Panduan Pengguna CLI Google Security Operations
Sebagai alternatif untuk menggunakan antarmuka pengguna grafis Google Security Operations, pengguna tingkat lanjut dapat menggunakan antarmuka command line (CLI) Google Security Operations, chronicle_cli
, untuk memulai alur kerja Google Security Operations.
Anda dapat menggunakan Google Security Operations CLI untuk alur kerja berikut:
Perintah CLI Google Security Operations menggunakan sintaksis berikut (COMMAND dan ARGUMENT diperlukan, tetapi OPTIONS bersifat opsional):
$ chronicle_cli COMMAND ARGUMENT [OPTIONS]
Misalnya, untuk membuat feed baru menggunakan alur kerja pengelolaan feed, gunakan perintah berikut:
$ chronicle_cli feeds create
Sebelum memulai
Sebelum menginstal Google Security Operations CLI, lakukan hal berikut:
- Instal Python 3 di lingkungan Anda. Untuk mengetahui informasi selengkapnya, lihat Menginstal Python.
- Buat lingkungan virtual dan aktifkan. Untuk mengetahui informasi selengkapnya, lihat Menginstal paket menggunakan pip dan lingkungan virtual.
- Buat direktori tersembunyi bernama
.chronicle_cli
di direktori utama Anda dan tempatkan kredensial akun layanan Developer Google Anda di dalamnya dengan namachronicle_credentials.json
. Perwakilan Google Security Operations akan memberikan kredensial akun layanan Developer Google kepada Anda. Kredensial akun layanan Google Developer memungkinkanchronicle_cli
berkomunikasi dengan API. Jika berencana menggunakan perintah pengelolaan parser v2, Anda harus melakukan hal berikut:
- Ikat instance Google Security Operations ke project yang Anda miliki. Lihat dokumen berikut:
- Buat akun layanan di project yang terikat dengan Google Security Operations. Untuk informasi selengkapnya, lihat Membuat dan mengelola kunci akun layanan.
- Berikan peran Chronicle API Admin (
roles/chronicle.admin
) ke akun layanan.
Penginstalan
Bagian ini memberikan informasi tentang cara menginstal Google Security Operations CLI di lingkungan Anda.
Buat dan aktifkan lingkungan virtual
venv
.Clone repositori menggunakan perintah berikut:
git clone https://github.com/chronicle/cli.git
Buka terminal dan instal semua paket dependen yang diperlukan di lingkungan virtual Anda dengan menjalankan perintah berikut:
$ cd cli $ (env) pip install -r requirements.txt
Instal biner Google Security Operations dengan menjalankan perintah berikut:
$ (env) python3 -m pip install --editable .
Pastikan penginstalan berhasil dengan menjalankan perintah berikut:
$ chronicle_cli --help
Contoh output
Usage: chronicle_cli [OPTIONS] COMMAND [ARGS]...
Google Security Operations CLI is a CLI tool for managing Google Security Operations user workflows for e.g.
Feed Management workflows.
Options:
-h, --help Show this message and exit.
Commands:
feeds Feed Management Workflows
Opsi
Anda dapat mengganti konfigurasi default dengan memberikan flag tambahan saat menjalankan perintah.
Menetapkan region default (--region)
Anda dapat memilih region dengan meneruskan tanda --region
dengan perintah dan
panggilan API akan dilakukan ke backend region Google Security Operations yang sesuai.
Anda dapat menetapkan wilayah berikut:
ASIA-NORTHEAST1
ASIA-SOUTH1
ASIA-SOUTHEAST1
AUSTRALIA-SOUTHEAST1
EUROPE
EUROPE-WEST2
EUROPE-WEST3
EUROPE-WEST6
EUROPE-WEST9
EUROPE-WEST12
ME-CENTRAL1
ME-CENTRAL2
ME-WEST1
NORTHAMERICA-NORTHEAST2
SOUTHAMERICA-EAST1
US
Jika Anda tidak menentukan region, region default akan ditetapkan ke US
.
Alur kerja pengelolaan feed
Anda dapat menggunakan Google Security Operations CLI untuk membuat dan mengelola feed data ke instance Google SecOps.
Perintah
feeds
perintah
Perintah feeds
menggunakan argumen berikut:
create
update
get
list
delete
enable
disable
Sintaksis penggunaan:
$ chronicle_cli feeds ARGUMENT [OPTIONS]
Argumen
Argumen create
Membuat feed baru.
Contoh penggunaan
$ chronicle_cli feeds create --help
Usage: chronicle_cli feeds create [OPTIONS]
Create a feed
Options:
--url TEXT Base URL to be used for API calls.
--region
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
- Untuk platform Windows
====================================
========== Set Properties ==========
====================================
List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API
[Source type] Enter your choice: 7
You have selected Third party API
List of Log types:
(i) How to select log type?
- Press ENTER key (scrolls one line at a time) or SPACEBAR key (display next screen).
- Note down the choice number for the log type that you want to select.
- Press 'q' to quit and enter that choice number.
=============================================================================
1. Anomali
2. Azure AD
3. Azure AD Directory Audit
4. Azure AD Organizational Context
5. Cloud Passage
6. Duo Auth
7. Duo User Context
8. Fox-IT
9. Imperva
10. Microsoft Graph API Alerts:
[Log type] Enter your choice: 7
You have selected Duo User Context
Enter feed display name: my_duo_user_context_feed
======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.
(*) Username (Username to authenticate as)
=> USERNAME
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> api-xxxxxxxx.duosecurity.com
Feed created successfully with Feed ID: 9cfce415-97df-413b-8e38-e7c747f9ed38
- Untuk platform lain seperti Linux/Ubuntu/CentOS/MacOS
====================================
========== Set Properties ==========
====================================
List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API
[Source type] Enter your choice: 7
You have selected Third party API
List of Log types:
(i) How to select log type?
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific log type, press '/' key, enter text and press enter.
- Note down the choice number for the log type that you want to select.
- Press 'q' to quit and enter that choice number.
- Press `h` for all the available options to navigate the list.
=============================================================================
1. Anomali
2. Azure AD
3. Azure AD Directory Audit
4. Azure AD Organizational Context
5. Cloud Passage
6. Duo Auth
7. Duo User Context
8. Fox-IT
9. Imperva:
[Log type] Enter your choice: 7
You have selected Duo User Context
======================================
======================================
(*) - Required fields.
Password/secret inputs are hidden.
(*) Username (Username to authenticate as)
=> USERNAME
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> api-xxxxxxxx.duosecurity.com
Feed created successfully with Feed ID: 9cfce415-97df-413b-8e38-e7c747f9ed38
Jika pembuatan feed gagal, Anda akan diminta untuk mencoba lagi pembuatan feed yang gagal pada lain waktu. Anda dapat memilih untuk mencoba lagi atau melanjutkan pembuatan feed baru. Mekanisme percobaan ulang memungkinkan Anda mengubah nilai yang diberikan secara interaktif dalam upaya yang gagal sebelumnya. Tekan Enter untuk menggunakan kembali nilai yang sama untuk opsi dalam alur pembuatan feed.
Contoh output
====================================
========== Set Properties ==========
====================================
List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API
[Source type] Enter your choice: 7
You have selected Third party API
[Log type] Enter your choice: 6
You have selected Duo Auth
Enter feed display name: my_duo_auth_feed
======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.
(*) Username (Username to authenticate as)
=> test
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> test.com
Error occurred while creating feed.
Response Code: 400.
Error: generic::invalid_argument: failed to create feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to create feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to create feed because of the following errors in the request: generic::invalid_argument: for Duo feeds, 'hostname' must be specified as "api-xxxxxxxx.duosecurity.com", e.g. "api-eval.duosecurity.com"
$ chronicle_cli feeds create
Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?
======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.
(*) Username (Username to authenticate as) [test]
=>
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [test.com]
=> api-xxxxxxxx.duosecurity.com
Feed created successfully with Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
Argumen get
Mendapatkan detail feed yang ada.
Contoh penggunaan
$ chronicle_cli feeds get --help
Usage: main feeds get [OPTIONS]
Get feed details using Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
Anda harus memasukkan ID feed secara interaktif untuk mendapatkan detail feed.
Contoh output
Enter Feed ID: 72d9b843-b387-4b17-ab2d-a8497313c89c
Feed Details:
ID: 72d9b843-b387-4b17-ab2d-a8497313c89c
Display Name: my_duo_auth_feed
Source type: Third party API
Log type: Salesforce
State: ACTIVE
Feed Settings:
API Hostname: myinstance.salesforce.com
Argumen list
Mencantumkan semua feed. Perintah ini digunakan untuk mengambil detail semua feed.
Contoh penggunaan
$ chronicle_cli feeds list --help
Usage: chronicle_cli feeds list [OPTIONS]
List all feeds
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Feed Details:
ID: 29259301-156b-4b60-ae91-855d15c39f6a
Source type: Third party API
Log type: Anomali
State: INACTIVE
============================================================
Feed Details:
ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
Display Name: my_duo_auth_feed
Source type: Third party API
Log type: Duo Auth
State: ACTIVE
Feed Settings:
API hostname: api-test.duosecurity.com
============================================================
Feed Details:
ID: 0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65
Source type: Third party API
Log type: Workspace Activities
State: ACTIVE
Feed Settings:
Customer ID: C12abc
Applications: ['drive', 'login']
============================================================
Jika ingin mengekspor data, Anda dapat menentukan jalur absolut/relatif file yang akan diekspor beserta format file (CSV/TXT/JSON). Format file default-nya adalah CSV.
