compliances , security , visio-stencils

CLI Exabeam Field Notes

May 3, 2024

Troubleshoot for Exabeam Site Collector | Exabeam Documentation Portal

Note

Load balanced

Or not load balanced

Syntax Web UI

https://exabeam.hostname:8484
https://xxx.xxx.xxx.xxx:8484

Command line

ssh exabeam@ xxx.xxx.xxx.xxx

exabeam@ xxx.xxx.xxx.xxx:oneTrueScript.zip

scp oneTrueScript.zip exabeam@ xxx.xxx.xxx.xxx:/home/exabeam

/opt/exabeam/support/uba-exa-support-xx-xx.tar.gz

/opt/exabeam/config/custom

/opt/exabeam/data/input/2024-09-27/{15..16}*.log.gz | grep “Microsoft Azure Active Directory” | grep “StrongAuthenticationUserDetails”

scp oneTrueScript.zip exabeam@xxx.xxx.xxx.xxx:/home/exabeam

Worker Nodes Processing Lagging

Troubleshooting Worker Nodes Stopped (exabeam.com)

/opt/exabeam/config/custom

Output

/opt/exabeam/support

/opt/exabeam/support/uba-exa-support-09-28.tar.gz

CLI Exabeam Syntax

Cleanup if needed

hdfs –text /opt/exabeam/data/input/9999-01-01/*.msg.gz

Hdfs –rm /opt/exabeam/data/input/99999-01-01/*.gz

hdfs –ls /opt/exabeam/data/input/9999-01-01

hdfs –ls /opt/exabeam/data/input/99999-01-01

hdfs –rm /opt/exabeam/data/input/99999-01-01/*.evt.gz

Copy out of into hdfs

exa-cp/opt/Exabeam/data/input/2024-09-29/*.log.gz /opt/Exabeam/data/input/99999-01-01/*.gz

Show file exists

hdfs –ls /opt/Exabeam/data/input/99999-01-01

exa-fetch-parse –config.file /opt/Exabeam/config/custom/custom_exabeam_config.conf – request “(9999-01-01,9999-01-01,mso365)” -status ParseOnly -messageOutput true

{“msgType=”:”=0365-search-data-4”,”datatype”:”app-activity”,”time”:1635522944000,”rawLogTime”:1635522944000,”timeFormat”:”yyyy-MM-dd\xxxxxxx0027HH:rnm:ss=7fields=4″activity=:”Get-QuarantineMessage”,’host”:”hostname”,”app”:”SecurityComplianceCenter=”,”time”:”2024-09-29T15:55:44″}}

Parser (default, original)

{ Name=o365-search-data-4

Vendor = Microsoft Product = Microsoft Office 365

Lms=Splunk

DataType = “app-activity”

TimeFormat = “yyyy-MM-ddTHH:mm:ss

Conditions =[”””SecurityComplianceCenter”””,”””Workload”””,”””Operation”””]

Fields =[

”””Exabeam_host=([^=]+@\s*)?({host}[\w\-.]+)”””,

”””CreationTime”*:\s*”*({time}\d\d\d\d-\d\dT\d\d:\d\d:\d\d)”””,

”””Operation”*:\s*”*({activity}[^”]+)”*”””

o365 Log’s not converted to events

Exabeam

hdfs -ls /opt/exabeam/data/input/2024-09-{20..31}/*mso365*.gz | grep –v “  20” | grep –v “ 72”

hdfs -ls /opt/exabeam/data/input/2024-09-{01..02}/*mso365*.gz | grep –v “  20” | grep –v “ 72”

ls

more rotational_check.py

lvdisplay

pvdisplay

sudo su –

df -h

clear

top

clear

hdfs -text /opt/exabeam/data/input/2024-09-04/-syslogglog.gz 1 grep ‘cdport=’

top

hdfs -text /opt/exabeam/data/input/2024-09-04/4evt.gz 1 awk -F “exa-msg-type\”:\”” ‘{print $2}’ 1 awk -F “\”” ‘{print $1}’ 1 sort |

hdfs -text /opt/exabeam/data/input/2024-04-04/”evt.gz 1 grep hdfs -text /opt/exabeam/data/input/2024-06-04/*evt.gz 1 awk -F “exa-ms

hdfs -text /opt/exabeam/data/input/2024-09-04/gevt.gz 1 grep zscaler-firewall

pwd

cd /opt/exabeam/config/custom/

cat event_builder.conf

cd 35 cd default

vi event_builder_default.conf

cd 16 ..

cd custom

cat parsers.conf

cd ..

cd default

cat parsers_zscaler.conf

cat parsers_zscaler.conf  grep ‘zscaler-firewal’

cat event_builder_default.conf | grep ‘zscaler-firewal ‘

clear

pwd

cat parsers_zscaler.conf

sudo tcpdump –I docker0 -n -v I grep -P “(POST I GET I Host:)”

sudo tcpdump -i docker -n -v

sudo tcpdump -i any -n -v 1 grep -P “(POST IGET IHost:)”

docker network ls

cat /etc/resolv.conf

exit

docker exec -it exabeam-cloud-connection-service bash

exit

which ipmitool

cd /opt/exabeam

cd support

cd ds-server

cd exabeam_yum_repo

cd yum

ls –i grep ipmi

host1

host2

ssh hostname

crontab –i

tail -100 /var/log cron.log

tail -100 /var/log/cron.log

cd /home/exabeam/tmp/

ll

copy /home/exabeam/tmp/health_script.sh to /home/exabeam/tmp/health_script.bak.06022024.sh

cp /home/exabeam/tmp/health_script.sh to /home/exabeam/tmp/health_script.bak.06022024.sh

health-check-script/health-check.sh at master · SimplyLinuxFAQ/health-check-script · GitHub