Guia do usuário da CLI do Chronicle

Como alternativa ao uso da interface gráfica do usuário do Chronicle, os usuários avançados podem usar a interface de linha de comando (CLI) do Chronicle, chronicle_cli, para iniciar fluxos de trabalho do Chronicle.

É possível usar a CLI do Chronicle para estes fluxos de trabalho:

Os comandos da CLI do Chronicle usam a seguinte sintaxe (COMMAND e ARGUMENT são obrigatórios, mas OPTIONS é opcional):

$ chronicle_cli COMMAND ARGUMENT [OPTIONS]

Por exemplo, para criar um novo feed usando os fluxos de trabalho de gerenciamento de feeds, use o seguinte comando:

$ chronicle_cli feeds create

Antes de começar

Antes de instalar a CLI do Chronicle, faça o seguinte:

Instalação

Nesta seção, apresentamos informações sobre como instalar a CLI do Chronicle no seu ambiente.

  1. Crie e ative o ambiente virtual venv.

  2. Clone o repositório usando o seguinte comando:

    git clone https://github.com/chronicle/cli.git
    
  3. Abra um terminal e instale todos os pacotes dependentes necessários no seu ambiente virtual executando o seguinte comando:

    $ cd cli
    $ (env) pip install -r requirements.txt
    
  4. Instale o binário do Chronicle executando o seguinte comando:

    $ (env) python3 -m pip install --editable .
    
  5. Para confirmar que a instalação foi concluída, execute o seguinte comando:

    $ chronicle_cli --help
    
Exemplo de saída
Usage: chronicle_cli [OPTIONS] COMMAND [ARGS]...

  Chronicle CLI is a CLI tool for managing Chronicle user workflows for e.g.
  Feed Management workflows.

Options:
  -h, --help  Show this message and exit.

Commands:
  feeds  Feed Management Workflows

Opções

Você pode substituir a configuração padrão fornecendo flags adicionais ao executar comandos.

Definir uma região padrão (--region)

Para selecionar uma região, transmita a sinalização --region com o comando. As chamadas de API serão feitas para o back-end apropriado do Chronicle.

É possível definir as seguintes regiões:

  • ASIA-NORTHEAST1
  • ASIA-SOUTH1
  • ASIA-SOUTHEAST1
  • AUSTRALIA-SOUTHEAST1
  • EUROPE
  • EUROPE-WEST2
  • EUROPE-WEST3
  • EUROPE-WEST6
  • ME-CENTRAL2
  • ME-WEST1
  • NORTHAMERICA-NORTHEAST2
  • US

Se você não especificar a região, a padrão será definida como US.

Fluxos de trabalho de gerenciamento de feeds

É possível usar a CLI do Chronicle para criar e gerenciar feeds de dados na instância do Chronicle.

Comandos

Comando feeds

O comando feeds usa estes argumentos:

  • create
  • update
  • get
  • list
  • delete
  • enable
  • disable

Sintaxe de uso:

$ chronicle_cli feeds ARGUMENT [OPTIONS]

Argumentos

argumento create

Cria um novo feed.

Exemplo de uso
$ chronicle_cli feeds create --help
Usage: chronicle_cli feeds create [OPTIONS]

  Create a feed

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential-path TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
  • Para a plataforma Windows
====================================
========== Set Properties ==========
====================================

List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API

[Source type] Enter your choice: 7

You have selected Third party API

List of Log types:

(i) How to select log type?
  - Press ENTER key (scrolls one line at a time) or SPACEBAR key (display next screen).
  - Note down the choice number for the log type that you want to select.
  - Press 'q' to quit and enter that choice number.
=============================================================================
1. Anomali
2. Azure AD
3. Azure AD Directory Audit
4. Azure AD Organizational Context
5. Cloud Passage
6. Duo Auth
7. Duo User Context
8. Fox-IT
9. Imperva
10. Microsoft Graph API Alerts:

[Log type] Enter your choice: 7

You have selected Duo User Context

Enter feed display name: my_duo_user_context_feed

======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.

(*) Username (Username to authenticate as)
=> USERNAME

(*) Secret (Secret to authenticate with)
=>

(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> api-xxxxxxxx.duosecurity.com

Feed created successfully with Feed ID: 9cfce415-97df-413b-8e38-e7c747f9ed38
  • Para outras plataformas, como Linux/Ubuntu/CentOS/MacOS
====================================
========== Set Properties ==========
====================================

List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API

[Source type] Enter your choice: 7

You have selected Third party API

List of Log types:

(i) How to select log type?
  - Press Up/b or Down/z keys to paginate.
  - To switch case-sensitivity, press '-i' and press enter. By default, search
    is case-sensitive.
  - To search for specific log type, press '/' key, enter text and press enter.
  - Note down the choice number for the log type that you want to select.
  - Press 'q' to quit and enter that choice number.
  - Press `h` for all the available options to navigate the list.
=============================================================================
1. Anomali
2. Azure AD
3. Azure AD Directory Audit
4. Azure AD Organizational Context
5. Cloud Passage
6. Duo Auth
7. Duo User Context
8. Fox-IT
9. Imperva:

[Log type] Enter your choice: 7

You have selected Duo User Context
======================================
======================================
(*) - Required fields.
Password/secret inputs are hidden.

(*) Username (Username to authenticate as)
=> USERNAME

(*) Secret (Secret to authenticate with)
=>

(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> api-xxxxxxxx.duosecurity.com

Feed created successfully with Feed ID: 9cfce415-97df-413b-8e38-e7c747f9ed38

Se a criação do feed falhar, na próxima vez que você precisar tentar novamente, Você pode tentar novamente ou continuar criando um novo feed. O mecanismo de nova tentativa permite que você altere interativamente os valores fornecidos na tentativa anterior com falha. Pressione Enter se quiser reutilizar o mesmo valor em uma opção no fluxo de criação de feed.

Exemplo de saída
====================================
========== Set Properties ==========
====================================

List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API

[Source type] Enter your choice: 7

You have selected Third party API

[Log type] Enter your choice: 6

You have selected Duo Auth

Enter feed display name: my_duo_auth_feed

======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.

(*) Username (Username to authenticate as)
=> test

(*) Secret (Secret to authenticate with)
=>

(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> test.com

Error occurred while creating feed.
Response Code: 400.
Error: generic::invalid_argument: failed to create feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to create feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to create feed because of the following errors in the request: generic::invalid_argument: for Duo feeds, 'hostname' must be specified as "api-xxxxxxxx.duosecurity.com", e.g. "api-eval.duosecurity.com"

$ chronicle_cli feeds create

Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?

======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.

(*) Username (Username to authenticate as) [test]
=>

(*) Secret (Secret to authenticate with)
=>

(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [test.com]
=> api-xxxxxxxx.duosecurity.com

Feed created successfully with Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6

argumento get

Recebe detalhes de um feed existente.

Exemplo de uso
$ chronicle_cli feeds get --help
Usage: main feeds get [OPTIONS]

  Get feed details using Feed ID

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential-path TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
  -h, --help                      Show this message and exit.

Você precisa inserir o ID do feed de maneira interativa para ver os detalhes.

Exemplo de saída
Enter Feed ID: 72d9b843-b387-4b17-ab2d-a8497313c89c

Feed Details:
  ID: 72d9b843-b387-4b17-ab2d-a8497313c89c
  Display Name: my_duo_auth_feed
  Source type: Third party API
  Log type: Salesforce
  State: ACTIVE
  Feed Settings:
    API Hostname: myinstance.salesforce.com

argumento list

Lista todos os feeds. Esse comando é usado para buscar os detalhes de todos os feeds.

Exemplo de uso
$ chronicle_cli feeds list --help
Usage: chronicle_cli feeds list [OPTIONS]

List all feeds

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  --export TEXT                   Export output to specified file path.
  --file-format [TXT|CSV|JSON]    Format of the file to be exported.
  -c, --credential-path TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Feed Details:
  ID: 29259301-156b-4b60-ae91-855d15c39f6a
  Source type: Third party API
  Log type: Anomali
  State: INACTIVE
============================================================

Feed Details:
  ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
  Display Name: my_duo_auth_feed
  Source type: Third party API
  Log type: Duo Auth
  State: ACTIVE
  Feed Settings:
    API hostname: api-test.duosecurity.com

============================================================

Feed Details:
  ID: 0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65
  Source type: Third party API
  Log type: Workspace Activities
  State: ACTIVE
  Feed Settings:
    Customer ID: C12abc
    Applications: ['drive', 'login']

============================================================

Se você quiser exportar os dados, poderá especificar o caminho absoluto/relativo do arquivo a ser exportado com o formato do arquivo (CSV/TXT/JSON). O formato de arquivo padrão é CSV.

Exemplo de saída
Feed Details:
  ID: 29259301-156b-4b60-ae91-855d15c39f6a
  Source type: Third party API
  Log type: Anomali
  State: INACTIVE
============================================================

Feed Details:
  ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
  Display Name: my_duo_auth_feed
  Source type: Third party API
  Log type: Duo Auth
  State: ACTIVE
  Feed Settings:
    API hostname: api-test.duosecurity.com

============================================================

Feed Details:
  ID: 0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65
  Source type: Third party API
  Log type: Workspace Activities
  State: ACTIVE
  Feed Settings:
    Customer ID: C12abc
    Applications: ['drive', 'login']

============================================================
Feed list details exported successfully to: /usr/local/google/home/<user>/out/chronicle-cli/output.txt

argumento update

Atualiza um feed existente.

Exemplo de uso
$ chronicle_cli feeds update
Usage: chronicle_cli feeds update [OPTIONS]

  Update feed details using Feed ID

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential-path TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
  -h, --help                      Show this message and exit.

Depois de executar o comando, insira o ID do feed e todos os valores dos campos novamente. Pressione Enter para reutilizar o valor antigo.

Exemplo de saída
Enter Feed ID: ea28d66b-d81b-4b4d-ae16-3b1cd98132ca
Press Enter if you don't want to update.

Enter feed display name[old_display_name]:

(*) Username (Username to authenticate as)
=> USERNAME

(*) Secret (Secret to authenticate with)
=>

(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [api-xxxxxxxx.duosecurity.com]
=>

Feed updated successfully with Feed ID: ea28d66b-d81b-4b4d-ae16-3b1cd98132ca
Enter Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
Press Enter if you don't want to update.

Enter feed display name[]: my_feed_display_name

(*) Username (Username to authenticate as)
=> test1

(*) Secret (Secret to authenticate with)
=>

(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [api-xxxxxxxx.duosecurity.com]
=> test.com

Error occurred while updating feed. Response code: 400.
Error: generic::invalid_argument: failed to update feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to edit feed because of the following errors in the request: generic::invalid_argument: for Duo feeds, 'hostname' must be specified as "api-xxxxxxxx.duosecurity.com", e.g. "api-eval.duosecurity.com"

$ chronicle_cli feeds update
Enter Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6

Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?

