Interactive CLI

The interactive CLI utility provides access to numerous server maintenance utilities, including password changes, third-party integration processes, many routines that gather the information required for support, and more.

To launch the interactive utility, run:

/home/plixer/scrutinizer/bin/scrut_util

This will open the Scrutinizer prompt:

SCRUTINIZER>

To close the interactive prompt, type ‘exit’:

SCRUTINIZER> exit
Exiting...
[[email protected] ~] #

Modes of operation

The scrut_util utility has two modes of operation.

  1. Interactive:

Launch the interactive utility and enter the commands in the SCRUTINIZER> prompt.

  2. Command Line Interface (CLI):

SSH in as root to use CLI mode, which runs a single command without entering the SCRUTINIZER> prompt. For example:

[[email protected] bin]# ./scrut_util --version

Help function

To display the list of the available commands, run:

SCRUTINIZER> help

For help with specific commands (for example, the “show” command) enter:

SCRUTINIZER> help show

For help with specific extended commands (for example, the “show groups” command) type:

SCRUTINIZER> help show groups

Commands

Following are the available top level commands:

For each top level command, there are several extended commands.

check

Runs a test or check against the command provided.

ciscoise

Manage CiscoISE Node Integration with Scrutinizer.
Command Description
ciscoise add <ise_ip> <ise_tcp_port> <ise_user>

Adds a CiscoISE node to the queue to acquire user identity on all active sessions.

The required parameters are the host address <ise_ip>, the TCP port <ise_tcp_port>, and a user <ise_user> that can access the API.

Scrutinizer will prompt the user for the <ise_user> password.

ciscoise check Tests polling and outputs the results to the screen for review. It’s a good way to verify that Scrutinizer is collecting user identity information properly.
ciscoise kick <ise_id> <mac_address> <user_ip> Kicks the user off the ISE node, forcing them to re-authenticate. At minimum the user's IP address <user_ip> is required; the <mac_address> is optional.
ciscoise nodelist Lists the currently configured CiscoISE nodes.
ciscoise poll Runs a poll manually and outputs the results to the screen. When integration is enabled, polling is automatically performed routinely. To diagnose issues, run ‘ciscoise check’ or ‘ciscoise test’
ciscoise remove <ise_ip> Removes a CiscoISE node from Scrutinizer. The required parameter <ise_ip> is the IP address of the CiscoISE node.
ciscoise test Tests polling and outputs the results to the screen for review. It’s a good way to verify that Scrutinizer is collecting user identity information properly.
ciscoise update <ise_ip> <ise_tcp_port> <ise_user>

Updates existing configuration settings for a specific CiscoISE node.

The required parameters are the host address <ise_ip>, tcp port <ise_tcp_port>, and user <ise_user> that can access the API.

Scrutinizer will prompt for the <ise_user> password.

clean

Executes housekeeping tasks that are scheduled to run at various times during Scrutinizer’s normal operations.

Warning

These commands will purge data from Scrutinizer. Please use with caution.

Command Description
clean all Executes several housekeeping tasks that are scheduled to run at various times during Scrutinizer’s normal operations.
clean baseline Resets all configured baselines to the default baselines for each exporter. Historical data will not be deleted. However, it will expire based on Scrutinizer’s historical settings.
clean database Cleans out temporary database entries manually. This command is executed automatically every 30 minutes by Scrutinizer’s task scheduler.
clean ifinfo Clears entries in the ifinfo db table that do not have an entry in the activeif db table.
clean old_logs Clears out old log files that are set to a ‘backup’ status.
clean pcap [<pcapfile>] Removes all, or if specified, a specific pcapfile from the Scrutinizer server. To see a list of pcap files, execute show pcaplist
clean tmp Removes any temporary files created by the graphing engine. Executing this will perform an on-demand clean up. By default, it is scheduled to be executed by Scrutinizer routinely.

collect

Manually collect data that is useful for Scrutinizer.
Command Description
collect asa_acl Manually collects ASA ACL information from Cisco ASA Devices. This task is scheduled and routinely executed as part of normal operations.
collect baseline Manually collects baseline data and checks for alarms. This task is scheduled and routinely executed as part of normal operations.
collect dbsize Collects database size information.
collect elk <elk_ip>

Manually collects data from Scrutinizer and sends it to the configured ELK server.

Reference the Elasticsearch / Kibana (ELK) Integration guide for more detailed information on the ELK integration.

collect optionsummary Manually process flow option data collected by Scrutinizer. This information is routinely processed automatically.
collect pcap <in_sec> [<host>] Collects a packet capture on the interfaces of the Scrutinizer server. Requires a timeout (in seconds) and an optional host name in IP format to further filter the capture.
collect snmp Manually collects SNMP data that is used during Scrutinizer’s operations. This process is automatically scheduled by Scrutinizer to run regularly.
collect splunk <splunk_ip> <port>

Manually collect data from Scrutinizer and send it over to the configured Splunk server.

Reference the Scrutinizer for Splunk Application integration guide for more information

collect supportfiles Collects various log files and server configuration data used by Plixer support to troubleshoot server issues.
collect topology Collects various types of data from devices and Scrutinizer to help Scrutinizer understand the topology layout of the network.
collect useridentity Manually process user identity data collected by Scrutinizer. This information is routinely processed automatically.

counteract

Third-party integration support for ForeScout CounterACT servers.
Command Description
counteract <on|off> <counteract_ip[:port]> Enables or disables support for ForeScout CounterACT servers. Required parameters are <on|off> and the host address; the TCP port is optional.

delete

This operation deletes database tables and/or database table entries.

Warning

These commands will purge data from Scrutinizer. Please use with caution.

Command Description
delete custom_algorithm <identifier>

Deletes a custom algorithm at the system level. For more information, reference the Flow Analytics Custom Algorithms section.

Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution.

delete history_index_empty_tables Deletes tables with zero rows from history_index. Please stop the collector, if running, prior to executing this command.
delete history_index_orphans Deletes entries from history_index for which a table does not actually exist. This should never happen, but when it does this command makes cleanup easier.
delete history_table_orphans Deletes tables with no history_index entries. Please stop the collector, if running, prior to executing this command.
delete orphans Deletes all known orphan alarm events.

disable

Disables functionality used by Scrutinizer or incorporated as part of customized development.
Command Description
disable baseline <exporter_ip>

Disables all baselines for the specified <exporter_ip>. The historical data will not be deleted. However, it will expire based on Scrutinizer’s historical data settings.

Warning: This command will alter the behavior of Scrutinizer baseline functionality. Please use with caution.

disable elk http://<ip:port>

Disables ELK (Elasticsearch, Logstash, and Kibana) flows from Scrutinizer to the URL specified.

Reference the Elasticsearch / Kibana (ELK) Integration guide for more detailed information on the ELK integration.

Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution.

disable ipv6

Disables ipv6 in sysctl.conf for all interfaces.

Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution.

disable splunk http://<ip:port>

Disables Splunk flows from Scrutinizer to the URL specified.

Reference the Scrutinizer for Splunk Application integration guide for more information on the Scrutinizer for Splunk integration.

Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution.

disable user <username>

Removes a login account with access to the interactive utility on the Scrutinizer server.

Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution.

disable unresponsive

Disables ping for exporters that have not responded.

Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution.

disable hypervtools

Disables Hyper-V Integration Tools for a Virtual Appliance running on Hyper-V.

Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution.

disable vmwaretools

Disables vmwaretools for a Virtual Appliance running on VMware.

Warning: This command will alter the behavior of Scrutinizer functionality. Please use with caution.

download

Downloads various files and utilities useful to Scrutinizer’s operations.
Command Description
download hostreputationlists Downloads the latest Flow Analytics Host Reputation Lists manually. These lists are also updated automatically.
download installer Download the Scrutinizer installer to perform upgrades.

enable

Enables functionality used by Scrutinizer or incorporated as part of customized development.

Warning

These commands will alter the behavior of Scrutinizer functionality. Please use with caution.

endace

Third-party integration support for Endace probes.
Command Description

endace add <host_ip> <port> <endace_user> <endace_pass>

endace remove <host_ip>

endace update <host_ip> <port> <endace_user> <endace_pass>

Manages integration with Endace probes. For more information on this integration, reference the Configuring Endace probe integration guide.

Note that, unlike ciscoise add, these commands take the probe password <endace_pass> as a positional argument rather than prompting for it. When run in CLI mode the password is therefore recorded in the root shell's history and is visible in the process list while the command runs; prefer entering the command at the SCRUTINIZER> prompt, which keeps it out of the shell history.

expire

Purges data history older than the number of days defined by Scrutinizer's history settings.

Warning

These commands will purge data from Scrutinizer. Please use with caution.

Command Description
expire alarms Expires alarm history from the threatsoverview and fa_transports_violations tables as specified in the Data History Flow Historical 1 Min Avg preference.
expire bulletinboards Purges alarm bulletin board events older than the number of days defined by Scrutinizer's history settings.
expire dnscache Purges DNS cache entries older than the number of days defined by Scrutinizer's history settings.
expire history [trim]

Expires flow data as defined by Scrutinizer’s history settings.

If the optional ‘trim’ mode is passed, Scrutinizer will trim older data to make more space on the hard disk.

expire ifinfo Purges old and outdated interface information.
expire inactiveflows Expires interfaces from the interface view that have stopped sending flows. Entries are expired based on the number of hours specified in the Scrutinizer System Preferences. (Admin -> Settings -> System Preferences -> Inactive Expiration)
expire orphans Purges alarm orphan events older than the number of days defined by Scrutinizer's history settings.
expire templates Expires flow template meta data for templates that haven’t been seen in 30 days.

export

Run various export commands to dump data out of Scrutinizer for external use.
Command Description
export langtemplate <lang_name>

The <lang_name> parameter is required. If the language exists, a CSV file is created that shows the English and <lang_name> keys. If the language does not exist, a blank template is created.

The language file resides at /home/plixer/scrutinizer/files/pop_languages_<lang_name>_template.csv

export peaks_csv <file> <interval> <dir> <date_range> [<group_id>]

Exports a CSV file listing interfaces and peak values based on criteria specified.

Valid values for <interval> are specified in raw minutes (1, 5, 30, 120, 720, 1440, 10080).

<dir> must be an existing sub-directory of Scrutinizer's home directory. To use /home/plixer/scrutinizer/temp, specify temp as the directory.

The valid values for <date_range> are Last24hours, LastFifteenMinutes, LastFiveMinutes, LastFortyfiveMinutes, LastFullHour, LastHour, LastMonth, LastSevenDays, LastTenMinutes, LastThirtyDays, LastThirtyMinutes, LastThreeDays, LastTwentyMinutes, LastWeek, LastYear, ThisMonth, ThisWeek, ThisYear, Today, or Yesterday.

<group_id> is optional. To see a list of group_ids use show groups.

import

Run various import commands to bring external sources of data into Scrutinizer.
Command Description
import aclfile Imports ACL information from a file. The file must reside at /home/plixer/scrutinizer/files/acl_file.txt. The file format is the direct output of 'show access-list' run on the exporter.
import applications <path/file> [reset]

Import application rules from a CSV file.

It is recommended to use this path for the applications import CSV file:

/home/plixer/scrutinizer/files/application_import.csv

A reset option can be passed which will remove all application rules before the bulk import.

The expected format is one application name and one application rule per line. Supported rule types are subnet, single IP, IP range, wildcard, port, and child rules. Child applications must be declared before being used in a parent application's rule set.

Valid application rule syntax is:

“subnet rule”,10.0.0.0/8
“single ip rule”,10.1.1.1
“range rule”,10.0.0.1-10.0.0.42
“wildcard rule”,10.0.0.1/0.255.255.0
“parent/child rule”,”my subnet”
“ports and protocols”,0-65535/256

Applications must have at least one port rule and one of the IP rule types defined above. Applications not defined this way will be imported, but may not be tagged properly in flow data.

For example, the first application in this import file is valid while the second is not. The second application does not have at least one port rule:

‘My first Application’,10.0.0.0/8
‘My first Application’,0-65535/6
‘My second Application’,11.0.0.0/8

Up to 100,000 individual application rules are supported.

import asns <path/file> [<delimiter>]

Imports custom ASN definitions from a CSV file. The <path/file> is required and is specified relative to the /home/plixer/scrutinizer/ directory. The <delimiter> is optional and defaults to ” ” (i.e. a space).

The csv file name must be all lowercase and requires these elements, in this order:

AS Number,AS Name,AS Description,IP Network(s)

The fields are comma delimited, whereas the optional <delimiter> parameter applies specifically to the IP Network(s) element, which may list several networks. A comma cannot be used as the IP Network(s) delimiter.

Example File:

213,my_list,what a great autonomous system,10.0.0.0/8 192.168.0.0/16
214,your_list,meh its an okay system,11.0.0.0/8

Example Command:

SCRUTINIZER> import asns files/custom_asn.import

import csv_to_gps <csv_file> <group_name|group_id> [<create_new>] [<file_format>]

Uploads latitude and longitude locations of devices from a csv file and imports them into an existing Google map.

The csv file must be located in the ‘/home/plixer/scrutinizer’ directory. If the csv file is in ‘/home/plixer/scrutinizer/files/’, enter ‘files/[name_of_file]’ as the file name.

The csv file format is ‘ip,latitude,longitude’. If the csv file format is different, specify that layout as the <file_format> command parameter.
EXAMPLE: “ip,lng,lat”

EXAMPLE CSV FILE:

10.169.1.3,37.7749,122.4194
192.168.6.1,40.7128,74.0059

Provide either the group ID or group name in the arguments.
The group_id can be determined by running show groups.
Using the optional <create_new> parameter will add new objects if the IP address does not already exist.

EXAMPLE COMMAND:
SCRUTINIZER> import csv_to_gps import_gps.import 3
EXAMPLE COMMAND with <create_new> and different file format
SCRUTINIZER> import csv_to_gps import_gps.import 3 create_new ip,lng,lat
import csv_to_membership <csv_file> <grouptype> [<file_format>]

Imports group definitions from a csv file.

The csv file must be located in the ‘/home/plixer/scrutinizer’ directory. If the csv file is in ‘/home/plixer/scrutinizer/files/’, enter ‘files/[name_of_file]’ as the file name.

The <grouptype> field refers to the map type that will be created if the group in the csv file does not already exist and can be either ‘flash’ or ‘google’.

The default csv file format is ipaddr,group. If the csv file format is different, specify that layout as <file_format> command parameter.
EXAMPLE group,ipaddr

EXAMPLE CSV FILE:

10.169.1.3,Routers
192.168.6.1,Firewalls
import hostfile

Imports a custom hosts.txt file that contains a list of IP Addresses and hostnames. The file format is:

IPv4orIPv6Address HostName Optional Description

Example:

10.1.1.4 my.scrutinizer.rocks The Best Software in my company

The file must be located at /home/plixer/scrutinizer/files/hosts.txt.

import ipgroups [<path/file>] [reset]

Import ipgroup rules from a csv file.

It is recommended to use this file for the ipgroups import csv file:

/home/plixer/scrutinizer/files/ip_group.import

A reset option can be passed which will remove all ipgroup rules before the bulk import.

Each line of the file is an individual ipgroup, with the name of the group as the first field and the rules of the group, separated by spaces, as the second field. Supported rule types are subnet, single IP, IP range, wildcard, and child rules. Any child group must already exist in Scrutinizer or be declared in the import file before it is used as a rule in another group.

Valid ipgroup rule syntax is:

‘subnet rule’,10.0.0.0/8
‘single ip rule’,10.1.1.1
‘range rule’,10.0.0.1-10.0.0.42
‘wildcard rule’,10.0.0.1/0.255.255.0
‘parent/child rule’,’my subnet’

Up to 100,000 individual IpGroup rules are supported.
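Both import applications (above) and import ipgroups share one rule grammar but differ in layout: applications list one name and one rule per line, ipgroups put all of a group's rules, space separated, in the second field. The following added pre-flight validator is example code written for this page, not part of scrut_util, and checks a file offline before it is copied to the server: it classifies each rule (subnet, single IP, range, Cisco-style wildcard, port/protocol, child), enforces child-before-parent ordering, flags applications that lack a port rule or an IP rule, rejects port rules in ipgroups, and can test whether an address is covered by a group. It assumes protocol 256 in the page's 0-65535/256 example means "any protocol", that a child reference satisfies the IP-rule requirement, and that wildcard masks follow the Cisco convention (0 bits must match); the sample CSV content is constructed.

```python
"""Added pre-flight validator for the 'import applications' and 'import ipgroups' CSV layouts (example, not scrut_util code)."""
import csv, io, ipaddress, re, shlex

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_RANGE = re.compile(rf"^({_IP})-({_IP})$")
_WILDCARD = re.compile(rf"^({_IP})/({_IP})$")
_PORTS = re.compile(r"^(\d+)(?:-(\d+))?/(\d+)$")
# Kinds satisfying "at least one IP rule". Assumption: a child reference counts.
IP_RULE_KINDS = {"subnet", "single", "range", "wildcard", "child"}

def _unquote(field):
    return field.strip().strip("'\"\u2018\u2019\u201c\u201d")

def classify_rule(rule, known_names):
    """(kind, value) for one rule token, or ValueError; known_names were declared earlier in the file."""
    rule = _unquote(rule)
    if rule in known_names:
        return "child", rule
    if m := _PORTS.match(rule):
        lo, hi, proto = int(m[1]), int(m[2] or m[1]), int(m[3])
        # The page's example is 0-65535/256; 256 is assumed to mean "any protocol".
        if not (0 <= lo <= hi <= 65535 and 0 <= proto <= 256):
            raise ValueError(f"port/protocol out of range: {rule!r}")
        return "ports", (lo, hi, proto)
    if m := _WILDCARD.match(rule):  # Cisco-style wildcard mask: 0 bits must match
        return "wildcard", tuple(int(ipaddress.IPv4Address(g)) for g in m.groups())
    if m := _RANGE.match(rule):
        lo, hi = (ipaddress.IPv4Address(g) for g in m.groups())
        if lo > hi:
            raise ValueError(f"range start is after its end: {rule!r}")
        return "range", (lo, hi)
    for kind, ctor in (("single", ipaddress.IPv4Address),
                       ("subnet", lambda r: ipaddress.IPv4Network(r, strict=False))):
        try:
            return kind, ctor(rule)
        except ValueError:
            pass
    raise ValueError(f"unrecognised rule or undeclared child: {rule!r}")

def _rows(text):  # (lineno, name, second field); double-quote a name that contains a comma
    for n, row in enumerate(csv.reader(io.StringIO(text), skipinitialspace=True), 1):
        if any(f.strip() for f in row):
            if len(row) != 2:
                raise ValueError(f"line {n}: expected exactly two fields")
            yield n, _unquote(row[0]), row[1]

def parse_applications(text, existing=frozenset()):  # one name and one rule per line
    apps, known = {}, set(existing)
    for n, name, rule in _rows(text):
        try:  # a rule may name any application declared before it, never itself
            apps.setdefault(name, []).append(classify_rule(rule, known - {name}))
        except ValueError as exc:
            raise ValueError(f"line {n}: {exc}") from None
        known.add(name)
    return apps

def incomplete_applications(apps):  # these import, but flows may not be tagged
    return [n for n, r in apps.items()
            if "ports" not in {k for k, _ in r} or not {k for k, _ in r} & IP_RULE_KINDS]

def parse_ipgroups(text, existing=frozenset()):  # group name, then space-separated rules
    groups, known = {}, set(existing)
    for n, name, field in _rows(text):
        rules = []
        for token in shlex.split(field):  # keeps 'quoted child names' as one token
            try:
                kind, value = classify_rule(token, known)
                if kind == "ports":
                    raise ValueError("port rules are not valid in an ipgroup")
            except ValueError as exc:
                raise ValueError(f"line {n}: {exc}") from None
            rules.append((kind, value))
        groups[name] = rules
        known.add(name)
    return groups

def ip_matches(ip, rules, table, _seen=frozenset()):  # child rules resolve via table
    ip = ipaddress.IPv4Address(ip)
    for kind, v in rules:
        if kind == "child":
            if v not in _seen and ip_matches(ip, table.get(v, []), table, _seen | {v}):
                return True
        elif (kind == "single" and ip == v or kind == "subnet" and ip in v
              or kind == "range" and v[0] <= ip <= v[1]
              or kind == "wildcard" and ((int(ip) ^ v[0]) & ~v[1] & 0xFFFFFFFF) == 0):
            return True
    return False

# Constructed sample files (not from the page) in the two layouts.
APPS_CSV = """\
'Corp DNS',10.0.0.0/8
'Corp DNS',53/17
'Web Tier',10.0.0.1/0.255.255.0
'Web Tier','Corp DNS'
'Web Tier',0-65535/6
'No Ports',11.0.0.0/8
"""
IPGROUPS_CSV = """\
'Branch Offices',192.168.10.0/24 192.168.20.0/24
'Firewalls',10.0.0.1-10.0.0.4 10.0.0.1/0.255.255.0
'All Infra','Branch Offices' 'Firewalls' 172.16.5.9
"""
```

Run parse_applications(APPS_CSV) and incomplete_applications(...) before copying a file to /home/plixer/scrutinizer/files/; on the sample it reports 'No Ports' as the application that will import but may not tag flows. Pass the names of groups already present in Scrutinizer as existing= so that references to them are accepted as child rules.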

moloch

Third-party integration support for Moloch probes.
Command Description
moloch <on|off> <moloch_ip> [<moloch_port>] Manages integration with Moloch probes. The <moloch_port> parameter is optional.

optimize

Run various optimization tasks.

Warning

These commands will alter database tables in Scrutinizer. Please use with caution.

Command Description
optimize common Optimizes tables that are commonly inserted and deleted. This action keeps things neat and clean for the database. This command is routinely executed as part of normal operations.
optimize database <db_name> <db_pass> Optimizes the tables in the database specified. The database password is passed as a positional argument; in CLI mode it will appear in the root shell's history and in the process list while the command runs.

repair

Run various database check and repair commands.
Command Description
repair business_hour_saved_reports Saved reports prior to 15.5 that were saved with business hours will require a manual check and repair. This command converts older saved reports with business hours specified to the newer format.
repair database <db_name> <db_pass> Repairs errors for the database specified. As with optimize database, the password is passed on the command line rather than prompted for.
repair history_tables Fixes history tables that have the wrong col type for octetdeltacount. It may be updated in the future to address other issues.
repair policy_priority_order With some professional services and automated policy creation, some policy IDs have been known to get out of order (or duplicated). This command fixes that.
repair range_starts

Fixes history tables that may not have a start time that helps identify the range of data within the individual history tables.

NOTE: This command may take a long time to complete. Only execute under the direction of technical support.

services

Manages the Scrutinizer services.

Warning

This command will alter Scrutinizer’s operations. Please use with caution.

Command Description
services <service|all> <action> Starts, stops, or restarts the specified service (or all services).

set

Modifies certain behaviors on how Scrutinizer authenticates and performs operations.
Command Description
set dns

Modifies the system file that manages the list of DNS servers.

This command will remove any preconfigured dns servers. Use show dns to see what is currently configured.

set hostinfo <ip_address> <fqhn> Sets the local machine name to the fully qualified host name provided and ensures that /etc/hosts is configured to resolve between the given <fqhn> and <ip_address>.
set httpd <port> Changes the web port of non-ssl installs for the Scrutinizer WebUI. Use set ssl to change the SSL port.
set myaddress Changes the IP Address of the current Scrutinizer Server.
set ntp Modifies the system file that manages the list of NTP servers.
set partitions <partition_name>

Expands the operating system disk space for hardware and virtual appliances.

NOTE: Make a backup before using this command.

set password webui <user> Modifies the webui password for the specified user.
set registercollector Manually registers this collector for both stand-alone and distributed use.
set reportmenu

Manually recreates the report menu.

NOTE: The report menu is automatically maintained based on the flows received.

set salt <salt> Setting a salt value will allow users to mask certain machine characteristics from any license key generated.
set selfregister [reset] Manually registers this Scrutinizer Server to identify itself for both stand-alone and distributed functionality.
set selfreporter Promotes this Scrutinizer Server to a reporter.
set sshcollectorkeys

Generates a new SSH key pair and distributes it to all active, registered machines. Any previous SSH key pairs will be overwritten unconditionally, which makes this suitable for resynchronizing SSH access if problems arise.

This enables future functionality to perform upgrades and other maintenance operations en masse.

set ssl <on|off>

Enables or disables SSL support in Scrutinizer. It only works with the local Apache server bundled with Scrutinizer.

Please reference the System/SSL section for detailed configuration instructions.

set timezone <timezone> Sets the server’s time zone. To see a list of time zones, run show tzlist
set tuning This command will alter some operating system and Scrutinizer settings in these database tables: plixer.exporters and plixer.serverprefs; and these files: sysctl.conf, postgresql.conf , and plixer.ini.
set voip <on|off> Toggles the predefinition of VoIP port ranges on or off.
set yum_proxy <host> <port> <user>

Sets the yum proxy in the yum configuration file. This command will remove any previously configured proxy servers.

All fields are required. Once all fields are entered on the command line, a prompt for the proxy user's password will appear. To see what proxy servers are currently configured, use show yum_proxy

show

Shows various details about the Scrutinizer Server.
Command Description
show alarms [filter] Displays a list of alarms ordered by timestamp, descending.
show custom_algorithms Displays a list of custom algorithms available and whether they are enabled. For information on managing custom algorithms, reference the Flow Analytics Custom Algorithm section.
show diskspace Displays details about available storage.
show dns Displays a list of DNS servers currently used to resolve hostnames. Use the set dns command to change the list of DNS servers.
show exporters [filter] Displays a list of exporters that are currently sending data to Scrutinizer based on the supplied filter (if any).
show extalarms [filter] Displays a list of alarms with extended json data ordered by timestamp, descending.
show groups Displays a list of groups currently configured on this Scrutinizer server.
show interfaces [filter] Displays a list of interfaces that are currently sending data to Scrutinizer based on the supplied filter (if any).
show ipaddresses Displays the current ip address(es) on this Scrutinizer server.
show metering [filter] Displays a list based on the supplied filter (if any) of matching exporter IPs and how each interface is metered (i.e. ingress and/or egress).
show ntp Displays a list of NTP servers currently used to sync time.
show partitions

Displays a list of partitions on the current Scrutinizer Appliance. This command is only available for Hardware and Virtual Appliances.

Use show diskspace if looking for diskspace per volume (or partition).

show pcaplist List what current pcap files have been created and their sizes. Pcaps can be removed using the clean pcap command.
show serverpref [filter] Displays serverprefs and their current values. The filter parameter is optional to narrow the serverprefs to match the string provided.
show task [name] Displays a list of tasks currently configured in Scrutinizer. The name parameter is optional to narrow the task names to match the string provided.
show timezone Displays the current timezone of this Scrutinizer Server. Use set timezone command to modify the timezone.
show tzlist [filter] Displays the list of timezones.
show unknowncolumns

List info elements from exporters that are unknown to Scrutinizer.

Don’t fret! Give the list to Plixer and support will be added for it!

show yum_proxy Displays the currently configured yum proxy settings. To change these settings, use set yum_proxy

Note

If after running the show command the results are long, ‘q’ can be typed in to quit and return to the SCRUTINIZER> prompt.

snoop

Listens at the interface level for traffic from the specified interface or ip address.
Command Description
snoop interfaces <interface_name> Listens at the interface level for traffic from the specified interface.
snoop ipaddresses <ip_address> Listens at the interface level for traffic from the specified ip address.

system

Scrutinizer system level functions.

Warning

This command will alter Scrutinizer’s operations. Please use with caution.

Command Description
system <restart|shutdown>
system update [schedule|unschedule]

Performs system level functions such as rebooting, shutting down, or applying operating system level patches.

To enable daily scheduled operating system updates, run the ‘system update schedule’ command. This will run the system update command every day at a random time. This time is selected outside of the ‘business hours’ set in Admin > Settings > Reporting. An alert is sent to Scrutinizer describing what time this command will run. To change the time, simply run the ‘system update schedule’ command again. A new time will be selected.

To disable daily scheduled operating system updates, run the ‘system update unschedule’ command.

If operating system patches are applied, all Scrutinizer services will be restarted and could cause a minute of missed data.

Warning: The ‘system update’ command will break installs prior to version 18. Do not attempt to run this command on version 17.11 or prior.

upload

Uploads files for troubleshooting purposes.
Command Description
upload pcap <capturefile> Uploads the specified packet capture collected by the collect pcap command. To see a list of captures on this server, execute show pcaplist
upload supportfiles Uploads files for troubleshooting purposes.

version

Displays Scrutinizer version.
Command Description
version Shows version information about Scrutinizer.