Contoh output
Feed Details:
ID: 29259301-156b-4b60-ae91-855d15c39f6a
Source type: Third party API
Log type: Anomali
State: INACTIVE
============================================================
Feed Details:
ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
Display Name: my_duo_auth_feed
Source type: Third party API
Log type: Duo Auth
State: ACTIVE
Feed Settings:
API hostname: api-test.duosecurity.com
============================================================
Feed Details:
ID: 0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65
Source type: Third party API
Log type: Workspace Activities
State: ACTIVE
Feed Settings:
Customer ID: C12abc
Applications: ['drive', 'login']
============================================================
Feed list details exported successfully to: /usr/local/google/home/<user>/out/chronicle-cli/output.txt
Argumen update
Memperbarui feed yang ada.
Contoh penggunaan
$ chronicle_cli feeds update
Usage: chronicle_cli feeds update [OPTIONS]
Update feed details using Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
Setelah menjalankan perintah, masukkan ID feed dan semua nilai kolom lagi. Tekan Enter untuk menggunakan kembali nilai lama.
Contoh output
Enter Feed ID: ea28d66b-d81b-4b4d-ae16-3b1cd98132ca
Press Enter if you don't want to update.
Enter feed display name[old_display_name]:
(*) Username (Username to authenticate as)
=> USERNAME
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [api-xxxxxxxx.duosecurity.com]
=>
Feed updated successfully with Feed ID: ea28d66b-d81b-4b4d-ae16-3b1cd98132ca
Enter Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
Press Enter if you don't want to update.
Enter feed display name[]: my_feed_display_name
(*) Username (Username to authenticate as)
=> test1
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [api-xxxxxxxx.duosecurity.com]
=> test.com
Error occurred while updating feed. Response code: 400.
Error: generic::invalid_argument: failed to update feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to edit feed because of the following errors in the request: generic::invalid_argument: for Duo feeds, 'hostname' must be specified as "api-xxxxxxxx.duosecurity.com", e.g. "api-eval.duosecurity.com"
$ chronicle_cli feeds update
Enter Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?
Press Enter if you don't want to update.
(*) Username (Username to authenticate as) [test1]
=>
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [test.com]
=> api-devtest.duosecurity.com
Feed updated successfully with Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
Jika pembaruan feed gagal dan Anda memasukkan ID feed yang sama, perintah akan ditampilkan untuk mencoba ulang feed yang gagal atau memulai ulang proses. Jika Anda memasukkan ID feed yang tidak cocok dengan ID feed yang gagal, opsi untuk mencoba lagi tidak akan ditampilkan dan proses normal pembaruan feed akan dilanjutkan. Mekanisme percobaan ulang memungkinkan Anda mengubah nilai opsi yang diberikan dalam upaya yang gagal sebelumnya dengan cara interaktif. Tekan Enter untuk menggunakan kembali nilai yang sama untuk opsi dalam alur pembaruan feed.
Contoh output
Enter Feed ID: 51574667-dee6-408b-a5fc-0e07d3e9a429
Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?
Press Enter if you don't want to update.
Enter feed display name[old_display_name]:
(*) Username (Username to authenticate as) [TEEST]
=> TEST
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [asd]
=> api-xxxxxxxx.duosecurity.com
Feed updated successfully with Feed ID: 51574667-dee6-408b-a5fc-0e07d3e9a429
Argumen delete
Gunakan argumen ini untuk menghapus feed menggunakan ID feed. Saat dieksekusi, tindakan ini akan meminta ID feed yang akan dihapus.
Contoh penggunaan
$ chronicle_cli feeds delete --help
Usage: chronicle_cli feeds delete [OPTIONS]
Delete a feed
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Enter Feed ID: b0798c54-ed84-44e7-96d5-cbe208f28e49
Feed (ID: b0798c54-ed84-44e7-96d5-cbe208f28e49) deleted successfully.
Argumen enable
Mengaktifkan feed.
Contoh penggunaan
$ chronicle_cli feeds enable --help
Usage: main feeds enable [OPTIONS]
Enable feed for the given Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Anda harus memasukkan ID feed untuk mengaktifkan feed.
Contoh output
Enter Feed ID: 29259301-156b-4b60-ae91-855d15c39f6a
Feed with ID: 29259301-156b-4b60-ae91-855d15c39f6a enabled successfully.
Argumen disable
Menonaktifkan feed.
Contoh penggunaan
$ chronicle_cli feeds disable --help
Usage: main feeds disable [OPTIONS]
Disable feed for the given Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Anda harus memasukkan ID feed untuk menonaktifkan feed.
Contoh output
Enter Feed ID: 29259301-156b-4b60-ae91-855d15c39f6a
Feed with ID: 29259301-156b-4b60-ae91-855d15c39f6a disabled successfully.
Opsi
Bantuan (-h / --help)
Gunakan opsi -
h atau --
help untuk melihat penggunaan/deskripsi untuk perintah/opsi apa pun.
Contoh penggunaan
$ chronicle_cli feeds get -h
Usage: main feeds get [OPTIONS]
Get feed details using Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chron
icle_credentials.json
-h, --help Show this message and exit.
Jalur Kredensial (-c atau --credential-path)
Opsi ini memungkinkan Anda menentukan jalur untuk kredensial akun layanan
yang akan digunakan untuk autentikasi. Jika opsi ini tidak ditentukan,
CLI Google Security Operations akan mencari kredensial di jalur default,
yaitu ~/.chronicle_cli
(di dalam direktori tersembunyi bernama .chronicle_cli
di direktori utama).
Contoh penggunaan
$ chronicle_cli feeds list --credential-path=C:\chronicle_credentials.json
Panjang (--verbose)
Google Security Operations CLI akan mencetak detail selengkapnya ke konsol, seperti permintaan dan respons HTTP, saat flag ini digunakan.
Contoh penggunaan
$ chronicle_cli feeds list --verbose
Ekspor (--export)
Opsi ini memungkinkan Anda menentukan jalur file tempat output perintah list
akan diekspor. Jalur relatif dan absolut didukung.
Contoh penggunaan
$ chronicle_cli feeds list --export=$HOME/listFeedsResponse.txt
Format File (--file-format)
Opsi ini memungkinkan Anda menentukan format file konten yang diekspor dengan perintah list
. Ada tiga format yang didukung: CSV, JSON, dan TXT. Jika opsi ini tidak ditentukan dengan opsi --export
, format CSV akan digunakan sebagai default.
Contoh penggunaan
$ chronicle_cli feeds list --export=$HOME/listFeedsResponse.txt --file-format=TXT
Contoh output
Format CSV
ID,Display Name,Source type,Log type,State,Feed Settings
29259301-156b-4b60-ae91-855d15c39f6a,,Third party API,Anomali,INACTIVE,
292b7629-0250-476c-9fb2-4c8a738ce42c,my_duo_auth_feed,Third party API,Duo Auth,ACTIVE,API hostname: api-xxxxxxxxabjdsfklsadlfnsafs.duosecurity.com
0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65,,Third party API,Workspace Activities,ACTIVE,"Customer ID: C12abc Applications: ['drive', 'login']"
Format TXT
Feed Details:
ID: 29259301-156b-4b60-ae91-855d15c39f6a
Source type: Third party API
Log type: Anomali
State: INACTIVE
============================================================
Feed Details:
ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
Display Name: my_duo_auth_feed
Source type: Third party API
Log type: Duo Auth
State: ACTIVE
Feed Settings:
API hostname: api-test.duosecurity.com
============================================================
Format JSON
[
{
"name": "feeds/29259301-156b-4b60-ae91-855d15c39f6a",
"details": {
"logType": "ANOMALI_IOC",
"feedSourceType": "API",
"anomaliSettings": {}
},
"feedState": "INACTIVE"
},
{
"name": "feeds/292b7629-0250-476c-9fb2-4c8a738ce42c",
"details": {
"logType": "DUO_AUTH",
"feedSourceType": "API",
"duoAuthSettings": {
"hostname": "api-test.duosecurity.com"
}
},
"feedState": "ACTIVE",
"displayName": "my_duo_auth_feed"
}
]
Wilayah (--region)
Anda dapat memilih region dengan meneruskan flag --region
saat menjalankan perintah.
Untuk mengetahui informasi selengkapnya tentang cara menetapkan region default, lihat Menetapkan region default.
Pemecahan masalah
Bagian ini menampilkan output yang ditampilkan di konsol terhadap berbagai jenis kode respons yang diterima dari respons API.
Kode respons argumen get
Kode Respons | Output Konsol |
404 | ID feed tidak valid. Masukkan ID feed yang valid. |
400 | Feed tidak ada. |
Kode respons lainnya | Terjadi error saat mengambil feed.
Kode Respons: {status code}
Error: {error message}
|
Kode respons argumen list
Kode Respons | Output Konsol |
Kode respons apa pun selain 200 | Terjadi error saat mengambil daftar feed.
Kode Respons: {status code}
Error: {error message}
|
Semua feed dalam daftar gagal diambil | Di akhir output konsol, daftar akan dicetak dengan detail ID feed dan pesan error yang sesuai. |
Kode respons argumen create
Kode Respons | Output Konsol |
Kode respons apa pun selain 200 | Terjadi error saat membuat feed.
Kode Respons: {status code}
Error: {error message}
|
Kode respons argumen update
Kode Respons | Output Konsol |
Kode respons apa pun selain 200 | Terjadi error saat memperbarui feed. Kode Respons: {status code}
Error: {error message}
|
Kode respons argumen delete
Kode Respons | Output Konsol |
404 | ID feed tidak valid. Masukkan ID feed yang valid. |
400 | Feed tidak ada. |
Kode respons lainnya | Terjadi error saat menghapus feed.