Press Enter if you don't want to update.

(*) Username (Username to authenticate as) [test1]
=>

(*) Secret (Secret to authenticate with)
=>

(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [test.com]
=> api-devtest.duosecurity.com

Feed updated successfully with Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6

Se a atualização do feed falhar e você inserir o mesmo ID, uma solicitação será exibida para repetir o feed com falha ou para reiniciar o processo. Se você inserir um ID de feed que não corresponde ao ID que falhou, a opção de tentar novamente não será exibida e o processo normal de atualização do feed continuará. O mecanismo de repetição permite alterar os valores de opção fornecidos na tentativa com falha anterior de maneira interativa. Pressione Enter para reutilizar o mesmo valor em uma opção no fluxo de atualização do feed.

Exemplo de saída
Enter Feed ID: 51574667-dee6-408b-a5fc-0e07d3e9a429

Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?

Press Enter if you don't want to update.

Enter feed display name[old_display_name]:

(*) Username (Username to authenticate as) [TEEST]
=> TEST

(*) Secret (Secret to authenticate with)
=>

(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [asd]
=> api-xxxxxxxx.duosecurity.com

Feed updated successfully with Feed ID: 51574667-dee6-408b-a5fc-0e07d3e9a429

argumento delete

Use esse argumento para excluir um feed usando um ID de feed. Quando executado, ele solicita que o ID do feed seja excluído.

Exemplo de uso
$ chronicle_cli feeds delete --help
Usage: chronicle_cli feeds delete [OPTIONS]

  Delete a feed

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  -c, --credential-path TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Enter Feed ID: b0798c54-ed84-44e7-96d5-cbe208f28e49

Feed (ID: b0798c54-ed84-44e7-96d5-cbe208f28e49) deleted successfully.

argumento enable

Ativa um feed.

Exemplo de uso
$ chronicle_cli feeds enable --help
Usage: main feeds enable [OPTIONS]

  Enable feed for the given Feed ID

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential-path TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.

É necessário inserir o ID do feed para ativá-lo.

Exemplo de saída
Enter Feed ID: 29259301-156b-4b60-ae91-855d15c39f6a
Feed with ID: 29259301-156b-4b60-ae91-855d15c39f6a enabled successfully.

argumento disable

Desativa um feed.

Exemplo de uso
$ chronicle_cli feeds disable --help
Usage: main feeds disable [OPTIONS]

  Disable feed for the given Feed ID

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential-path TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.

Insira o ID do feed para desativá-lo.

Exemplo de saída
Enter Feed ID: 29259301-156b-4b60-ae91-855d15c39f6a
Feed with ID: 29259301-156b-4b60-ae91-855d15c39f6a disabled successfully.

Opções

Ajuda (-h / --help)

Use a opção de ajuda -h ou -- para consultar o uso/descrição de qualquer comando/opção.

Exemplo de uso
$ chronicle_cli feeds get -h
Usage: main feeds get [OPTIONS]

  Get feed details using Feed ID

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console
  -c, --credential-path TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli/chron
                                  icle_credentials.json
  -h, --help                      Show this message and exit.

Caminho das credenciais (-c ou --credential-path)

Essa opção permite especificar o caminho das credenciais da conta de serviço a ser usada para a autenticação. Se essa opção não for especificada, a CLI do Chronicle vai procurar credenciais no caminho padrão, ou seja, ~/.chronicle_cli (dentro de um diretório oculto chamado .chronicle_cli no diretório inicial).

Exemplo de uso
$ chronicle_cli feeds list --credential-path=C:\chronicle_credentials.json

Detalhado (--detalhado)

Quando essa flag é usada, a CLI do Chronicle imprime mais detalhes no console, como solicitações e respostas HTTP.

Exemplo de uso
$ chronicle_cli feeds list --verbose

Exportar (--export)

Essa opção permite especificar o caminho do arquivo em que a saída do comando list será exportada. Há suporte para caminhos relativos e absolutos.

Exemplo de uso
$ chronicle_cli feeds list --export=$HOME/listFeedsResponse.txt

Formato do arquivo (--file-format)

Essa opção permite especificar o formato do arquivo do conteúdo exportado com o comando list. Existem três formatos compatíveis: CSV, JSON e TXT. Se essa opção não for especificada com a opção --export, o formato CSV será usado como padrão.

Exemplo de uso
$ chronicle_cli feeds list --export=$HOME/listFeedsResponse.txt --file-format=TXT
Exemplo de saída
Formato CSV
ID,Display Name,Source type,Log type,State,Feed Settings
29259301-156b-4b60-ae91-855d15c39f6a,,Third party API,Anomali,INACTIVE,
292b7629-0250-476c-9fb2-4c8a738ce42c,my_duo_auth_feed,Third party API,Duo Auth,ACTIVE,API hostname: api-xxxxxxxxabjdsfklsadlfnsafs.duosecurity.com
0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65,,Third party API,Workspace Activities,ACTIVE,"Customer ID: C12abc    Applications: ['drive', 'login']"
Formato TXT
Feed Details:
  ID: 29259301-156b-4b60-ae91-855d15c39f6a
  Source type: Third party API
  Log type: Anomali
  State: INACTIVE
============================================================

Feed Details:
  ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
  Display Name: my_duo_auth_feed
  Source type: Third party API
  Log type: Duo Auth
  State: ACTIVE
  Feed Settings:
    API hostname: api-test.duosecurity.com

============================================================
Formato JSON
[
  {
    "name": "feeds/29259301-156b-4b60-ae91-855d15c39f6a",
    "details": {
      "logType": "ANOMALI_IOC",
      "feedSourceType": "API",
      "anomaliSettings": {}
    },
    "feedState": "INACTIVE"
  },
  {
    "name": "feeds/292b7629-0250-476c-9fb2-4c8a738ce42c",
    "details": {
      "logType": "DUO_AUTH",
      "feedSourceType": "API",
      "duoAuthSettings": {
        "hostname": "api-test.duosecurity.com"
      }
    },
    "feedState": "ACTIVE",
    "displayName": "my_duo_auth_feed"
  }
]

Região (--region)

É possível selecionar a região transmitindo a sinalização --region ao executar um comando. Para mais informações sobre como definir a região padrão, consulte Definir região padrão.

Solução de problemas

Nesta seção, mostramos a saída exibida no console em relação aos diferentes tipos de códigos de resposta recebidos da resposta da API.

Códigos de resposta de argumentos get

Código de resposta Saída do console
404 ID de feed inválido. Insira um ID de feed válido.
400 O feed não existe.
Qualquer outro código de resposta Ocorreu um erro ao buscar o feed. Código da resposta: {status code} Erro: {error message}

Códigos de resposta de argumentos list

Código de resposta Saída do console
Qualquer código de resposta diferente de 200 Erro ao buscar a lista de feeds. Código da resposta: {status code} Erro: {error message}
Falha ao buscar um feed da lista No final da saída do console, será exibida uma lista com os detalhes do ID do feed e a mensagem de erro correspondente.

Códigos de resposta de argumentos create

Código de resposta Saída do console
Qualquer código de resposta diferente de 200 Ocorreu um erro ao criar o feed. Código da resposta: {status code} Erro: {error message}

Códigos de resposta de argumentos update

Código de resposta Saída do console
Qualquer código de resposta diferente de 200 Ocorreu um erro ao atualizar o feed. Código da resposta: {status code} Erro: {error message}

Códigos de resposta de argumentos delete

Código de resposta Saída do console
404 ID de feed inválido. Insira um ID de feed válido.
400 O feed não existe.
Qualquer outro código de resposta Ocorreu um erro ao excluir o feed. Código da resposta: {status code} Erro: {error message}

Códigos de resposta de argumentos enable

Código de resposta Saída do console
404 ID de feed inválido. Insira um ID de feed válido.
400 O feed não existe.
Qualquer outro código de resposta Erro ao ativar o feed. Código da resposta: {status code} Erro: {error message}

Códigos de resposta de argumentos disable

Código de resposta Saída do console
404 ID de feed inválido. Insira um ID de feed válido.
400 O feed não existe.
Qualquer outro código de resposta Ocorreu um erro ao desativar o feed. Código da resposta: {status code} Erro: {error message}

Outros erros ou exceções

Exceção Saída do console
KeyError Não foi possível encontrar a chave {key name} na resposta.
Exceção Falha com a exceção: {exception details}
Arquivo de credencial ausente Falha com exceção: [Errno 2] Arquivo ou diretório inexistente: '/usr/local/google/home//.chronicle_cli/chronicle_credentials.json'

Você precisa colocar as credenciais no diretório esperado. Consulte Instalação.

Fluxos de trabalho do usuário para gerenciamento do analisador v2

Você pode usar a CLI do Chronicle para gerenciar analisadores de normalizador baseado em configuração (CBN, na sigla em inglês). Recomendamos o uso dos comandos da CLI de gerenciamento de analisador v2.

Comandos

Comando parsers

O comando parsers usa estes argumentos:

  • list_parsers
  • list_extensions
  • run_parser
  • submit_parser
  • submit_extension
  • delete_parser
  • delete_extension
  • deactivate_parser
  • activate_parser
  • get_parser
  • get_extension
  • get_validation_report

Sintaxe de uso:

$ chronicle_cli parsers ARGUMENT [OPTIONS]

Argumentos

Todos os fluxos de trabalho de gerenciamento de analisadores do CBN na CLI do Chronicle são interativos. Se necessário, também é possível usar as opções de comando.

argumento list_parsers

Lista todos os analisadores.

$ chronicle_cli parsers list_parsers -h
Usage: chronicle_cli parsers list_parsers [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE

  [New]List all parsers for a given customer

Options:
  -s, --state [ALL|ACTIVE|INACTIVE]
                                  Filter on Parser State.
  -f, --file-format [TXT|JSON]    Format of the file to be exported.
  --export TEXT                   Export output to specified file path.
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Fetching list of parsers...

Parser Details:
  Parser ID: 1242538299340357633
  Log type: GCP_CLOUDAUDIT
  State: INACTIVE
  Type: CUSTOM
  Author: -
  Validation Report ID: 44684d8a-1d01-4e69-ab50-2e2d6e3ef3b2
  Create Time: 2023-07-05T05:36:31.121236Z

============================================================

Parser Details:
  Parser ID: 3840440184193679361
  Log type: GCP_CLOUDAUDIT
  State: INACTIVE
  Type: CUSTOM
  Author: -
  Validation Report ID: 3d2e1bdb-2793-48d1-a485-4f4748095cb8
  Create Time: 2023-04-14T09:15:13.718842Z

============================================================

Parser Details:
  Parser ID: 3651720008402206721
  Log type: GCP_SECURITYCENTER_ERROR
  State: ACTIVE
  Type: CUSTOM
  Author: -
  Validation Report ID: -
  Create Time: 2023-03-30T09:54:20.414510Z

============================================================

argumento list_extensions

Lista todas as extensões do analisador.

