Interactive CLI#

The Scrutinizer interactive CLI utility provides access to system-level functions, such as admin operations, configuration/maintenance routines, and integration management.

The interactive prompt (SCRUTINIZER>) is accessed by establishing an SSH session with the Scrutinizer server and running:

scrut_util

On this page:

System management
Configuration & settings
Data management & maintenance
Data collection & processing
User & security management
Third-party integrations
Importing & exporting data
Network & monitoring

Note

Most scrut_util commands can also be executed using direct shell syntax, which allows them to be used in scripts to automate maintenance tasks. Run the following from the shell to view the equivalent syntax for the top-level interactive commands listed below:

scrut_util --help [COMMAND]

System management#

services#

The services command is used to stop, start, or restart all or specific services.

Syntax
services all <stop|start|restart>

Managing individual services

To stop, start, or restart specific services, run one of the following from the shell instead:

systemctl syntax

Service

Function

sudo systemctl <stop|start|restart> scrutinizer

Start, stop, or restart all Scrutinizer services

sudo systemctl <stop|start|restart> plixer_collector

Start, stop, or restart all data collection and processing services

sudo systemctl <stop|start|restart> plixer_webapp

Start, stop, or restart all Scrutinizer UI and API-related services

sudo systemctl <stop|start|restart> plixer_db

Start, stop, or restart all database, connection pooling, and caching services

sudo systemctl <stop|start|restart> replicator

Start, stop, or restart all Replicator-related services when it is licensed to operate on the same machine as Scrutinizer

system#

The system command is used to reboot or shut down the system.

Syntax

Command

Description

system <restart|shutdown>

Reboots or shuts down the system

version#

The version command is used to show version information for Scrutinizer.

Syntax

Command

Description

version

Shows version information for Scrutinizer

Configuration & settings#

convert#

The convert command is used to convert different types of data and information.

Options and syntax

Command

Description

converttoaes

Converts all encrypted information stored by Scrutinizer to use AES 256 encryption

set#

The set commands are used to manage settings/behaviors related to authentication, networking, and general operation for the Scrutinizer server.

Options and syntax

Note

These commands can alter Scrutinizer functionality and should be used with caution.

Command

Description

set columnmoniker <OLD_NAME> <NEW_NAME> [ELEMENT_LIST]

Replaces an information element’s OLD_NAME with the specified NEW_NAME

If the optional ELEMENT_LIST of one or more elements (comma-delimited) is included, renaming will be limited to flow templates that also include those elements.

This command should only be run under the direction of Plixer Technical Support.

set dns

Allows the user to enter one or more new DNS servers for hostname resolution

The operation will overwrite the system’s previous DNS server list.

set hostinfo <IP_ADDRESS> <FQHN>

Assigns the specified FQHN (fully qualified hostname) to the current Scrutinizer appliance and configures resolution for the provided IP_ADDRESS

set leds_threshold

Resets the LED warning threshold to 10% of the total storage available on the appliance’s data partition

When combined with the Auto History Trimming settings, this function can help prevent Scrutinizer from using up all available storage.

set myaddress <IPv4_ADDRESS> <NETMASK> <GATEWAY>
set myaddress <IPv6_ADDRESS/CIDR> <GATEWAY>

Assigns the specified IPv4/IPv6_ADDRESS, CIDR/NETMASK, and GATEWAY to the current appliance

After the provided IP information has been confirmed to be correct, the previous address of the same type will be overwritten.

