Available Commands in the Sensor CLI Access Window

Shows asset information.

Shows CM Controller IP address and connection status.

Shows information on Customer Log Parsers, if applied.

Shows MAC and IP address for sensor data port(s) (where data is ingested by the sensor).

Shows actions being taken to limit disk usage.

Shows the IP address of the sensor's DNS server.

Shows deep packet inspection information, including the categorization for different applications. Note that the output for this command can be lengthy. Use the all parameter to see all entries in paged output (for example, show dpi all).

Shows information on the number of packets dropped by the sensor broken out by Rx and Tx and interface.

Shows syn flood detection information.

Shows the IP address of the sensor's default gateway.

Shows the status of the IDS PCAP capture feature on the Modular Sensor. When enabled, this feature captures trace files to the Sensor's storage when an IDS signature match is detected. The show ids output reports whether the IDS PCAP feature is enabled, and, if enabled, the filenames of any saved PCAP files so you can copy them off of the device for further analysis. This command only provides output when used with a virtual 6.0.0+ Modular Sensor with the IDS feature enabled in its Sensor Profile.

Refer to Capturing Trace Files for IDS Signature Matches for more information on enabling and configuring the IDS PCAP feature.

Shows equivalent output of the Linux ifconfig command with status, packets, drops, and bytes Rx and Tx broken out by interface.

Shows information on AFIX IPFIX classification engines.

Shows information on AFIX JSON metadata transfer.

Shows information on the configuration of and records sent by different log collectors.

Shows information on logs received and forwarded. Also indicates whether specific log forwarding features (such as the HTTP JSON Parser, forwarding to an external server, or TLS log forwarding) are enabled, as well as the number of workers provisioned for the sensor by the system. If you are using a custom log forwarder certificate with the TLS log forwarding feature, its name is displayed here, as well.

Shows the log level for different Stellar Cyber modules. Note that you can also set the log level for different modules from the CLI Access window using the set loglevel command; see the table below.

Shows detailed statistics on malware sandbox usage, including the total number of IDS events broken out by the number of events buffered by the sensor and the number already sent to the DP.

Note: The 5.3.0 sensor improves its approach to sending IDS events to the DP and sends them as soon as they are received, only buffering events when the sensor cannot reach the DP. Because of this, you may notice that the values reported in the Output buffering section of the show maltrace output for Buffered and Outputed are smaller than those reported in previous releases. That happens because the 5.3.0 sensor is not buffering as many events, sending them to the DP immediately, instead.

Shows information on control and data plane memory availability and usage.

Shows information on the black list of metadata applications (traffic explicitly excluded from ingestion/evaluation in the sensor profile).

Note that the output for this command can be lengthy. The following tips can help you see the entries that interest you:

• Use the all parameter to see all entries in paged output (for example, show metalist all).

• Use a regex filter to exclude aella_log_forwarder entries and see only user-defined applications. For example:

  show metalist regex ^(?!.*aella_log_forwarder).*

  show metalist all regex ^(?!.*aella_log_forwarder).*

Shows the current Maximum Transmission Unit (MTU) setting for each interface on the sensor.

Shows information on configured traffic mirroring.

Modular Sensors only. Shows which modular features are enabled on a modular sensor (for example, log collector, aggregator, Tenable scanner, and so on), as well as its current CPU, RAM, and disk provisioning.

Modular Sensors only. Shows the amount of CPU, RAM, and disk required to support different combinations of modular sensor features.

Modular Sensors only. Shows standard netstat output for the modular sensor's management port.

The syntax is as follows:

show netstat [all | delta | rate] protocol [tcp | udp | all]

• all – returns all statistics available from the Linux kernel.

• delta – returns statistics from the previous time netstat was run, the current value, and the difference between the two.

• rate – returns just those statistics that are different from the previous time netstat was run.

• protocol – choose whether to view statistics for TCP, UDP, or both.

Lists the NICs installed in the sensor along with their names, driver names, driver versions, firmware versions, and bus information.

Lists the configured NTP servers for this sensor in order of use.

Shows packet processing settings, including slicing and deduplication.

Shows detailed information on internal AFIX process mapping, including NUMA register mapping.

Shows information on proxies configured for the sensor, if any.

Shows information on the configured data receiver for the sensor, including the following:

• IP Address or hostname

• Port number

• Receiver type (JSON or Packet)

• Transport (HTTPS or HTTP)

• Status, including response time

This command is supported for Windows Server Sensors as of the 6.2.0 release.

Shows information on the AFIX ring.

Shows static route table entries.

Shows information on configured maltrace rules.

Shows detailed scan information on sensor.

Provides the service to AppID mapping for the sensor, including the NUMA register for each. Note that the output for this command can be lengthy. Use the all parameter to see all entries in paged output (for example, show service all).