$ chronicle_cli parsers list_extensions -h
Usage: chronicle_cli parsers list_extensions [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE

  [New]List all extensions for a given customer

Options:
  -f, --file-format [TXT|JSON]    Format of the file to be exported.
  --export TEXT                   Export output to specified file path.
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Fetching list of Parser Extensions...

ParserExtension Details:
  ParserExtension ID: 7b948bfb-d3f5-4922-9153-a20e75085990
  Log type: BRO_DNS
  State: VALIDATED
  Validation Report ID: 6ef30ad9-db89-4f30-80f3-0f79758ff3c2
  Create Time: 2023-07-06T03:58:26.594863Z
  State Last Changed Time: 2023-07-06T03:58:26.667151Z
  Last Live Time: 2023-07-06T03:58:28.019050Z

============================================================

ParserExtension Details:
  ParserExtension ID: 0fd9129b-d02b-42f7-912a-04b0bba0e0a7
  Log type: GCP_DNS
  State: LIVE
  Validation Report ID: 1965880f-7cd7-4943-9adf-4bff0041793d
  Create Time: 2023-05-12T08:12:17.090559Z
  State Last Changed Time: 2023-05-12T08:12:17.271615Z
  Last Live Time: 2023-05-12T08:12:27.244342Z

============================================================

ParserExtension Details:
  ParserExtension ID: d9df9d75-bb3a-4c28-b18d-69a608762ecc
  Log type: GCP_VPC_FLOW
  State: REJECTED
  Validation Report ID: c59ef2ab-4a70-4373-bdc8-067c39ca5a40
  Create Time: 2023-04-13T04:43:12.884287Z
  State Last Changed Time: 2023-04-13T04:43:13.288338Z
  Last Live Time: -

============================================================

argumento run_parser

Para validar o analisador em relação a determinados registros, use o seguinte comando:

$ chronicle_cli parsers run_parser -h
Usage: chronicle_cli parsers run_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
                               PARSER_CONFIG_FILE LOG_FILE

  [New]Run a parser(with extension) against given logs

Options:
  --parserextension_config_file TEXT
                                  Path to extension config file.
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Running parser(with extension) against given logs...

{"host_ip": "1.1.1.1"}
{'events': [{'event': {'metadata': {'eventTimestamp': '2023-06-26T08:45:10Z', 'eventType': 'GENERIC_EVENT', 'logType': 'BRO_DNS'}, 'principal': {'ip': ['1.1.1.1']}}}]}
some thing
{}

Runtime: 1.2396s

argumento submit_parser

Envia um novo analisador. O analisador enviado passa por validação, e o analisador existente é promovido a um candidato a reversão.

$ chronicle_cli parsers submit_parser -h
Usage: main parsers submit_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
                                  CONFIG_FILE [AUTHOR]

  [New]Submit a new parser

Options:
  --skip_validation_on_no_logs    Skip validation if no logs are found.
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Submitting Parser...

Parser Details:
  Parser ID: 12774126091501569
  Log type: GCP_CLOUDAUDIT
  State: INACTIVE
  Type: CUSTOM
  Author: -
  Validation Report ID: -
  Create Time: 2023-07-06T13:58:10.475391Z

============================================================

argumento submit_extension

Envia uma nova extensão de analisador. A extensão do analisador enviada passará por validação. Se a validação for aprovada, uma nova extensão do analisador será criada.

$ chronicle_cli parsers submit_extension -h
Usage: chronicle_cli parsers submit_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
                                     CONFIG_FILE LOG_FILE

  [New]Submit a new extension

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Submitting Parser Extension...

ParserExtension Details:
  ParserExtension ID: 88907461-c115-4204-8391-425b7a9cfb2c
  Log type: WORKSPACE_CHROMEOS
  State: NEW
  Validation Report ID: -
  Create Time: 2023-07-06T13:58:10.475391Z
  State Last Changed Time: -
  Last Live Time: -

============================================================

argumento delete_parser

Exclui um analisador personalizado. Você pode começar a usar o analisador pré-criado para o tipo de registro especificado.

$ chronicle_cli parsers delete_parser -h
Usage: chronicle_cli parsers delete_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
                                  PARSER_ID

  [New]Delete a parser

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Deleting Parser…
Parser deleted successfully.

argumento delete_extension

Exclui um analisador personalizado. Você pode começar a usar o analisador pré-criado para o tipo de registro especificado.

$ chronicle_cli parsers delete_extension -h
Usage: chronicle_cli parsers delete_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
                                     PARSEREXTENSION_ID

  [New]Delete an extension

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Deleting Parser Extension…
ParserExtension deleted successfully.

argumento deactivate_parser

Desativa um analisador personalizado ativo. Se a desativação for bem-sucedida, você poderá começar a usar o analisador pré-criado para o tipo de registro especificado.

$ chronicle_cli parsers deactivate_parser -h
Usage: chronicle_cli parsers deactivate_parser [OPTIONS] PROJECT_ID CUSTOMER_ID
                                      LOG_TYPE PARSER_ID

  [New]Deactivate a parser

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Deactivating Parser…
Parser deactivated successfully.

argumento activate_parser

Ativa um analisador personalizado. Você pode começar a usar um analisador ativo.

$ chronicle_cli parsers activate_parser -h
Usage: chronicle_cli parsers activate_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
                                    PARSER_ID

  [New]Activate a parser

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Activating Parser…
Parser activated successfully.

argumento get_parser

Busca os detalhes do ID do analisador e do tipo de registro fornecidos.

$ chronicle_cli parsers get_parser -h
Usage: chronicle_cli parsers get_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
                               PARSER_ID

  [New]Get details of a parser

Options:
  -f, --file-format [TXT|JSON]    Format of the file to be exported.
  --export TEXT                   Export output to specified file path.
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Fetching Parser details...

Parser Details:
  Parser ID: 3840440184193679361
  Log type: GCP_CLOUDAUDIT
  State: INACTIVE
  Type: CUSTOM
  Author: -
  Validation Report ID: 3d2e1bdb-2793-48d1-a485-4f4748095cb8
  Create Time: 2023-04-14T09:15:13.718842Z

============================================================

argumento get_extension

Busca a configuração do ID do analisador e do tipo de registro fornecidos.

$ chronicle_cli parsers get_extension -h
Usage: chronicle_cli parsers get_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
                                  PARSEREXTENSION_ID

  [New]Get details of an extension

Options:
  -f, --file-format [TXT|JSON]    Format of the file to be exported.
  --export TEXT                   Export output to specified file path.
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.

Exemplo de saída
Fetching Parser Extension details...

ParserExtension Details:
  ParserExtension ID: 7b948bfb-d3f5-4922-9153-a20e75085990
  Log type: BRO_DNS
  State: VALIDATED
  Validation Report ID: 6ef30ad9-db89-4f30-80f3-0f79758ff3c2
  Create Time: 2023-07-06T03:58:26.594863Z
  State Last Changed Time: 2023-07-06T03:58:26.667151Z
  Last Live Time: 2023-07-06T03:58:28.019050Z

============================================================

argumento get_validation_report

Busca o relatório de validação para um analisador ou uma extensão.

$ chronicle_cli parsers get_validation_report [OPTIONS] PROJECT_ID CUSTOMER_ID
                                          LOG_TYPE VALIDATION_REPORT_ID

  [New]Get validation report for a parser/extension

Options:
  --parser_id TEXT                ID of the parser.
  --parserextension_id TEXT       ID of the parser extension.
  --env [prod|test]               Optional: Specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select a region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.
Exemplo de saída
Fetching Validation report for ParserExtension...

Validation Report:
  Verdict: PASS
  Stats:
    LogEntry Count: 10000
    Successfully Normalized Log Count: 10000
    Failed Log Count: 0
    Invalid Log Count: 0
    On Error Count: 153938
    Event Count: 10000
    Generic Event Count: 0
    Event Category:
      Valid_event: 10000
    Drop Tag:
      -
    Max Parse Duration: 0.274677769s
    Avg Parse Duration: 0.010s
    Normalization percent: 100
    Generic Event percent: 0
  Errors: -
  

Opções

Ajuda (-h / --help)

Utilize a opção -h ou --help para visualizar o uso com descrição de qualquer comando.

Exemplo de uso:
$ chronicle_cli parsers list_parsers -h
Usage: chronicle_cli parsers list_parsers [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE

  [New]List all parsers for a given customer

Options:
  -s, --state [ALL|ACTIVE|INACTIVE]
                                  Filter on Parser State.
  -f, --file-format [TXT|JSON]    Format of the file to be exported.
  --export TEXT                   Export output to specified file path.
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli
                                  /chronicle_credentials.json
  --v2                            Enable v2 commands.
  -h, --help                      Show this message and exit.

Ambiente (--env)

Para selecionar o ambiente, transmita a sinalização --env com o comando. Assim, as chamadas de API serão executadas. É possível selecionar um valor de ambiente entre as opções prod e test. Se você não especificar essa opção, o padrão será definido como prod.

Arquivo de credenciais (-c ou --credential_file)

Essa opção permite especificar o caminho para as credenciais da conta de serviço a ser usada para autenticação. Se essa opção não for especificada, a CLI do Chronicle vai procurar credenciais no caminho padrão, ou seja, ~/.chronicle_cli (dentro de um diretório oculto chamado .chronicle_cli no diretório inicial).

Exemplo de uso:
$ chronicle_cli parsers list_parsers --credential_file=C:\chronicle_credentials.json

Região (--region)

É possível selecionar a região transmitindo a sinalização --region ao executar um comando. Para mais informações sobre como definir a região padrão, consulte Definir região padrão.

Detalhado (--detalhado)

Essa opção permite imprimir os detalhes da solicitação HTTP feita e da Resposta recebida.

Exemplo de uso:
$ chronicle_cli parsers list_parsers --verbose

Exportar (--export)

Esta opção permite especificar o caminho do arquivo em que a saída do comando list ou list_errors será exportada. Há suporte para caminhos relativos e absolutos.

Exemplo de uso:
$ chronicle_cli parsers list_parsers --export=parser_list

Formato do arquivo (--file-format)

Essa opção permite especificar o formato do arquivo do conteúdo exportado com o comando list ou list_errors. Dois formatos são aceitos: JSON e TXT. Se essa opção não for especificada com --export, o formato TXT será usado como padrão.