Because an SSH session will automatically be terminated after the new IP address is assigned, it is recommended to run this command from a console connection.

set partitions <PARTITION> <extend>

Extends the specified PARTITION to expand OS disk space on the current hardware or virtual appliance (requires the extend flag)

It is highly recommended to create a backup before running this command.

set password plixer
set password webui <USER_NAME>

Resets the password for the plixer OS user/account or the web interface account with the specified USER_NAME

set registercollector <IP_ADDRESS> [secondary]

Registers the Scrutinizer appliance with the specified IP_ADDRESS as a remote collector and, if the secondary flag is included, as the secondary reporter for the distributed cluster

This command must be run from the distributed cluster’s primary reporter/server.

set salt <SALT>

Adds the specified SALT value to the current appliance’s machine details for license key generation

set selfregister [reset]

Reinitializes the server and, if the reset flag is included, resets all appliance settings

set selfreporter

Promotes the secondary reporter in a distributed cluster to the primary reporter role

This command must be run on an appliance that was assigned the secondary reporter role (see registercollector above).

set sshcollectorkeys

Generates a new SSH key pair and distributes it to all registered appliances

The operation will also overwrite any previous key pairs, which will address any issues that require re-syncing of SSH access.

set ssl <on|off> [ecc]

Toggles SSL support in Scrutinizer on or off

If the on option is passed, the user will also be prompted to enter the required certificate details, which will overwrite any existing values even if SSL was already enabled (default).

If the ecc argument is included, a 256-bit Elliptic Curve (EC) public/private key pair will also be generated.

For further details on Scrutinizer’s default SSL settings and behavior, see the SSL configuration guide.

set timezone <TIMEZONE>

Sets the Scrutinizer appliance’s time zone to the specified TIMEZONE

For a list of time zones, use the show timezone command.

set tuning

Re-tunes the appliance by modifying certain Scrutinizer and OS settings in sysctl.conf, postgresql.conf, and plixer.ini as well as in the plixer.exporters and plixer.serverprefs tables.

This command should only be run under the direction of Plixer Technical Support.

set voip <on|off>

Toggles predefined VoIP port ranges on or off

set webui_timeout <SECONDS>

Sets the number of SECONDS before web app requests or queries to the web server and PostgreSQL time out

set yum_proxy <HOST> <PORT> <USER>

Configures/overwrites proxy settings using the provided HOST address/hostname, PORT, and USER in the yum configuration file.

show#

The show commands are used to view various details, settings, and other functional elements for the Scrutinizer server/environment.

Options and syntax

Command

Description

show custom_algorithms

Displays a list of all custom algorithms saved to scrutinizer/files/algorithms/ and their current state

show datasize

Displays a breakdown of database storage sizes by schema

show diskspace

Displays storage allocation and utilization details

show dns

Displays a list of all DNS servers used for hostname resolution

show exporters [FILTER]

Displays a list of exporters sending data to collectors (using the specified FILTER if included)

show groups

Displays a list of all current device/mapping groups

show interfaces [FILTER]

Displays a list of interfaces sending data to collectors (using the specified FILTER if included)

show ipaddresses

Displays all IP addresses assigned to the current Scrutinizer appliance

show metering [FILTER]

Displays a list of interfaces by exporter and their metering direction (using the specified device IP address FILTER if included)

show partitions

Displays partition information for the current Scrutinizer appliance

show task [FILTER]

Displays a list of all tasks currently configured in Scrutinizer (using the specified task name FILTER if included)

show timezone

Displays the timezone configured for the current Scrutinizer appliance

show tzlist [FILTER]

Displays a list of timezones that can be configured for the Scrutinizer appliance (via the set timezone command)

show unknowncolumns

Displays a list of exporter information elements that are unrecognized by Scrutinizer

Contact Plixer Technical Support for any information elements that you need supported.

show yum_proxy

Displays the current yum proxy settings

To edit these settings, use the set yum_proxy command.

Data management & maintenance#

clean#

The clean commands are used to manually execute housekeeping processes that are automatically run at regular intervals.

Options and syntax

Command

Description

clean all

Immediately executes all scheduled housekeeping tasks

clean baseline

Resets all configured baselines to the default values

Historical data will not be deleted but will still expire following the configured data retention settings.

clean database

Purges all temporary database entries

clean ifinfo

Purges ifinfo entries that do not have matching entries in activeif

clean old_logs

Purges old log files that are set to the backup status

clean tmp

Purges all temporary files created by the graphing engine

delete#

The delete commands are used to delete database entries or tables from the Scrutinizer system.