Kode Respons: {status code}
Error: {error message}
|
Kode respons argumen enable
Kode Respons | Output Konsol |
404 | ID feed tidak valid. Masukkan ID feed yang valid. |
400 | Feed tidak ada. |
Kode respons lainnya | Terjadi error saat mengaktifkan feed.
Kode Respons: {status code}
Error: {error message}
|
Kode respons argumen disable
Kode Respons | Output Konsol |
404 | ID feed tidak valid. Masukkan ID feed yang valid. |
400 | Feed tidak ada. |
Kode respons lainnya | Terjadi error saat menonaktifkan feed.
Kode Respons: {status code}
Error: {error message}
|
Error atau pengecualian lainnya
Pengecualian | Output Konsol |
KeyError | Gagal menemukan kunci {key name} dalam respons.
|
Pengecualian | Gagal dengan pengecualian: {exception details}
|
File kredensial tidak ada | Gagal dengan pengecualian: [Errno 2] Tidak ada file atau direktori tersebut: '/usr/local/google/home/ Anda harus menempatkan kredensial di direktori yang diharapkan. Lihat Penginstalan. |
Alur kerja pengguna pengelolaan parser v2
Anda dapat menggunakan Google SecOps CLI untuk mengelola parser normalizer berbasis konfigurasi (CBN). Sebaiknya gunakan perintah CLI pengelolaan parser v2.
Perintah
parsers
perintah
Perintah parsers
menggunakan argumen berikut:
list_parsers
list_extensions
run_parser
submit_parser
submit_extension
delete_parser
delete_extension
deactivate_parser
activate_parser
get_parser
get_extension
get_validation_report
Sintaksis penggunaan:
$ chronicle_cli parsers ARGUMENT [OPTIONS]
Argumen
Semua alur kerja pengelolaan parser CBN di CLI Google SecOps bersifat interaktif. Jika diperlukan, Anda juga dapat menggunakan opsi perintah.
Argumen list_parsers
Mencantumkan semua parser.
$ chronicle_cli parsers list_parsers -h
Usage: chronicle_cli parsers list_parsers [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
[New]List all parsers for a given customer
Options:
-s, --state [ALL|ACTIVE|INACTIVE]
Filter on Parser State.
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Fetching list of parsers... Parser Details: Parser ID: 1242538299340357633 Log type: GCP_CLOUDAUDIT State: INACTIVE Type: CUSTOM Author: - Validation Report ID: 44684d8a-1d01-4e69-ab50-2e2d6e3ef3b2 Create Time: 2023-07-05T05:36:31.121236Z ============================================================ Parser Details: Parser ID: 3840440184193679361 Log type: GCP_CLOUDAUDIT State: INACTIVE Type: CUSTOM Author: - Validation Report ID: 3d2e1bdb-2793-48d1-a485-4f4748095cb8 Create Time: 2023-04-14T09:15:13.718842Z ============================================================ Parser Details: Parser ID: 3651720008402206721 Log type: GCP_SECURITYCENTER_ERROR State: ACTIVE Type: CUSTOM Author: - Validation Report ID: - Create Time: 2023-03-30T09:54:20.414510Z ============================================================
Argumen list_extensions
Mencantumkan semua ekstensi parser.
$ chronicle_cli parsers list_extensions -h
Usage: chronicle_cli parsers list_extensions [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
[New]List all extensions for a given customer
Options:
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Fetching list of Parser Extensions... ParserExtension Details: ParserExtension ID: 7b948bfb-d3f5-4922-9153-a20e75085990 Log type: BRO_DNS State: VALIDATED Validation Report ID: 6ef30ad9-db89-4f30-80f3-0f79758ff3c2 Create Time: 2023-07-06T03:58:26.594863Z State Last Changed Time: 2023-07-06T03:58:26.667151Z Last Live Time: 2023-07-06T03:58:28.019050Z ============================================================ ParserExtension Details: ParserExtension ID: 0fd9129b-d02b-42f7-912a-04b0bba0e0a7 Log type: GCP_DNS State: LIVE Validation Report ID: 1965880f-7cd7-4943-9adf-4bff0041793d Create Time: 2023-05-12T08:12:17.090559Z State Last Changed Time: 2023-05-12T08:12:17.271615Z Last Live Time: 2023-05-12T08:12:27.244342Z ============================================================ ParserExtension Details: ParserExtension ID: d9df9d75-bb3a-4c28-b18d-69a608762ecc Log type: GCP_VPC_FLOW State: REJECTED Validation Report ID: c59ef2ab-4a70-4373-bdc8-067c39ca5a40 Create Time: 2023-04-13T04:43:12.884287Z State Last Changed Time: 2023-04-13T04:43:13.288338Z Last Live Time: - ============================================================
Argumen run_parser
Untuk memvalidasi parser terhadap log tertentu, gunakan perintah berikut:
$ chronicle_cli parsers run_parser -h
Usage: chronicle_cli parsers run_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSER_CONFIG_FILE LOG_FILE
[New]Run a parser(with extension) against given logs
Options:
--parserextension_config_file TEXT
Path to extension config file.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Running parser(with extension) against given logs... {"host_ip": "1.1.1.1"} {'events': [{'event': {'metadata': {'eventTimestamp': '2023-06-26T08:45:10Z', 'eventType': 'GENERIC_EVENT', 'logType': 'BRO_DNS'}, 'principal': {'ip': ['1.1.1.1']}}}]} some thing {} Runtime: 1.2396s
Argumen submit_parser
Mengirimkan parser baru. Parser yang dikirim akan melalui validasi dan parser yang ada akan dipromosikan menjadi kandidat rollback.
$ chronicle_cli parsers submit_parser -h
Usage: main parsers submit_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
CONFIG_FILE [AUTHOR]
[New]Submit a new parser
Options:
--skip_validation_on_no_logs Skip validation if no logs are found.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Submitting Parser... Parser Details: Parser ID: 12774126091501569 Log type: GCP_CLOUDAUDIT State: INACTIVE Type: CUSTOM Author: - Validation Report ID: - Create Time: 2023-07-06T13:58:10.475391Z ============================================================
Argumen submit_extension
Mengirimkan ekstensi parser baru. Ekstensi parser yang dikirim akan melalui validasi. Jika validasi lulus, ekstensi parser baru akan dibuat.
$ chronicle_cli parsers submit_extension -h
Usage: chronicle_cli parsers submit_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
CONFIG_FILE LOG_FILE
[New]Submit a new extension
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Submitting Parser Extension... ParserExtension Details: ParserExtension ID: 88907461-c115-4204-8391-425b7a9cfb2c Log type: WORKSPACE_CHROMEOS State: NEW Validation Report ID: - Create Time: 2023-07-06T13:58:10.475391Z State Last Changed Time: - Last Live Time: - ============================================================
Argumen delete_parser
Menghapus parser kustom. Anda dapat mulai menggunakan parser bawaan untuk jenis log yang diberikan.
$ chronicle_cli parsers delete_parser -h
Usage: chronicle_cli parsers delete_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSER_ID
[New]Delete a parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Deleting Parser… Parser deleted successfully.
Argumen delete_extension
Menghapus parser kustom. Anda dapat mulai menggunakan parser bawaan untuk jenis log yang diberikan.
$ chronicle_cli parsers delete_extension -h
Usage: chronicle_cli parsers delete_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSEREXTENSION_ID
[New]Delete an extension
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Deleting Parser Extension… ParserExtension deleted successfully.
Argumen deactivate_parser
Menonaktifkan parser kustom yang aktif. Jika penonaktifan berhasil, Anda dapat mulai menggunakan parser bawaan untuk jenis log yang diberikan.
$ chronicle_cli parsers deactivate_parser -h
Usage: chronicle_cli parsers deactivate_parser [OPTIONS] PROJECT_ID CUSTOMER_ID
LOG_TYPE PARSER_ID
[New]Deactivate a parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Deactivating Parser… Parser deactivated successfully.
Argumen activate_parser
Mengaktifkan parser kustom. Anda dapat mulai menggunakan parser aktif.
$ chronicle_cli parsers activate_parser -h
Usage: chronicle_cli parsers activate_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSER_ID
[New]Activate a parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Activating Parser… Parser activated successfully.
Argumen get_parser
Mengambil detail ID parser dan jenis log yang diberikan.
$ chronicle_cli parsers get_parser -h
Usage: chronicle_cli parsers get_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSER_ID
[New]Get details of a parser
Options:
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Fetching Parser details... Parser Details: Parser ID: 3840440184193679361 Log type: GCP_CLOUDAUDIT State: INACTIVE Type: CUSTOM Author: - Validation Report ID: 3d2e1bdb-2793-48d1-a485-4f4748095cb8 Create Time: 2023-04-14T09:15:13.718842Z ============================================================
Argumen get_extension
Mengambil konfigurasi ID parser dan jenis log yang diberikan.
$ chronicle_cli parsers get_extension -h
Usage: chronicle_cli parsers get_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSEREXTENSION_ID
[New]Get details of an extension
Options:
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Fetching Parser Extension details... ParserExtension Details: ParserExtension ID: 7b948bfb-d3f5-4922-9153-a20e75085990 Log type: BRO_DNS State: VALIDATED Validation Report ID: 6ef30ad9-db89-4f30-80f3-0f79758ff3c2 Create Time: 2023-07-06T03:58:26.594863Z State Last Changed Time: 2023-07-06T03:58:26.667151Z Last Live Time: 2023-07-06T03:58:28.019050Z ============================================================
Argumen get_validation_report
Mengambil laporan validasi untuk parser atau ekstensi.
$ chronicle_cli parsers get_validation_report [OPTIONS] PROJECT_ID CUSTOMER_ID
LOG_TYPE VALIDATION_REPORT_ID
[New]Get validation report for a parser/extension
Options:
--parser_id TEXT ID of the parser.
