Interactive CLI¶
The interactive CLI utility provides access to numerous server maintenance utilities, including password changes, third party integration processes, many routines to access information required for support, and more.
To launch the interactive utility, run:
/home/plixer/scrutinizer/bin/scrut_util
This will open the Scrutinizer prompt:
SCRUTINIZER>
To close the interactive prompt, type ‘exit’:
SCRUTINIZER> exit
Exiting...
[root@<host> ~]#
Modes of operation¶
The scrut_util utility has two modes of operation.
- Interactive:
Launch the interactive utility and enter the commands in the SCRUTINIZER> prompt.
- Command Line Interface (CLI):
SSH as root to run the CLI mode. This will allow you to execute commands without entering the SCRUTINIZER> prompt. For example:
[root@<host> bin]# ./scrut_util --version
Help function¶
To display the list of the available commands, run:
SCRUTINIZER> help
For help with specific commands (for example, the “show” command) enter:
SCRUTINIZER> help show
For help with specific extended commands (for example, the “show groups” command) type:
SCRUTINIZER> help show groups
Commands¶
Following are the available top level commands:
- check
- ciscoise
- clean
- collect
- counteract
- delete
- disable
- download
- enable
- endace
- expire
- export
- import
- moloch
- optimize
- repair
- services
- set
- show
- snoop
- system
- upload
- version
For each top level command, there are several extended commands.
check¶
Runs a test or check against the command provided.
ciscoise¶
Manage CiscoISE Node Integration with Scrutinizer.
Command | Description |
---|---|
ciscoise add <ise_ip> <ise_tcp_port> <ise_user> | Adds a CiscoISE node to the queue to acquire user identity on all active sessions. The required parameters are the host address <ise_ip>, tcp port <ise_tcp_port>, and user <ise_user> that can access the API. Scrutinizer will prompt the user for the <ise_user> password. |
ciscoise check | Tests polling and outputs the results to the screen for review. It’s a good way to verify that Scrutinizer is collecting user identity information properly. |
ciscoise kick <ise_id> <mac_address> <user_ip> | Kicks the user off the ISE node, forcing them to re-authenticate. At minimum, the user's IP address is required. Optionally, the <mac_address> can be provided. |
ciscoise nodelist | Lists the currently configured CiscoISE nodes. |
ciscoise poll | Runs a poll manually and outputs the results to the screen. When integration is enabled, polling is automatically performed routinely. To diagnose issues, run ‘ciscoise check’ or ‘ciscoise test’. |
ciscoise remove <ise_ip> | Removes a CiscoISE node from Scrutinizer. The required parameter <ise_ip> is the IP address of the CiscoISE node. |
ciscoise test | Tests polling and outputs the results to the screen for review. It’s a good way to verify that Scrutinizer is collecting user identity information properly. |
ciscoise update <ise_ip> <ise_tcp_port> <ise_user> | Updates existing configuration settings for a specific CiscoISE node. The required parameters are the host address <ise_ip>, tcp port <ise_tcp_port>, and user <ise_user> that can access the API. Scrutinizer will prompt for the <ise_user> password. |
clean¶
Executes housekeeping tasks that are scheduled to run at various times during Scrutinizer’s normal operations.
Warning
These commands will purge data from Scrutinizer. Please use with caution.
Command | Description |
---|---|
clean all | Executes several housekeeping tasks that are scheduled to run at various times during Scrutinizer’s normal operations. |
clean baseline | Resets all configured baselines to the default baselines for each exporter. Historical data will not be deleted. However, it will expire based on Scrutinizer’s historical settings. |
clean database | Cleans out temporary database entries manually. This command is executed automatically every 30 minutes by Scrutinizer’s task scheduler. |
clean ifinfo | Clears entries in the ifinfo db table that do not have an entry in the activeif db table. |
clean old_logs | Clears out old log files that are set to a ‘backup’ status. |
clean pcap [<pcapfile>] | Removes all, or if specified, a specific pcapfile from the Scrutinizer server. To see a list of pcap files, execute show pcaplist. |
clean tmp | Removes any temporary files created by the graphing engine. Executing this will perform an on-demand clean up. By default, it is scheduled to be executed by Scrutinizer routinely. |
collect¶
Manually collect data that is useful for Scrutinizer.
Command | Description |
---|---|
collect asa_acl | Manually collects ASA ACL information from Cisco ASA Devices. This task is scheduled and routinely executed as part of normal operations. |
collect baseline | Manually collects baseline data and checks for alarms. This task is scheduled and routinely executed as part of normal operations. |
collect dbsize | Collects database size information. |
collect elk <elk_ip> | Manually collects data from Scrutinizer and sends it to the configured ELK server. Reference the Elasticsearch / Kibana (ELK) Integration guide for more detailed information on the ELK integration. |
collect optionsummary | Manually process flow option data collected by Scrutinizer. This information is routinely processed automatically. |
collect pcap <in_sec> [<host>] | Collects a packet capture on the interfaces of the Scrutinizer server. Requires a timeout (in seconds) and an optional host name in IP format to further filter the capture. |
collect snmp | Manually collects SNMP data that is used during Scrutinizer’s operations. This process is automatically scheduled by Scrutinizer to run regularly. |
collect splunk <splunk_ip> <port> | Manually collect data from Scrutinizer and send it over to the configured Splunk server. Reference the Scrutinizer for Splunk Application integration guide for more information |
collect supportfiles | Collects various log files and server configuration data used by Plixer support to troubleshoot server issues. |
collect topology | Collects various types of data from devices and Scrutinizer to help Scrutinizer understand the topology layout of the network. |
collect useridentity | Manually process user identity data collected by Scrutinizer. This information is routinely processed automatically. |
counteract¶
Third-party integration support for ForeScout CounterACT servers.
Command | Description |
---|---|
counteract <on|off> <counteract_ip[:port]> | Enables or disables support for ForeScout CounterACT servers. Required parameters are <on|off> and the host name with an optional tcp port. |
delete¶
This operation deletes database tables and/or database table entries.
Warning
These commands will purge data from Scrutinizer. Please use with caution.
Command | Description |
---|---|
delete custom_algorithm <identifier> | Deletes a custom algorithm at the system level. For more information, reference the Flow Analytics Custom Algorithms section. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
delete history_index_empty_tables | Deletes tables with zero rows from history_index. Please stop the collector, if running, prior to executing this command. |
delete history_index_orphans | Deletes entries from history_index for which a table does not actually exist. This should never happen, but occasionally when things go wrong we need something like this to make cleanup easier. |
delete history_table_orphans | Deletes tables with no history_index entries. Please stop the collector, if running, prior to executing this command. |
delete orphans | Deletes all known orphan alarm events. |
disable¶
Disables functionality used by Scrutinizer or incorporated as part of customized development.
Command | Description |
---|---|
disable baseline <exporter_ip> | Disables all baselines for the specified <exporter_ip>. The historical data will not be deleted. However, it will expire based on Scrutinizer’s historical data settings. Warning: This command will alter the behavior of Scrutinizer baseline functionality. Please use with caution. |
disable elk http://<ip:port> | Disables ELK (Elasticsearch, Logstash, and Kibana) flows from Scrutinizer to the URL specified. Reference the Elasticsearch / Kibana (ELK) Integration guide for more detailed information on the ELK integration. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable ipv6 | Disables ipv6 in sysctl.conf for all interfaces. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable splunk http://<ip:port> | Disables Splunk flows from Scrutinizer to the URL specified. Reference the Scrutinizer for Splunk Application integration guide for more information on the Scrutinizer for Splunk integration. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable user <username> | Removes a login account with access to the interactive utility for Scrutinizer server. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable unresponsive | Disables ping for exporters that have not responded. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable hypervtools | Disables Hyper-V Integration Tools for a Virtual Appliance running on Hyper-V. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
disable vmwaretools | Disables vmwaretools for a Virtual Appliance running on VMware. Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution. |
download¶
Downloads various files and utilities useful to Scrutinizer’s operations.
Command | Description |
---|---|
download hostreputationlists | Download the latest Flow Analytics Host Reputations Lists manually. This is also automatically updated. |
download installer | Download the Scrutinizer installer to perform upgrades. |
enable¶
Enables functionality used by Scrutinizer or incorporated as part of customized development.
Warning
These commands will alter the behavior of Scrutinizer functionality. Please use with caution.
endace¶
Third-party integration support for Endace probes.
Command | Description |
---|---|
endace add <host_ip> <port> <endace_user> <endace_pass> | Adds an Endace probe to the integration. |
endace remove <host_ip> | Removes the Endace probe at <host_ip> from the integration. |
endace update <host_ip> <port> <endace_user> <endace_pass> | Updates the settings for an existing Endace probe. |
For more information on this integration, reference the Configuring Endace probe integration guide.
expire¶
Purges data history older than the number of days defined by Scrutinizer’s history settings.
Warning
These commands will purge data from Scrutinizer. Please use with caution.
Command | Description |
---|---|
expire alarms | Expires alarm history from the threatsoverview and fa_transports_violations tables as specified in the Data History Flow Historical 1 Min Avg preference. |
expire bulletinboards | Purges alarm bulletin board events older than the number of days defined by Scrutinizer’s history settings. |
expire dnscache | Purges DNS cache entries older than the number of days defined by Scrutinizer’s history settings. |
expire history [trim] | Expires flow data as defined by Scrutinizer’s history settings. If the optional ‘trim’ mode is passed, Scrutinizer will trim older data to make more space on the hard disk. |
expire ifinfo | Purges old and outdated interface information. |
expire inactiveflows | Expires interfaces from the interface view that have stopped sending flows. Entries are expired based on the number of hours specified in the Scrutinizer System Preferences. (Admin -> Settings -> System Preferences -> Inactive Expiration) |
expire orphans | Purges alarm orphan events older than the number of days defined by Scrutinizer’s history settings. |
expire templates | Expires flow template meta data for templates that haven’t been seen in 30 days. |
export¶
Run various export commands to dump data out of Scrutinizer for external use.
Command | Description |
---|---|
export langtemplate <lang_name> | The <lang_name> parameter is required. If the language exists, then it will create a CSV file that shows the english and <lang_name> keys. If the language does not exist, a blank template will be created. The language file resides at /home/plixer/scrutinizer/files/pop_languages_<lang_name>_template.csv |
export peaks_csv <file> <interval> <dir> <date_range> [<group_id>] | Exports a CSV file listing interfaces and peak values based on the criteria specified. Valid options for <interval> are raw minutes (1, 5, 30, 120, 720, 1440, 10080). <dir> must exist as a sub-directory of Scrutinizer’s home directory; if specifying /home/plixer/scrutinizer/temp, use temp as the directory. The valid values for <date_range> are Last24hours, LastFifteenMinutes, LastFiveMinutes, LastFortyfiveMinutes, LastFullHour, LastHour, LastMonth, LastSevenDays, LastTenMinutes, LastThirtyDays, LastThirtyMinutes, LastThreeDays, LastTwentyMinutes, LastWeek, LastYear, ThisMonth, ThisWeek, ThisYear, Today, or Yesterday. <group_id> is optional; to see a list of group_ids, use show groups. |
import¶
Run various import commands to bring external sources of data into Scrutinizer.
Command | Description |
---|---|
import aclfile | Imports ACL information from a file. The file must reside at /home/plixer/scrutinizer/files/acl_file.txt. The format is a direct output of SHOW ACCESS-LIST directly on the exporter. |
import applications <path/file> [reset] | Imports application rules from a CSV file. It is recommended to use this file and path for the applications import csv file.
A reset option can be passed which will remove all application rules before the bulk import. The expected format is one named application and one application rule per line. Supported rule types are subnet, single IP, IP range, wildcard, port, and child rules. Child applications must be declared before being used in a parent application’s rule set. Valid application rule syntax is:
Applications must have at least one port rule and one of the IP rule types listed above. Applications not defined this way will be imported, but may not be tagged properly in flow data. For example, the first application in this import file is valid while the second is not, because the second application does not have at least one port rule:
‘My first Application’,10.0.0.0/8
‘My first Application’,0-65535/6
‘My second Application’,11.0.0.0/8
Up to 100,000 individual application rules are supported. |
import asns <path/file> [<delimiter>] | Imports custom ASN definitions from a csv file. The <path/file> is a required field. The path should be specified relative to the /home/plixer/scrutinizer/ directory. The <delimiter> is an optional parameter and defaults to " " (i.e. a space). The csv file name must be all lowercase and the file requires these elements, in this order:
The fields are comma delimited, whereas the optional <delimiter> parameter applies specifically to the IP Network(s) element. A comma cannot be used for the IP Network(s) delimiter. Example File:
Example Command:
|
import csv_to_gps <csv_file> <group_name|group_id> [<create_new>] [<file_format>] | Uploads latitude and longitude locations of devices from a csv file and imports them into an existing Google map. The csv file must be located in the ‘/home/plixer/scrutinizer’ directory. If the csv file is in ‘/home/plixer/scrutinizer/files/’, enter ‘files/[name_of_file]’ as the file name. The csv file format is ‘ip,latitude,longitude’. If the csv file format is different, specify that layout as the <file_format> command parameter. EXAMPLE CSV FILE:
Provide either the group ID or group name in the arguments.
|
import csv_to_membership <csv_file> <grouptype> [<file_format>] | Imports group definitions from a csv file. The csv file must be located in the ‘/home/plixer/scrutinizer’ directory. If the csv file is in ‘/home/plixer/scrutinizer/files/’, enter ‘files/[name_of_file]’ as the file name. The <grouptype> field refers to the map type that will be created if the group in the csv file does not already exist and can be either ‘flash’ or ‘google’. The default csv file format is ipaddr,group. If the csv file format is different, specify that layout as the <file_format> command parameter. EXAMPLE CSV FILE:
|
import hostfile | Imports a custom hosts.txt file that contains a list of IP Addresses and hostnames. The file format is:
Example:
The file must be located at /home/plixer/scrutinizer/files/hosts.txt. |
import ipgroups [<path/file>] [reset] | Imports ipgroup rules from a csv file. It is recommended to use this file for the ipgroups import csv file:
A reset option can be passed which will remove all ipgroup rules before the bulk import. Each line of the file is an individual ipgroup, with the name of the group as the first field and the rules of the group, separated by spaces, in the second field. Supported rule types are subnet, single IP, IP range, wildcard and child rules. Any child group must already exist in Scrutinizer or be declared in the import file before it can be used as a rule in another group. Valid ipgroup rule syntax is:
Up to 100,000 individual IpGroup rules are supported. |
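The documentation for import applications above states the constraints the import file must satisfy (one quoted application name and one rule per line, at least one port rule and one IP-type rule per application, child applications declared before use, at most 100,000 rules) and shows that a file which breaks them is still imported but tags flows badly. The following pre-flight checker is an added example, not code from Scrutinizer or its documentation: it applies those stated constraints to a file before it is handed to the utility. The port-range form 0-65535/6 and the CIDR form are taken from the page; the single-port form <port>/<protocol>, the IP range form <first>-<last>, the per-octet '*' wildcard, and a child rule being written as the child application's name are assumptions, as is treating a child rule as not satisfying the IP-rule requirement (the page says "one of the IP rule types", which excludes child rules).

```python
"""Pre-flight checker for a Scrutinizer 'import applications' CSV file.

Added example (not part of Scrutinizer or its documentation): applies the
constraints the documentation states for the import file so that a malformed
file is caught before import, not discovered afterwards as untagged flows.
"""
import csv
import io
import ipaddress
import re
import sys

# Constructed sample with the same shape as the documentation's example:
# the first application is valid, the second lacks a port rule.
SAMPLE_CSV = """\
'My first Application',10.0.0.0/8
'My first Application',0-65535/6
'My second Application',11.0.0.0/8
"""

MAX_RULES = 100_000  # documented limit on individual application rules

# Port rule "<low>-<high>/<protocol>" as shown in the documentation (0-65535/6).
# ASSUMPTION: a single-port form "<port>/<protocol>" is also accepted.
PORT_RULE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(\d{1,3})$")
# ASSUMPTION: an IP range is written "<first>-<last>"; a wildcard uses '*' per octet.
IP_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
IP_WILDCARD = re.compile(r"^(?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3}$")


def classify_rule(rule, declared):
    """Return 'port', 'ip', 'child' or 'unknown' for one rule string.

    `declared` is the set of application names already seen in the file.
    ASSUMPTION: a child rule is simply the child application's name.
    """
    m = PORT_RULE.match(rule)
    if m:
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        proto = int(m.group(3))
        return "port" if low <= high <= 65535 and proto <= 255 else "unknown"
    try:
        ipaddress.ip_network(rule, strict=False)  # CIDR subnet or single IP
        return "ip"
    except ValueError:
        pass
    m = IP_RANGE.match(rule)
    if m:
        try:
            first = ipaddress.ip_address(m.group(1))
            last = ipaddress.ip_address(m.group(2))
        except ValueError:
            return "unknown"
        return "ip" if first <= last else "unknown"
    if "*" in rule and IP_WILDCARD.match(rule):
        return "ip"
    if rule in declared:
        return "child"
    return "unknown"


def validate_applications_csv(text):
    """Parse the CSV text and return a list of problems (an empty list means OK)."""
    problems = []
    kinds_by_app = {}  # application name -> set of rule kinds, in declaration order
    total_rules = 0
    # Names are single-quoted in the documented example, so ' is the quote character.
    reader = csv.reader(io.StringIO(text), quotechar="'", skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 2:
            problems.append(f"line {lineno}: expected 'name',rule but got {len(row)} fields")
            continue
        name, rule = row[0].strip(), row[1].strip()
        total_rules += 1
        # A child must already be declared above this line and must not be the app itself.
        kind = classify_rule(rule, set(kinds_by_app) - {name})
        if kind == "unknown":
            problems.append(f"line {lineno}: unrecognised rule '{rule}' for '{name}' "
                            "(bad syntax, or a child application declared later?)")
        kinds_by_app.setdefault(name, set()).add(kind)
    # Per the documentation, every application needs at least one port rule and
    # at least one IP-type rule (subnet, single IP, range or wildcard); a child
    # rule is not counted as an IP rule here.
    for name, kinds in kinds_by_app.items():
        if "port" not in kinds:
            problems.append(f"application '{name}' has no port rule")
        if "ip" not in kinds:
            problems.append(f"application '{name}' has no IP rule")
    if total_rules > MAX_RULES:
        problems.append(f"{total_rules} rules exceed the documented limit of {MAX_RULES}")
    return problems


if __name__ == "__main__":
    # Usage: python check_apps_csv.py <path/file>   (defaults to the embedded sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSV
    found = validate_applications_csv(text)
    for p in found:
        print(p)
    print("OK" if not found else f"{len(found)} problem(s) found")
```

Run against the embedded sample it reports only that ‘My second Application’ has no port rule, which is exactly the defect the documentation's example describes; run against a real file (the same file you would then place under /home/plixer/scrutinizer/ for import applications), an empty result means the file meets the documented constraints, although it cannot tell whether rule types beyond the assumed forms will be accepted by the utility itself.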
moloch¶
Third-party integration support for Moloch probes.
Command | Description |
---|---|
moloch <on|off> <moloch_ip> <moloch_port> | Manages integration with Moloch probes. The <moloch_port> parameter is optional. |
optimize¶
Run various optimization tasks.
Warning
These commands will alter database tables in Scrutinizer. Please use with caution.
Command | Description |
---|---|
optimize common | Optimizes tables that are commonly inserted and deleted. This action keeps things neat and clean for the database. This command is routinely executed as part of normal operations. |
optimize database <db_name> <db_pass> | Optimizes the tables in the database specified. |
repair¶
Run various database check and repair commands.
Command | Description |
---|---|
repair business_hour_saved_reports | Saved reports prior to 15.5 that were saved with business hours will require a manual check and repair. This command converts older saved reports with business hours specified to the newer format. |
repair database <db_name> <db_pass> | Repairs errors for the database specified. |
repair history_tables | Fixes history tables that have the wrong col type for octetdeltacount. It may be updated in the future to address other issues. |
repair policy_priority_order | With some professional services and automated policy creation, some policy IDs have been known to become inconsistent or duplicated. This command fixes that. |
repair range_starts | Fixes history tables that may not have a start time that helps identify the range of data within the individual history tables. NOTE: This command may take a long time to complete. Only execute under the direction of technical support. |
services¶
Manages the Scrutinizer services.
Warning
This command will alter Scrutinizer’s operations. Please use with caution.
Command | Description |
---|---|
services <service|all> <action> | Starts, stops, or restarts the specified service (or all services). |
set¶
Modifies certain behaviors on how Scrutinizer authenticates and performs operations.
Command | Description |
---|---|
set dns | Modifies system file to manage list of dns servers. This command will remove any preconfigured dns servers. Use show dns to see what is currently configured. |
set hostinfo <ip_address> <fqhn> | Sets the local machine name to the fully qualified host name provided. Ensures that /etc/hosts is configured to resolve between the given <fqhn> and <ip_address>. |
set httpd <port> | Changes the web port of non-ssl installs for the Scrutinizer WebUI. Use set ssl to change the SSL port. |
set myaddress | Changes the IP Address of the current Scrutinizer Server. |
set ntp | Modifies system file to manage list of ntp servers. |
set partitions <partition_name> | Expands the operating system disk space for hardware and virtual appliances. NOTE: Make a backup before using this command. |
set password webui <user> | Modifies the webui password for the specified user. |
set registercollector | Manually registers this collector for both stand-alone and distributed use. |
set reportmenu | Manually recreates the report menu. NOTE: The report menu is automatically maintained based on the flows received. |
set salt <salt> | Setting a salt value will allow users to mask certain machine characteristics from any license key generated. |
set selfregister [reset] | Manually registers this Scrutinizer Server to identify itself for both stand-alone or distributed functionality. |
set selfreporter | Promotes this Scrutinizer Server to a reporter. |
set sshcollectorkeys | Generates a new SSH key pair and distributes it to all active, registered machines. Any previous SSH key pairs will be overwritten unconditionally, making this suitable for resynchronizing SSH access should problems arise. This enables future functionality to perform upgrades and other maintenance operations en masse. |
set ssl <on|off> | Enables or disables SSL support in Scrutinizer. It only works with the local Apache server bundled with Scrutinizer. Please reference the System/SSL section for detailed configuration instructions. |
set timezone <timezone> | Sets the server’s time zone. To see a list of time zones, run show tzlist. |
set tuning | This command will alter some operating system and Scrutinizer settings in these database tables: plixer.exporters and plixer.serverprefs; and these files: sysctl.conf, postgresql.conf, and plixer.ini. |
set voip <on|off> | Toggles the predefinition of VoIP port ranges on or off. |
set yum_proxy <host> <port> <user> | Sets up the yum proxy setting in the yum configuration file. This command will remove any previously configured proxy servers. All fields are required. Once all fields are entered on the command line, a prompt for the user’s password will appear. To see what proxy servers are currently configured, use show yum_proxy. |
show¶
Shows various details about the Scrutinizer Server.
Command | Description |
---|---|
show alarms [filter] | Displays a list of alarms ordered by timestamp, descending. |
show custom_algorithms | Displays a list of custom algorithms available and whether they are enabled. For information on managing custom algorithms, reference the Flow Analytics Custom Algorithm section. |
show diskspace | Displays details about available storage. |
show dns | Displays a list of DNS servers currently used to resolve hostnames. Use the set dns command to change the list of DNS servers. |
show exporters [filter] | Displays a list of exporters that are currently sending data to Scrutinizer based on the supplied filter (if any). |
show extalarms [filter] | Displays a list of alarms with extended json data ordered by timestamp, descending. |
show groups | Displays a list of groups currently configured on this Scrutinizer server. |
show interfaces [filter] | Displays a list of interfaces that are currently sending data to Scrutinizer based on the supplied filter (if any). |
show ipaddresses | Displays the current ip address(es) on this Scrutinizer server. |
show metering [filter] | Displays a list based on the supplied filter (if any) of matching exporter IPs and how each interface is metered (i.e. ingress and/or egress). |
show ntp | Displays a list of NTP servers currently used to sync time. |
show partitions | Displays a list of partitions on the current Scrutinizer Appliance. This command is only available for Hardware and Virtual Appliances. Use show diskspace if looking for diskspace per volume (or partition). |
show pcaplist | List what current pcap files have been created and their sizes. Pcaps can be removed using the clean pcap command. |
show serverpref [filter] | Displays serverprefs and their current values. The filter parameter is optional to narrow the serverprefs to match the string provided. |
show task [name] | Displays a list of tasks currently configured in Scrutinizer. The name parameter is optional to narrow the task names to match the string provided. |
show timezone | Displays the current timezone of this Scrutinizer Server. Use set timezone command to modify the timezone. |
show tzlist [filter] | Displays the list of timezones. |
show unknowncolumns | List info elements from exporters that are unknown to Scrutinizer. Don’t fret! Give the list to Plixer and support will be added for it! |
show yum_proxy | Displays the currently configured yum proxy settings. To change these settings, use set yum_proxy. |
Note
If after running the show command the results are long, ‘q’ can be typed in to quit and return to the SCRUTINIZER> prompt.
snoop¶
Listens at the interface level for traffic from the specified interface or ip address.
Command | Description |
---|---|
snoop interfaces <interface_name> | Listens at the interface level for traffic from the specified interface. |
snoop ipaddresses <ip_address> | Listens at the interface level for traffic from the specified ip address. |
system¶
Scrutinizer system level functions.
Warning
This command will alter Scrutinizer’s operations. Please use with caution.
Command | Description |
---|---|
system <restart|shutdown> | Performs system level functions such as rebooting or shutting down the server. |
system update [schedule|unschedule] | Applies operating system level patches. To enable daily scheduled operating system updates, run the ‘system update schedule’ command. This will run the system update command every day at a random time. This time is selected outside of the ‘business hours’ set in Admin > Settings > Reporting. An alert is sent to Scrutinizer describing what time this command will run. To change the time, simply run the ‘system update schedule’ command again. A new time will be selected. To disable daily scheduled operating system updates, run the ‘system update unschedule’ command. If operating system patches are applied, all Scrutinizer services will be restarted and could cause a minute of missed data. |
upload¶
Uploads files for troubleshooting purposes.
Command | Description |
---|---|
upload pcap <capturefile> | Uploads the specified packet capture collected by the collect pcap command. To see a list of captures on this server, execute show pcaplist. |
upload supportfiles | Uploads files for troubleshooting purposes. |
version¶
Displays Scrutinizer version.
Command | Description |
---|---|
version | Shows version information about Scrutinizer. |