Exemplo de uso:
$ chronicle_cli parsers list_parsers --export=parser_list --file-format=JSON

Fluxos de trabalho do usuário para gerenciamento do analisador

A CLI do Chronicle pode ser usada para gerenciar os analisadores de CBN com os comandos a seguir. No entanto, é recomendado usar os comandos da CLI de gerenciamento do analisador v2.

Comandos

Comando parsers

O comando parsers usa estes argumentos:

  • archive
  • download
  • generate
  • history
  • list
  • list_errors
  • run
  • status
  • submit

Sintaxe de uso:

$ chronicle_cli parsers ARGUMENT [OPTIONS]

Argumentos

Todos os fluxos de trabalho de gerenciamento de analisadores do CBN na CLI do Chronicle são interativos. Você vai receber uma solicitação para inserir opções quando elas forem necessárias para os comandos.

argumento list

Para listar os detalhes de todos os analisadores, use o seguinte comando:

$ chronicle_cli parsers list -h
Usage: main parsers list [OPTIONS]

  List all parsers of a given customer

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --export TEXT                   Export output to specified file path.
  --file-format [TXT|CSV|JSON]    Format of the file to be exported.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Fetching list of parsers...

Parser Details:
  Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed
  Log type: WINDOWS_SYSMON
  State: LIVE
  SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
  Author: <user>@test.com
  Submit Time: 2022-08-26T09:57:10.644351Z
  State Last Changed Time: 2022-08-26T09:58:23.809636Z
  Last Live Time: 2022-08-26T09:58:23.809636Z
============================================================

Parser Details:
  Config ID: 7f2ae1f5-8f0c-43f9-bb02-299e7c8b9e82
  Log type: BOX
  State: LIVE
  SHA256: 8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
  Author: <user>@test.com
  Submit Time: 2022-08-25T07:33:31.026399Z
  State Last Changed Time: 2022-08-25T07:33:32.263754Z
  Last Live Time: 2022-08-25T07:33:32.263754Z
============================================================

argumento generate

Para gerar registros de amostra para um determinado tipo de registro, use o seguinte comando:

$ chronicle_cli parsers generate -h
Usage: main parsers generate [OPTIONS]

  Generate sample logs for a given log type

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.

O comando cria três arquivos com 1, 10 e 1.000 registros de amostra no diretório raiz em <root>/chronicle_cli/cbn/<log_type>/.

Exemplo de saída
Enter Start Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-17T10:00:00Z
Enter End Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-23T10:00:00Z
Enter Log Type: WINDOWS_DHCP

Generating sample size: 1...
Generating sample size: 10...
Generating sample size: 1k...
Generated sample data (WINDOWS_DHCP); run this to go there:
cd /usr/local/home/<user>/cbn/windows_dhcp

argumento history

Para conferir a lista de todos os detalhes de envio dos analisadores para um determinado tipo de registro, use o seguinte comando:

$ chronicle_cli parsers history -h
Usage: main parsers history [OPTIONS]

  History retrieves all parsers submissions given a log type

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Enter Log Type: WINDOWS_SYSMON
Fetching history for parser...

Parser History:
  Config ID: 8d9f5b1c-4689-4ca3-ae9b-863ce78dd123
  Log type: WINDOWS_SYSMON
  State: LIVE
  SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
  Author: author@test.com
  Submit Time: 2022-08-26T12:37:55.187407Z
  State Last Changed Time: 2022-08-26T12:39:12.198587Z
  Last Live Time: 2022-08-26T12:39:12.198587Z

============================================================

Parser History:
  Config ID: 29bbf14b-2ffb-411a-bb37-911b13437123
  Log type: WINDOWS_SYSMON
  State: ARCHIVED
  SHA256: 8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
  Author: author@test.com
  Submit Time: 2022-08-26T12:05:34.421743Z
  State Last Changed Time: 2022-08-26T12:39:12.198587Z
  Last Live Time: 2022-08-26T12:06:55.495269Z

============================================================

argumento list_errors

Para listar erros de um tipo de registro entre carimbos de data/hora específicos, use o seguinte comando:

$ chronicle_cli parsers list_errors -h
Usage: main parsers list_errors [OPTIONS]

  List errors of a log type between specific timestamps

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --export TEXT                   Export output to specified file path.
  --file-format [TXT|CSV|JSON]    Format of the file to be exported.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Enter Log Type: CISCO_ASA_FIREWALL
Enter Start Date (Format: yyyy-mm-ddThh:mm:ssZ): 2021-01-16T00:00:00Z
Enter End Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-21T12:00:00Z
Getting parser errors...
Error Details:
  Error ID: f9eb72cb-f320-dd5a-a098-00bcaa76a35d
  Config ID: N/A
  Log type: CISCO_ASA_FIREWALL
  Error Time: 2022-08-18T10:57:56.898883208Z
  Error Category: CBN_parsers_GENERATED_INVALID_EVENT
  Error Message: generic::invalid_argument: diff event timestamp ("seconds:1630106465") and create timestamp ("seconds:1660820265 nanos:202151000"): 8531h36m40.202151s, larger than allowed (4320h0m0s)
  Logs:
      <190>Aug 27 2020 23:21:05 TEST : %ASA-6-106012: Deny IP from 1.2.3.4 to 5.6.7.8, IP options: Test user
============================================================

Error Details:
  Error ID: f9eb72cb-f320-dd5a-a098-00bcaa76a35d
  Config ID: N/A
  Log type: CISCO_ASA_FIREWALL
  Error Time: 2022-08-18T10:57:56.898883208Z
  Error Category: CBN_parsers_GENERATED_INVALID_EVENT
  Error Message: generic::invalid_argument: diff event timestamp ("seconds:1630106465") and create timestamp ("seconds:1660820265 nanos:202151000"): 8531h36m40.202151s, larger than allowed (4320h0m0s)
  Logs:
      <190>Aug 27 2020 23:21:05 TEST : %ASA-6-106012: Deny IP from 1.2.3.4 to 5.6.7.8, IP options: Demo user

argumento run

Para validar o analisador em relação a determinados registros, use o seguinte comando:

$ chronicle_cli parsers run -h
Usage: main parsers run [OPTIONS]

  Run the parser against given logs

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Enter path for conf file: /usr/local/home/Desktop/windows_sysmon.conf
Enter path for log file: /usr/local/home/Desktop/windows_sysmon.log
Running Validation…
Runtime: 2.4914s

argumento submit

Para enviar um novo analisador, use o seguinte comando:

$ chronicle_cli parsers submit -h
Usage: main parsers submit [OPTIONS]

  Submit new parser

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Enter Log type: CISCO_ASA_FIREWALL
Enter Config file path: /usr/local/Desktop/windows_sysmon.conf
Enter author: test
Submitting parser...

Submitted Parser Details:
  Config ID: 9ba20930-9733-4fcd-badf-18fedb9f8123
  Log type: CISCO_ASA_FIREWALL
  State: NEW
  SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
  Author: test
  Submit Time: 2022-08-30T06:49:54.005119Z
  State Last Changed Time: 2022-08-30T06:49:54.005119Z

Parser submitted successfully. To get status of the parser, run this command using following Config ID - 9ba20930-9733-4fcd-badf-18fedb9f8123:
chronicle_cli parsers status

argumento status

Para conferir o status de um analisador enviado, use o seguinte comando:

$ chronicle_cli parsers status -h
Usage: main parsers status [OPTIONS]

  Get status of a submitted parser

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Enter Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed

Getting parser...

Parser Details:
  Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed
  Log type: WINDOWS_SYSMON
  State: ARCHIVED
  SHA256: 79ac67c15ffb047a152be2fb2a3391cbe18b2d183e9e6a402eb2fe53a6666b17
  Author: test
  Submit Time: 2022-08-26T09:57:10.644351Z
  State Last Changed Time: 2022-08-26T09:58:23.809636Z
  Last Live Time: 2022-08-26T09:58:23.809636Z

argumento archive

Para arquivar um analisador existente, use o seguinte comando:

$ chronicle_cli parsers archive -h
Usage: main parsers archive [OPTIONS]

  Archives a parser given the config ID.

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
Enter Config ID: 1cb402d9-eab2-4f6b-b402-20b121167123
Archiving parser...

Parser archived Successfully.

Parser Details:
  Config ID: 1cb402d9-eab2-4f6b-b402-20b121167123
  Log type: WINDOWS_SYSMON
  State: ARCHIVED
  SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
  Author: test
  Submit Time: 2022-08-26T09:57:10.644351Z
  State Last Changed Time: 2022-08-26T09:58:23.809636Z
  Last Live Time: 2022-08-26T09:58:23.809636Z

argumento download

Para fazer o download do arquivo de configuração (.conf) para um determinado tipo de registro ou ID de configuração, use o seguinte comando:

$ chronicle_cli parsers download -h
Usage: main parsers download [OPTIONS]

  Download parser code by given Config ID or Log type.

Options:
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
  • Uso do ID de configuração.
Note: If you want to download parser by log type then skip the config ID.
Enter config ID: 9d1474ab-eff2-4855-ba57-4f0c458e3ac2
Downloading parser...
Writing parser to: CISCO_ASA_FIREWALL_20220825131911.conf
  • Usar o tipo de registro.
Note: If you want to download parser by log type then skip the config ID.
Enter config ID:
Enter Log Type: CISCO_ASA_FIREWALL
Downloading parser...
Writing parser to: CISCO_ASA_FIREWALL_20220825132011.conf

Opções

Ajuda (-h / --help)

Utilize a opção -h ou --help para visualizar o uso com descrição de qualquer comando.

Exemplo de uso:
$ chronicle_cli parsers list -h
Usage: main parsers list [OPTIONS]

  List all parsers of a given customer

Options:
  -f, --file-format [TXT|JSON]    Format of the file to be exported.
  --export TEXT                   Export output to specified file path.
  --env [prod|test]               Optionally specify the environment for API
                                  calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/home/<user>/.chronicle_cli/chro
                                  nicle_credentials.json
  -h, --help                      Show this message and exit.

Ambiente (--env)

Para selecionar o ambiente, transmita a sinalização --env com o comando. Assim, as chamadas de API serão executadas. É possível selecionar um valor de ambiente entre as opções prod e test. Se você não especificar essa opção, o padrão será definido como "prod".

Arquivo de credenciais (-c ou --credential_file)

Essa opção permite especificar o caminho das credenciais da conta de serviço a ser usada para a autenticação do usuário. Se essa opção não for especificada, a CLI do Chronicle vai procurar credenciais no caminho padrão, ou seja, ~/.chronicle_cli (dentro de um diretório oculto chamado .chronicle_cli no diretório inicial).

Exemplo de uso:
$ chronicle_cli parsers list --credential_file=C:\chronicle_credentials.json

Região (--region)

É possível selecionar a região transmitindo a sinalização --region ao executar um comando. Para mais informações sobre como definir a região padrão, consulte Definir região padrão.