--parserextension_id TEXT ID of the parser extension.
--env [prod|test] Optional: Specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select a region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Contoh output
Fetching Validation report for ParserExtension... Validation Report: Verdict: PASS Stats: LogEntry Count: 10000 Successfully Normalized Log Count: 10000 Failed Log Count: 0 Invalid Log Count: 0 On Error Count: 153938 Event Count: 10000 Generic Event Count: 0 Event Category: Valid_event: 10000 Drop Tag: - Max Parse Duration: 0.274677769s Avg Parse Duration: 0.010s Normalization percent: 100 Generic Event percent: 0 Errors: -
Opsi
Bantuan (-h / --help)
Gunakan opsi -h
atau --help
untuk melihat penggunaan dengan deskripsi untuk perintah apa pun.
Contoh Penggunaan:
$ chronicle_cli parsers list_parsers -h
Usage: chronicle_cli parsers list_parsers [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
[New]List all parsers for a given customer
Options:
-s, --state [ALL|ACTIVE|INACTIVE]
Filter on Parser State.
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Lingkungan (--env)
Anda dapat memilih lingkungan dengan meneruskan flag --env
dengan perintah dan panggilan API akan dieksekusi sebagaimana mestinya.
Anda dapat memilih nilai env dari berikut: prod
, test
.
Jika Anda tidak menentukan opsi ini, defaultnya ditetapkan ke prod
.
File Kredensial (-c atau --credential_file)
Opsi ini memungkinkan Anda menentukan jalur untuk kredensial akun layanan
yang akan digunakan untuk autentikasi.
Jika opsi ini tidak ditentukan, Google SecOps CLI akan mencari kredensial di
jalur default, yaitu ~/.chronicle_cli
(di dalam direktori tersembunyi bernama .chronicle_cli
di direktori utama).
Contoh Penggunaan:
$ chronicle_cli parsers list_parsers --credential_file=C:\chronicle_credentials.json
Wilayah (--region)
Anda dapat memilih region dengan meneruskan flag --region
saat menjalankan perintah.
Untuk mengetahui informasi selengkapnya tentang cara menetapkan region default, lihat Menetapkan region default.
Panjang (--verbose)
Opsi ini memungkinkan Anda mencetak detail Permintaan HTTP yang dibuat dan Respons yang diterima.
Contoh Penggunaan:
$ chronicle_cli parsers list_parsers --verbose
Ekspor (--export)
Opsi ini memungkinkan Anda menentukan jalur file tempat output perintah list
atau list_errors
akan diekspor. Jalur relatif dan absolut didukung.
Contoh Penggunaan:
$ chronicle_cli parsers list_parsers --export=parser_list
Format File (--file-format)
Opsi ini memungkinkan Anda menentukan format file konten yang diekspor dengan perintah list
atau list_errors
. Ada dua format yang didukung: JSON
dan TXT
. Jika opsi ini tidak ditentukan dengan opsi --export
, format TXT
akan digunakan sebagai default.
Contoh Penggunaan:
$ chronicle_cli parsers list_parsers --export=parser_list --file-format=JSON
Alur kerja pengguna pengelolaan parser
Google SecOps CLI dapat digunakan untuk mengelola parser CBN menggunakan perintah berikut. Namun, sebaiknya gunakan perintah CLI pengelolaan parser v2.
Perintah
parsers
perintah
Perintah parsers
menggunakan argumen berikut:
archive
download
generate
history
list
list_errors
run
status
submit
Sintaksis penggunaan:
$ chronicle_cli parsers ARGUMENT [OPTIONS]
Argumen
Semua alur kerja pengelolaan parser CBN di CLI Google SecOps bersifat interaktif. Anda akan diminta untuk memilih opsi jika diperlukan untuk perintah.
Argumen list
Untuk mencantumkan detail semua parser, gunakan perintah berikut:
$ chronicle_cli parsers list -h
Usage: main parsers list [OPTIONS]
List all parsers of a given customer
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Fetching list of parsers...
Parser Details:
Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed
Log type: WINDOWS_SYSMON
State: LIVE
SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: <user>@test.com
Submit Time: 2022-08-26T09:57:10.644351Z
State Last Changed Time: 2022-08-26T09:58:23.809636Z
Last Live Time: 2022-08-26T09:58:23.809636Z
============================================================
Parser Details:
Config ID: 7f2ae1f5-8f0c-43f9-bb02-299e7c8b9e82
Log type: BOX
State: LIVE
SHA256: 8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: <user>@test.com
Submit Time: 2022-08-25T07:33:31.026399Z
State Last Changed Time: 2022-08-25T07:33:32.263754Z
Last Live Time: 2022-08-25T07:33:32.263754Z
============================================================
Argumen generate
Untuk membuat contoh log untuk jenis log tertentu, gunakan perintah berikut:
$ chronicle_cli parsers generate -h
Usage: main parsers generate [OPTIONS]
Generate sample logs for a given log type
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Perintah ini membuat tiga file dengan 1, 10, dan 1.000 contoh log di direktori root
di bagian <root>/chronicle_cli/cbn/<log_type>/
.
Contoh output
Enter Start Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-17T10:00:00Z
Enter End Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-23T10:00:00Z
Enter Log Type: WINDOWS_DHCP
Generating sample size: 1...
Generating sample size: 10...
Generating sample size: 1k...
Generated sample data (WINDOWS_DHCP); run this to go there:
cd /usr/local/home/<user>/cbn/windows_dhcp
Argumen history
Untuk mendapatkan daftar semua detail pengiriman parser untuk jenis log tertentu, gunakan perintah berikut:
$ chronicle_cli parsers history -h
Usage: main parsers history [OPTIONS]
History retrieves all parsers submissions given a log type
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Enter Log Type: WINDOWS_SYSMON
Fetching history for parser...
Parser History:
Config ID: 8d9f5b1c-4689-4ca3-ae9b-863ce78dd123
Log type: WINDOWS_SYSMON
State: LIVE
SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: author@test.com
Submit Time: 2022-08-26T12:37:55.187407Z
State Last Changed Time: 2022-08-26T12:39:12.198587Z
Last Live Time: 2022-08-26T12:39:12.198587Z
============================================================
Parser History:
Config ID: 29bbf14b-2ffb-411a-bb37-911b13437123
Log type: WINDOWS_SYSMON
State: ARCHIVED
SHA256: 8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: author@test.com
Submit Time: 2022-08-26T12:05:34.421743Z
State Last Changed Time: 2022-08-26T12:39:12.198587Z
Last Live Time: 2022-08-26T12:06:55.495269Z
============================================================
Argumen list_errors
Untuk mencantumkan error jenis log antara stempel waktu tertentu, gunakan perintah berikut:
$ chronicle_cli parsers list_errors -h
Usage: main parsers list_errors [OPTIONS]
List errors of a log type between specific timestamps
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Enter Log Type: CISCO_ASA_FIREWALL
Enter Start Date (Format: yyyy-mm-ddThh:mm:ssZ): 2021-01-16T00:00:00Z
Enter End Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-21T12:00:00Z
Getting parser errors...
Error Details:
Error ID: f9eb72cb-f320-dd5a-a098-00bcaa76a35d
Config ID: N/A
Log type: CISCO_ASA_FIREWALL
Error Time: 2022-08-18T10:57:56.898883208Z
Error Category: CBN_parsers_GENERATED_INVALID_EVENT
Error Message: generic::invalid_argument: diff event timestamp ("seconds:1630106465") and create timestamp ("seconds:1660820265 nanos:202151000"): 8531h36m40.202151s, larger than allowed (4320h0m0s)
Logs:
<190>Aug 27 2020 23:21:05 TEST : %ASA-6-106012: Deny IP from 1.2.3.4 to 5.6.7.8, IP options: Test user
============================================================
Error Details:
Error ID: f9eb72cb-f320-dd5a-a098-00bcaa76a35d
Config ID: N/A
Log type: CISCO_ASA_FIREWALL
Error Time: 2022-08-18T10:57:56.898883208Z
Error Category: CBN_parsers_GENERATED_INVALID_EVENT
Error Message: generic::invalid_argument: diff event timestamp ("seconds:1630106465") and create timestamp ("seconds:1660820265 nanos:202151000"): 8531h36m40.202151s, larger than allowed (4320h0m0s)
Logs:
<190>Aug 27 2020 23:21:05 TEST : %ASA-6-106012: Deny IP from 1.2.3.4 to 5.6.7.8, IP options: Demo user
Argumen run
Untuk memvalidasi parser terhadap log tertentu, gunakan perintah berikut:
$ chronicle_cli parsers run -h
Usage: main parsers run [OPTIONS]
Run the parser against given logs
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Enter path for conf file: /usr/local/home/Desktop/windows_sysmon.conf
Enter path for log file: /usr/local/home/Desktop/windows_sysmon.log
Running Validation…
Runtime: 2.4914s
Argumen submit
Untuk mengirimkan parser baru, gunakan perintah berikut:
$ chronicle_cli parsers submit -h
Usage: main parsers submit [OPTIONS]
Submit new parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Enter Log type: CISCO_ASA_FIREWALL
Enter Config file path: /usr/local/Desktop/windows_sysmon.conf
Enter author: test
Submitting parser...
Submitted Parser Details:
Config ID: 9ba20930-9733-4fcd-badf-18fedb9f8123
Log type: CISCO_ASA_FIREWALL
State: NEW
SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: test
Submit Time: 2022-08-30T06:49:54.005119Z
State Last Changed Time: 2022-08-30T06:49:54.005119Z
Parser submitted successfully. To get status of the parser, run this command using following Config ID - 9ba20930-9733-4fcd-badf-18fedb9f8123:
chronicle_cli parsers status
Argumen status
Untuk mendapatkan status parser yang dikirimkan, gunakan perintah berikut:
$ chronicle_cli parsers status -h
Usage: main parsers status [OPTIONS]
Get status of a submitted parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Enter Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed
Getting parser...