Provides a session table for the sensor listing ongoing sessions and their NUMA mappings and summary statistics. You can filter this command by source/destination IP addresses and ports using the following syntax:

show session [source ip [port]] [dest ip [port]]

Shows the status of key Stellar Cyber services on the sensor, including service uptime.

If a given service is down, you can use the restart service <service_name> command to restart it.

This command is supported for Windows Server Sensors as of the 6.2.0 release.

Not supported.

Available if tenable nessus is enabled in the sensor profile. Shows status of the scanner.

Shows information on CPU threads.

Shows system time.

Shows top resource usage by process.

Shows report on upgrades for this sensor.

Shows information on user-defined applications for this sensor.

Note that the output for this command can be lengthy. The following tips can help you see the entries that interest you:

• Use the all parameter to see all entries in paged output (for example, show userapp all).

• Use a regex filter to exclude aella_log_forwarder entries and see only user-defined applications. For example:

  show userapp regex ^(?!.*aella_log_forwarder).*

  show userapp all regex ^(?!.*aella_log_forwarder).*

Shows the sensor software version, license status, features, platform, basic configuration settings, and sensor up time. Note that values for some of these options can also be seen in the Sensor List, depending on which fields you add to the display.

Note: The statistics displayed by the show version command can vary depending on your sensor type and version. The statistics listed below are current for the latest sensor software version.

Note: Windows Server Sensors show only the following fields in their show version output – AOS Version, Product Model, License Status, Product EngineID, Internal ID, Running Mode, Running Feature, Aggregator, CM Controller,, Ctrl Plane Status, Platform OS, and Platform Type.

• AOS Version – The version of the Stellar Cyber operating system on the sensor.

  You can use the AOS Version to determine whether the sensor is operating in SaaS or on-prem/pre-SaaS mode:

  • Sensors operating in on-prem/pre-SaaS mode include a p at the end of their AOS Version in the show version output. For example:

    AOS Version : 5.2.0_99e79ab-p

  • Sensors operating in SaaS mode do not include the p in their AOS Version.

• Product Model – Shows Data_Sensor for Device Sensors and either Windows Agent Sensor or Linux Agent Sensor for Server Sensors.

• License Status – Shows whether the license on the sensor is valid.

  This field does not appear for physical Photon Sensors.

• Product EngineID – The unique system ID assigned to this sensor by Stellar Cyber.

• Product Tenant ID – The unique system ID assigned to this sensor's tenant.

• Platform Type – The type of platform on which this sensor is installed. For a virtual sensor, this can be VMware, QEMU, Virtual Machine, Microsoft, and so on. For physical sensors, a hardware revision is shown.

• Platform OS – The operating system in use on the sensor.

• Hostname – The sensor's hostname.

• Running Mode/Feature – Indicates whether the sensor is a device sensor or a server sensor (agent), as well as the type of sensor profile enabled.

  • Photon Sensors show device/modular.

  • Virtual Modular Sensors show device/modular.

  • Linux Server Sensors show agent/ds.

  • Windows Server Sensors show agent/wds, but broken out on separate lines.

• Management Port – The device interface designation for the management port on the sensor (for example, eth0).

• Management IP – The IP address of the management port on the sensor.

• CM Controller – The IP address of the Stellar Cyber platform that manages this sensor.

• Ctrl Plane Status – Can be Authorized or Unauthorized. Indicates the status of the authorization handshake between the sensor and its managing Stellar Cyber Platform's Configuration Management module (CM). Once the handshake has established management communications and the Control Plane is authorized, the Stellar Cyber Platform pushes sensor profile settings to the sensor.

• Sensor Boot Time – The time at which the sensor was last booted. Note that this field only appears for physical Photon Sensors.

• Sensor Up Time – The amount of time the sensor has been running since the last time it was booted.

• Data Plane Status – Can be Online or Offline. Indicates whether the sensor is successfully sending ingested data to its managing Stellar Cyber Platform.

Shows interfaces available for use as a VXLAN tunnel destination.

Shows Information on VXLAN tunnel configuration.

Lets you configure the AFIX ring buffer size. AFIX is used on the sensor to extract flow and metadata information from sessions.

Must be a specified as a power of 2 with a default size of 8192.

Lets you specify the IP address of the aggregator for the sensor, if any.

Lets you set the IP address to reach the management interface of the Data Processor from the sensor or aggregator. For a DP cluster, this is the IP address of the DL-master's management interface. For a single DP deployment, this is simply the DP's management IP address. You can supply either an IP address or a hostname. Running this command from the Sensor CLI Access window can be useful when migrating sensors from one DP to another.

Note: Using this command from the Sensor CLI Access window disconnects the sensor from its current DP. Because of this, you need to manually close the Sensor CLI Access window once the disconnection occurs.