Detalhado (--detalhado)

Essa opção permite imprimir os detalhes da solicitação HTTP feita e da Resposta recebida.

Exemplo de uso:
$ chronicle_cli parsers list --verbose

Exportar (--export)

Essa opção permite especificar o caminho do arquivo em que a saída do comando list ou list_errors será exportada. Há suporte para caminhos relativos e absolutos.

Exemplo de uso:
$ chronicle_cli parsers list --export=parsers_list

Formato do arquivo (--file-format)

Essa opção permite especificar o formato de arquivo do conteúdo exportado com o comando list ou list_errors. Há três formatos compatíveis: JSON e TXT. Se essa opção não for especificada com a opção --export, o formato TXT será usado como padrão.

Exemplo de uso:
$ chronicle_cli parsers list --export=parsers_list --file-format=JSON

Solução de problemas

Códigos de erro do gerenciamento do analisador de CBN

Esta seção mostra a saída exibida no console em relação aos diferentes tipos de código de resposta recebidos da resposta da API.

Consulte a tabela abaixo para ver a saída de cada comando:

Código de resposta Comando Saída do console
Qualquer código de resposta diferente de 200 {command}[archive, download, generate, history, list_errors, run, status, list, submit] Erro ao analisar o analisador {command}.
Código de resposta: {status code}
Erro: {error message}

Fluxos de trabalho do usuário para o gerenciamento de encaminhadores

A CLI do Chronicle pode ser usada para gerenciar encaminhadores e os coletores associados usando os seguintes comandos:

Comandos

Comando forwarders

O comando forwarders usa estes argumentos:

  • create
  • update
  • get
  • list
  • delete
  • generate_files
  • collectors

Sintaxe de uso:

$ chronicle_cli forwarders ARGUMENT [OPTIONS]

Comando collectors

O comando collectors usa estes argumentos:

  • create
  • update
  • get
  • list
  • delete

Sintaxe de uso:

$ chronicle_cli forwarders collectors ARGUMENT [OPTIONS]

Argumentos

Todos os fluxos de trabalho do usuário do gerenciamento de encaminhamento na CLI do Chronicle são interativos. As opções são solicitadas quando e quando necessário.

argumento create

Para criar um novo encaminhador e configurar coletores para ele, use o seguinte comando:

$ chronicle_cli forwarders create --help
Usage: main forwarders create [OPTIONS]

  Create a Forwarder

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
$ chronicle_cli forwarders create
================================================================================
Press Enter if you want to use the default value mentioned besides field description in [] brackets.
================================================================================

(*) Forwarder Display Name : test_display_name

========================================
======== Forwarder Configuration =======
========================================

Upload Compression (Determines if uploaded data will be compressed) [Y/n]: y

Do you want to proceed with Forwarder Metadata? [y/N]: y

========================================
========== Forwarder Metadata ==========
========================================

Asset Namespace: test_namespace

========================================
=========== Forwarder Labels ===========
========================================

Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2

Do you want to proceed with Forwarder Regex Filters? [y/N]: y

========================================
======= Forwarder Regex Filters =======
========================================

Filter Description (Describes what is being filtered and why): desc1

Filter Regexp (The regular expression used to match against each incoming line): .*

Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1

You have selected allow

Do you want to add more Forwarder Regex Filters [y/N]: y

Filter Description (Describes what is being filtered and why): desc2

Filter Regexp (The regular expression used to match against each incoming line): .*

Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 2

You have selected block

Do you want to add more Forwarder Regex Filters [y/N]: n

Do you want to proceed with Server Settings? [y/N]: y

========================================
=========== Server Settings ===========
========================================

Server State (Server State for Collector)
Choose:
1. active
2. suspended
: 1

You have selected active

Graceful Timeout (Number of seconds after which the forwarder returns a bad readiness/health check and still accepts new connections) [15]:

Drain timeout (Number of seconds after which the forwarder waits for active connections to successfully close on their own before being closed by the server) [10]:

Do you want to proceed with HTTP-specific server settings? [y/N]: y

========================================
==== HTTP-specific server settings ====
========================================

Host (IP address, or hostname that can be resolved to IP addresses, that the server should listen on) [0.0.0.0]: 10.0.14.132

Port (Port number that the HTTP server listens on for health checks from the load balancer) [8080]: 8000

Read Timeout (Maximum amount of time allowed to read the entire request, both the header and the body) [3]:

Read Header Timeout (Maximum amount of time allowed to read request headers) [3]:

Write Timeout (Maximum amount of time allowed to send a response) [3]:

Idle Timeout (Maximum amount of time (in seconds) to wait for the next request when idle connections are enabled) [3]:

Do you want to proceed with Route Settings? [y/N]: y

========================================
============ Route Settings ============
========================================

Available Status Code (Status code returned when a liveness check is received and the forwarder is available) [204]: 200

Ready Status Code (Status code returned when it is ready to accept traffic) [204]: 200

Unready Status Code (Status code returned when it is not ready to accept traffic) [503]: 500

Preview changes:

  - Press Up/b or Down/z keys to paginate.
  - To switch case-sensitivity, press '-i' and press enter. By default, search
    is case-sensitive.
  - To search for specific field, press '/' key, enter text and press enter.
  - Press 'q' to quit and confirm preview changes.
  - Press `h` for all the available options to navigate the list.
=============================================================================

Config:
  Metadata:
    Asset namespace: test_namespace
    Labels:
    - key: key1
      value: value1
    - key: key2
      value: value2
  Regex filters:
  - behavior: ALLOW
    description: desc1
    regexp: .*
  - behavior: BLOCK
    description: desc2
    regexp: .*
  Server settings:
    Drain timeout: 10
    Graceful timeout: 15
    Http settings:
      Host: 10.0.14.132
      Idle timeout: 3
      Port: 8000
      Read header timeout: 3
      Read timeout: 3

Do you want to create forwarder with this configuration [y/N]: y

Creating forwarder...
Forwarder created successfully with Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4

Would you like to configure collectors for this forwarder? [y/N]: y

(*) Collector Display Name: collector_1

========================================
======== Collector Configuration ======
========================================

(*) Collector Log Type (Type of logs collected): WINDOWS_DNS

Do you want to proceed with Collector Metadata? [y/N]: y

========================================
========== Collector Metadata ==========
========================================

Asset Namespace: test_namespace

========================================
=========== Forwarder Labels ===========
========================================

Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2

Do you want to proceed with Collector Regex Filters? [y/N]: y

========================================
======= Collector Regex Filters =======
========================================

Filter Description (Describes what is being filtered and why): desc1

Filter Regexp (The regular expression used to match against each incoming line): .*

Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1

You have selected allow

Do you want to add more Collector Regex Filters [y/N]: n

Do you want to proceed with Collector Disk Buffer? [y/N]: y

========================================
======== Collector Disk Buffer ========
========================================

Disk Buffer State (Disk buffering state for collector)
Choose:
1. active
2. suspended
: 1

You have selected active

Directory Path (Directory path for files written): path/to/file.txt

Max File Buffer Bytes (Maximum buffered file size): 45

Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:

Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:

========================================
===== Configure Ingestion Settings =====
========================================

Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
: 1

File Path (Path of file to monitor): path/to/file.txt

Preview changes:

  - Press Up/b or Down/z keys to paginate.
  - To switch case-sensitivity, press '-i' and press enter. By default, search
    is case-sensitive.
  - To search for specific field, press '/' key, enter text and press enter.
  - Press 'q' to quit and confirm preview changes.
  - Press `h` for all the available options to navigate the list.
=============================================================================

Config:
  Disk buffer:
    Directory path: path/to/file.txt
    Max file buffer bytes: 45
    State: ACTIVE
  File settings:
    File path: path/to/file.txt
  Log type: WINDOWS_DNS
  Max bytes per batch: 1048576
  Max seconds per batch: 10
  Metadata:
    Asset namespace: test_namespace
    Labels:
    - key: key1
      value: value1
    - key: key2
      value: value2
  Regex filters:
    Behavior: ALLOW
    Description: desc1
    Regexp: .*
Display name: collector_1

Do you want to create collector with this configuration [y/N]: y

Creating collector...
Collector created successfully with Collector ID: 1f72f9ab-3ae3-4c5f-955e-86c982587937

Would you like to add more collectors? [y/N]: n

Se a criação do encaminhador falhar e você inserir o mesmo ID do encaminhador, será necessário tentar novamente o encaminhador com falha ou reiniciar o processo. Se o ID do encaminhador inserido não corresponder ao ID do encaminhador que falhou, você não receberá uma solicitação para tentar novamente, e o processo normal de criação do encaminhador continuará.

Exemplo de saída
...
Creating forwarder...

Error occurred while creating forwarder.
Response Code: 500.
Error: ZERO_APP::1: create forwarder due to validation errors in request: generic::invalid_argument: filter's description is not specified

$ chronicle_cli forwarders create

Looks like there was a failed create/update attempt for test.
Would you like to retry?

(*) Forwarder Display Name [test]:

Do you want to create forwarder with this configuration [y/N]: y

Creating forwarder...
Forwarder created successfully with Forwarder ID: ab7af569-d957-44a3-99a8-aa70ffdc6458

Would you like to configure collectors for this forwarder? [y/N]: n

argumento get

Para acessar detalhes de um encaminhador e dos respectivos coletores, use o seguinte comando:

$ chronicle_cli forwarders get --help
Usage: main forwarders get [OPTIONS]

  Get forwarder details using Forwarder ID

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída

É necessário inserir o ID do encaminhador para receber os detalhes dele.

$ chronicle_cli forwarders get
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4

Fetching forwarder and its all associated collectors...

Forwarder Details:

ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
  Upload compression: true
  Metadata:
    Asset namespace: test_namespace
    Labels:
    - key: key1
      value: value1
    - key: key2
      value: value2
  Regex filters:
  - description: desc1
    regexp: .*
    behavior: ALLOW
  - description: desc2
    regexp: .*
    behavior: BLOCK
  Server settings:
    Graceful timeout: 15
    Drain timeout: 10
    Http settings:
      Port: 8000
      Host: 10.0.14.132
      Read timeout: 3
      Read header timeout: 3
      Write timeout: 3
      Idle timeout: 3
      Route settings:
        Available status code: 200
        Ready status code: 200
        Unready status code: 500
    State: ACTIVE

Collectors:
  Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
    Display name: collector_1
    State: ACTIVE
    Config:
      Log type: WINDOWS_DNS
      Metadata:
        Asset namespace: test_namespace
        Labels:
        - key: key1
          value: value1
        - key: key2
          value: value2
      Regex filters:
      - description: desc1
        regexp: .*
        behavior: ALLOW
      Disk buffer:
        State: ACTIVE
        Directory path: path/to/file.txt
        Max file buffer bytes: '45'
      Max seconds per batch: 10
      Max bytes per batch: '1048576'
      File settings:
        File path: path/to/file.txt

================================================================================

argumento list

Para exibir uma lista de todos os encaminhadores e respectivos coletores, use o seguinte comando:

$ chronicle_cli forwarders list --help
Usage: main forwarders list [OPTIONS]

  List all forwarders

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  --export TEXT                   Export output to specified file path
  --file-format [TXT|CSV|JSON]    Format of the file to be exported
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.

