security_level> switch is for disabling commands that can alter Scrutinizer’s functionality. The security levels are: 1 - Disable commands that can stop data collection. 2 - Disable the ability to remove integrations or stop data collection. 3 - These users can only collect information about Scrutinizer and the operating system. |
enable hypervtools | Enables Hyper-V Integration Tools for a Virtual Appliance running on Hyper-V. Running enable hypervtools will also upgrade an already existing install of the hyperv-daemons. |
enable vmwaretools | Enables vmwaretools for a Virtual Appliance running on VMware. Running enable vmwaretools will also upgrade an already existing install of the vmware agent. |
endace
Third-party integration support for Endace probes.
Command | Description |
---|---|
endace add <host_ip> <port> <endace_user> <endace_pass> | Manages integration with Endace probes. For more information on this integration, reference the Configuring Endace probe integration guide. |
endace remove <host_ip> | Manages integration with Endace probes. For more information on this integration, reference the Configuring Endace probe integration guide. |
endace update <host_ip> <port> <endace_user> <endace_pass> | Manages integration with Endace probes. For more information on this integration, reference the Configuring Endace probe integration guide. |
expire
Purges data history older than the number of days defined by Scrutinizer’s history settings.
Warning
These commands will purge data from Scrutinizer. Please use with caution.
Command | Description |
---|---|
expire alarms | Expires alarm history from the threatsoverview and fa_transports_violations tables as specified in the Data History Flow Historical 1 Min Avg preference. |
expire bulletinboards | Purges alarm bulletin board events older than the number of days defined by Scrutinizer’s history settings. |
expire dnscache | Purges DNS cache entries older than the number of days defined by Scrutinizer’s history settings. |
expire history [trim] | Expires flow data as defined by Scrutinizer’s history settings. If the optional ‘trim’ mode is passed, Scrutinizer will trim older data to make more space on the hard disk. |
expire ifinfo | Purges old and outdated interface information. |
expire inactiveflows | Expires interfaces from the interface view that have stopped sending flows. Entries are expired based on the number of hours specified in the Scrutinizer System Preferences. (Admin -> Settings -> System Preferences -> Inactive Expiration) |
expire orphans | Purges alarm orphan events older than the number of days defined by Scrutinizer’s history settings. |
expire templates | Expires flow template meta data for templates that haven’t been seen in 30 days. |
export
Run various export commands to dump data out of Scrutinizer for external use.
Command | Description |
---|---|
export langtemplate <lang_name> | The <lang_name> parameter is required. If the language exists, a CSV file is created that shows the English and <lang_name> keys. If the language does not exist, a blank template will be created. The language file resides at /home/plixer/scrutinizer/files/pop_languages_<lang_name>_template.csv |
export peaks_csv <file> <interval> <dir> <date_range> [<group_id>] | Exports a CSV file listing interfaces and peak values based on the criteria specified. Valid options for <interval> are specified as raw minutes (1, 5, 30, 120, 720, 1440, 10080). The directory must exist as a sub-directory of Scrutinizer’s home directory; if specifying /home/plixer/scrutinizer/temp, use temp as the directory. The valid <date_range> values are Last24hours, LastFifteenMinutes, LastFiveMinutes, LastFortyfiveMinutes, LastFullHour, LastHour, LastMonth, LastSevenDays, LastTenMinutes, LastThirtyDays, LastThirtyMinutes, LastThreeDays, LastTwentyMinutes, LastWeek, LastYear, ThisMonth, ThisWeek, ThisYear, Today, or Yesterday. <group_id> is optional. To see a list of group_ids, use show groups. |
import
Run various import commands to bring external sources of data into Scrutinizer.
Command | Description |
---|---|
import aclfile | Imports ACL information from a file. The file must reside at /home/plixer/scrutinizer/files/acl_file.txt. The format is the direct output of SHOW ACCESS-LIST run on the exporter. |
import applications <path/file> [reset] | Imports application rules from a CSV file. The recommended path for the applications import CSV file is /home/plixer/scrutinizer/files/application_import.csv. A reset option can be passed, which removes all application rules before the bulk import. The expected format is one named application and one application rule per line. Supported rule types are subnet, single IP, IP range, wildcard, port, and child rules. Child applications must be declared before being used in a parent application’s rule set. Valid application rule syntax is: “subnet rule”,10.0.0.0/8 ; “single ip rule”,10.1.1.1 ; “range rule”,10.0.0.1-10.0.0.42 ; “wildcard rule”,10.0.0.1/0.255.255.0 ; “parent/child rule”,“my subnet” ; “ports and protocols”,0-65535/256 . Applications must have at least one port rule and one of the IP rule types defined above. Applications not defined this way will be imported, but may not be tagged properly in flow data. For example, in the following import file the first application is valid while the second is not, because the second application does not have at least one port rule: ‘My first Application’,10.0.0.0/8 ; ‘My first Application’,0-65535/6 ; ‘My second Application’,11.0.0.0/8 . Up to 100,000 individual application rules are supported. |
import asns <path/file> [<delimiter>] | Imports custom ASN definitions from a CSV file. The <path/file> is a required field. The path should be specified relative to the /home/plixer/scrutinizer/ directory. The <delimiter> is an optional parameter and defaults to ” ” (i.e. space). The CSV file name must be all lowercase and requires these elements, in this order: AS Number,AS Name,AS Description,IP Network(s). The fields are comma delimited, whereas the optional <delimiter> parameter applies specifically to the IP Network(s) element. A comma cannot be used for the IP Network(s) delimiter. Example file: 213,my_list,what a great autonomous system,10.0.0.0/8 192.168.0.0/16 ; 214,your_list,meh its an okay system,11.0.0.0/8 . Example command: SCRUTINIZER> import asns files/custom_asn.import |
import csv_to_gps <csv_file> <group_name|group_id> [<create_new>] [<file_format>] | Uploads latitude and longitude locations of devices from a csv file and imports them into an existing Google map. The csv file must be located in the ‘/home/plixer/scrutinizer’ directory. If the csv file is in ‘/home/plixer/scrutinizer/files/’, enter ‘files/[name_of_file]’ as the file name. The csv file format is ‘ip,latitude,longitude’. If the csv file format is different, specify that layout as the <file_format> command parameter. For example, with the layout “ip,lng,lat”: 10.169.1.3,37.7749,122.4194 ; 192.168.6.1,40.7128,74.0059 . Provide either the group ID or group name in the arguments. The group_id can be determined by running show groups. Using the optional <create_new> parameter will add new objects if the IP address does not already exist. Example command: SCRUTINIZER> import csv_to_gps import_gps.import 3 . Example command with <create_new> and a different file format: SCRUTINIZER> import csv_to_gps import_gps.import 3 create_new ip,lng,lat |
import csv_to_membership <csv_file> <grouptype> [<file_format>] | Imports group definitions from a csv file. The csv file must be located in the ‘/home/plixer/scrutinizer’ directory. If the csv file is in ‘/home/plixer/scrutinizer/files/’, enter ‘files/[name_of_file]’ as the file name. The <grouptype> field refers to the map type that will be created if the group in the csv file does not already exist and can be either ‘flash’ or ‘google’. The default csv file format is ipaddr,group. If the csv file format is different, specify that layout as the <file_format> command parameter. Example: group,ipaddr 10.169.1.3,Routers 192.168.6.1,Firewalls |
import hostfile | Imports a custom hosts.txt file that contains a list of IP addresses and hostnames. The file format is: IPv4orIPv6Address HostName Optional Description. Example: 10.1.1.4 my.scrutinizer.rocks The Best Software in my company. The file must be located at /home/plixer/scrutinizer/files/hosts.txt. |
import ipgroups [<path/file>] [reset] | Imports ipgroup rules from a CSV file. The recommended path for the ipgroups import CSV file is /home/plixer/scrutinizer/files/ip_group.import. A reset option can be passed, which removes all ipgroup rules before the bulk import. Each line of the file is an individual ipgroup, with the name of the group as the first field and the rules of the group, separated by a space, in the second field. Supported rule types are subnet, single IP, IP range, wildcard and child rules. Any child group must already exist in Scrutinizer or be declared in the import file BEFORE it can be used as a rule in another group. Valid ipgroup rule syntax is: ‘subnet rule’,10.0.0.0/8 ; ‘single ip rule’,10.1.1.1 ; ‘range rule’,10.0.0.1-10.0.0.42 ; ‘wildcard rule’,10.0.0.1/0.255.255.0 ; ‘parent/child rule’,‘my subnet’ . Up to 100,000 individual IpGroup rules are supported. |
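The rule syntax is shared by import applications and import ipgroups above (subnet, single IP, range, wildcard, port and child rules; child names declared before use; applications needing at least one port rule and one IP rule; a 100,000 rule ceiling), so a file can be checked before the import alters the live configuration. The validator below is an added example, not Plixer's code or any part of scrut_util; the regular expressions, the decision to count a child rule as satisfying the IP-rule requirement, the treatment of an ipgroup's second field as space-separated rules unless it is a declared child name, and the sample import file are all assumptions.

```python
"""Validator for the scrut_util 'import applications' / 'import ipgroups'
CSV rule syntax. Added example, not Plixer code. Each line is
"<name>",<rule>; a child rule is the quoted name of an entry declared
earlier in the file."""
import csv
import io
import ipaddress
import re

MAX_RULES = 100_000  # ceiling stated on the page
# Rule shapes taken from the page's examples: 0-65535/256, 10.0.0.1/0.255.255.0, 10.0.0.1-10.0.0.42
PORT_RE = re.compile(r"^(\d{1,5})-(\d{1,5})/(\d{1,3})$")
WILDCARD_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,3}(?:\.\d{1,3}){3})$")
RANGE_RE = re.compile(r"^([0-9a-fA-F:.]+)-([0-9a-fA-F:.]+)$")
# Assumption: a child rule counts as an IP rule, since the child it names carries IP rules.
IP_KINDS = {"subnet", "single", "range", "wildcard", "child"}


def classify_rule(rule, declared):
    """Return the kind of `rule`; raise ValueError if it matches no valid shape.
    `declared` holds the names already seen, so child references can be resolved."""
    if rule in declared:
        return "child"
    m = PORT_RE.match(rule)
    if m:
        lo, hi, proto = (int(g) for g in m.groups())
        if lo <= hi <= 65535 and proto <= 256:   # 256 is used on the page for "any protocol"
            return "port"
        raise ValueError(f"port/protocol rule out of range: {rule}")
    m = WILDCARD_RE.match(rule)
    if m:
        ipaddress.IPv4Address(m.group(1))        # both halves must be valid dotted quads
        ipaddress.IPv4Address(m.group(2))
        return "wildcard"
    m = RANGE_RE.match(rule)
    if m:
        lo, hi = (ipaddress.ip_address(g) for g in m.groups())
        if type(lo) is not type(hi) or lo > hi:
            raise ValueError(f"invalid address range: {rule}")
        return "range"
    if "/" in rule:
        ipaddress.ip_network(rule, strict=False) # raises ValueError on a bad prefix
        return "subnet"
    ipaddress.ip_address(rule)                   # raises ValueError on a bad address
    return "single"


def validate_import(text, kind="applications"):
    """Parse an import file; return ({name: [rule kinds]}, [error strings]).
    kind is 'applications' (one rule per line) or 'ipgroups' (no port rules;
    several space-separated rules may share one line)."""
    rules, errors = {}, []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row or not any(f.strip() for f in row):
            continue                             # blank line
        if len(row) != 2:
            errors.append(f'line {lineno}: expected "name",rule')
            continue
        name, field = row[0].strip(), row[1].strip()
        # A quoted child name containing spaces is kept whole; anything else in an
        # ipgroup line is split into individual rules as the page describes.
        parts = field.split() if kind == "ipgroups" and field not in rules else [field]
        for part in parts:
            try:
                k = classify_rule(part, rules)   # dict keys are the declared names
            except ValueError as exc:
                errors.append(f"line {lineno}: {exc}")
                continue
            if kind == "ipgroups" and k == "port":
                errors.append(f"line {lineno}: port rules are not valid in an ipgroup")
                continue
            rules.setdefault(name, []).append(k)
    if sum(len(v) for v in rules.values()) > MAX_RULES:
        errors.append(f"more than {MAX_RULES} rules in file")
    if kind == "applications":
        for name, kinds in rules.items():
            if "port" not in kinds or not IP_KINDS & set(kinds):
                errors.append(f"{name}: needs at least one port rule and one IP rule")
    return rules, errors


# Constructed sample import file (applications format), modelled on the page's examples.
SAMPLE_APPLICATIONS = """\
"My first Application",10.0.0.0/8
"My first Application",0-65535/6
"My second Application",11.0.0.0/8
"Wildcard App",10.0.0.1/0.255.255.0
"Wildcard App",443-443/6
"Parent App","My first Application"
"Parent App",80-80/6
"Bad App",10.0.0.300
"""

if __name__ == "__main__":
    parsed, problems = validate_import(SAMPLE_APPLICATIONS)
    for name, kinds in parsed.items():
        print(f"{name}: {kinds}")
    for problem in problems:
        print("ERROR", problem)
```

On the sample file the validator accepts the first, wildcard and parent applications, reports the malformed address on line 8, and flags "My second Application" for lacking a port rule, which is exactly the case the page singles out as importable but not properly tagged. Because import applications with reset discards every existing rule first, running a check like this on the file beforehand is cheaper than discovering a bad line after the bulk import.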
moloch
Third-party integration support for Moloch probes.
Command | Description |
---|---|
moloch <on|off> <moloch_ip> <moloch_port> | Manages integration with Moloch probes. The <moloch_port> parameter is optional. |
optimize
Run various optimization tasks.
Warning
These commands will alter database tables in Scrutinizer. Please use with caution.
Command | Description |
---|---|
optimize common | Optimizes tables that are commonly inserted and deleted. This action keeps things neat and clean for the database. This command is routinely executed as part of normal operations. |
optimize database <db_name> <db_pass> | Optimizes the tables in the database specified. |
remove
Removes a configured setting from the system.
Command | Description |
---|---|
remove address ipv6 | Removes any IPv6 address configured, but there has to be an IPv4 address set up. Use the set myaddress command to change the addresses configured. Warning: This command will alter Scrutinizer’s operations. Please use with caution. |
repair
Runs various database check and repair commands.
Command | Description |
---|---|
repair business_hour_saved_reports | Saved reports prior to 15.5 that were saved with business hours will require a manual check and repair. This command converts older saved reports with business hours specified to the newer format. |
repair database <db_name> <db_pass> | Repairs errors for the database specified. |
repair history_tables | Fixes history tables that have the wrong col type for octetdeltacount. It may be updated in the future to address other issues. |
repair policy_priority_order | With some professional services and automated policy creation, some policy IDs have been known to become misordered or duplicated. This command fixes that. |
repair range_starts | Fixes history tables that may not have a start time that helps identify the range of data within the individual history tables. NOTE: This command may take a long time to complete. Only execute under the direction of technical support. |
rotate
Rotates Scrutinizer’s keys and certificates.
Warning
This command will alter Scrutinizer’s operations. Please use with caution.
Command | Description |
---|---|
rotatekeys | Creates a new encryption key and re-encrypts all encrypted fields in the database. |
rotatedbcerts | Creates new database certificates used for authentication. |
services
Manages the Scrutinizer services.
Warning
This command will alter Scrutinizer’s operations. Please use with caution.
Command | Description |
---|---|
services <service|all> <action> | Starts, stops, or restarts the specified service (or all services). |
set
Modifies certain behaviors on how Scrutinizer authenticates and performs operations.
Command | Description |
---|---|
set columnmoniker <old_element> <new_element> [<element_list>] | Occasionally it is necessary to rename an information element. This is no problem for data received after the name has changed. However, if that element is used in any reports, it will no longer be possible to report on the historical data. columnmoniker takes 3 parameters. Two parameters are required: the <old_element> name and the <new_element> name. The third, optional parameter is a list of info_elements that must also exist in the flow template to restrict renaming. This list can be one or more elements separated by commas (e.g. elementname1,elementname2). Warning: This command should only be used under the instructions of technical support. |
set dns | Modifies the system file that manages the list of DNS servers. This command will remove any preconfigured DNS servers. Use show dns to see what is currently configured. |
set hostinfo <ip_address> <fqhn> | Sets the local machine name to the fully qualified host name provided. Ensures that /etc/hosts is configured to resolve between the given <fqhn> and <ip_address>. |
set httpd <port> | Changes the web port of non-SSL installs for the Scrutinizer WebUI. Use set ssl to change the SSL port. |
set myaddress <ip_address> <netmask> <gateway> | Changes the IPv4 address of the current Scrutinizer server. After entering the new IP information, you will be asked if the address provided is correct. Once you answer ‘yes’ to the question, you will lose connection to the SSH session. Running this command from a console connection is advised. All fields are required. If you have multiple IP addresses on the Scrutinizer server or you have enabled encrypted database communication, please contact Plixer support for assistance. Warning: This command will alter Scrutinizer’s operations. Please use with caution. |
set myaddress <ipv6_address/cidr> <gateway> | Changes the IPv6 address of the current Scrutinizer server. After entering the new IP information, you will be asked if the address provided is correct. Once you answer ‘yes’ to the question, you will lose connection to the SSH session. Running this command from a console connection is advised. All fields are required. If you are setting an IPv6 address, a netmask is not needed but the CIDR prefix length must be added to the IP. You must provide the new IP address, netmask and gateway for IPv4 addresses. If you have multiple IP addresses on the Scrutinizer server or you have enabled encrypted database communication, please contact Plixer support for assistance. Warning: This command will alter Scrutinizer’s operations. Please use with caution. |
set ntp | Modifies system file to manage list of ntp servers. |
set partitions <partition_name> [extend] | Use this command to expand the operating system disk space for hardware and virtual appliances. If this is a virtual appliance and you expanded the existing disk, add the [extend] option. NOTE: make a backup before using this command. Warning: This command will alter Scrutinizer’s operations. Please use with caution. |
set password plixer | Resets the CentOS ‘plixer’ user’s password. |
set password webui <user> | Modifies the webui password for the specified user. |
set permissions | Resets file and directory permissions to what is expected by Scrutinizer. Warning: This command will alter Scrutinizer’s operations. Please use with caution. |
set registercollector <collector_ip> [secondary] | Manually register a collector for distributed use. This command must be run from the primary reporting server. Adding ‘secondary’ to the command will register the collector as a secondary reporting server. Before registering a collector on AWS, make sure you have the key to collector used during deployment. This key must be available on the primary reporter. Warning: This command will alter Scrutinizer’s operations. Please use it with caution. |
set reportmenu | Manually recreates the report menu. NOTE: The report menu is automatically maintained based on the flows received. |
set salt <salt> | Setting a salt value will allow users to mask certain machine characteristics from any license key generated. |
set selfregister [reset] | Manually registers this Scrutinizer server to identify itself for both stand-alone or distributed functionality. |
set selfreporter | Promotes this Scrutinizer Server to a reporter. |
set sshcollectorkeys | Generates a new SSH key pair and distributes it to all active, registered machines. Any previous SSH key pairs are overwritten unconditionally, which makes this suitable for resynchronizing SSH access should problems arise. This enables future functionality to perform upgrades and other maintenance operations en masse. |
set serverpref <serverpref> <value> | Changes the value of the serverpref setting. Use with caution. |
set ssl <on|off> [ecc] | Enables or disables SSL support in Scrutinizer. It only works with the local Apache server bundled with Scrutinizer. Please reference the System/SSL section for detailed configuration instructions. |
set timezone <timezone> | Sets the server’s time zone. To see a list of time zones, run show tzlist |
set tuning | Alters some operating system and Scrutinizer settings in these database tables: plixer.exporters and plixer.serverprefs; and in these files: sysctl.conf, postgresql.conf and plixer.ini. |
set voip <on|off> | Toggles the predefinition of VoIP port ranges on or off. |
set webui_timeout <seconds> | Resets the timeout for the WebUI. This command must be run on all collectors/reporters. Warning: This command will alter how Scrutinizer and/or users access data. Please use with caution. |
set yum_proxy <host> <port> <user> | Sets the proxy in the yum configuration file. This command removes any previously configured proxy servers. All fields are required. Once all fields are entered on the command line, a prompt for the user’s password will appear. To see which proxy servers are currently configured, use show yum_proxy |
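The behaviour described for set yum_proxy and show yum_proxy (replace any existing proxy definition rather than append to it, and report what is configured) is easy to get wrong when done by hand, because a stale proxy line left behind in yum.conf silently wins or loses depending on order. The following is an added example, not scrut_util’s own code: it rewrites the [main] section of a yum.conf with exactly one proxy definition and reads it back with the password redacted. The sample configuration is constructed; the key names proxy, proxy_username and proxy_password are yum’s own, and the http scheme for the proxy URL is an assumption.

```python
import configparser
import io

# Constructed sample of a yum.conf [main] section that already carries a
# proxy definition; not a file taken from any Scrutinizer appliance.
SAMPLE_YUM_CONF = """\
[main]
gpgcheck=1
installonly_limit=3
proxy=http://old-proxy.example.net:3128
proxy_username=olduser
proxy_password=oldsecret
"""

# Option names yum reads from [main]; any of them left over from an earlier
# configuration is removed before the new proxy is written.
PROXY_KEYS = ("proxy", "proxy_username", "proxy_password")

def set_yum_proxy(conf_text, host, port, user, password):
    """Return conf_text with exactly one proxy definition in [main].

    Mirrors the documented behaviour of `set yum_proxy`: previously configured
    proxy settings are removed first, then the new host/port/user/password is
    written. The http:// scheme is an assumption.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("main"):
        cp.add_section("main")
    for key in PROXY_KEYS:
        cp.remove_option("main", key)
    cp.set("main", "proxy", f"http://{host}:{port}")
    cp.set("main", "proxy_username", user)
    cp.set("main", "proxy_password", password)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

def show_yum_proxy(conf_text):
    """Return the proxy settings present in [main] as a dict, password redacted."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("main"):
        return {}
    result = {k: cp.get("main", k) for k in PROXY_KEYS if cp.has_option("main", k)}
    if "proxy_password" in result:
        result["proxy_password"] = "<redacted>"
    return result

if __name__ == "__main__":
    updated = set_yum_proxy(SAMPLE_YUM_CONF, "proxy.example.net", 8080, "svc", "s3cret")
    print(updated)
    print(show_yum_proxy(updated))
```

One caveat worth keeping in mind: the proxy password is stored in clear text in yum.conf, and /etc/yum.conf is normally world-readable (mode 0644), so any local account on the appliance can read it. Use a proxy account with no rights beyond fetching packages, and check the file mode after the change.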
show¶
Shows various details about the Scrutinizer Server.
Command | Description |
---|---|
show alarms [filter] | Displays a list of alarms ordered by timestamp, descending. |
show custom_algorithms | Displays a list of custom algorithms available and whether they are enabled. For information on managing custom algorithms, reference the Flow Analytics Custom Algorithm section. |
show diskspace | Displays details about available storage. |
show dns | Displays a list of DNS servers currently used to resolve hostnames. Use the set dns command to change the list of DNS servers. |
show exporters [filter] | Displays a list of exporters that are currently sending data to Scrutinizer based on the supplied filter (if any). |
show extalarms [filter] | Displays a list of alarms with extended json data ordered by timestamp, descending. |
show groups | Displays a list of groups currently configured on this Scrutinizer server. |
show interfaces [filter] | Displays a list of interfaces that are currently sending data to Scrutinizer based on the supplied filter (if any). |
show ipaddresses | Displays the current ip address(es) on this Scrutinizer server. |
show metering [filter] | Displays a list based on the supplied filter (if any) of matching exporter IPs and how each interface is metered (i.e. ingress and/or egress). |
show ntp | Displays a list of NTP servers currently used to sync time. |
show partitions | Displays a list of partitions on the current Scrutinizer Appliance. This command is only available for Hardware and Virtual Appliances. Use show diskspace if looking for diskspace per volume (or partition). |
show pcaplist | List what current pcap files have been created and their sizes. Pcaps can be removed using the clean pcap command. |
show serverpref [filter] | Displays serverprefs and their current values. The filter parameter is optional to narrow the serverprefs to match the string provided. |
show task [name] | Displays a list of tasks currently configured in Scrutinizer. The name parameter is optional to narrow the task names to match the string provided. |
show timezone | Displays the current timezone of this Scrutinizer Server. Use set timezone command to modify the timezone. |
show tzlist [filter] | Displays the list of timezones. |
show unknowncolumns | List info elements from exporters that are unknown to Scrutinizer. Don’t fret! Give the list to Plixer and support will be added for it! |
show yum_proxy | Displays the currently configured yum proxy settings. To change these settings, use set yum_proxy |
Note
If the output of a show command is long, type ‘q’ to quit and return to the SCRUTINIZER> prompt.
snoop¶
Listens at the interface level for traffic from the specified interface or ip address.
Command | Description |
---|---|
snoop interfaces <interface_name> | Listens at the interface level for traffic from the specified interface. |
snoop ipaddresses <ip_address> | Listens at the interface level for traffic from the specified ip address. |
system¶
Scrutinizer system level functions.
Warning
This command will alter Scrutinizer’s operations. Please use with caution.
Command | Description |
---|---|
system <restart|shutdown> | Reboots or shuts down the Scrutinizer server. |
system update [schedule|unschedule] | Applies operating system level patches. To enable daily scheduled operating system updates, run the ‘system update schedule’ command. This will run the system update command every day at a random time. This time is selected outside of the ‘business hours’ set in Admin > Settings > Reporting. An alert is sent to Scrutinizer describing what time this command will run. To change the time, simply run the ‘system update schedule’ command again. A new time will be selected. To disable daily scheduled operating system updates, run the ‘system update unschedule’ command. If operating system patches are applied, all Scrutinizer services will be restarted, which could cause a minute of missed data. |
unlock¶
Unlocks accounts that have exceeded the maximum failed login attempts.
Command | Description |
---|---|
unlock <username> [<auth_method>] | Unlocks accounts that have exceeded the maximum failed login attempts set by the Scrutinizer administrator, and are locked out from authentication. By default, the user account will be set to local authentication. To specify another auth_method, use ‘ldap’, ‘radius’, or ‘tacacs’. |
update¶
Updates Scrutinizer product.
Warning
This command will alter Scrutinizer’s operations. Please use with caution.
Command | Description |
---|---|
update Scrutinizer | Performs Scrutinizer product updates that are pulled from Plixer repositories. This command must be run from the primary reporting server. It will update Scrutinizer across all collectors in the cluster. Warning: If operating system patches are applied, all Scrutinizer services will be restarted, which could cause a minute of missed data. |
upload¶
Uploads files for troubleshooting purposes.
Command | Description |
---|---|
upload pcap <capturefile> | Uploads the specified packet capture collected by the collect pcap command. To see a list of captures on this server, execute show pcaplist |
upload supportfiles | Uploads files for troubleshooting purposes. |
version¶
Displays Scrutinizer version.
Command | Description |
---|---|
version | Shows version information about Scrutinizer. |