CLI Exabeam Field Notes
May 3, 2024Troubleshoot for Exabeam Site Collector | Exabeam Documentation Portal
Note
Load balanced
Or not load balanced
Syntax Web UI
Command line
ssh exabeam@ xxx.xxx.xxx.xxx
exabeam@ xxx.xxx.xxx.xxx:oneTrueScript.zip
scp oneTrueScript.zip exabeam@ xxx.xxx.xxx.xxx:/home/exabeam
/opt/exabeam/support/uba-exa-support-xx-xx.tar.gz
/opt/exabeam/config/custom
/opt/exabeam/data/input/2024-09-27/{15..16}*.log.gz | grep “Microsoft Azure Active Directory” | grep “StrongAuthenticationUserDetails”
scp oneTrueScript.zip exabeam@xxx.xxx.xxx.xxx:/home/exabeam
Worker Nodes Processing Lagging
Troubleshooting Worker Nodes Stopped (exabeam.com)
/opt/exabeam/config/custom
Output
/opt/exabeam/support
/opt/exabeam/support/uba-exa-support-09-28.tar.gz
CLI Exabeam Syntax
Cleanup if needed
hdfs –text /opt/exabeam/data/input/9999-01-01/*.msg.gz
Hdfs –rm /opt/exabeam/data/input/99999-01-01/*.gz
hdfs –ls /opt/exabeam/data/input/9999-01-01
hdfs –ls /opt/exabeam/data/input/99999-01-01
hdfs –rm /opt/exabeam/data/input/99999-01-01/*.evt.gz
Copy out of into hdfs
exa-cp/opt/Exabeam/data/input/2024-09-29/*.log.gz /opt/Exabeam/data/input/99999-01-01/*.gz
Show file exists
hdfs –ls /opt/Exabeam/data/input/99999-01-01
exa-fetch-parse –config.file /opt/Exabeam/config/custom/custom_exabeam_config.conf – request “(9999-01-01,9999-01-01,mso365)” -status ParseOnly -messageOutput true
{“msgType=”:”=0365-search-data-4”,”datatype”:”app-activity”,”time”:1635522944000,”rawLogTime”:1635522944000,”timeFormat”:”yyyy-MM-dd\xxxxxxx0027HH:rnm:ss=7fields=4″activity=:”Get-QuarantineMessage”,’host”:”hostname”,”app”:”SecurityComplianceCenter=”,”time”:”2024-09-29T15:55:44″}}
Parser (default, original)
{ Name=o365-search-data-4
Vendor = Microsoft Product = Microsoft Office 365
Lms=Splunk
DataType = “app-activity”
TimeFormat = “yyyy-MM-ddTHH:mm:ss
Conditions =[”””SecurityComplianceCenter”””,”””Workload”””,”””Operation”””]
Fields =[
”””Exabeam_host=([^=]+@\s*)?({host}[\w\-.]+)”””,
”””CreationTime”*:\s*”*({time}\d\d\d\d-\d\dT\d\d:\d\d:\d\d)”””,
”””Operation”*:\s*”*({activity}[^”]+)”*”””
o365 Log’s not converted to events
Exabeam
hdfs -ls /opt/exabeam/data/input/2024-09-{20..31}/*mso365*.gz | grep –v “ 20” | grep –v “ 72”
hdfs -ls /opt/exabeam/data/input/2024-09-{01..02}/*mso365*.gz | grep –v “ 20” | grep –v “ 72”
ls
more rotational_check.py
lvdisplay
pvdisplay
sudo su –
df -h
clear
top
clear
hdfs -text /opt/exabeam/data/input/2024-09-04/-syslogglog.gz 1 grep ‘cdport=’
top
hdfs -text /opt/exabeam/data/input/2024-09-04/4evt.gz 1 awk -F “exa-msg-type\”:\”” ‘{print $2}’ 1 awk -F “\”” ‘{print $1}’ 1 sort |
hdfs -text /opt/exabeam/data/input/2024-04-04/”evt.gz 1 grep hdfs -text /opt/exabeam/data/input/2024-06-04/*evt.gz 1 awk -F “exa-ms
hdfs -text /opt/exabeam/data/input/2024-09-04/gevt.gz 1 grep zscaler-firewall
pwd
cd /opt/exabeam/config/custom/
cat event_builder.conf
cd 35 cd default
vi event_builder_default.conf
cd 16 ..
cd custom
cat parsers.conf
cd ..
cd default
cat parsers_zscaler.conf
cat parsers_zscaler.conf grep ‘zscaler-firewal’
cat event_builder_default.conf | grep ‘zscaler-firewal ‘
clear
pwd
cat parsers_zscaler.conf
sudo tcpdump –I docker0 -n -v I grep -P “(POST I GET I Host:)”
sudo tcpdump -i docker -n -v
sudo tcpdump -i any -n -v 1 grep -P “(POST IGET IHost:)”
docker network ls
cat /etc/resolv.conf
exit
docker exec -it exabeam-cloud-connection-service bash
exit
which ipmitool
cd /opt/exabeam
cd support
cd ds-server
cd exabeam_yum_repo
cd yum
ls –i grep ipmi
host1
host2
ssh hostname
crontab –i
tail -100 /var/log cron.log
tail -100 /var/log/cron.log
cd /home/exabeam/tmp/
ll
copy /home/exabeam/tmp/health_script.sh to /home/exabeam/tmp/health_script.bak.06022024.sh
cp /home/exabeam/tmp/health_script.sh to /home/exabeam/tmp/health_script.bak.06022024.sh
health-check-script/health-check.sh at master · SimplyLinuxFAQ/health-check-script · GitHub