O comando é usado para buscar os detalhes de todos os encaminhadores e coletores.

Exemplo de saída
$ chronicle_cli forwarders list
Fetching list of forwarders...

Forwarder Details:

ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
  Upload compression: true
  Metadata:
    Asset namespace: test_namespace
    Labels:
    - key: key1
      value: value1
    - key: key2
      value: value2
  Regex filters:
  - description: desc1
    regexp: .*
    behavior: ALLOW
  - description: desc2
    regexp: .*
    behavior: BLOCK
  Server settings:
    Graceful timeout: 15
    Drain timeout: 10
    Http settings:
      Port: 8000
      Host: 10.0.14.132
      Read timeout: 3
      Read header timeout: 3
      Write timeout: 3
      Idle timeout: 3
      Route settings:
        Available status code: 200
        Ready status code: 200
        Unready status code: 500
    State: ACTIVE

Collectors:
  Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
    Display name: collector_1
    State: ACTIVE
    Config:
      Log type: WINDOWS_DNS
      Metadata:
        Asset namespace: test_namespace
        Labels:
        - key: key1
          value: value1
        - key: key2
          value: value2
      Regex filters:
      - description: desc1
        regexp: .*
        behavior: ALLOW
      Disk buffer:
        State: ACTIVE
        Directory path: path/to/file.txt
        Max file buffer bytes: '45'
      Max seconds per batch: 10
      Max bytes per batch: '1048576'
      File settings:
        File path: path/to/file.txt

================================================================================

Forwarder Details:

ID: ddcca884-cdc6-4ac2-ad30-05a28e6cf35a
Display name: test
State: ACTIVE
Config:
  Upload compression: true
  Metadata:
    Asset namespace: test
    Labels:
    - key: k1
      value: v2
  Regex filters:
  - description: hh
    regexp: hh
    behavior: ALLOW
  - description: gg
    regexp: gg
    behavior: BLOCK
  Server settings:
    Graceful timeout: 15
    Drain timeout: 10
    Http settings:
      Port: 8080
      Host: 0.0.0.0
      Read timeout: 3
      Read header timeout: 3
      Write timeout: 3
      Idle timeout: 3
      Route settings:
        Available status code: 204
        Ready status code: 204
        Unready status code: 503
    State: ACTIVE

Collectors:
  Message: No collectors found for this forwarder.

================================================================================

Se você quiser exportar os dados, poderá especificar o caminho absoluto/relativo do arquivo a ser exportado junto com o formato do arquivo (CSV/TXT/JSON). O formato de arquivo padrão é CSV.

Exemplo de saída
$ chronicle_cli forwarders list --export=$HOME/listforwarder --file-format=JSON
Fetching list of forwarders...

Forwarder Details:

ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
  Upload compression: true
  Metadata:
    Asset namespace: test_namespace
    Labels:
    - key: key1
      value: value1
    - key: key2
      value: value2
  Regex filters:
  - description: desc1
    regexp: .*
    behavior: ALLOW
  - description: desc2
    regexp: .*
    behavior: BLOCK
  Server settings:
    Graceful timeout: 15
    Drain timeout: 10
    Http settings:
      Port: 8000
      Host: 10.0.14.132
      Read timeout: 3
      Read header timeout: 3
      Write timeout: 3
      Idle timeout: 3
      Route settings:
        Available status code: 200
        Ready status code: 200
        Unready status code: 500
    State: ACTIVE

Collectors:
  Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
    Display name: collector_1
    State: ACTIVE
    Config:
      Log type: WINDOWS_DNS
      Metadata:
        Asset namespace: test_namespace
        Labels:
        - key: key1
          value: value1
        - key: key2
          value: value2
      Regex filters:
      - description: desc1
        regexp: .*
        behavior: ALLOW
      Disk buffer:
        State: ACTIVE
        Directory path: path/to/file.txt
        Max file buffer bytes: '45'
      Max seconds per batch: 10
      Max bytes per batch: '1048576'
      File settings:
        File path: path/to/file.txt

================================================================================

Forwarder Details:

ID: ddcca884-cdc6-4ac2-ad30-05a28e6cf35a
Display name: test
State: ACTIVE
Config:
  Upload compression: true
  Metadata:
    Asset namespace: test
    Labels:
    - key: k1
      value: v2
  Regex filters:
  - description: hh
    regexp: hh
    behavior: ALLOW
  - description: gg
    regexp: gg
    behavior: BLOCK
  Server settings:
    Graceful timeout: 15
    Drain timeout: 10
    Http settings:
      Port: 8080
      Host: 0.0.0.0
      Read timeout: 3
      Read header timeout: 3
      Write timeout: 3
      Idle timeout: 3
      Route settings:
        Available status code: 204
        Ready status code: 204
        Unready status code: 503
    State: ACTIVE

Collectors:
  Message: No collectors found for this forwarder.

================================================================================
Forwarders list details exported successfully to: /usr/local/google/home/<user>/listforwarder.json

argumento update

Para atualizar um encaminhador existente, use o seguinte comando:

$ chronicle_cli forwarders update --help
Usage: main forwarders update [OPTIONS]

  Update a forwarder using forwarder ID.

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.

Depois de executar o comando, insira novamente o ID do encaminhamento e todos os valores dos campos. Para reutilizar os valores antigos, pressione Enter.

Exemplo de saída
$ chronicle_cli forwarders update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Press Enter if you don't want to update.

(*) Forwarder Display Name [test_display_name]:

========================================
======== Forwarder Configuration =======
========================================

Upload Compression (Determines if uploaded data will be compressed) [Y/n]: y

Do you want to proceed with Forwarder Metadata? [y/N]: y

========================================
========== Forwarder Metadata ==========
========================================

Asset Namespace [test_namespace]:

========================================
=========== Forwarder Labels ===========
========================================

Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[[{'key': 'key1', 'value': 'value1'}, {'key': 'key2', 'value': 'value2'}]]

Do you want to proceed with Forwarder Regex Filters? [y/N]: n

Do you want to proceed with Server Settings? [y/N]: n

Do you want to update forwarder with this configuration? [y/N]: y

Updating forwarder...

Forwarder updated successfully with Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4

Se a atualização do encaminhador falhar e você inserir o mesmo encaminhador, uma solicitação será exibida para repetir o encaminhador com falha ou para reiniciar o processo. Se você inserir um ID de encaminhador que não corresponda ao ID de encaminhador com falha, a opção de tentar novamente não será exibida e o processo normal de atualização do encaminhador continuará. O mecanismo de repetição permite alterar os valores de opção fornecidos na tentativa com falha anterior de maneira interativa. Pressione Enter para reutilizar o mesmo valor de uma opção no fluxo de atualização do encaminhador.

argumento delete

Use esse argumento para excluir um encaminhador usando um ID de encaminhador. Quando executado, ele solicita que o ID do feed seja excluído. Para excluir um encaminhador atual, use o seguinte comando:

chronicle_cli forwarders delete --help
Usage: main forwarders delete [OPTIONS]

  Delete a forwarder using Forwarder ID

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
$ chronicle_cli forwarders delete
Enter Forwarder ID: 0593ba21-a1c7-4279-b429-bc8df959bd59

Deleting forwarder and all its associated collectors...

Forwarder (ID: 0593ba21-a1c7-4279-b429-bc8df959bd59) deleted successfully with all its associated collectors.

argumento generate_files

Use esse argumento para gerar um arquivo com informações sobre o encaminhador usando o ID dele.

Para gerar o arquivo do encaminhador, use o seguinte comando:

$ chronicle_cli forwarders generate_files -h
Usage: main forwarders generate_files [OPTIONS]

  Generate forwarder configuration files using Forwarder ID

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -f, --file-path TEXT            Download generated forwarder files to the
                                  specified path.
  -h, --help                      Show this message and exit.
Exemplo de saída
$ chronicle_cli forwarders generate_files --file-path=$HOME/GenerateForwarderFile
Enter Forwarder ID: 0768220e-8af6-4ef7-a1dd-73e33963b444
Generating forwarder files ...
Forwarder files generated successfully.
Configuration file: /usr/local/google/home/<user>/GenerateForwarderFile_forwarder.conf
Auth file: /usr/local/google/home/<user>/GenerateForwarderFile_forwarder_auth.conf

Subcomandos do coletor

argumento create

Use o comando a seguir para configurar um novo coletor para um determinado encaminhador.

$ chronicle_cli forwarders collectors create --help
Usage: main forwarders collectors create [OPTIONS]

  Create a collector.

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
$ chronicle_cli forwarders collectors create
================================================================================
Press Enter if you want to use the default value mentioned besides field description in [] brackets.
================================================================================

Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4

(*) Collector Display Name: collector_4

========================================
======== Collector Configuration ======
========================================

(*) Collector Log Type (Type of logs collected): WINDOWS_DNS

Do you want to proceed with Collector Metadata? [y/N]: y

========================================
========== Collector Metadata ==========
========================================

Asset Namespace: test_namespace

========================================
=========== Forwarder Labels ===========
========================================

Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2

Do you want to proceed with Collector Regex Filters? [y/N]: y

========================================
======= Collector Regex Filters =======
========================================

Filter Description (Describes what is being filtered and why): desc1

Filter Regexp (The regular expression used to match against each incoming line): .*

Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1

You have selected allow

Do you want to add more Collector Regex Filters? [y/N]: n

Do you want to proceed with Collector Disk Buffer? [y/N]: n

Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:

Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:

========================================
===== Configure Ingestion Settings =====
========================================

Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings

File Path (Path of file to monitor): path/to/file.txt

Preview changes:

  - Press Up/b or Down/z keys to paginate.
  - To switch case-sensitivity, press '-i' and press enter. By default, search
    is case-sensitive.
  - To search for specific field, press '/' key, enter text and press enter.
  - Press 'q' to quit and confirm preview changes.
  - Press `h` for all the available options to navigate the list.
=============================================================================

Config:
  File settings:
    File path: path/to/file.txt
  Log type: WINDOWS_DNS
  Max bytes per batch: 1048576
  Max seconds per batch: 10
  Metadata:
    Asset namespace: test_namespace
    Labels:
    - key: key1
      value: value1
    - key: key2
      value: value2
  Regex filters:
    Behavior: ALLOW
    Description: desc1
    Regexp: .*
Display name: collector_4

Do you want to create collector with this configuration? [y/N]: y

Creating collector...
Collector created successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f

Se a criação do coletor falhar e você inserir o mesmo ID do coletor, uma solicitação será exibida para repetir o coletor com falha ou reiniciar o processo. Se você inserir um ID do coletor que não corresponde ao ID do coletor com falha, a opção de nova tentativa não será exibida e o processo normal de atualização do coletor continuará.