The syntax is as follows:

• cm_addr – the IP address or hostname of the managing DP.

• safe – reverts the CM address to the previous address if connection to the new one is not successful. This parameter is automatically used by Stellar Cyber when set cm is executed from the Sensor CLI Access window regardless of whether you included it in the command line.

• force – sets the CM address to whatever you specify, regardless of connection success. Be careful when using this option.

Stellar Cyber strongly recommends that you always use the safe argument with set cm in order to prevent yourself from accidentally orphaning a sensor by assigning an incorrect IP address.
As a safeguard, the safe option is used automatically when you run set cm from the Sensor CLI Access window.

Lets you specify the hostname for the sensor. You can also specify hostnames in the Sensor List.

Enables and configures the IDS PCAP capture feature on the Modular Sensor. When enabled, this feature captures trace files to the Sensor's storage when an IDS signature match is detected.

Refer to Capturing Trace Files for IDS Signature Matches for more information on enabling and configuring the IDS PCAP feature.

Lets you set IP configuration for a sensor interface by name, including its IP address, default gateway, and DNS server. Start by using show interface to get the name of the interface you want to configure. For example, to configure the management interface, you would use set interface management <arguments>.

The syntax is as follows:

• ip [<IP Address/Netmask> | dhcp]
• gateway <IP Address>
• dns <IP Address>

Lets you enable the Metadata Summarization feature. You can turn off the feature with unset ldap-metadata.

Lets you configure the logforwarder feature.

Lets you set the log level for different modules. The syntax is as follows:

You can also set the loglevel timeout with the following command:

Stellar Cyber recommends that you only change the log level for modules while working with Custom Success personnel. If you do decide to change log levels, a good way to start is by checking the current log levels with the show log level command. The default log level for all modules is info.

The available modules (services) for which you can set the log level are as follows:

• audit (aella_audit)

• conf (aella_conf)

• ctrl (aella_ctrl)

• flow (aella_flow)

• mon (aella_mon)

The available log levels are as follows, from least to most severe:

• debug

• info

• warning

• error

• critical

As an example, you can set the log level for aella_flow to warning with the following command:

set loglevel flow warning

When you specify a log level, Stellar Cyber records events of the specified severity and above. So, for example, if you specify a log level of error, only events with a severity of error and critical are logged.

The log level setting also directly affects the quantity of events logged. For example, if you specify a log level of debug for a service, all events for that module are logged, regardless of severity.

Log Level Tips

Keep in mind the following tips when making changes to the log level:

• Stellar Cyber strongly recommends that you consult with Customer Success before changing log levels for a service.

• If you do make changes to the log level, Stellar Cyber recommends that you also set a loglevel timeout so that the log level returns to its normal state after whatever testing you are performing.

• Stellar Cyber recommends that you keep track of the time at which you change the log level. This can help the Customer Success team assist you with troubleshooting.

Lets you configure the malware upload feature. Refer to Forwarding Malware to an External HTTPS Server for details.

Lets you set the MTU for a specified interface. The syntax is as follows:

set mtu <mtu_value> <ifn_name(s)>

You can specify multiple interfaces in a single command. For example, the following command sets the MTU to 5500 bytes for eth0, eth1, and eth2:

Lets you specify an NTP server for the sensor. The syntax is as follows:

Specifying an NTP server does not configure a time zone for the sensor. During installation, the timezone for a sensor is automatically set to UTC+0. Since the logs for some security products may only include the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to the same timezone as your security product. Set the time zone for a sensor from the Sensor List. Refer also to Best Practices for NTP and Timezones .

Lets you change the password for the sensor.

Lets you specify an HTTP proxy for the sensor. The syntax is as follows:

Note: The CLI prevents you from entering non-printable characters as part of the username or password for the proxy, as well as the proxy itself.

Lets you change the receiver configured for the sensor in its sensor profile.

Lets you toggle the SMB Reduction feature. Enabling this option reduces the amount of metadata collected for SMB commands. This is especially helpful in increasing your compression ratio if your network has a great deal of SMB traffic. If you enable this, metadata is only collected for:

• session setup
• logoff
• read
• write

Lets you set the system date and time in <YYYY-MM-DD HH:MM:SS> format, if you are not using NTP.

Lets you remove aggregator settings from the sensor.

Lets you disable the Metadata Summarization feature.

Lets you unset logforwarder settings.

Lets you remove malware_upload settings.

Lets you remove the configured NTP settings.

Lets you remove the configured password from the sensor, resetting it to its default of aella/changeme.

Restarts the specified sensor service.

To use this command, start by running the show system command to see the status of sensor services (for example, aella_flow, aella_mon, maltrace, and so on). Then, find the service name you need to restart in the show system output and include it as part of the restart service <service_name> command.