Options and syntax

Note

  • These commands will permanently delete data and should be used with caution.

  • The collector should be stopped before running any of the history_index commands.

Command

Description

delete custom_algorithm <FILENAME>

Permanently deletes the custom algorithm with the specified FILENAME

FILENAME should not include the algorithm file’s .pm extension.

delete history_index_empty_tables

Deletes all tables with zero rows from the history index

delete history_index_orphans

Deletes all history index entries for which a table does not actually exist

delete history_table_orphans

Deletes all tables that do not have a history index entry

expire#

The expire commands are used to delete expired historical data following the configured data retention settings.

Options and syntax

Note

These commands will permanently delete data and should be used with caution.

Command

Description

expire dnscache [all]

Purges expired DNS cache data (based on the Days of DNS Request Data setting) or, if the all option is included, all DNS cache data

expire history [trim]

Purges expired flow data (based on the Flow Historical X Avg settings) and, if the trim option is included, also deletes older data until the Minimum Percent Free Disk Before Trimming value is reached

expire inactiveflows

Removes expired inactive interfaces (based on the Inactive Expiration system preference setting) from interface views

expire templates

Purges flow template metadata for templates that haven’t been observed for 30 days

optimize#

The optimize commands are used to manually execute optimization processes that are automatically run at regular intervals.

Options and syntax

Note

These commands will modify database tables in Scrutinizer and should be used with caution.

Command

Description

optimize common

Optimizes tables that are commonly inserted and deleted to improve database performance

optimize database <DATABASE>

Optimizes only tables in the specified DATABASE

repair#

The repair commands are used to run various repair processes related to Scrutinizer functions and databases.

Options and syntax

Note

These commands will modify database tables in Scrutinizer and should be used with caution.

Command

Description

repair business_hour_saved_reports

Converts saved reports with business hours that were created in older Scrutinizer versions (15.5 and below) to the latest format with the same business hours

repair history_tables

Repairs history tables that have the wrong column type for octetDeltaCount

This command is not used for PostgreSQL installations.

repair policy_priority_order

Repairs irregularities in alarm policy IDs (e.g., duplication)

repair range_starts

Repairs history tables without the start time used to identify the range of data they contain

This repair process may take some time to complete and should only be executed under the direction of Plixer Technical Support.

Data collection & processing#

check#

The check commands can be used to run a check/test against the resource, setting, or function specified by the option used.

Options and syntax

Note

The collector should be stopped before running any of the history_index commands.

Command

Description

check activeif

Checks for active flows based on interface details and returns the last timestamp and number of interfaces that received flows

check collectorclass <CLASS [SUBSYSTEM]>

Returns running state details for the specified collector CLASS or, if provided, the specified SUBSYSTEM of that class

This command is used by Plixer Technical Support for troubleshooting.

check data_last_written

Returns activity details for collected flow data written to the database

check dist_info

Returns distributed cluster configuration details for the Scrutinizer server

check hdtest <TRIES>

Tests hard drive performance by running a write-delete operation 10 times (default) or, if provided, the number of times specified by TRIES, and returns the time taken

check heartbeat <database|api>

Tests and returns information on internal communications with the specified resource type

check history_index

Checks the history index and returns historical activity information for the 1m interval aggregation table

check history_index_empty_tables

Checks the history index and returns a list of tables with zero rows (collector should be stopped first)

To delete empty tables, use the delete command instead.

check history_index_orphans

Checks the history index and returns a list of entries for which a table does not actually exist

To delete orphan entries, use the delete command instead.

check history_index_table_orphans

Checks the history index and returns a list of tables that do not have a history index entry (collector should be stopped first)

To delete orphan tables, use the delete command instead.

check interfaces [all|cisco|sonicwall|huawei [HOST_IP]]

Uses alternative methods to retrieve interface descriptions from the specified HOST_IP