Exemplo de saída
$ chronicle_cli forwarders collectors create
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4

Looks like there was a failed create/update attempt for test_display.
Would you like to retry?

(*) Collector Display Name [test_display]:

========================================
======== Collector Configuration ======
========================================

(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:

Do you want to proceed with Collector Metadata? [y/N]: y

========================================
========== Collector Metadata ==========
========================================

Asset Namespace [test]:

========================================
=========== Forwarder Labels ===========
========================================

Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[[{'key': 'k1', 'value': 'v1'}]]

Do you want to proceed with Collector Regex Filters? [y/N]: y

========================================
======= Collector Regex Filters =======
========================================

Filter Description (Describes what is being filtered and why)[old_desc]: desc2

Filter Regexp (The regular expression used to match against each incoming line) [.*]:

Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block

You have selected allow

Do you want to add more Collector Regex Filters? [y/N]: n

Do you want to proceed with Collector Disk Buffer? [y/N]: n

Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:

Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:

========================================
===== Configure Ingestion Settings =====
========================================

Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
: 1

File Path (Path of file to monitor) [path/to/file.txt]: path/to/file.txt

Preview changes:

  - Press Up/b or Down/z keys to paginate.
  - To switch case-sensitivity, press '-i' and press enter. By default, search
    is case-sensitive.
  - To search for specific field, press '/' key, enter text and press enter.
  - Press 'q' to quit and confirm preview changes.
  - Press `h` for all the available options to navigate the list.
=============================================================================

Config:
  File settings:
    File path: path/to/file.txt
  Log type: WINDOWS_DNS
  Max bytes per batch: 1048576
  Max seconds per batch: 10
  Metadata:
    Asset namespace: test
    Labels:
    - key: k1
      value: v1
  Regex filters:
    Behavior: ALLOW
    Description: disc2
    Regexp: .*
Display name: test_display

Do you want to create collector with this configuration? [y/N]: y

Creating collector...
Collector created successfully with Collector ID: b50a6b41-5476-41ee-ba7c-ce529ecffa62

argumento get

Para acessar detalhes de um coletor atual, use o seguinte comando:

$ chronicle_cli forwarders collectors get --help
Usage: main forwarders collectors get [OPTIONS]

  Get a collector using collector ID.

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída

Insira o ID do coletor interativamente para receber os detalhes do coletor.

$ chronicle_cli forwarders collectors get
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f

Fetching collector details...

Collector Details:

ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Display name: collector_4
State: ACTIVE
Config:
  Log type: WINDOWS_DNS
  Metadata:
    Asset namespace: test_namespace
    Labels:
    - key: key1
      value: value1
    - key: key2
      value: value2
  Regex filters:
  - description: desc1
    regexp: .*
    behavior: ALLOW
  - description: desc2
    regexp: .*
    behavior: BLOCK
  Max seconds per batch: 10
  Max bytes per batch: '1048576'
  File settings:
    File path: path/to/file.txt

argumento list

Para exibir a lista de todos os coletores, use o seguinte comando:

chronicle_cli forwarders collectors list --help
Usage: main forwarders collectors list [OPTIONS]

  List all collectors.

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  --export TEXT                   Export output to specified file path.
  --file-format [TXT|CSV|JSON]    Format of the file to be exported.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
$ chronicle_cli forwarders collectors list
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4

Collector Details:

ID: 153e4077-cd49-4ce5-87aa-254d239b9dda
Display name: collector_2
State: ACTIVE
Config:
  Log type: WINDOWS_DNS
  Metadata:
    Asset namespace: test
    Labels:
    - key: key1
      value: value1
    - key: key2
      value: value2
  Regex filters:
  - description: desc1
    regexp: .*
    behavior: ALLOW
  Disk buffer:
    State: ACTIVE
    Directory path: path/to/dir
    Max file buffer bytes: '209'
  Max seconds per batch: 10
  Max bytes per batch: '1048576'
  File settings:
    File path: path/to/file.txt

================================================================================

Collector Details:

ID: b50a6b41-5476-41ee-ba7c-ce529ecffa62
Display name: test_display
State: ACTIVE
Config:
  Log type: WINDOWS_DNS
  Metadata:
    Asset namespace: test
    Labels:
    - key: k1
      value: v1
  Regex filters:
  - description: disc2
    regexp: .*
    behavior: ALLOW
  - description: test
    regexp: test
    behavior: BLOCK
  Disk buffer:
    State: ACTIVE
    Directory path: test
    Max file buffer bytes: '55'
  Max seconds per batch: 5
  Max bytes per batch: '556676'
  Syslog settings:
    Protocol: TCP
    Address: 1.2.3.4
    Port: 3456
    Buffer size: '65536'
    Connection timeout: 60
    Tls settings:
      Certificate: test
      Certificate key: test
      Minimum tls version: '56'
      Insecure skip verify: true

================================================================================

argumento update

Para atualizar um coletor atual, use o seguinte comando:

$ chronicle_cli forwarders collectors update --help
Usage: main forwarders collectors update [OPTIONS]

  Update a collector using collector ID.

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
$ chronicle_cli forwarders collectors update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f

(*) Collector Display Name [collector_4]:

========================================
======== Collector Configuration ======
========================================

(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:

Do you want to proceed with Collector Metadata? [y/N]: y

========================================
========== Collector Metadata ==========
========================================

Asset Namespace [test_namespace]:

========================================
=========== Forwarder Labels ===========
========================================

Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[{'key1':'value1'},{'key2':'value2'}]

Do you want to proceed with Collector Regex Filters? [y/N]: y

========================================
======= Collector Regex Filters =======
========================================

Filter Description (Describes what is being filtered and why)[old_desc]: desc1

Filter Regexp (The regular expression used to match against each incoming line)[.*]: .*

Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block

You have selected allow

Do you want to add more Collector Regex Filters? [y/N]: y

Filter Description (Describes what is being filtered and why): desc2

Filter Regexp (The regular expression used to match against each incoming line): .*

Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 2

You have selected block

Do you want to add more Collector Regex Filters? [y/N]: n

Do you want to proceed with Collector Disk Buffer? [y/N]: n

Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:

Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:

========================================
===== Configure Ingestion Settings =====
========================================

Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings

File Path (Path of file to monitor) [path/to/file.txt]: path/to/file.txt

Do you want to update collector with this configuration? [y/N]: y

Updating collector...

Collector updated successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f

Se a atualização do coletor falhar e você inserir o mesmo ID do coletor, uma solicitação será exibida para repetir o coletor com falha ou para reiniciar o processo. Se você inserir um ID do coletor que não corresponde ao ID do coletor com falha, a opção de nova tentativa não será exibida e o processo normal de atualização do coletor continuará. O mecanismo de repetição permite alterar os valores de opção fornecidos na tentativa com falha anterior de maneira interativa. Pressione Enter para reutilizar o mesmo valor de uma opção no fluxo de atualização do coletor.

...
Updating collector...

Do you want to update collector with this configuration? [y/N]: y

Error occurred while updating collector.
Response Code: 400.
Error: generic::invalid_argument: update collector (id: 3a74b289-ccb4-4cee-9713-611a3362f48f) for forwarder (id: a7e59660-959b-44e7-aa7e-baec820d01f4) for customer (id: ed19f037-2354-43df-bfbf-350362b45844): validation errors in request: generic::invalid_argument: filter's description is not specified: invalid argument

$ chronicle_cli forwarders collectors update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f

Looks like there was a failed create/update attempt for collector_4.
Would you like to retry?

(*) Collector Display Name [collector_4]:

========================================
======== Collector Configuration ======
========================================

(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:

Do you want to proceed with Collector Metadata? [y/N]: n

Do you want to proceed with Collector Regex Filters? [y/N]: y

========================================
======= Collector Regex Filters =======
========================================

Filter Description (Describes what is being filtered and why)[old_desc]: desc1

Filter Regexp (The regular expression used to match against each incoming line) [.*]:

Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block

You have selected allow

Do you want to add more Collector Regex Filters? [y/N]: n

Do you want to proceed with Collector Disk Buffer? [y/N]: n

Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:

Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:

========================================
===== Configure Ingestion Settings =====
========================================

Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
[1]:

File Path (Path of file to monitor) [path/to/file.txt]:

Do you want to update collector with this configuration? [y/N]: y

Updating collector...

Collector updated successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f

argumento delete

Use esse argumento para excluir um coletor usando um ID do coletor. Na execução, ele solicita que o ID do coletor seja excluído.

Para excluir um coletor atual, use o seguinte comando:

$ chronicle_cli forwarders collectors delete --help
Usage: main forwarders collectors delete [OPTIONS]

  Delete a collector using collector ID.

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.
Exemplo de saída
$ chronicle_cli forwarders collectors delete
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f

Collector (ID: 3a74b289-ccb4-4cee-9713-611a3362f48f) deleted successfully.

Opções

Ajuda (-h / --help)

Use a opção -h ou --help para visualizar o uso/descrição de qualquer comando/opção.

Exemplo de uso
$ chronicle_cli forwarders list -h
Usage: main forwarders list [OPTIONS]

  List all forwarders

Options:
  --url TEXT                      Base URL to be used for API calls.
  --region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|US]
                                  Select region.
  --verbose                       Prints verbose output to the console.
  --export TEXT                   Export output to specified file path.
  --file-format [TXT|CSV|JSON]    Format of the file to be exported.
  -c, --credential_file TEXT      Path of Service Account JSON. Default: /usr/
                                  local/google/home/<user>/.chronicle_cl
                                  i/chronicle_credentials.json
  -h, --help                      Show this message and exit.

Caminho das credenciais (-c ou --credential-path)

Essa opção permite especificar o caminho das credenciais da conta de serviço a ser usada para a autenticação do usuário. Se essa opção não for especificada, a CLI do Chronicle vai procurar credenciais no caminho padrão, ou seja, ~/.chronicle_cli (dentro de um diretório oculto chamado .chronicle_cli no diretório inicial).

Exemplo de uso
$ chronicle_cli forwarders list --credential-path=C:\chronicle_credentials.json

Detalhado (--detalhado)

Essa opção permite imprimir os detalhes da solicitação HTTP feita e da Resposta recebida.

Exemplo de uso
$ chronicle_cli forwarders list --verbose

Exportar (--export)

Essa opção permite especificar o caminho do arquivo em que a saída do comando list será exportada. Há suporte para caminhos relativos e absolutos.