Parser Details:
Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed
Log type: WINDOWS_SYSMON
State: ARCHIVED
SHA256: 79ac67c15ffb047a152be2fb2a3391cbe18b2d183e9e6a402eb2fe53a6666b17
Author: test
Submit Time: 2022-08-26T09:57:10.644351Z
State Last Changed Time: 2022-08-26T09:58:23.809636Z
Last Live Time: 2022-08-26T09:58:23.809636Z
Argumen archive
Untuk mengarsipkan parser yang ada, gunakan perintah berikut:
$ chronicle_cli parsers archive -h
Usage: main parsers archive [OPTIONS]
Archives a parser given the config ID.
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Enter Config ID: 1cb402d9-eab2-4f6b-b402-20b121167123
Archiving parser...
Parser archived Successfully.
Parser Details:
Config ID: 1cb402d9-eab2-4f6b-b402-20b121167123
Log type: WINDOWS_SYSMON
State: ARCHIVED
SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: test
Submit Time: 2022-08-26T09:57:10.644351Z
State Last Changed Time: 2022-08-26T09:58:23.809636Z
Last Live Time: 2022-08-26T09:58:23.809636Z
Argumen download
Untuk mendownload file konfigurasi (.conf
) untuk jenis log atau ID konfigurasi tertentu, gunakan perintah berikut:
$ chronicle_cli parsers download -h
Usage: main parsers download [OPTIONS]
Download parser code by given Config ID or Log type.
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Contoh output
- Menggunakan ID Konfigurasi.
Note: If you want to download parser by log type then skip the config ID.
Enter config ID: 9d1474ab-eff2-4855-ba57-4f0c458e3ac2
Downloading parser...
Writing parser to: CISCO_ASA_FIREWALL_20220825131911.conf
- Menggunakan Jenis Log.
Note: If you want to download parser by log type then skip the config ID.
Enter config ID:
Enter Log Type: CISCO_ASA_FIREWALL
Downloading parser...
Writing parser to: CISCO_ASA_FIREWALL_20220825132011.conf
Opsi
Bantuan (-h / --help)
Gunakan opsi -h
atau --help
untuk melihat penggunaan dengan deskripsi untuk perintah apa pun.
Contoh Penggunaan:
$ chronicle_cli parsers list -h
Usage: main parsers list [OPTIONS]
List all parsers of a given customer
Options:
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Lingkungan (--env)
Anda dapat memilih lingkungan dengan meneruskan flag --env
dengan perintah dan panggilan API akan dieksekusi sebagaimana mestinya.
Anda dapat memilih nilai env dari berikut: prod
, test
.
Jika Anda tidak menentukan opsi ini, defaultnya ditetapkan ke prod.
File Kredensial (-c atau --credential_file)
Opsi ini memungkinkan Anda menentukan jalur untuk kredensial akun layanan yang akan digunakan untuk autentikasi pengguna. Jika opsi ini tidak ditentukan, Google SecOps CLI akan mencari kredensial di jalur default, yaitu ~/.chronicle_cli
(di dalam direktori tersembunyi bernama .chronicle_cli
di direktori utama).
Contoh Penggunaan:
$ chronicle_cli parsers list --credential_file=C:\chronicle_credentials.json
Wilayah (--region)
Anda dapat memilih region dengan meneruskan flag --region
saat menjalankan perintah.
Untuk mengetahui informasi selengkapnya tentang cara menetapkan region default, lihat Menetapkan region default.
Panjang (--verbose)
Opsi ini memungkinkan Anda mencetak detail Permintaan HTTP yang dibuat dan Respons yang diterima.
Contoh Penggunaan:
$ chronicle_cli parsers list --verbose
Ekspor (--export)
Opsi ini memungkinkan Anda menentukan jalur file tempat output perintah list
atau
list_errors
akan diekspor. Jalur relatif dan absolut didukung.
Contoh Penggunaan:
$ chronicle_cli parsers list --export=parsers_list
Format File (--file-format)
Opsi ini memungkinkan Anda menentukan format file konten yang diekspor dengan
perintah list
atau list_errors
. Ada tiga format yang didukung: JSON
dan TXT
.
Jika opsi ini tidak ditentukan dengan opsi --export
, format TXT
akan digunakan sebagai default.
Contoh Penggunaan:
$ chronicle_cli parsers list --export=parsers_list --file-format=JSON
Pemecahan masalah
Kode Error Pengelolaan Parser CBN
Bagian ini menampilkan output yang ditampilkan di konsol terhadap berbagai jenis kode respons yang diterima dari respons API.
Lihat tabel di bawah untuk melihat output setiap perintah:
Kode Respons | Perintah | Output Konsol |
Kode respons apa pun selain 200 | {command}[archive, download, generate, history, list_errors, run, status, list, submit] |
Error saat parser {command} .Kode Respons: {status code} Error: {error message} |
Alur kerja pengguna pengelolaan penerusan
Google SecOps CLI dapat digunakan untuk mengelola forwarder dan kolektor terkait menggunakan perintah berikut:
Perintah
forwarders
perintah
Perintah forwarders
menggunakan argumen berikut:
create
update
get
list
delete
generate_files
collectors
Sintaksis penggunaan:
$ chronicle_cli forwarders ARGUMENT [OPTIONS]
collectors
perintah
Perintah collectors
menggunakan argumen berikut:
create
update
get
list
delete
Sintaksis penggunaan:
$ chronicle_cli forwarders collectors ARGUMENT [OPTIONS]
Argumen
Semua alur kerja pengguna Pengelolaan Pengirim di Google SecOps CLI bersifat interaktif. Anda akan diminta untuk memilih opsi saat diperlukan.
Argumen create
Untuk membuat forwarder baru dan mengonfigurasi kolektor untuknya, gunakan perintah berikut:
$ chronicle_cli forwarders create --help
Usage: main forwarders create [OPTIONS]
Create a Forwarder
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
$ chronicle_cli forwarders create
================================================================================
Press Enter if you want to use the default value mentioned besides field description in [] brackets.
================================================================================
(*) Forwarder Display Name : test_display_name
========================================
======== Forwarder Configuration =======
========================================
Upload Compression (Determines if uploaded data will be compressed) [Y/n]: y
Do you want to proceed with Forwarder Metadata? [y/N]: y
========================================
========== Forwarder Metadata ==========
========================================
Asset Namespace: test_namespace
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2
Do you want to proceed with Forwarder Regex Filters? [y/N]: y
========================================
======= Forwarder Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why): desc1
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1
You have selected allow
Do you want to add more Forwarder Regex Filters [y/N]: y
Filter Description (Describes what is being filtered and why): desc2
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 2
You have selected block
Do you want to add more Forwarder Regex Filters [y/N]: n
Do you want to proceed with Server Settings? [y/N]: y
========================================
=========== Server Settings ===========
========================================
Server State (Server State for Collector)
Choose:
1. active
2. suspended
: 1
You have selected active
Graceful Timeout (Number of seconds after which the forwarder returns a bad readiness/health check and still accepts new connections) [15]:
Drain timeout (Number of seconds after which the forwarder waits for active connections to successfully close on their own before being closed by the server) [10]:
Do you want to proceed with HTTP-specific server settings? [y/N]: y
========================================
==== HTTP-specific server settings ====
========================================
Host (IP address, or hostname that can be resolved to IP addresses, that the server should listen on) [0.0.0.0]: 10.0.14.132
Port (Port number that the HTTP server listens on for health checks from the load balancer) [8080]: 8000
Read Timeout (Maximum amount of time allowed to read the entire request, both the header and the body) [3]:
Read Header Timeout (Maximum amount of time allowed to read request headers) [3]:
Write Timeout (Maximum amount of time allowed to send a response) [3]:
Idle Timeout (Maximum amount of time (in seconds) to wait for the next request when idle connections are enabled) [3]:
Do you want to proceed with Route Settings? [y/N]: y
========================================
============ Route Settings ============
========================================
Available Status Code (Status code returned when a liveness check is received and the forwarder is available) [204]: 200
Ready Status Code (Status code returned when it is ready to accept traffic) [204]: 200
Unready Status Code (Status code returned when it is not ready to accept traffic) [503]: 500
Preview changes:
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific field, press '/' key, enter text and press enter.
- Press 'q' to quit and confirm preview changes.
- Press `h` for all the available options to navigate the list.
=============================================================================
Config:
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- behavior: ALLOW
description: desc1
regexp: .*
- behavior: BLOCK
description: desc2
regexp: .*
Server settings:
Drain timeout: 10
Graceful timeout: 15
Http settings:
Host: 10.0.14.132
Idle timeout: 3
Port: 8000
Read header timeout: 3
Read timeout: 3
Do you want to create forwarder with this configuration [y/N]: y
Creating forwarder...
Forwarder created successfully with Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Would you like to configure collectors for this forwarder? [y/N]: y
(*) Collector Display Name: collector_1
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected): WINDOWS_DNS
Do you want to proceed with Collector Metadata? [y/N]: y
========================================
========== Collector Metadata ==========
========================================
Asset Namespace: test_namespace
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why): desc1
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1
You have selected allow
Do you want to add more Collector Regex Filters [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: y
========================================
======== Collector Disk Buffer ========
========================================
Disk Buffer State (Disk buffering state for collector)
Choose:
1. active
2. suspended
: 1
You have selected active
Directory Path (Directory path for files written): path/to/file.txt
Max File Buffer Bytes (Maximum buffered file size): 45
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
: 1
File Path (Path of file to monitor): path/to/file.txt
Preview changes:
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific field, press '/' key, enter text and press enter.