For Cisco and SonicWall devices, this operation uses NetFlow data; for Huawei devices, it uses SNMP and the vendor-specific MIBs instead.

check license

Returns license details for the Scrutinizer server

check machine_id

Returns the current Machine ID of the Scrutinizer server

check machine_id_list

Returns all previous, current, and possible Machine IDs for the Scrutinizer server

check rollcall

Checks the current states of data roll-up time buckets and returns a list of states and record counts by bucket

check rollups

Checks the current states of all data roll-ups and returns a list of roll-up counts by status

check route <DEVICE_IP>

Checks the specified DEVICE_IP to determine if its routing data is accessible and returns the result

check simplercv <UDP_PORT>

Checks for UDP traffic on the specified <UDP_PORT>

This command can be used to verify that flows are being received at the top of the stack (i.e., tcpdump -> collector).

check snmp

Attempts to get SysObjectID for all devices and returns the credential object if successful (or an error if the attempt failed)

check ssl

Returns the current SSL parameter settings

To enable/disable SSL or edit the configuration, use the set ssl command.

check stats_exporters

Returns an exporter activity time log

check task <TASK_ID>

Returns a list of execution times and error codes for the specified TASK_ID

For a list of all task IDs, use the show task command.

check tuning

Checks the current system configuration and returns a list of settings that can be modified to improve performance

collect#

The collect commands are used to manually execute collection processes for data that can be used in various Scrutinizer functions. Many of these processes are run automatically at regular intervals.

Options and syntax

Command

Description

collect asa_acl

Immediately polls Cisco ASA devices to collect ASA ACL information

collect baseline

Collects baseline data and checks for alarms/events

collect dbsize

Collects database size information

collect elk <IP_ADDRESS>

Collects data from Scrutinizer and forwards it to the ELK server using the IP_ADDRESS specified

collect optionsummary

Initiates processing of flow option data collected by Scrutinizer

collect snmp

Immediately polls SNMP devices to collect data used by Scrutinizer

collect splunk <IP_ADDRESS> <PORT>

Collects data from Scrutinizer and forwards it to the Splunk server using the IP_ADDRESS and PORT specified

collect supportfiles

Collects various logs and configuration data that can be used by Plixer Technical Support for troubleshooting

collect topology

Collects device data to help Scrutinizer understand the network’s topological layout

collect useridentity

Initiates processing of user identity data collected by Scrutinizer

User & security management#

disable#

The disable commands are used to disable specific functions/features in Scrutinizer.

Options and syntax

Note

These commands can alter Scrutinizer functionality and should be used with caution.

Command

Description

disable baseline <IP_ADDRESS>

Disables all baselines for the exporter with the specified IP_ADDRESS

Historical data associated with the exporter will not be deleted but will still expire following the configured data retention settings.

disable elk http://<IP:PORT>

Disables ELK flows from Scrutinizer to the URL specified by IP:PORT

disable ipv6

Disables IPv6 for all interfaces in sysctl.conf

disable splunk http://<IP:PORT>

Disables Splunk flows from Scrutinizer to the URL specified by IP:PORT

disable ssh_root_login

Prohibits the superuser root account from logging into a Linux shell directly from outside hosts

Instead of allowing remote root SSH login, it is recommended to log in as the plixer user and use sudo for maintenance tasks. This command will not affect root logins from a physical or virtual console.

disable unresponsive

Disables pinging of exporters that have been flagged as unresponsive

disable user <USERNAME>

Disables the specified USERNAME account with scrut_util access (e.g., for server maintenance)

enable#

The enable commands are used to enable/configure specific functions in Scrutinizer.

Options and syntax

Note

These commands can alter Scrutinizer functionality and should be used with caution.