Exemplo de uso
$ chronicle_cli forwarders list --export=$HOME/listForwarderssResponse

Formato do arquivo (--file-format)

Essa opção permite especificar o formato do arquivo do conteúdo exportado com o comando list. Existem três formatos compatíveis: CSV, JSON e TXT. Se essa opção não for especificada com a opção --export, o formato CSV será usado como padrão.

Exemplo de uso
$ chronicle_cli forwarders list --export=$HOME/listForwardersResponse --file-format=JSON
Exemplo de saída
Formato JSON
{
  "forwarders": [
    {
      "name": "55a77e24-9d16-4638-8940-0ef8071ed849",
      "displayName": "new",
      "config": {
        "uploadCompression": true,
        "metadata": {
          "assetNamespace": "test",
          "labels": [
            {
              "key": "k",
              "value": "v"
            },
            {
              "key": "k1",
              "value": "v1"
            }
          ]
        },
        "regexFilters": [
          {
            "description": "desc1",
            "regexp": ".*",
            "behavior": "ALLOW"
          }
        ],
        "serverSettings": {
          "gracefulTimeout": 15,
          "drainTimeout": 10,
          "httpSettings": {
            "port": 8080,
            "host": "0.0.0.0",
            "readTimeout": 3,
            "readHeaderTimeout": 3,
            "writeTimeout": 3,
            "idleTimeout": 3,
            "routeSettings": {
              "availableStatusCode": 204,
              "readyStatusCode": 204,
              "unreadyStatusCode": 503
            }
          },
          "state": "ACTIVE"
        }
      },
      "state": "ACTIVE",
      "collectors": {
        "Collector [3e8243c3-7ff2-4ede-89fe-16410ffe03bd]": {
          "name": "3e8243c3-7ff2-4ede-89fe-16410ffe03bd",
          "displayName": "cre_test_2",
          "state": "ACTIVE",
          "config": {
            "logType": "WINDOWS_DNS",
            "metadata": {
              "assetNamespace": "test",
              "labels": [
                {
                  "key": "k",
                  "value": "v"
                }
              ]
            },
            "regexFilters": [
              {
                "description": "desc1",
                "regexp": ".*",
                "behavior": "ALLOW"
              }
            ],
            "diskBuffer": {
              "state": "ACTIVE",
              "directoryPath": "23",
              "maxFileBufferBytes": "33"
            },
            "maxSecondsPerBatch": 10,
            "maxBytesPerBatch": "1048576",
            "fileSettings": {
              "filePath": "path/file.txt"
            }
          }
        }
      }
    }
  ]
}
Formato CSV

1. {file_name}_forwarders.csv

2. {file_name}_collectors.csv

Exemplo de conteúdo do arquivo:

{file_name}_forwarders.csv:

Name,Display name,Forwarder state,[CONFIG] Upload compression,[CONFIG][METADATA] Asset namespace,[CONFIG][METADATA] Labels,[CONFIG] Regex filters,[CONFIG][SERVER_SETTINGS] Server state,[CONFIG][SERVER_SETTINGS] Graceful timeout,[CONFIG][SERVER_SETTINGS] Drain timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Port,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Host,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Read timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Read header timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Write timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Idle timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Available status code,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Ready status code,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Unready status code
0593ba21-a1c7-4279-b429-bc8df959bd59,test,ACTIVE,True,test,"k1: v1

k2: v2
",,,,,,,,,,,0,0,0
094c9e41-e7c8-407a-8b9a-eb34d608a609,test,ACTIVE,True,te,"k1: v1

k2: v2
",,,,,,,,,,,0,0,0
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,test,ACTIVE,True,test,"key1: value1

key2: value2
",,ACTIVE,15,10,8080,0.0.0.0,3,4,5,8,204,204,500

{file_name}_collectors.csv

Forwarder ID,Name,Display Name,Collector state,[CONFIG] Log type,[CONFIG] Max seconds per batch,[CONFIG] Max bytes per batch,[CONFIG][METADATA] Asset namespace,[CONFIG][METADATA] Labels,[CONFIG] Regex filters,[CONFIG][DISK_BUFFER] State,[CONFIG][DISK_BUFFER] Directory path,[CONFIG][DISK_BUFFER] Max file buffer bytes,[CONFIG][FILE_SETTINGS] File path,[CONFIG][KAFKA_SETTINGS][AUTHENTICATION] username,[CONFIG][KAFKA_SETTINGS][AUTHENTICATION] password,[CONFIG][KAFKA_SETTINGS] Topic,[CONFIG][KAFKA_SETTINGS] Group id,[CONFIG][KAFKA_SETTINGS] Timeout,[CONFIG][KAFKA_SETTINGS] Brokers,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Certificate,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Certificate key,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Minimum tls version,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Insecure skip verify,[CONFIG][PCAP_SETTINGS] Network interface,[CONFIG][PCAP_SETTINGS] Bpf,[CONFIG][SPLUNK_SETTINGS][AUTHENTICATION] username,[CONFIG][SPLUNK_SETTINGS][AUTHENTICATION] Password,[CONFIG][SPLUNK_SETTINGS] Host,[CONFIG][SPLUNK_SETTINGS] Port,[CONFIG][SPLUNK_SETTINGS] Minimum window size,[CONFIG][SPLUNK_SETTINGS] Maximum windows size,[CONFIG][SPLUNK_SETTINGS] Query string,[CONFIG][SPLUNK_SETTINGS] Query mode,[CONFIG][SPLUNK_SETTINGS] Cert ignored,[CONFIG][SYSLOG_SETTINGS] Protocol,[CONFIG][SYSLOG_SETTINGS] Address,[CONFIG][SYSLOG_SETTINGS] Port,[CONFIG][SYSLOG_SETTINGS] Buffer size,[CONFIG][SYSLOG_SETTINGS] Connection timeout,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Certificate,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Certificate key,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Minimum tls version,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Insecure skip verify
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,03d28371-1bcb-4b28-9364-18412de1f827,collector_2,ACTIVE,WINDOWS_DNS,10,1048576,collector_update,"key1: value1

key2: value2
",,ACTIVE,path/file.txt,23,path/to/file.txt,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,8ba8278c-1eef-4a72-a45a-491463768c70,col_3,ACTIVE,WINDOWS_DNS,10,1048576,test,"k1: v1
",,ACTIVE,path/to/file,233,path,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
55a77e24-9d16-4638-8940-0ef8071ed849,3e8243c3-7ff2-4ede-89fe-16410ffe03bd,cre_test_2,ACTIVE,WINDOWS_DNS,10,1048576,test,"k: v
",,ACTIVE,23,33,path/file.txt,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Região (--region)

É possível selecionar a região transmitindo a sinalização --region ao executar um comando. Para mais informações sobre como definir a região padrão, consulte Definir região padrão.

Solução de problemas

Códigos de erro

Nesta seção, mostramos a saída exibida no console em relação aos diferentes tipos de códigos de resposta recebidos da resposta da API.

Consulte as tabelas a seguir para ver a saída de cada comando:

Comando Get

Código de resposta Saída do console
404 {Forwarder|Collector} não existe.
400 ID de {Forwarder|Collector} inválido. Insira um ID de {Forwarder|Collector} válido.
Qualquer outro código de resposta Erro ao buscar {Forwarder|Collector}. Código da resposta: {status code} Erro: {error message}

Comando List

Código de resposta Saída do console
Qualquer código de resposta diferente de 200 Erro: Código de resposta: {status code} Erro: {error message}

Comando Create

Código de resposta Saída do console
Qualquer código de resposta diferente de 200 Ocorreu um erro ao criar {forwarder|collector} Código de resposta: {status code} Erro: {error message}

Comando Update

Código de resposta Saída do console
Qualquer código de resposta diferente de 200 Ocorreu um erro ao atualizar {forwarder|collector}. Código da resposta: {status code} Erro: {error message}

Comando Delete

Código de resposta Saída do console
404 {Forwarder|Collector} não existe.
400 ID de {Forwarder|Collector} inválido. Insira um ID de {Forwarder|Collector} válido.
Qualquer outro código de resposta Ocorreu um erro ao excluir {Forwarder|Collector}. Código da resposta: {status code} Erro: {error message}

Outros erros ou exceções

Exceção Saída do console
KeyError Não foi possível encontrar a chave {key name} na resposta.
Exceção Falha com a exceção: {exception details}
Arquivo de credencial ausente Falha com exceção: [Errno 2] Arquivo ou diretório inexistente: '/usr/local/google/home//.chronicle_cli/chronicle_credentials.json'

Você precisa colocar as credenciais no diretório esperado. Consulte Instalação.

Para outras dúvidas ou problemas com a CLI do Chronicle, entre em contato com o suporte do Chronicle.

Fluxos de trabalho de acesso aos dados do BigQuery

O Chronicle oferece suporte ao acesso de autoatendimento aos dados do Chronicle no BigQuery. É possível usar a CLI do Chronicle para conceder papéis do Identity and Access Management (IAM) que concedem as permissões abaixo para um e-mail de usuário:

  • roles/bigquery.dataViewer
  • roles/bigquery.jobUser
  • roles/storage.objectViewer

O e-mail precisa ser um endereço de e-mail de usuário da Administração do ID e das Contas do Google (GAIA) de um cliente do Chronicle Security.

Para mais informações sobre esses papéis, consulte Como exportar dados de tabelas.

Comandos

Comando bigquery

O comando bigquery usa o argumento provide_access.

Sintaxe de uso:

$ chronicle_cli bigquery ARGUMENT [OPTIONS]

Argumentos

argumento provide_access

Solicita que você insira um endereço de e-mail do usuário. O e-mail precisa ser de um cliente do Chronicle Security de um cliente da Administração do ID e das Contas do Google (GAIA). O usuário vai receber os papéis do IAM necessários para fazer o seguinte:

  • Ler dados e metadados de tabelas do BigQuery (roles/bigquery.dataViewer)
  • Executar consultas nos dados da tabela do BigQuery (roles/bigquery.jobUser)
  • Ler dados nos buckets do Google Cloud Storage(roles/storage.objectViewer)
Exemplo de uso
$ chronicle_cli bigquery provide_access
$ Enter email: xyz@gmail.com
Resposta de sucesso
Providing BigQuery access...
Access provided to email: xyz@gmail.com
Resposta de erro
Providing BigQuery access...
Error while providing access:
Response code: 400

Opções

Ajuda (-h / --help)

Use a opção de ajuda -h ou -- para consultar o uso/descrição de qualquer comando/opção.

Solução de problemas

Nesta seção, mostramos a saída exibida no console em relação aos diferentes tipos de códigos de resposta recebidos da resposta da API.

Códigos de resposta de argumentos provide_access

Código de resposta Saída do console
400 O e-mail não existe.
Qualquer outro código de resposta Ocorreu um erro ao buscar o feed. Código da resposta: {status code} Erro: {error message}