- Press 'q' to quit and confirm preview changes.
- Press `h` for all the available options to navigate the list.
=============================================================================
Config:
Disk buffer:
Directory path: path/to/file.txt
Max file buffer bytes: 45
State: ACTIVE
File settings:
File path: path/to/file.txt
Log type: WINDOWS_DNS
Max bytes per batch: 1048576
Max seconds per batch: 10
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
Behavior: ALLOW
Description: desc1
Regexp: .*
Display name: collector_1
Do you want to create collector with this configuration [y/N]: y
Creating collector...
Collector created successfully with Collector ID: 1f72f9ab-3ae3-4c5f-955e-86c982587937
Would you like to add more collectors? [y/N]: n
Jika pembuatan forwarder gagal, dan Anda memasukkan ID forwarder yang sama, Anda akan diminta untuk mencoba kembali forwarder yang gagal atau memulai ulang proses. Jika ID penerusan yang Anda masukkan tidak cocok dengan ID penerusan yang gagal, Anda tidak akan diminta untuk mencoba lagi dan proses normal pembuatan penerusan akan dilanjutkan.
Contoh output
...
Creating forwarder...
Error occurred while creating forwarder.
Response Code: 500.
Error: ZERO_APP::1: create forwarder due to validation errors in request: generic::invalid_argument: filter's description is not specified
$ chronicle_cli forwarders create
Looks like there was a failed create/update attempt for test.
Would you like to retry?
(*) Forwarder Display Name [test]:
Do you want to create forwarder with this configuration [y/N]: y
Creating forwarder...
Forwarder created successfully with Forwarder ID: ab7af569-d957-44a3-99a8-aa70ffdc6458
Would you like to configure collectors for this forwarder? [y/N]: n
Argumen get
Untuk mendapatkan detail forwarder yang ada dan kolektor masing-masing, gunakan perintah berikut:
$ chronicle_cli forwarders get --help
Usage: main forwarders get [OPTIONS]
Get forwarder details using Forwarder ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Anda harus memasukkan ID pengirim untuk mendapatkan detail pengirim.
$ chronicle_cli forwarders get
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Fetching forwarder and its all associated collectors...
Forwarder Details:
ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
- description: desc2
regexp: .*
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8000
Host: 10.0.14.132
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 200
Ready status code: 200
Unready status code: 500
State: ACTIVE
Collectors:
Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
Display name: collector_1
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
Disk buffer:
State: ACTIVE
Directory path: path/to/file.txt
Max file buffer bytes: '45'
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
================================================================================
Argumen list
Untuk menampilkan daftar semua forwarder dan kolektor masing-masing, gunakan perintah berikut:
$ chronicle_cli forwarders list --help
Usage: main forwarders list [OPTIONS]
List all forwarders
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
--export TEXT Export output to specified file path
--file-format [TXT|CSV|JSON] Format of the file to be exported
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Perintah digunakan untuk mengambil detail semua pengirim dan kolektor.
Contoh output
$ chronicle_cli forwarders list
Fetching list of forwarders...
Forwarder Details:
ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
- description: desc2
regexp: .*
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8000
Host: 10.0.14.132
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 200
Ready status code: 200
Unready status code: 500
State: ACTIVE
Collectors:
Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
Display name: collector_1
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
Disk buffer:
State: ACTIVE
Directory path: path/to/file.txt
Max file buffer bytes: '45'
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
================================================================================
Forwarder Details:
ID: ddcca884-cdc6-4ac2-ad30-05a28e6cf35a
Display name: test
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test
Labels:
- key: k1
value: v2
Regex filters:
- description: hh
regexp: hh
behavior: ALLOW
- description: gg
regexp: gg
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8080
Host: 0.0.0.0
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 204
Ready status code: 204
Unready status code: 503
State: ACTIVE
Collectors:
Message: No collectors found for this forwarder.
================================================================================
Jika ingin mengekspor data, Anda dapat menentukan jalur absolut/relatif file yang akan diekspor beserta format file (CSV/TXT/JSON). Format file default-nya adalah CSV.
Contoh output
$ chronicle_cli forwarders list --export=$HOME/listforwarder --file-format=JSON
Fetching list of forwarders...
Forwarder Details:
ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
- description: desc2
regexp: .*
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8000
Host: 10.0.14.132
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 200
Ready status code: 200
Unready status code: 500
State: ACTIVE
Collectors:
Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
Display name: collector_1
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
Disk buffer:
State: ACTIVE
Directory path: path/to/file.txt
Max file buffer bytes: '45'
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
================================================================================
Forwarder Details:
ID: ddcca884-cdc6-4ac2-ad30-05a28e6cf35a
Display name: test
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test
Labels:
- key: k1
value: v2
Regex filters:
- description: hh
regexp: hh
behavior: ALLOW
- description: gg
regexp: gg
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8080
Host: 0.0.0.0
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 204
Ready status code: 204
Unready status code: 503
State: ACTIVE
Collectors:
Message: No collectors found for this forwarder.
================================================================================
Forwarders list details exported successfully to: /usr/local/google/home/<user>/listforwarder.json
Argumen update
Untuk memperbarui forwarder yang ada, gunakan perintah berikut:
$ chronicle_cli forwarders update --help
Usage: main forwarders update [OPTIONS]
Update a forwarder using forwarder ID.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Setelah menjalankan perintah, masukkan ID Pengirim dan semua nilai kolom lagi. Anda dapat menggunakan kembali nilai lama dengan menekan Enter.
Contoh output
$ chronicle_cli forwarders update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Press Enter if you don't want to update.
(*) Forwarder Display Name [test_display_name]:
========================================
======== Forwarder Configuration =======
========================================
Upload Compression (Determines if uploaded data will be compressed) [Y/n]: y
Do you want to proceed with Forwarder Metadata? [y/N]: y
========================================
========== Forwarder Metadata ==========
========================================
Asset Namespace [test_namespace]:
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[[{'key': 'key1', 'value': 'value1'}, {'key': 'key2', 'value': 'value2'}]]
Do you want to proceed with Forwarder Regex Filters? [y/N]: n
Do you want to proceed with Server Settings? [y/N]: n
Do you want to update forwarder with this configuration? [y/N]: y
Updating forwarder...
Forwarder updated successfully with Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Jika pembaruan forwarder gagal dan Anda memasukkan forwarder yang sama, perintah akan ditampilkan untuk mencoba kembali forwarder yang gagal atau memulai ulang proses. Jika Anda memasukkan ID pengirim yang tidak cocok dengan ID pengirim yang gagal, opsi untuk mencoba lagi tidak akan ditampilkan dan proses normal pembaruan pengirim akan dilanjutkan. Mekanisme percobaan ulang memungkinkan Anda mengubah nilai opsi yang diberikan dalam upaya yang gagal sebelumnya dengan cara interaktif. Tekan Enter untuk menggunakan kembali nilai yang sama untuk opsi dalam alur pembaruan penerusan.
Argumen delete
Gunakan argumen ini untuk menghapus pengirim menggunakan ID pengirim. Saat dieksekusi, tindakan ini akan meminta ID feed yang akan dihapus. Untuk menghapus penerusan yang ada, gunakan perintah berikut:
chronicle_cli forwarders delete --help
Usage: main forwarders delete [OPTIONS]
Delete a forwarder using Forwarder ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
$ chronicle_cli forwarders delete
Enter Forwarder ID: 0593ba21-a1c7-4279-b429-bc8df959bd59
Deleting forwarder and all its associated collectors...
Forwarder (ID: 0593ba21-a1c7-4279-b429-bc8df959bd59) deleted successfully with all its associated collectors.
Argumen generate_files
Gunakan argumen ini untuk membuat file yang memiliki informasi tentang pengirim menggunakan ID pengirim.
Untuk membuat file forwarder, gunakan perintah berikut:
$ chronicle_cli forwarders generate_files -h
Usage: main forwarders generate_files [OPTIONS]
Generate forwarder configuration files using Forwarder ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-f, --file-path TEXT Download generated forwarder files to the
specified path.
-h, --help Show this message and exit.
Contoh output
$ chronicle_cli forwarders generate_files --file-path=$HOME/GenerateForwarderFile
Enter Forwarder ID: 0768220e-8af6-4ef7-a1dd-73e33963b444
Generating forwarder files ...
Forwarder files generated successfully.
Configuration file: /usr/local/google/home/<user>/GenerateForwarderFile_forwarder.conf
Auth file: /usr/local/google/home/<user>/GenerateForwarderFile_forwarder_auth.conf
Sub-perintah kolektor
Argumen create
Gunakan perintah berikut untuk mengonfigurasi kolektor baru untuk forwarder tertentu.
$ chronicle_cli forwarders collectors create --help
Usage: main forwarders collectors create [OPTIONS]
Create a collector.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
$ chronicle_cli forwarders collectors create
================================================================================
Press Enter if you want to use the default value mentioned besides field description in [] brackets.
================================================================================
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
(*) Collector Display Name: collector_4
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected): WINDOWS_DNS
Do you want to proceed with Collector Metadata? [y/N]: y
========================================
========== Collector Metadata ==========
========================================
Asset Namespace: test_namespace
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why): desc1
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1
You have selected allow
Do you want to add more Collector Regex Filters? [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: n
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
File Path (Path of file to monitor): path/to/file.txt
Preview changes:
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific field, press '/' key, enter text and press enter.
- Press 'q' to quit and confirm preview changes.
- Press `h` for all the available options to navigate the list.