Command

Description

enable baseline <IP_ADDRESS> default

Enables default baselines for the exporter with the specified IP_ADDRESS

enable baseline <IP_ADDRESS> manual <PRIMARY[, SECONDARY] ELEMENT avg|count|min|max|std|sum dailyhr|busday|sameday>

Enables a custom baseline with the following parameters for the exporter with the specified IP_ADDRESS:

  • PRIMARY - IPFIX element to be included in the baseline (e.g., sourceIPv4Address, applicationName, etc.)

  • SECONDARY - Optional secondary IPFIX element to be included in the baseline

  • ELEMENT - Corresponding numeric IPFIX element for the primary and secondary elements to be used to determine the baseline (e.g., packetDeltaCount, octetDeltaCount, etc.)

  • AVE | COUNT | MIN | MAX | STD | SUM - Selects between average (AVE), flow count (COUNT), minimum value (MIN), maximum value (MAX), standard deviation (STD), or sum (SUM) for measuring the specified ELEMENT

  • dailyhr | busday | sameday - Selects between daily (dailyhr), daily on business days (busday), or same day weekly (sameday) for baseline comparison

When baselining IP addresses, IP groups should be defined for the address ranges and subnets to be included in the baseline. This will prevent addresses that may only talk once from triggering false positives.

enable custom_algorithm <FILENAME> <NAME>

Enables the custom algorithm FILENAME in the flow analytics engine under the specified NAME

FILENAME should not include the .pm extension of the algorithm file (must be saved to scrutinizer/files/algorithms/).

enable elk http://<IP:PORT>

Enables ELK flows from Scrutinizer to the URL specified by IP:PORT

enable ipv6

Enables IPv6 for all interfaces in sysctl.conf

enable splunk http://<SPLUNK_SERVER_IP:PORT> <SYSLOG_PORT> <SPLUNK_FORWARDER_IP>

Enables Splunk integration using the provided server and forwarder details

enable ssh_root_login

Allows the superuser root account to log into a Linux shell directly from outside hosts

Instead of allowing root SSH login, it is recommended to log in as the plixer user and use sudo for maintenance tasks.

enable user <USERNAME> <1|2|3>

Creates a new login account with the specified USERNAME and one of the following security levels:

  • 1 - Only commands that can stop data collection are disabled.

  • 2 - Commands that can remove integrations or stop data collection are disabled.

  • 3 - Only commands to collect information about Scrutinizer and the operating system are enabled.

rotate#

The rotate commands are used to replace the keys and certificates used by Scrutinizer in its functions.

Options and syntax

Note

  • These commands will alter Scrutinizer functionality and should be used with caution.

  • rotatecerts can only be run using direct shell/script syntax and not from the SCRUTINIZER> prompt (as shown below).

Command

Description

rotatekeys

Creates a new encryption key and re-encrypts all encrypted fields in the database

scrut_util --rotatecerts [--days <DAYS>] [--reset] [--verbose]

Regenerates all certificates on all nodes (including any Plixer ML Engine deployments) with an optional expiration date in the specified number of DAYS

If the --reset flag is included, the CA certificate on the primary reporter and the web server certificate will also be regenerated.

unlock#

The unlock command is used to unlock a locked USER account (due to failed login attempts).

If no authentication method is specified (ldap, radius, or tacacs), the account defaults to local authentication.

Syntax

Command

Description

unlock <USER> [ldap|radius|tacacs]

Unlocks a locked USER account (due to failed login attempts)

Third-party integrations#

awssync#

The awssync command can be used to sync IDs and descriptions from AWS when AWS flow log ingestion is enabled.

Syntax

Command

Description

awssync

Syncs IDs and descriptions from AWS when AWS flow log ingestion is enabled

ciscoise#

The ciscoise commands are used to manage Cisco Identity Services Engine (ISE) node integration in Scrutinizer.

