Available Commands in the Sensor CLI Access Window
This topic summarizes the commands you can run in the Sensor CLI Access window, which is available from the System | Sensors page.
Refer to Using the Sensor CLI for a summary of how to display and use the Sensor CLI Access window.
Sensor CLI Access Command Types
The following types of commands are available in the Sensor CLI Access window:
- show – You use show commands to see the settings and statuses for different options on the sensor.
- set – You use set commands to configure options on the sensor.
You can type any of the following to see the available commands of the corresponding type:
- show ? or show help
- set ? or set help
You can also use the ? with a specific command to see its available arguments. For example:
sds-a > set ntp ?
<NTP server> Specify NTP server name or IP address
The tables below summarize the available arguments for the show/set commands.
Arguments for the "show" command in the Sensor CLI Access Window
You can use the show command with any of the arguments listed and described in the table below.
Some of the show commands return a hardcoded maximum number of entries (for example, 128 for the show metalist command). In situations such as this, you can add the all parameter to ensure that the CLI returns all available entries in paged output. For example, the show metalist all command returns all entries across a set of pages, each of which has a maximum of 128 entries.
show command | description |
---|---|
aflow | Shows AFIX AFlow information. |
aggregator | Shows information on Data Aggregators used by the sensor, if any. Also reports CM Controller IP address and connection status. |
asset | Shows asset information. |
cm | Shows CM Controller IP address and connection status. |
customer_log | Shows information on Customer Log Parsers, if applied. |
data-port-ip | Shows MAC and IP address for sensor data port(s) (where data is ingested by the sensor). |
disk-monitor | Shows actions being taken to limit disk usage. |
dns | Shows the IP address of the sensor's DNS server. |
dpi | Shows deep packet inspection information, including the categorization for different applications. Note that the output for this command can be lengthy. Use the all parameter to see all entries in paged output (for example, show dpi all). |
drop | Shows the number of packets dropped by the sensor, broken out by Rx and Tx and by interface. |
flood | Shows SYN flood detection information. |
gateway | Shows the IP address of the sensor's default gateway. |
interface | Shows output equivalent to the Linux ifconfig command, with status, packets, drops, and bytes Rx and Tx broken out by interface. |
ipfix | Shows information on AFIX IPFIX classification engines. |
json | Shows information on AFIX JSON metadata transfer. |
logcollector | Shows information on the configuration of and records sent by different log collectors. |
logforwarder | Shows information on logs received and forwarded. Also indicates whether specific log forwarding features (such as the HTTP JSON Parser, forwarding to an external server, or TLS log forwarding) are enabled, as well as the number of workers provisioned for the sensor by the system. If you are using a custom log forwarder certificate with the TLS log forwarding feature, its name is displayed here as well. |
loglevel | Shows the log level for different Stellar Cyber modules. Note that you can also set the log level for different modules from the CLI Access window using the set loglevel command; see the table below. |
maltrace | Shows detailed statistics on malware sandbox usage, including the total number of IDS events broken out by the number of events buffered by the sensor and the number already sent to the DP. Note: The 5.3.0 sensor improves its approach to sending IDS events to the DP and sends them as soon as they are received, only buffering events when the sensor cannot reach the DP. Because of this, you may notice that the values reported in the Output buffering section of the show maltrace output for Buffered and Outputed are smaller than those reported in previous releases. That happens because the 5.3.0 sensor buffers fewer events, sending them to the DP immediately instead. |
memory | Shows information on control and data plane memory availability and usage. |
metalist | Shows information on the black list of metadata applications (traffic explicitly excluded from ingestion/evaluation in the sensor profile). Note that the output for this command can be lengthy. The following tips can help you see the entries that interest you: |
mirror | Shows information on configured traffic mirroring. |
module | Modular Sensors only. Shows which modular features are enabled on a modular sensor (for example, log collector, aggregator, Tenable scanner, and so on), as well as its current CPU, RAM, and disk provisioning. |
module request | Modular Sensors only. Shows the amount of CPU, RAM, and disk required to support different combinations of modular sensor features. |
nic | Lists the NICs installed in the sensor along with their names, driver names, driver versions, firmware versions, and bus information. |
ntp | Lists the configured NTP servers for this sensor in order of use. |
packet | Shows packet processing settings, including slicing and deduplication. |
process | Shows detailed information on internal AFIX process mapping, including NUMA register mapping. |
proxy | Shows information on proxies configured for the sensor, if any. |
receiver | Shows information on the configured data receiver. |
ring | Shows information on the AFIX ring. |
route | Shows static route table entries. |
rules | Shows information on configured maltrace rules. |
scan | Shows detailed scan information on the sensor. |
service | Provides the service to AppID mapping for the sensor, including the NUMA register for each. Note that the output for this command can be lengthy. Use the all parameter to see all entries in paged output (for example, show service all). |
session | Provides a session table for the sensor listing ongoing sessions and their NUMA mappings and summary statistics. You can filter this command by source/destination IP addresses and ports using the following syntax: show session [source ip [port]] [dest ip [port]] |
system | Shows the status of key Stellar Cyber services on the sensor. |
tech-support | Not supported. |
tenable | Available if Tenable Nessus is enabled in the sensor profile. Shows the status of the scanner. |
thread | Shows information on CPU threads. |
time | Shows system time. |
top | Shows top resource usage by process. |
upgrade | Shows a report on upgrades for this sensor. |
userapp | Shows information on user-defined applications for this sensor. Note that the output for this command can be lengthy. The following tips can help you see the entries that interest you: |
version | Shows the sensor software version, license status, features, platform, and basic configuration. Also provides detailed information on CPU and memory usage: You can also use the output of the |
vtep | Shows interfaces available for use as a VXLAN tunnel destination. |
vxlan | Shows information on VXLAN tunnel configuration. |
whitelist | Shows information on whitelist configuration. |
Arguments for the "set" Command in the Sensor CLI Access Window
You can use the set command with any of the arguments listed and described in the table below. If you need help on command syntax, type set <command> ? to see the context-sensitive help.
set command | description |
---|---|
cm | Lets you set the IP address to reach the management interface of the Data Processor from the sensor or aggregator. For a DP cluster, this is the IP address of the DL-master's management interface. For a single DP deployment, this is simply the DP's management IP address. You can supply either an IP address or a hostname. Running this command from the Sensor CLI Access window can be useful when migrating sensors from one DP to another. Note: Using this command from the Sensor CLI Access window disconnects the sensor from its current DP. Because of this, you need to manually close the Sensor CLI Access window once the disconnection occurs. The syntax is as follows: set cm <cm_addr> [safe | force]
Stellar Cyber strongly recommends that you always use the |
loglevel | Lets you set the log level for different modules. The syntax is as follows: set loglevel <service> <level> You can also set the loglevel timeout with the following command: set loglevel timeout <timeout value in minutes> Stellar Cyber recommends that you only change the log level for modules while working with Customer Success personnel. If you do decide to change log levels, a good way to start is by checking the current log levels with the show loglevel command. The default log level for all modules is info. The available modules (services) for which you can set the log level are as follows:
The available log levels are as follows, from least to most severe:
As an example, you can set the log level for aella_flow to warning with the following command:
When you specify a log level, Stellar Cyber records events of the specified severity and above. So, for example, if you specify a log level of error, only events with a severity of error and critical are logged. The log level setting also directly affects the quantity of events logged. For example, if you specify a log level of debug for a service, all events for that module are logged, regardless of severity. Log Level Tips: Keep in mind the following tips when making changes to the log level: |
ntp | Lets you specify an NTP server for the sensor. The syntax is as follows: set ntp <ntp server name or address> Specifying an NTP server does not configure a time zone for the sensor. During installation, the time zone for a sensor is automatically set to UTC+0. Since the logs for some security products may only include the local time without a time zone, Stellar Cyber recommends that you set the sensor time zone to the same time zone as your security product. Set the time zone for a sensor from the Sensor List. Refer also to Best Practices for NTP and Timezones. |
interface <ifn_name> | Lets you set IP configuration for a sensor interface by name, including its IP address, default gateway, and DNS server. Start by using show interface to get the name of the interface you want to configure. For example, to configure the management interface, you would use set interface management <arguments>. The syntax is as follows: set interface <ifn_name> |
proxy | Lets you specify an HTTP proxy for the sensor. The syntax is as follows: set proxy http://[username:password@]<proxy_ip>[:<proxy_port>] Note: The CLI prevents you from entering non-printable characters as part of the username or password for the proxy, as well as the proxy itself. |
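The set proxy syntax and its non-printable character restriction, as an added example (not Stellar Cyber code): a Python helper that assembles the command line and refuses values before they are pasted into the CLI window. The name build_set_proxy, the IPv4-only check for <proxy_ip>, and the refusal of whitespace and of : @ / inside credentials are assumptions of this example, not documented CLI behavior.

```python
import ipaddress
import string

# Printable ASCII minus whitespace. The page says the CLI rejects
# non-printable characters; rejecting whitespace too is an assumption here,
# since a space would split the argument.
_ALLOWED = set(string.printable) - set(string.whitespace)
# Characters that delimit parts of the URL. A credential containing one makes
# the argument ambiguous, so this helper refuses it rather than guessing how
# the CLI would parse it (assumption).
_DELIMITERS = set(":@/")


def _check_text(label, value, forbid_delimiters):
    if not value:
        raise ValueError(f"{label} is empty")
    bad = [c for c in value if c not in _ALLOWED]
    if bad:
        raise ValueError(f"{label} has non-printable or whitespace char {bad[0]!r}")
    if forbid_delimiters and _DELIMITERS & set(value):
        raise ValueError(f"{label} contains a URL delimiter (: @ /)")


def build_set_proxy(proxy_ip, port=None, username=None, password=None):
    """Return the 'set proxy' line for the syntax shown on the page."""
    _check_text("proxy", proxy_ip, forbid_delimiters=False)
    try:
        ipaddress.IPv4Address(proxy_ip)  # assumption: <proxy_ip> is IPv4
    except ValueError:
        raise ValueError("proxy is not a valid IPv4 address") from None
    if (username is None) != (password is None):
        raise ValueError("username and password must be given together")
    creds = ""
    if username is not None:
        _check_text("username", username, forbid_delimiters=True)
        _check_text("password", password, forbid_delimiters=True)
        creds = f"{username}:{password}@"
    suffix = ""
    if port is not None:
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError("port must be an integer from 1 to 65535")
        suffix = f":{port}"
    return f"set proxy http://{creds}{proxy_ip}{suffix}"


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(build_set_proxy("10.0.0.5", 3128, "svc-proxy", "S3cret!"))
```

Because the resulting line carries the proxy password in clear text, treat anything that stores it (clipboard history, runbooks, ticket comments) as holding a credential.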