=============================================================================
Config:
File settings:
File path: path/to/file.txt
Log type: WINDOWS_DNS
Max bytes per batch: 1048576
Max seconds per batch: 10
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
Behavior: ALLOW
Description: desc1
Regexp: .*
Display name: collector_4
Do you want to create collector with this configuration? [y/N]: y
Creating collector...
Collector created successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Jika pembuatan kolektor gagal, dan Anda memasukkan ID kolektor yang sama, perintah akan ditampilkan untuk mencoba kembali kolektor yang gagal atau memulai ulang proses. Jika Anda memasukkan ID kolektor yang tidak cocok dengan ID kolektor yang gagal, opsi untuk mencoba lagi tidak ditampilkan dan proses normal pembaruan kolektor akan dilanjutkan.
Contoh output
$ chronicle_cli forwarders collectors create
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Looks like there was a failed create/update attempt for test_display.
Would you like to retry?
(*) Collector Display Name [test_display]:
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:
Do you want to proceed with Collector Metadata? [y/N]: y
========================================
========== Collector Metadata ==========
========================================
Asset Namespace [test]:
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[[{'key': 'k1', 'value': 'v1'}]]
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why)[old_desc]: desc2
Filter Regexp (The regular expression used to match against each incoming line) [.*]:
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
You have selected allow
Do you want to add more Collector Regex Filters? [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: n
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
: 1
File Path (Path of file to monitor) [path/to/file.txt]: path/to/file.txt
Preview changes:
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific field, press '/' key, enter text and press enter.
- Press 'q' to quit and confirm preview changes.
- Press `h` for all the available options to navigate the list.
=============================================================================
Config:
File settings:
File path: path/to/file.txt
Log type: WINDOWS_DNS
Max bytes per batch: 1048576
Max seconds per batch: 10
Metadata:
Asset namespace: test
Labels:
- key: k1
value: v1
Regex filters:
Behavior: ALLOW
Description: disc2
Regexp: .*
Display name: test_display
Do you want to create collector with this configuration? [y/N]: y
Creating collector...
Collector created successfully with Collector ID: b50a6b41-5476-41ee-ba7c-ce529ecffa62
Argumen get
Untuk mendapatkan detail kolektor yang ada, gunakan perintah berikut:
$ chronicle_cli forwarders collectors get --help
Usage: main forwarders collectors get [OPTIONS]
Get a collector using collector ID.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
Anda harus memasukkan ID kolektor secara interaktif untuk mendapatkan detail kolektor.
$ chronicle_cli forwarders collectors get
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Fetching collector details...
Collector Details:
ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Display name: collector_4
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
- description: desc2
regexp: .*
behavior: BLOCK
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
Argumen list
Untuk menampilkan daftar semua kolektor, gunakan perintah berikut:
chronicle_cli forwarders collectors list --help
Usage: main forwarders collectors list [OPTIONS]
List all collectors.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
$ chronicle_cli forwarders collectors list
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Collector Details:
ID: 153e4077-cd49-4ce5-87aa-254d239b9dda
Display name: collector_2
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
Disk buffer:
State: ACTIVE
Directory path: path/to/dir
Max file buffer bytes: '209'
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
================================================================================
Collector Details:
ID: b50a6b41-5476-41ee-ba7c-ce529ecffa62
Display name: test_display
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test
Labels:
- key: k1
value: v1
Regex filters:
- description: disc2
regexp: .*
behavior: ALLOW
- description: test
regexp: test
behavior: BLOCK
Disk buffer:
State: ACTIVE
Directory path: test
Max file buffer bytes: '55'
Max seconds per batch: 5
Max bytes per batch: '556676'
Syslog settings:
Protocol: TCP
Address: 1.2.3.4
Port: 3456
Buffer size: '65536'
Connection timeout: 60
Tls settings:
Certificate: test
Certificate key: test
Minimum tls version: '56'
Insecure skip verify: true
================================================================================
Argumen update
Untuk memperbarui kolektor yang ada, gunakan perintah berikut:
$ chronicle_cli forwarders collectors update --help
Usage: main forwarders collectors update [OPTIONS]
Update a collector using collector ID.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
$ chronicle_cli forwarders collectors update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
(*) Collector Display Name [collector_4]:
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:
Do you want to proceed with Collector Metadata? [y/N]: y
========================================
========== Collector Metadata ==========
========================================
Asset Namespace [test_namespace]:
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[{'key1':'value1'},{'key2':'value2'}]
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why)[old_desc]: desc1
Filter Regexp (The regular expression used to match against each incoming line)[.*]: .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
You have selected allow
Do you want to add more Collector Regex Filters? [y/N]: y
Filter Description (Describes what is being filtered and why): desc2
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 2
You have selected block
Do you want to add more Collector Regex Filters? [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: n
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
File Path (Path of file to monitor) [path/to/file.txt]: path/to/file.txt
Do you want to update collector with this configuration? [y/N]: y
Updating collector...
Collector updated successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Jika pembaruan kolektor gagal dan Anda memasukkan ID kolektor yang sama, perintah akan ditampilkan untuk mencoba kembali kolektor yang gagal atau memulai ulang proses. Jika Anda memasukkan ID kolektor yang tidak cocok dengan ID kolektor yang gagal, opsi untuk mencoba lagi tidak akan ditampilkan dan proses normal pembaruan kolektor akan dilanjutkan. Mekanisme percobaan ulang memungkinkan Anda mengubah nilai opsi yang diberikan dalam upaya yang gagal sebelumnya dengan cara interaktif. Tekan Enter untuk menggunakan kembali nilai yang sama untuk opsi dalam alur pembaruan kolektor.
...
Updating collector...
Do you want to update collector with this configuration? [y/N]: y
Error occurred while updating collector.
Response Code: 400.
Error: generic::invalid_argument: update collector (id: 3a74b289-ccb4-4cee-9713-611a3362f48f) for forwarder (id: a7e59660-959b-44e7-aa7e-baec820d01f4) for customer (id: ed19f037-2354-43df-bfbf-350362b45844): validation errors in request: generic::invalid_argument: filter's description is not specified: invalid argument
$ chronicle_cli forwarders collectors update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Looks like there was a failed create/update attempt for collector_4.
Would you like to retry?
(*) Collector Display Name [collector_4]:
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:
Do you want to proceed with Collector Metadata? [y/N]: n
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why)[old_desc]: desc1
Filter Regexp (The regular expression used to match against each incoming line) [.*]:
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
You have selected allow
Do you want to add more Collector Regex Filters? [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: n
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
[1]:
File Path (Path of file to monitor) [path/to/file.txt]:
Do you want to update collector with this configuration? [y/N]: y
Updating collector...
Collector updated successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Argumen delete
Gunakan argumen ini untuk menghapus kolektor menggunakan ID kolektor. Saat dieksekusi, kode ini meminta ID kolektor untuk dihapus.
Untuk menghapus kolektor yang ada, gunakan perintah berikut:
$ chronicle_cli forwarders collectors delete --help
Usage: main forwarders collectors delete [OPTIONS]
Delete a collector using collector ID.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Contoh output
$ chronicle_cli forwarders collectors delete
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Collector (ID: 3a74b289-ccb4-4cee-9713-611a3362f48f) deleted successfully.
Opsi
Bantuan (-h / --help)
Gunakan opsi -h
atau --help
untuk melihat penggunaan/deskripsi untuk perintah/opsi apa pun.
Contoh Penggunaan
$ chronicle_cli forwarders list -h
Usage: main forwarders list [OPTIONS]
List all forwarders
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Jalur Kredensial (-c atau --credential-path)
Opsi ini memungkinkan Anda menentukan jalur untuk kredensial akun layanan yang akan digunakan untuk autentikasi pengguna. Jika opsi ini tidak ditentukan, Google SecOps CLI akan mencari kredensial di jalur default, yaitu ~/.chronicle_cli
(di dalam direktori tersembunyi bernama .chronicle_cli
di direktori utama).
Contoh Penggunaan
$ chronicle_cli forwarders list --credential-path=C:\chronicle_credentials.json
Panjang (--verbose)
Opsi ini memungkinkan Anda mencetak detail Permintaan HTTP yang dibuat dan Respons yang diterima.
Contoh Penggunaan
$ chronicle_cli forwarders list --verbose
Ekspor (--export)
Opsi ini memungkinkan Anda menentukan jalur file tempat output perintah list
akan diekspor. Jalur relatif dan absolut didukung.
Contoh Penggunaan
$ chronicle_cli forwarders list --export=$HOME/listForwarderssResponse
Format File (--file-format)
Opsi ini memungkinkan Anda menentukan format file konten yang diekspor dengan perintah list
. Ada tiga format yang didukung: CSV, JSON, dan TXT. Jika opsi ini tidak ditentukan dengan opsi --export
, format CSV akan digunakan sebagai default.