Options and syntax

Command

Description

ciscoise add <IP_ADDRESS> <TCP_PORT> <ISE_USER>

Adds a Cisco ISE node with the specified IP_ADDRESS, TCP_PORT, and ISE_USER (must have API access) and queues it for acquiring user identities for all active sessions

The ISE_USER password will also need to be entered after this command is run.

ciscoise check

Tests node polling and returns the results

This command can be used to verify that Scrutinizer is able to collect user identity information.

ciscoise kick <ISE_ID> <IP_ADDRESS> [MAC_ADDRESS]

Kicks the ISE_ID off the ISE node at the specified IP_ADDRESS and optional MAC_ADDRESS, forcing re-authentication

ciscoise nodelist

Returns a list of all Cisco ISE nodes currently configured

ciscoise poll

Forces a poll of all Cisco ISE nodes and returns the results

ciscoise remove <IP_ADDRESS>

Removes the Cisco ISE node with the specified IP_ADDRESS from Scrutinizer

ciscoise update <IP_ADDRESS> <TCP_PORT> <ISE_USER>

Updates the current configuration of the Cisco ISE node with the specified IP_ADDRESS to use the provided TCP_PORT and ISE_USER

The ISE_USER password will also need to be entered after this command is run.

endace#

The endace commands are used to manage EndaceProbe for Pivot2Packets (P2P) integration.

Options and syntax

Command

Description

endace add <IP_ADDRESS> <PORT> <USER> <PASSWORD>

Enables integration with an EndaceProbe with the specified IP_ADDRESS, PORT, and Endace USER:PASSWORD

The default port used by an EndaceProbe is 443.

endace remove <IP_ADDRESS>

Removes the EndaceProbe with the specified IP_ADDRESS

endace update <IP_ADDRESS> <PORT> <USER> <PASSWORD>

Updates EndaceProbe integration settings with the specified IP_ADDRESS, PORT, and Endace USER:PASSWORD

Note

The above commands will only accept an IP address. Hostnames will not work.

Hint

  • More than one EndaceProbe can be configured for P2P integration. All probes added will be available in a dropdown menu in the P2P search.

  • Pivot2Vision integration can be configured to use a separate EndaceProbe (or probes) from the probe(s) added via the scrut_util CLI for P2P integration.

moloch#

The moloch command is used to enable or disable integration for the Moloch probe using the specified IP_ADDRESS and PORT.

Syntax

Command

Description

moloch <on|off> <IP_ADDRESS [PORT]>

Enables or disables integration for the Moloch probe using the specified IP_ADDRESS and PORT

Importing & exporting data#

export#

The export commands are used to dump data from Scrutinizer for external use.

Options and syntax

Command

Description

export applications <PATH/FILENAME>

Exports all current application rules/definitions as a CSV file with the specified PATH and FILENAME

export ipgroups <PATH/FILENAME>

Exports all current IP group rules/definitions as a CSV file with the specified PATH and FILENAME

export langtemplate <LANG_NAME>

If LANG_NAME keys are defined, creates a CSV file with the English and LANG_NAME keys and saves it as home/plixer/scrutinizer/files/pop_languages_LANGNAME_template.csv

import#

The import commands are used to import various types of data (labels, definitions, groupings, etc.) for use in Scrutinizer’s functions.

For further information, see this guide on importing data.

upload#

The upload supportfiles command is used to upload the log and configuration data package (after running the collect supportfiles command) for use by Plixer Technical Support.

Syntax

Command

Description

upload supportfiles

Uploads the log and configuration data package for use by Plixer Technical Support

Network & monitoring#

remove#

The remove address ipv6 command is used to delete the current IPv6 address assigned to the server.

Note

  • The IPv6 address can only be removed if there is an IPv4 address assigned. To edit IP address settings, use the set myaddress command.

  • This command will alter Scrutinizer functionality and should be used with caution.

Syntax

Command

Description

remove address ipv6

Deletes the current IPv6 address assigned to the server

snoop#

The snoop commands are used to listen for traffic at the interface level.

Options and syntax

Command

Description

snoop interface <INTERFACE> <PORT>

Listens for traffic on the specified INTERFACE and PORT

snoop ipaddress <IP_ADDRESS> <PORT>

Listens for traffic on the specified IP_ADDRESS and PORT