Contoh Penggunaan
$ chronicle_cli forwarders list --export=$HOME/listForwardersResponse --file-format=JSON
Contoh output
Format JSON
{
"forwarders": [
{
"name": "55a77e24-9d16-4638-8940-0ef8071ed849",
"displayName": "new",
"config": {
"uploadCompression": true,
"metadata": {
"assetNamespace": "test",
"labels": [
{
"key": "k",
"value": "v"
},
{
"key": "k1",
"value": "v1"
}
]
},
"regexFilters": [
{
"description": "desc1",
"regexp": ".*",
"behavior": "ALLOW"
}
],
"serverSettings": {
"gracefulTimeout": 15,
"drainTimeout": 10,
"httpSettings": {
"port": 8080,
"host": "0.0.0.0",
"readTimeout": 3,
"readHeaderTimeout": 3,
"writeTimeout": 3,
"idleTimeout": 3,
"routeSettings": {
"availableStatusCode": 204,
"readyStatusCode": 204,
"unreadyStatusCode": 503
}
},
"state": "ACTIVE"
}
},
"state": "ACTIVE",
"collectors": {
"Collector [3e8243c3-7ff2-4ede-89fe-16410ffe03bd]": {
"name": "3e8243c3-7ff2-4ede-89fe-16410ffe03bd",
"displayName": "cre_test_2",
"state": "ACTIVE",
"config": {
"logType": "WINDOWS_DNS",
"metadata": {
"assetNamespace": "test",
"labels": [
{
"key": "k",
"value": "v"
}
]
},
"regexFilters": [
{
"description": "desc1",
"regexp": ".*",
"behavior": "ALLOW"
}
],
"diskBuffer": {
"state": "ACTIVE",
"directoryPath": "23",
"maxFileBufferBytes": "33"
},
"maxSecondsPerBatch": 10,
"maxBytesPerBatch": "1048576",
"fileSettings": {
"filePath": "path/file.txt"
}
}
}
}
}
]
}
Format CSV
1. {file_name}_forwarders.csv
2. {file_name}_collectors.csv
Contoh konten file:
{file_name}_forwarders.csv
:
Name,Display name,Forwarder state,[CONFIG] Upload compression,[CONFIG][METADATA] Asset namespace,[CONFIG][METADATA] Labels,[CONFIG] Regex filters,[CONFIG][SERVER_SETTINGS] Server state,[CONFIG][SERVER_SETTINGS] Graceful timeout,[CONFIG][SERVER_SETTINGS] Drain timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Port,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Host,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Read timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Read header timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Write timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Idle timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Available status code,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Ready status code,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Unready status code
0593ba21-a1c7-4279-b429-bc8df959bd59,test,ACTIVE,True,test,"k1: v1
k2: v2
",,,,,,,,,,,0,0,0
094c9e41-e7c8-407a-8b9a-eb34d608a609,test,ACTIVE,True,te,"k1: v1
k2: v2
",,,,,,,,,,,0,0,0
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,test,ACTIVE,True,test,"key1: value1
key2: value2
",,ACTIVE,15,10,8080,0.0.0.0,3,4,5,8,204,204,500
{file_name}_collectors.csv
Forwarder ID,Name,Display Name,Collector state,[CONFIG] Log type,[CONFIG] Max seconds per batch,[CONFIG] Max bytes per batch,[CONFIG][METADATA] Asset namespace,[CONFIG][METADATA] Labels,[CONFIG] Regex filters,[CONFIG][DISK_BUFFER] State,[CONFIG][DISK_BUFFER] Directory path,[CONFIG][DISK_BUFFER] Max file buffer bytes,[CONFIG][FILE_SETTINGS] File path,[CONFIG][KAFKA_SETTINGS][AUTHENTICATION] username,[CONFIG][KAFKA_SETTINGS][AUTHENTICATION] password,[CONFIG][KAFKA_SETTINGS] Topic,[CONFIG][KAFKA_SETTINGS] Group id,[CONFIG][KAFKA_SETTINGS] Timeout,[CONFIG][KAFKA_SETTINGS] Brokers,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Certificate,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Certificate key,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Minimum tls version,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Insecure skip verify,[CONFIG][PCAP_SETTINGS] Network interface,[CONFIG][PCAP_SETTINGS] Bpf,[CONFIG][SPLUNK_SETTINGS][AUTHENTICATION] username,[CONFIG][SPLUNK_SETTINGS][AUTHENTICATION] Password,[CONFIG][SPLUNK_SETTINGS] Host,[CONFIG][SPLUNK_SETTINGS] Port,[CONFIG][SPLUNK_SETTINGS] Minimum window size,[CONFIG][SPLUNK_SETTINGS] Maximum windows size,[CONFIG][SPLUNK_SETTINGS] Query string,[CONFIG][SPLUNK_SETTINGS] Query mode,[CONFIG][SPLUNK_SETTINGS] Cert ignored,[CONFIG][SYSLOG_SETTINGS] Protocol,[CONFIG][SYSLOG_SETTINGS] Address,[CONFIG][SYSLOG_SETTINGS] Port,[CONFIG][SYSLOG_SETTINGS] Buffer size,[CONFIG][SYSLOG_SETTINGS] Connection timeout,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Certificate,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Certificate key,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Minimum tls version,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Insecure skip verify
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,03d28371-1bcb-4b28-9364-18412de1f827,collector_2,ACTIVE,WINDOWS_DNS,10,1048576,collector_update,"key1: value1
key2: value2
",,ACTIVE,path/file.txt,23,path/to/file.txt,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,8ba8278c-1eef-4a72-a45a-491463768c70,col_3,ACTIVE,WINDOWS_DNS,10,1048576,test,"k1: v1
",,ACTIVE,path/to/file,233,path,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
55a77e24-9d16-4638-8940-0ef8071ed849,3e8243c3-7ff2-4ede-89fe-16410ffe03bd,cre_test_2,ACTIVE,WINDOWS_DNS,10,1048576,test,"k: v
",,ACTIVE,23,33,path/file.txt,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Wilayah (--region)
Anda dapat memilih region dengan meneruskan flag --region
saat menjalankan perintah.
Untuk mengetahui informasi selengkapnya tentang cara menetapkan region default, lihat Menetapkan region default.
Pemecahan masalah
Kode Error
Bagian ini menampilkan output yang ditampilkan di konsol terhadap berbagai jenis kode respons yang diterima dari respons API.
Lihat tabel berikut untuk melihat output setiap perintah:
Get
perintah
Kode Respons | Output Konsol |
404 | {Forwarder|Collector} tidak ada.
|
400 | ID {Forwarder|Collector} tidak valid. Masukkan ID {Forwarder|Collector} yang valid.
|
Kode respons lainnya | Terjadi error saat mengambil {Forwarder|Collector} .
Kode Respons: {status code}
Error: {error message}
|
List
perintah
Kode Respons | Output Konsol |
Kode respons apa pun selain 200 | Error:
Kode Respons: {status code}
Error: {error message}
|
Create
perintah
Kode Respons | Output Konsol |
Kode respons apa pun selain 200 | Terjadi error saat membuat {forwarder|collector}
Kode Respons: {status code}
Error: {error message}
|
Update
perintah
Kode Respons | Output Konsol |
Kode respons apa pun selain 200 | Terjadi error saat memperbarui {forwarder|collector} . Kode Respons: {status code}
Error: {error message}
|
Delete
perintah
Kode Respons | Output Konsol |
404 | {Forwarder|Collector} tidak ada.
|
400 | ID {Forwarder|Collector} tidak valid. Masukkan ID {Forwarder|Collector} yang valid.
|
Kode respons lainnya | Terjadi error saat menghapus {Forwarder|Collector} .
Kode Respons: {status code}
Error: {error message}
|
Error atau pengecualian lainnya
Pengecualian | Output Konsol |
KeyError | Gagal menemukan kunci {key name} dalam respons.
|
Pengecualian | Gagal dengan pengecualian: {exception details}
|
File kredensial tidak ada | Gagal dengan pengecualian: [Errno 2] Tidak ada file atau direktori tersebut: '/usr/local/google/home/ Anda harus menempatkan kredensial di direktori yang diharapkan. Lihat Penginstalan. |
Untuk kueri atau masalah lain terkait CLI Google Security Operations, hubungi Dukungan Google Security Operations.
Alur kerja akses data BigQuery
Google Security Operations mendukung akses layanan mandiri ke data Google Security Operations (baik SIEM maupun SOAR) di BigQuery. Anda dapat menggunakan Google Security Operations CLI untuk memberikan peran Identity and Access Management (IAM) yang memberikan izin berikut untuk email pengguna:
roles/bigquery.dataViewer
roles/bigquery.jobUser
roles/storage.objectViewer
Email harus berupa alamat email pengguna Akun Google dan Administrasi ID (GAIA) dari pelanggan Google SecOps.
Untuk informasi selengkapnya tentang peran ini, lihat Mengekspor data tabel.
Perintah
bigquery
perintah
Perintah bigquery
menggunakan argumen provide_access
.
Sintaksis penggunaan:
$ chronicle_cli bigquery ARGUMENT [OPTIONS]
Argumen
Argumen provide_access
Meminta Anda memasukkan alamat email pengguna. Email harus berupa alamat email pengguna Akun Google dan Administrasi ID (GAIA) dari pelanggan Google SecOps Security. Pengguna akan menerima peran IAM yang diperlukan untuk melakukan hal berikut:
- Membaca data dan metadata dari tabel BigQuery (
roles/bigquery.dataViewer
) - Menjalankan kueri pada data tabel BigQuery (
roles/bigquery.jobUser
) - Membaca data di bucket Google Cloud Storage(
roles/storage.objectViewer
)
Contoh penggunaan
$ chronicle_cli bigquery provide_access
$ Enter email: xyz@gmail.com
Respons berhasil
Providing BigQuery access...
Access provided to email: xyz@gmail.com
Respons error
Providing BigQuery access...
Error while providing access:
Response code: 400
Opsi
Bantuan (-h / --help)
Gunakan opsi -
h atau --
help untuk melihat penggunaan/deskripsi untuk perintah/opsi apa pun.
Pemecahan masalah
Bagian ini menampilkan output yang ditampilkan di konsol terhadap berbagai jenis kode respons yang diterima dari respons API.
Kode respons argumen provide_access
Kode Respons | Output Konsol |
400 | Email tidak ada. |
Kode respons lainnya | Terjadi error saat mengambil feed.
Kode Respons: {status code}
Error: {error message}
|