Google SecOps CLI user guide
In addition to the Google Security Operations graphical user interface, advanced users can also launch Google SecOps workflows through the Google SecOps command-line interface (CLI), chronicle_cli.
You can use the Google SecOps CLI to run the workflows described in this guide: feed management and parser management.
Google SecOps CLI commands use the following syntax (COMMAND and ARGUMENT are required; OPTIONS are optional):
$ chronicle_cli COMMAND ARGUMENT [OPTIONS]
For example, to create a new feed with the feed management workflow, use the following command:
$ chronicle_cli feeds create
Before you begin
Before installing the Google SecOps CLI, complete the following steps:
- Install Python 3 in your environment. For details, see Installing Python.
- Create and activate a virtual environment. For details, see Installing packages using pip and virtual environments.
- Create a hidden directory named .chronicle_cli in your home directory and place the Google developer service account credentials in it, named chronicle_credentials.json. A Google Security Operations representative provides the Google developer service account credentials, which let chronicle_cli communicate with the API.
If you plan to use the parser management v2 commands, also make sure to do the following:
- Bind your Google SecOps instance to a project that you own. See the related documentation.
- Create a service account in the project bound to Google SecOps. For details, see Creating and managing service account keys.
- Grant the Chronicle API Admin (roles/chronicle.admin) role to the service account.
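As an added example, not part of the chronicle_cli project, the following Python script stages a downloaded service account key into the location the CLI reads by default (~/.chronicle_cli/chronicle_credentials.json) with owner-only permissions, and checks that the file is a private service account key before the CLI is pointed at it. The 0600/0700 modes, the function names and the sample key content are assumptions of this example.

```python
"""Stage the chronicle_cli service account key with owner-only permissions.

Added example; not part of the chronicle_cli project. It targets the default
location from the CLI's -c/--credential-path help text
(~/.chronicle_cli/chronicle_credentials.json). The 0600/0700 modes, the
function names and the sample key content are assumptions of this example.
"""
import json
import os
import shutil
import stat
import tempfile

DEFAULT_DIR = os.path.join(os.path.expanduser("~"), ".chronicle_cli")
CRED_NAME = "chronicle_credentials.json"

# Constructed sample key; a real key from your Google Security Operations
# representative also carries private_key, client_email and related fields.
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "example-project"})


def check_credentials(path):
    """Return a list of problems with the key file at path (empty list means OK)."""
    if not os.path.isfile(path):
        return ["credentials file not found: %s" % path]
    problems = []
    if os.name == "posix":  # POSIX modes only; Windows ACLs are not checked here
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            problems.append("mode %o allows group/other access, expected 600" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + ["cannot parse as JSON: %s" % exc]
    key_type = key.get("type") if isinstance(key, dict) else None
    if key_type != "service_account":
        problems.append("not a service account key (type=%r)" % key_type)
    return problems


def install_credentials(src, directory=DEFAULT_DIR):
    """Copy src into directory as chronicle_credentials.json, private from the start.

    The directory is created or tightened to 0700; the destination is opened
    with 0600 before any secret bytes are written, so no world-readable copy
    ever exists. Returns the destination path, or raises ValueError when the
    staged file still fails check_credentials.
    """
    os.makedirs(directory, mode=0o700, exist_ok=True)
    dst = os.path.join(directory, CRED_NAME)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    if os.name == "posix":
        os.chmod(directory, 0o700)  # exist_ok=True does not tighten an existing dir
        os.chmod(dst, 0o600)        # nor does O_CREAT change a pre-existing file
    problems = check_credentials(dst)
    if problems:
        raise ValueError("; ".join(problems))
    return dst


def run_demo():
    """Stage SAMPLE_KEY from a world-readable download into a private directory.

    Returns the check results before and after staging plus the resulting
    modes, so the outcome can be inspected without reading the console.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "downloaded_key.json")
        with open(src, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_KEY)
        os.chmod(src, 0o644)  # typical mode of a file saved by a browser
        before = check_credentials(src)
        target_dir = os.path.join(tmp, ".chronicle_cli")
        staged = install_credentials(src, target_dir)
        return {
            "before": before,
            "after": check_credentials(staged),
            "file_mode": stat.S_IMODE(os.stat(staged).st_mode),
            "dir_mode": stat.S_IMODE(os.stat(target_dir).st_mode),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%s: %s" % (name, value))
```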
Installation
This section describes how to install the Google SecOps CLI in your environment.
Create and activate a virtual environment (venv). Clone the repository with the following command:
git clone https://github.com/chronicle/cli.git
Open a terminal and run the following commands to install all required dependency packages in the virtual environment:
$ cd cli
$ (env) pip install -r requirements.txt
Run the following command to install the Google SecOps binary:
$ (env) python3 -m pip install --editable .
Run the following command to verify that the installation succeeded:
$ chronicle_cli --help
Sample output
Usage: chronicle_cli [OPTIONS] COMMAND [ARGS]...
Google SecOps CLI is a CLI tool for managing Google SecOps user workflows for e.g.
Feed Management workflows.
Options:
-h, --help Show this message and exit.
Commands:
feeds Feed Management Workflows
Options
When running a command, you can supply additional flags to override the default settings.
Set the default region (--region)
You can pass the --region flag with a command to select a region; API calls are then sent to the corresponding Chronicle regional backend.
You can set the following regions:
ASIA-NORTHEAST1
ASIA-SOUTH1
ASIA-SOUTHEAST1
AUSTRALIA-SOUTHEAST1
EUROPE
EUROPE-WEST2
EUROPE-WEST3
EUROPE-WEST6
EUROPE-WEST9
EUROPE-WEST12
ME-CENTRAL1
ME-CENTRAL2
ME-WEST1
NORTHAMERICA-NORTHEAST2
SOUTHAMERICA-EAST1
US
If no region is specified, the default region is US.
Feed management workflow
You can use the Google SecOps CLI to create and manage data feeds for your Google SecOps instance.
Commands
feeds command
The feeds command takes the following arguments:
create
update
get
list
delete
enable
disable
Usage syntax:
$ chronicle_cli feeds ARGUMENT [OPTIONS]
Arguments
create argument
Create a new feed.
Usage example
$ chronicle_cli feeds create --help
Usage: chronicle_cli feeds create [OPTIONS]
Create a feed
Options:
--url TEXT Base URL to be used for API calls.
--region
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
- On Windows
====================================
========== Set Properties ==========
====================================
List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API
[Source type] Enter your choice: 7
You have selected Third party API
List of Log types:
(i) How to select log type?
- Press ENTER key (scrolls one line at a time) or SPACEBAR key (display next screen).
- Note down the choice number for the log type that you want to select.
- Press 'q' to quit and enter that choice number.
=============================================================================
1. Anomali
2. Azure AD
3. Azure AD Directory Audit
4. Azure AD Organizational Context
5. Cloud Passage
6. Duo Auth
7. Duo User Context
8. Fox-IT
9. Imperva
10. Microsoft Graph API Alerts:
[Log type] Enter your choice: 7
You have selected Duo User Context
Enter feed display name: my_duo_user_context_feed
======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.
(*) Username (Username to authenticate as)
=> USERNAME
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> api-xxxxxxxx.duosecurity.com
Feed created successfully with Feed ID: 9cfce415-97df-413b-8e38-e7c747f9ed38
- On other platforms, such as Linux/Ubuntu/CentOS/macOS
====================================
========== Set Properties ==========
====================================
List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API
[Source type] Enter your choice: 7
You have selected Third party API
List of Log types:
(i) How to select log type?
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific log type, press '/' key, enter text and press enter.
- Note down the choice number for the log type that you want to select.
- Press 'q' to quit and enter that choice number.
- Press `h` for all the available options to navigate the list.
=============================================================================
1. Anomali
2. Azure AD
3. Azure AD Directory Audit
4. Azure AD Organizational Context
5. Cloud Passage
6. Duo Auth
7. Duo User Context
8. Fox-IT
9. Imperva:
[Log type] Enter your choice: 7
You have selected Duo User Context
======================================
======================================
(*) - Required fields.
Password/secret inputs are hidden.
(*) Username (Username to authenticate as)
=> USERNAME
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> api-xxxxxxxx.duosecurity.com
Feed created successfully with Feed ID: 9cfce415-97df-413b-8e38-e7c747f9ed38
If feed creation fails, you are asked whether to retry the next time you run the command. You can choose to retry or to continue creating a new feed. The retry mechanism lets you interactively change the values you provided in the failed attempt. Press Enter during the feed creation flow to reuse the same value for an option.
Sample output
====================================
========== Set Properties ==========
====================================
List of Source types:
1. Amazon S3
2. Amazon SQS
3. Google Cloud Storage
4. HTTP(S) URI
5. Microsoft Azure Blob Storage
6. SFTP
7. Third party API
[Source type] Enter your choice: 7
You have selected Third party API
[Log type] Enter your choice: 6
You have selected Duo Auth
Enter feed display name: my_duo_auth_feed
======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.
(*) Username (Username to authenticate as)
=> test
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com")
=> test.com
Error occurred while creating feed.
Response Code: 400.
Error: generic::invalid_argument: failed to create feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to create feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to create feed because of the following errors in the request: generic::invalid_argument: for Duo feeds, 'hostname' must be specified as "api-xxxxxxxx.duosecurity.com", e.g. "api-eval.duosecurity.com"
$ chronicle_cli feeds create
Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?
======================================
=========== Input Parameters =========
======================================
(*) - Required fields.
Password/secret inputs are hidden.
(*) Username (Username to authenticate as) [test]
=>
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [test.com]
=> api-xxxxxxxx.duosecurity.com
Feed created successfully with Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
get argument
Get the details of an existing feed.
Usage example
$ chronicle_cli feeds get --help
Usage: main feeds get [OPTIONS]
Get feed details using Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
You must enter the feed ID interactively to get the feed details.
Sample output
Enter Feed ID: 72d9b843-b387-4b17-ab2d-a8497313c89c
Feed Details:
ID: 72d9b843-b387-4b17-ab2d-a8497313c89c
Display Name: my_duo_auth_feed
Source type: Third party API
Log type: Salesforce
State: ACTIVE
Feed Settings:
API Hostname: myinstance.salesforce.com
list argument
List all feeds. This command retrieves the details of all feeds.
Usage example
$ chronicle_cli feeds list --help
Usage: chronicle_cli feeds list [OPTIONS]
List all feeds
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
Feed Details:
ID: 29259301-156b-4b60-ae91-855d15c39f6a
Source type: Third party API
Log type: Anomali
State: INACTIVE
============================================================
Feed Details:
ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
Display Name: my_duo_auth_feed
Source type: Third party API
Log type: Duo Auth
State: ACTIVE
Feed Settings:
API hostname: api-test.duosecurity.com
============================================================
Feed Details:
ID: 0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65
Source type: Third party API
Log type: Workspace Activities
State: ACTIVE
Feed Settings:
Customer ID: C12abc
Applications: ['drive', 'login']
============================================================
To export the data, specify the absolute or relative path of the export file and the file format (CSV/TXT/JSON). The default file format is CSV.
Sample output
Feed Details:
ID: 29259301-156b-4b60-ae91-855d15c39f6a
Source type: Third party API
Log type: Anomali
State: INACTIVE
============================================================
Feed Details:
ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
Display Name: my_duo_auth_feed
Source type: Third party API
Log type: Duo Auth
State: ACTIVE
Feed Settings:
API hostname: api-test.duosecurity.com
============================================================
Feed Details:
ID: 0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65
Source type: Third party API
Log type: Workspace Activities
State: ACTIVE
Feed Settings:
Customer ID: C12abc
Applications: ['drive', 'login']
============================================================
Feed list details exported successfully to: /usr/local/google/home/<user>/out/chronicle-cli/output.txt
update argument
Update an existing feed.
Usage example
$ chronicle_cli feeds update --help
Usage: chronicle_cli feeds update [OPTIONS]
Update feed details using Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
After running the command, enter the feed ID and all field values again. Press Enter to reuse the old value of a field.
Sample output
Enter Feed ID: ea28d66b-d81b-4b4d-ae16-3b1cd98132ca
Press Enter if you don't want to update.
Enter feed display name[old_display_name]:
(*) Username (Username to authenticate as)
=> USERNAME
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [api-xxxxxxxx.duosecurity.com]
=>
Feed updated successfully with Feed ID: ea28d66b-d81b-4b4d-ae16-3b1cd98132ca
Enter Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
Press Enter if you don't want to update.
Enter feed display name[]: my_feed_display_name
(*) Username (Username to authenticate as)
=> test1
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [api-xxxxxxxx.duosecurity.com]
=> test.com
Error occurred while updating feed. Response code: 400.
Error: generic::invalid_argument: failed to update feed for the customer (ID: ed19f037-2354-43df-bfbf-350362b45844): failed to edit feed because of the following errors in the request: generic::invalid_argument: for Duo feeds, 'hostname' must be specified as "api-xxxxxxxx.duosecurity.com", e.g. "api-eval.duosecurity.com"
$ chronicle_cli feeds update
Enter Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?
Press Enter if you don't want to update.
(*) Username (Username to authenticate as) [test1]
=>
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [test.com]
=> api-devtest.duosecurity.com
Feed updated successfully with Feed ID: 29a2f967-6f6e-4521-bebf-6fb6c7383df6
If a feed update fails and you enter the same feed ID again, you are prompted to either retry the failed feed or restart the process. If the feed ID you enter does not match the failed feed's ID, the retry option is not shown and the normal feed update process continues. The retry mechanism lets you interactively change the option values you provided in the failed attempt. Press Enter during the feed update flow to reuse the same value for an option.
Sample output
Enter Feed ID: 51574667-dee6-408b-a5fc-0e07d3e9a429
Looks like there was a failed feed create/update attempt with source type: Third party API and log type: Duo Auth.
Would you like to retry?
Press Enter if you don't want to update.
Enter feed display name[old_display_name]:
(*) Username (Username to authenticate as) [TEEST]
=> TEST
(*) Secret (Secret to authenticate with)
=>
(*) API hostname (The fully qualified domain name for your instance of the API, having the form "api-xxxxxxxx.duosecurity.com") [asd]
=> api-xxxxxxxx.duosecurity.com
Feed updated successfully with Feed ID: 51574667-dee6-408b-a5fc-0e07d3e9a429
delete argument
Use this argument to delete a feed by its feed ID. When run, it asks for the ID of the feed to delete.
Usage example
$ chronicle_cli feeds delete --help
Usage: chronicle_cli feeds delete [OPTIONS]
Delete a feed
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
Enter Feed ID: b0798c54-ed84-44e7-96d5-cbe208f28e49
Feed (ID: b0798c54-ed84-44e7-96d5-cbe208f28e49) deleted successfully.
enable argument
Enable a feed.
Usage example
$ chronicle_cli feeds enable --help
Usage: main feeds enable [OPTIONS]
Enable feed for the given Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
You must enter the feed ID to enable the feed.
Sample output
Enter Feed ID: 29259301-156b-4b60-ae91-855d15c39f6a
Feed with ID: 29259301-156b-4b60-ae91-855d15c39f6a enabled successfully.
disable argument
Disable a feed.
Usage example
$ chronicle_cli feeds disable --help
Usage: main feeds disable [OPTIONS]
Disable feed for the given Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
You must enter the feed ID to disable the feed.
Sample output
Enter Feed ID: 29259301-156b-4b60-ae91-855d15c39f6a
Feed with ID: 29259301-156b-4b60-ae91-855d15c39f6a disabled successfully.
Options
Help (-h / --help)
Use the -h or --help option to view the usage/help for any command or option.
Usage example
$ chronicle_cli feeds get -h
Usage: main feeds get [OPTIONS]
Get feed details using Feed ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console
-c, --credential-path TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli/chron
icle_credentials.json
-h, --help Show this message and exit.
Credential path (-c or --credential-path)
This option specifies the path of the service account credentials used for authentication. If it is not specified, the Google SecOps CLI looks for the credentials in the default path: the hidden .chronicle_cli directory in your home directory (~/.chronicle_cli).
Usage example
$ chronicle_cli feeds list --credential-path=C:\chronicle_credentials.json
Verbose (--verbose)
With this flag, the Google SecOps CLI prints more details to the console, such as the HTTP requests and responses.
Usage example
$ chronicle_cli feeds list --verbose
Export (--export)
This option lets you specify the file path to which the output of the list command is exported. Both relative and absolute paths are supported.
Usage example
$ chronicle_cli feeds list --export=$HOME/listFeedsResponse.txt
File format (--file-format)
This option lets you specify the file format of the content exported by the list command. Three formats are supported: CSV, JSON, and TXT. If this option is not specified together with the --export option, the CSV format is used by default.
Usage example
$ chronicle_cli feeds list --export=$HOME/listFeedsResponse.txt --file-format=TXT
Sample output
CSV format
ID,Display Name,Source type,Log type,State,Feed Settings
29259301-156b-4b60-ae91-855d15c39f6a,,Third party API,Anomali,INACTIVE,
292b7629-0250-476c-9fb2-4c8a738ce42c,my_duo_auth_feed,Third party API,Duo Auth,ACTIVE,API hostname: api-xxxxxxxxabjdsfklsadlfnsafs.duosecurity.com
0d063a7f-34a1-4dd0-9dcf-9c7a0bb03e65,,Third party API,Workspace Activities,ACTIVE,"Customer ID: C12abc Applications: ['drive', 'login']"
TXT format
Feed Details:
ID: 29259301-156b-4b60-ae91-855d15c39f6a
Source type: Third party API
Log type: Anomali
State: INACTIVE
============================================================
Feed Details:
ID: 292b7629-0250-476c-9fb2-4c8a738ce42c
Display Name: my_duo_auth_feed
Source type: Third party API
Log type: Duo Auth
State: ACTIVE
Feed Settings:
API hostname: api-test.duosecurity.com
============================================================
JSON format
[
  {
    "name": "feeds/29259301-156b-4b60-ae91-855d15c39f6a",
    "details": {
      "logType": "ANOMALI_IOC",
      "feedSourceType": "API",
      "anomaliSettings": {}
    },
    "feedState": "INACTIVE"
  },
  {
    "name": "feeds/292b7629-0250-476c-9fb2-4c8a738ce42c",
    "details": {
      "logType": "DUO_AUTH",
      "feedSourceType": "API",
      "duoAuthSettings": {
        "hostname": "api-test.duosecurity.com"
      }
    },
    "feedState": "ACTIVE",
    "displayName": "my_duo_auth_feed"
  }
]
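As an added example, not part of chronicle_cli or this guide, the following Python script audits a JSON export written by `chronicle_cli feeds list --export=<path> --file-format=JSON`: it flags feeds that are not ACTIVE, feeds without a display name, and Duo Auth feeds whose hostname does not have the api-xxxxxxxx.duosecurity.com form that the API rejects with the 400 error shown earlier. The regular expression for that form, the function names and the third sample feed are assumptions of this example.

```python
"""Audit a JSON export from `chronicle_cli feeds list --file-format=JSON`.

Added example; not part of chronicle_cli. Record shape follows the JSON sample
on this page. The Duo hostname rule is the one quoted in the API's 400 error
("api-xxxxxxxx.duosecurity.com"), approximated by a regex (an assumption).
"""
import json
import re

# Assumption: "api-<label>.duosecurity.com", e.g. "api-eval.duosecurity.com".
DUO_HOSTNAME_RE = re.compile(r"^api-[A-Za-z0-9-]+\.duosecurity\.com$")

# Constructed sample export shaped like the page's JSON output: an inactive
# Anomali feed without a display name, a valid Duo Auth feed, and a Duo Auth
# feed given the "test.com" hostname that the API rejected earlier on this page.
SAMPLE_EXPORT = json.dumps([
    {
        "name": "feeds/29259301-156b-4b60-ae91-855d15c39f6a",
        "details": {"logType": "ANOMALI_IOC", "feedSourceType": "API",
                    "anomaliSettings": {}},
        "feedState": "INACTIVE",
    },
    {
        "name": "feeds/292b7629-0250-476c-9fb2-4c8a738ce42c",
        "details": {"logType": "DUO_AUTH", "feedSourceType": "API",
                    "duoAuthSettings": {"hostname": "api-test.duosecurity.com"}},
        "feedState": "ACTIVE",
        "displayName": "my_duo_auth_feed",
    },
    {
        "name": "feeds/00000000-0000-4000-8000-000000000003",  # constructed ID
        "details": {"logType": "DUO_AUTH", "feedSourceType": "API",
                    "duoAuthSettings": {"hostname": "test.com"}},
        "feedState": "ACTIVE",
        "displayName": "misconfigured_duo_feed",
    },
])


def feed_id(feed):
    """Return the bare feed ID from a resource name of the form "feeds/<id>"."""
    return feed["name"].split("/", 1)[-1]


def feed_settings(details):
    """Return the per-log-type settings object (the key that ends in "Settings")."""
    for key, value in details.items():
        if key.endswith("Settings") and isinstance(value, dict):
            return value
    return {}


def audit_feeds(export_text):
    """Return (feed_id, finding) tuples for feeds that need attention.

    Findings: the feed is not ACTIVE (an ingestion gap), it has no displayName
    (hard to attribute in console output), or it is a Duo Auth feed whose
    hostname is not of the form the API accepts.
    """
    findings = []
    for feed in json.loads(export_text):
        fid = feed_id(feed)
        details = feed.get("details", {})
        state = feed.get("feedState", "UNKNOWN")
        if state != "ACTIVE":
            findings.append((fid, "feed state is %s, no data is being ingested" % state))
        if not feed.get("displayName"):
            findings.append((fid, "feed has no displayName"))
        if details.get("logType") == "DUO_AUTH":
            hostname = feed_settings(details).get("hostname", "")
            if not DUO_HOSTNAME_RE.match(hostname):
                findings.append((fid, "Duo hostname %r is not of the form "
                                      "api-xxxxxxxx.duosecurity.com" % hostname))
    return findings


def audit_export_file(path):
    """Audit a file written by `chronicle_cli feeds list --export=<path> --file-format=JSON`."""
    with open(path, encoding="utf-8") as fh:
        return audit_feeds(fh.read())


if __name__ == "__main__":
    for fid, finding in audit_feeds(SAMPLE_EXPORT):
        print("%s: %s" % (fid, finding))
```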
Region (--region)
When running a command, you can pass the --region flag to select a region.
For more information about setting the default region, see Set the default region.
Troubleshooting
This section shows the console output that corresponds to the different response codes received in API responses.
get argument response codes
| Response code | Console output |
| --- | --- |
| 404 | Invalid feed ID. Enter a valid feed ID. |
| 400 | Feed does not exist. |
| Any other response code | Error while fetching feed. Response code: {status code} Error: {error message} |
list argument response codes
| Response code | Console output |
| --- | --- |
| Any response code other than 200 | Error while fetching the feed list. Response code: {status code} Error: {error message} |
| Any feed in the list could not be fetched | At the end of the console output, a list is printed with the feed IDs and the details of the corresponding error messages. |
create argument response codes
| Response code | Console output |
| --- | --- |
| Any response code other than 200 | Error while creating feed. Response code: {status code} Error: {error message} |
update argument response codes
| Response code | Console output |
| --- | --- |
| Any response code other than 200 | Error while updating feed. Response code: {status code} Error: {error message} |
delete argument response codes
| Response code | Console output |
| --- | --- |
| 404 | Invalid feed ID. Enter a valid feed ID. |
| 400 | Feed does not exist. |
| Any other response code | Error while deleting feed. Response code: {status code} Error: {error message} |
enable argument response codes
| Response code | Console output |
| --- | --- |
| 404 | Invalid feed ID. Enter a valid feed ID. |
| 400 | Feed does not exist. |
| Any other response code | Error while enabling feed. Response code: {status code} Error: {error message} |
disable argument response codes
| Response code | Console output |
| --- | --- |
| 404 | Invalid feed ID. Enter a valid feed ID. |
| 400 | Feed does not exist. |
| Any other response code | Error while disabling feed. Response code: {status code} Error: {error message} |
Other errors or exceptions
| Exception | Console output |
| --- | --- |
| KeyError | Key {key name} not found in the response. |
| Exception | Failed with exception: {exception details} |
| Missing credentials file | Failed with exception: [Errno 2] No such file or directory: '/usr/local/google/home/ You must place the credentials in the expected directory. See Installation. |
Parser management v2 user workflows
You can use the Google SecOps CLI to manage configuration-based normalizer (CBN) parsers. Using the parser management v2 CLI commands is recommended.
Commands
parsers command
The parsers command takes the following arguments:
list_parsers
list_extensions
run_parser
submit_parser
submit_extension
delete_parser
delete_extension
deactivate_parser
activate_parser
get_parser
get_extension
get_validation_report
Usage syntax:
$ chronicle_cli parsers ARGUMENT [OPTIONS]
Arguments
All CBN parser management workflows in the Google SecOps CLI are interactive. You can also use command options as needed.
list_parsers argument
List all parsers.
$ chronicle_cli parsers list_parsers -h
Usage: chronicle_cli parsers list_parsers [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
[New]List all parsers for a given customer
Options:
-s, --state [ALL|ACTIVE|INACTIVE]
Filter on Parser State.
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Fetching list of parsers...
Parser Details:
Parser ID: 1242538299340357633
Log type: GCP_CLOUDAUDIT
State: INACTIVE
Type: CUSTOM
Author: -
Validation Report ID: 44684d8a-1d01-4e69-ab50-2e2d6e3ef3b2
Create Time: 2023-07-05T05:36:31.121236Z
============================================================
Parser Details:
Parser ID: 3840440184193679361
Log type: GCP_CLOUDAUDIT
State: INACTIVE
Type: CUSTOM
Author: -
Validation Report ID: 3d2e1bdb-2793-48d1-a485-4f4748095cb8
Create Time: 2023-04-14T09:15:13.718842Z
============================================================
Parser Details:
Parser ID: 3651720008402206721
Log type: GCP_SECURITYCENTER_ERROR
State: ACTIVE
Type: CUSTOM
Author: -
Validation Report ID: -
Create Time: 2023-03-30T09:54:20.414510Z
============================================================
list_extensions argument
List all parser extensions.
$ chronicle_cli parsers list_extensions -h
Usage: chronicle_cli parsers list_extensions [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
[New]List all extensions for a given customer
Options:
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Fetching list of Parser Extensions...
ParserExtension Details:
ParserExtension ID: 7b948bfb-d3f5-4922-9153-a20e75085990
Log type: BRO_DNS
State: VALIDATED
Validation Report ID: 6ef30ad9-db89-4f30-80f3-0f79758ff3c2
Create Time: 2023-07-06T03:58:26.594863Z
State Last Changed Time: 2023-07-06T03:58:26.667151Z
Last Live Time: 2023-07-06T03:58:28.019050Z
============================================================
ParserExtension Details:
ParserExtension ID: 0fd9129b-d02b-42f7-912a-04b0bba0e0a7
Log type: GCP_DNS
State: LIVE
Validation Report ID: 1965880f-7cd7-4943-9adf-4bff0041793d
Create Time: 2023-05-12T08:12:17.090559Z
State Last Changed Time: 2023-05-12T08:12:17.271615Z
Last Live Time: 2023-05-12T08:12:27.244342Z
============================================================
ParserExtension Details:
ParserExtension ID: d9df9d75-bb3a-4c28-b18d-69a608762ecc
Log type: GCP_VPC_FLOW
State: REJECTED
Validation Report ID: c59ef2ab-4a70-4373-bdc8-067c39ca5a40
Create Time: 2023-04-13T04:43:12.884287Z
State Last Changed Time: 2023-04-13T04:43:13.288338Z
Last Live Time: -
============================================================
run_parser argument
To validate a parser against the given logs, use the following command:
$ chronicle_cli parsers run_parser -h
Usage: chronicle_cli parsers run_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSER_CONFIG_FILE LOG_FILE
[New]Run a parser(with extension) against given logs
Options:
--parserextension_config_file TEXT
Path to extension config file.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Running parser(with extension) against given logs...
{"host_ip": "1.1.1.1"}
{'events': [{'event': {'metadata': {'eventTimestamp': '2023-06-26T08:45:10Z', 'eventType': 'GENERIC_EVENT', 'logType': 'BRO_DNS'}, 'principal': {'ip': ['1.1.1.1']}}}]}
some thing
{}
Runtime: 1.2396s
submit_parser argument
Submit a new parser. The submitted parser is validated, and the existing parser is promoted to a rollback candidate.
$ chronicle_cli parsers submit_parser -h
Usage: main parsers submit_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
CONFIG_FILE [AUTHOR]
[New]Submit a new parser
Options:
--skip_validation_on_no_logs Skip validation if no logs are found.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Submitting Parser...
Parser Details:
Parser ID: 12774126091501569
Log type: GCP_CLOUDAUDIT
State: INACTIVE
Type: CUSTOM
Author: -
Validation Report ID: -
Create Time: 2023-07-06T13:58:10.475391Z
============================================================
submit_extension argument
Submit a new parser extension. The submitted parser extension is validated; if validation passes, a new parser extension is created.
$ chronicle_cli parsers submit_extension -h
Usage: chronicle_cli parsers submit_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
CONFIG_FILE LOG_FILE
[New]Submit a new extension
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Submitting Parser Extension...
ParserExtension Details:
ParserExtension ID: 88907461-c115-4204-8391-425b7a9cfb2c
Log type: WORKSPACE_CHROMEOS
State: NEW
Validation Report ID: -
Create Time: 2023-07-06T13:58:10.475391Z
State Last Changed Time: -
Last Live Time: -
============================================================
delete_parser argument
Delete a custom parser. You can then start using the prebuilt parser for the given log type.
$ chronicle_cli parsers delete_parser -h
Usage: chronicle_cli parsers delete_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSER_ID
[New]Delete a parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Deleting Parser…
Parser deleted successfully.
delete_extension argument
Delete a parser extension.
$ chronicle_cli parsers delete_extension -h
Usage: chronicle_cli parsers delete_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSEREXTENSION_ID
[New]Delete an extension
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Deleting Parser Extension…
ParserExtension deleted successfully.
deactivate_parser argument
Deactivate an active custom parser. If deactivation succeeds, you can start using the prebuilt parser for the given log type.
$ chronicle_cli parsers deactivate_parser -h
Usage: chronicle_cli parsers deactivate_parser [OPTIONS] PROJECT_ID CUSTOMER_ID
LOG_TYPE PARSER_ID
[New]Deactivate a parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Deactivating Parser…
Parser deactivated successfully.
activate_parser argument
Activate a custom parser. You can then start using the active parser.
$ chronicle_cli parsers activate_parser -h
Usage: chronicle_cli parsers activate_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSER_ID
[New]Activate a parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Activating Parser…
Parser activated successfully.
get_parser argument
Retrieve the details of the given parser ID and log type.
$ chronicle_cli parsers get_parser -h
Usage: chronicle_cli parsers get_parser [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSER_ID
[New]Get details of a parser
Options:
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Fetching Parser details...
Parser Details:
Parser ID: 3840440184193679361
Log type: GCP_CLOUDAUDIT
State: INACTIVE
Type: CUSTOM
Author: -
Validation Report ID: 3d2e1bdb-2793-48d1-a485-4f4748095cb8
Create Time: 2023-04-14T09:15:13.718842Z
============================================================
get_extension argument
Retrieves the configuration of the parser extension with the given parser extension ID and log type.
$ chronicle_cli parsers get_extension -h
Usage: chronicle_cli parsers get_extension [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
PARSEREXTENSION_ID
[New]Get details of an extension
Options:
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Fetching Parser Extension details...
ParserExtension Details:
ParserExtension ID: 7b948bfb-d3f5-4922-9153-a20e75085990
Log type: BRO_DNS
State: VALIDATED
Validation Report ID: 6ef30ad9-db89-4f30-80f3-0f79758ff3c2
Create Time: 2023-07-06T03:58:26.594863Z
State Last Changed Time: 2023-07-06T03:58:26.667151Z
Last Live Time: 2023-07-06T03:58:28.019050Z
============================================================
get_validation_report argument
Retrieves the validation report of a parser or extension.
$ chronicle_cli parsers get_validation_report [OPTIONS] PROJECT_ID CUSTOMER_ID
LOG_TYPE VALIDATION_REPORT_ID
[New]Get validation report for a parser/extension
Options:
--parser_id TEXT ID of the parser.
--parserextension_id TEXT ID of the parser extension.
--env [prod|test] Optional: Specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select a region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Sample output
Fetching Validation report for ParserExtension...
Validation Report:
Verdict: PASS
Stats:
LogEntry Count: 10000
Successfully Normalized Log Count: 10000
Failed Log Count: 0
Invalid Log Count: 0
On Error Count: 153938
Event Count: 10000
Generic Event Count: 0
Event Category:
Valid_event: 10000
Drop Tag: -
Max Parse Duration: 0.274677769s
Avg Parse Duration: 0.010s
Normalization percent: 100
Generic Event percent: 0
Errors: -
Options
Help (-h / --help)
Use the -h or --help option to see the usage and description of any command.
Usage example:
$ chronicle_cli parsers list_parsers -h
Usage: chronicle_cli parsers list_parsers [OPTIONS] PROJECT_ID CUSTOMER_ID LOG_TYPE
[New]List all parsers for a given customer
Options:
-s, --state [ALL|ACTIVE|INACTIVE]
Filter on Parser State.
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli
/chronicle_credentials.json
--v2 Enable v2 commands.
-h, --help Show this message and exit.
Environment (--env)
You can pass the --env flag with a command to select the environment against which the API calls are made.
The env value can be one of: prod, test.
If this option is not specified, it defaults to prod.
Credential file (-c or --credential_file)
This option specifies the path of the service account credentials used for authentication.
If this option is not specified, the Google SecOps CLI looks for the credentials at the default path, the hidden directory named .chronicle_cli under the home directory (~/.chronicle_cli).
Usage example:
$ chronicle_cli parsers list_parsers --credential_file=C:\chronicle_credentials.json
Region (--region)
You can pass the --region flag when running a command to select the region.
For more information about setting the default region, see Set the default region.
Verbose (--verbose)
This option prints the details of the HTTP requests made and the responses received.
Usage example:
$ chronicle_cli parsers list_parsers --verbose
Export (--export)
This option lets you specify a file path to which the output of the list or list_errors command is exported. Both relative and absolute paths are supported.
Usage example:
$ chronicle_cli parsers list_parsers --export=parser_list
File format (--file-format)
This option lets you specify the file format for content exported with the list or list_errors command. Two formats are supported: JSON and TXT. If this option is not specified together with the --export option, the TXT format is used by default.
Usage example:
$ chronicle_cli parsers list_parsers --export=parser_list --file-format=JSON
Parser management user workflows
You can use the following commands to manage CBN parsers through the Google SecOps CLI. However, the parser management v2 CLI commands are recommended.
Commands
parsers command
The parsers command takes the following arguments:
archive
download
generate
history
list
list_errors
run
status
submit
Usage syntax:
$ chronicle_cli parsers ARGUMENT [OPTIONS]
Arguments
All CBN parser management workflows in the Google SecOps CLI are interactive. If a command requires options, you are prompted to enter them.
list argument
To list the details of all parsers, use the following command:
$ chronicle_cli parsers list -h
Usage: main parsers list [OPTIONS]
List all parsers of a given customer
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Sample output
Fetching list of parsers...
Parser Details:
Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed
Log type: WINDOWS_SYSMON
State: LIVE
SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: <user>@test.com
Submit Time: 2022-08-26T09:57:10.644351Z
State Last Changed Time: 2022-08-26T09:58:23.809636Z
Last Live Time: 2022-08-26T09:58:23.809636Z
============================================================
Parser Details:
Config ID: 7f2ae1f5-8f0c-43f9-bb02-299e7c8b9e82
Log type: BOX
State: LIVE
SHA256: 8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: <user>@test.com
Submit Time: 2022-08-25T07:33:31.026399Z
State Last Changed Time: 2022-08-25T07:33:32.263754Z
Last Live Time: 2022-08-25T07:33:32.263754Z
============================================================
generate argument
To generate sample logs for a given log type, use the following command:
$ chronicle_cli parsers generate -h
Usage: main parsers generate [OPTIONS]
Generate sample logs for a given log type
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
This command creates three files, containing 1, 10, and 1,000 sample logs respectively, in the root directory under <root>/chronicle_cli/cbn/<log_type>/.
Sample output
Enter Start Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-17T10:00:00Z
Enter End Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-23T10:00:00Z
Enter Log Type: WINDOWS_DHCP
Generating sample size: 1...
Generating sample size: 10...
Generating sample size: 1k...
Generated sample data (WINDOWS_DHCP); run this to go there:
cd /usr/local/home/<user>/cbn/windows_dhcp
history argument
To get a list of all parser submission details for a given log type, use the following command:
$ chronicle_cli parsers history -h
Usage: main parsers history [OPTIONS]
History retrieves all parsers submissions given a log type
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Sample output
Enter Log Type: WINDOWS_SYSMON
Fetching history for parser...
Parser History:
Config ID: 8d9f5b1c-4689-4ca3-ae9b-863ce78dd123
Log type: WINDOWS_SYSMON
State: LIVE
SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: author@test.com
Submit Time: 2022-08-26T12:37:55.187407Z
State Last Changed Time: 2022-08-26T12:39:12.198587Z
Last Live Time: 2022-08-26T12:39:12.198587Z
============================================================
Parser History:
Config ID: 29bbf14b-2ffb-411a-bb37-911b13437123
Log type: WINDOWS_SYSMON
State: ARCHIVED
SHA256: 8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: author@test.com
Submit Time: 2022-08-26T12:05:34.421743Z
State Last Changed Time: 2022-08-26T12:39:12.198587Z
Last Live Time: 2022-08-26T12:06:55.495269Z
============================================================
list_errors argument
To list the errors of a log type between specific timestamps, use the following command:
$ chronicle_cli parsers list_errors -h
Usage: main parsers list_errors [OPTIONS]
List errors of a log type between specific timestamps
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Sample output
Enter Log Type: CISCO_ASA_FIREWALL
Enter Start Date (Format: yyyy-mm-ddThh:mm:ssZ): 2021-01-16T00:00:00Z
Enter End Date (Format: yyyy-mm-ddThh:mm:ssZ): 2022-08-21T12:00:00Z
Getting parser errors...
Error Details:
Error ID: f9eb72cb-f320-dd5a-a098-00bcaa76a35d
Config ID: N/A
Log type: CISCO_ASA_FIREWALL
Error Time: 2022-08-18T10:57:56.898883208Z
Error Category: CBN_parsers_GENERATED_INVALID_EVENT
Error Message: generic::invalid_argument: diff event timestamp ("seconds:1630106465") and create timestamp ("seconds:1660820265 nanos:202151000"): 8531h36m40.202151s, larger than allowed (4320h0m0s)
Logs:
<190>Aug 27 2020 23:21:05 TEST : %ASA-6-106012: Deny IP from 1.2.3.4 to 5.6.7.8, IP options: Test user
============================================================
Error Details:
Error ID: f9eb72cb-f320-dd5a-a098-00bcaa76a35d
Config ID: N/A
Log type: CISCO_ASA_FIREWALL
Error Time: 2022-08-18T10:57:56.898883208Z
Error Category: CBN_parsers_GENERATED_INVALID_EVENT
Error Message: generic::invalid_argument: diff event timestamp ("seconds:1630106465") and create timestamp ("seconds:1660820265 nanos:202151000"): 8531h36m40.202151s, larger than allowed (4320h0m0s)
Logs:
<190>Aug 27 2020 23:21:05 TEST : %ASA-6-106012: Deny IP from 1.2.3.4 to 5.6.7.8, IP options: Demo user
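As an added example (not code from the CLI or this manual), the following Python helper parses the list_errors console output shown above, drops records that repeat the same Error ID, and recomputes the gap between the event timestamp and the create timestamp against the allowed window quoted in the error message, so a batch of errors can be triaged without reading each message by hand. The sample text is constructed from the output above; the field names and message format are taken from it.

```python
"""Triage helper for `chronicle_cli parsers list_errors` console output (added example,
not part of the Google SecOps CLI): parse 'Error Details:' blocks, drop duplicate Error
IDs, and recompute the event-vs-create timestamp gap against the allowed window."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import timedelta

# Constructed sample: the two blocks from the list_errors output on this page.
SAMPLE_OUTPUT = """\
Getting parser errors...
Error Details:
Error ID: f9eb72cb-f320-dd5a-a098-00bcaa76a35d
Config ID: N/A
Log type: CISCO_ASA_FIREWALL
Error Time: 2022-08-18T10:57:56.898883208Z
Error Category: CBN_parsers_GENERATED_INVALID_EVENT
Error Message: generic::invalid_argument: diff event timestamp ("seconds:1630106465") and create timestamp ("seconds:1660820265 nanos:202151000"): 8531h36m40.202151s, larger than allowed (4320h0m0s)
Logs:
<190>Aug 27 2020 23:21:05 TEST : %ASA-6-106012: Deny IP from 1.2.3.4 to 5.6.7.8, IP options: Test user
============================================================
Error Details:
Error ID: f9eb72cb-f320-dd5a-a098-00bcaa76a35d
Config ID: N/A
Log type: CISCO_ASA_FIREWALL
Error Time: 2022-08-18T10:57:56.898883208Z
Error Category: CBN_parsers_GENERATED_INVALID_EVENT
Error Message: generic::invalid_argument: diff event timestamp ("seconds:1630106465") and create timestamp ("seconds:1660820265 nanos:202151000"): 8531h36m40.202151s, larger than allowed (4320h0m0s)
Logs:
<190>Aug 27 2020 23:21:05 TEST : %ASA-6-106012: Deny IP from 1.2.3.4 to 5.6.7.8, IP options: Demo user
"""

@dataclass
class ParserError:
    fields: dict[str, str] = field(default_factory=dict)  # "Error ID", "Log type", ...
    logs: list[str] = field(default_factory=list)  # raw log lines printed under "Logs:"

def parse_list_errors(text: str) -> list[ParserError]:
    """Split console output into one ParserError per 'Error Details:' block."""
    errors, current, in_logs = [], None, False
    for line in text.splitlines():
        if line.startswith("Error Details:"):
            current, in_logs = ParserError(), False
            errors.append(current)
        elif line.startswith("====="):  # separator line closes the block
            current, in_logs = None, False
        elif current is None:
            continue  # banner lines such as "Getting parser errors..."
        elif line == "Logs:":
            in_logs = True
        elif in_logs:
            if line.strip():
                current.logs.append(line)
        else:
            key, sep, value = line.partition(": ")
            if sep:
                current.fields[key] = value
    return errors

def dedupe_by_error_id(errors: list[ParserError]) -> list[ParserError]:
    """Keep the first record per Error ID (the output above repeats one ID twice)."""
    seen: set[str] = set()
    unique: list[ParserError] = []
    for err in errors:
        error_id = err.fields.get("Error ID", "")
        if error_id not in seen:
            seen.add(error_id)
            unique.append(err)
    return unique

_TS_RE = re.compile(r'event timestamp \("seconds:(\d+)(?: nanos:(\d+))?"\) and create timestamp \("seconds:(\d+)(?: nanos:(\d+))?"\)')
_ALLOWED_RE = re.compile(r"larger than allowed \(([0-9.hms]+)\)")
_GO_DURATION_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?$")

def parse_go_duration(text: str) -> timedelta:
    """Parse a Go-style duration such as '4320h0m0s' into a timedelta."""
    m = _GO_DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    hours, minutes, seconds = m.groups()
    return timedelta(hours=int(hours or 0), minutes=int(minutes or 0), seconds=float(seconds or 0))

def _proto_ts(seconds: str, nanos: str | None) -> timedelta:
    """Protobuf Timestamp fields as printed in the message; nanos truncated to microseconds."""
    return timedelta(seconds=int(seconds), microseconds=int(nanos or 0) // 1000)

def timestamp_gap(message: str) -> tuple[timedelta, timedelta] | None:
    """Return (create - event, allowed window) from an invalid-event message, else None."""
    ts, allowed = _TS_RE.search(message), _ALLOWED_RE.search(message)
    if not ts or not allowed:
        return None
    gap = _proto_ts(ts.group(3), ts.group(4)) - _proto_ts(ts.group(1), ts.group(2))
    return gap, parse_go_duration(allowed.group(1))

def exceeds_window(err: ParserError) -> bool:
    """True when the event timestamp is older than the backend's allowed window."""
    gap = timestamp_gap(err.fields.get("Error Message", ""))
    return gap is not None and gap[0] > gap[1]
```

For the sample above the recomputed gap is 355 days (8531h36m40s) against a 180-day (4320h) window, which is why the event was rejected.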
run argument
To validate a parser against the given logs, use the following command:
$ chronicle_cli parsers run -h
Usage: main parsers run [OPTIONS]
Run the parser against given logs
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Sample output
Enter path for conf file: /usr/local/home/Desktop/windows_sysmon.conf
Enter path for log file: /usr/local/home/Desktop/windows_sysmon.log
Running Validation…
Runtime: 2.4914s
submit argument
To submit a new parser, use the following command:
$ chronicle_cli parsers submit -h
Usage: main parsers submit [OPTIONS]
Submit new parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Sample output
Enter Log type: CISCO_ASA_FIREWALL
Enter Config file path: /usr/local/Desktop/windows_sysmon.conf
Enter author: test
Submitting parser...
Submitted Parser Details:
Config ID: 9ba20930-9733-4fcd-badf-18fedb9f8123
Log type: CISCO_ASA_FIREWALL
State: NEW
SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: test
Submit Time: 2022-08-30T06:49:54.005119Z
State Last Changed Time: 2022-08-30T06:49:54.005119Z
Parser submitted successfully. To get status of the parser, run this command using following Config ID - 9ba20930-9733-4fcd-badf-18fedb9f8123:
chronicle_cli parsers status
status argument
To get the status of a submitted parser, use the following command:
$ chronicle_cli parsers status -h
Usage: main parsers status [OPTIONS]
Get status of a submitted parser
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Sample output
Enter Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed
Getting parser...
Parser Details:
Config ID: 1cb402d9-eab2-4f6b-b402-20b1211675ed
Log type: WINDOWS_SYSMON
State: ARCHIVED
SHA256: 79ac67c15ffb047a152be2fb2a3391cbe18b2d183e9e6a402eb2fe53a6666b17
Author: test
Submit Time: 2022-08-26T09:57:10.644351Z
State Last Changed Time: 2022-08-26T09:58:23.809636Z
Last Live Time: 2022-08-26T09:58:23.809636Z
archive argument
To archive an existing parser, use the following command:
$ chronicle_cli parsers archive -h
Usage: main parsers archive [OPTIONS]
Archives a parser given the config ID.
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Sample output
Enter Config ID: 1cb402d9-eab2-4f6b-b402-20b121167123
Archiving parser...
Parser archived Successfully.
Parser Details:
Config ID: 1cb402d9-eab2-4f6b-b402-20b121167123
Log type: WINDOWS_SYSMON
State: ARCHIVED
SHA256: 7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
Author: test
Submit Time: 2022-08-26T09:57:10.644351Z
State Last Changed Time: 2022-08-26T09:58:23.809636Z
Last Live Time: 2022-08-26T09:58:23.809636Z
download argument
To download the configuration (.conf) file for a given log type or config ID, use the following command:
$ chronicle_cli parsers download -h
Usage: main parsers download [OPTIONS]
Download parser code by given Config ID or Log type.
Options:
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Sample output
Using a config ID:
Note: If you want to download parser by config ID, then enter it at the Enter config ID prompt, and skip the Enter Log Type prompt.
Enter config ID: 9d1474ab-eff2-4855-ba57-4f0c458e3ac2
Downloading parser...
Writing parser to: CISCO_ASA_FIREWALL_20220825131911.conf
Using a log type:
Note: If you want to download parser by log type, then enter the log type at the Enter config ID prompt, and skip the Enter Log Type prompt.
Enter config ID: CISCO_ASA_FIREWALL
Enter Log Type:
Downloading parser...
Writing parser to: CISCO_ASA_FIREWALL_20220825132011.conf
Options
Help (-h / --help)
Use the -h or --help option to see the usage and description of any command.
Usage example:
$ chronicle_cli parsers list -h
Usage: main parsers list [OPTIONS]
List all parsers of a given customer
Options:
-f, --file-format [TXT|JSON] Format of the file to be exported.
--export TEXT Export output to specified file path.
--env [prod|test] Optionally specify the environment for API
calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/home/<user>/.chronicle_cli/chro
nicle_credentials.json
-h, --help Show this message and exit.
Environment (--env)
You can pass the --env flag with a command to select the environment against which the API calls are made.
The env value can be one of: prod, test.
If this option is not specified, it defaults to prod.
Credential file (-c or --credential_file)
This option specifies the path of the service account credentials used to authenticate the user. If this option is not specified, the Google SecOps CLI looks for the credentials at the default path, the hidden directory named .chronicle_cli under the home directory (~/.chronicle_cli).
Usage example:
$ chronicle_cli parsers list --credential_file=C:\chronicle_credentials.json
Region (--region)
You can pass the --region flag when running a command to select the region.
For more information about setting the default region, see Set the default region.
Verbose (--verbose)
This option prints the details of the HTTP requests made and the responses received.
Usage example:
$ chronicle_cli parsers list --verbose
Export (--export)
This option lets you specify a file path to which the output of the list or list_errors command is exported. Both relative and absolute paths are supported.
Usage example:
$ chronicle_cli parsers list --export=parsers_list
File format (--file-format)
This option lets you specify the file format for content exported with the list or list_errors command. The supported formats are JSON and TXT.
If this option is not specified together with the --export option, the TXT format is used by default.
Usage example:
$ chronicle_cli parsers list --export=parsers_list --file-format=JSON
Troubleshooting
CBN parser management error codes
This section shows the console output for the different types of response codes received in API responses.
Refer to the following table for the output of each command:
Response code | Command | Console output
--- | --- | ---
Any response code other than 200 | {command} [archive, download, generate, history, list_errors, run, status, list, submit] | Error occurred while {command} parser. Response Code: {status code} Error: {error message}
Forwarder management user workflows
You can use the following commands to manage forwarders and their associated collectors through the Google SecOps CLI:
Commands
forwarders command
The forwarders command takes the following arguments:
create
update
get
list
delete
generate_files
collectors
Usage syntax:
$ chronicle_cli forwarders ARGUMENT [OPTIONS]
collectors command
The collectors command takes the following arguments:
create
update
get
list
delete
Usage syntax:
$ chronicle_cli forwarders collectors ARGUMENT [OPTIONS]
Arguments
All forwarder management user workflows in the Google SecOps CLI are interactive. You are prompted to choose options when required.
create argument
To create a new forwarder and configure collectors for it, use the following command:
$ chronicle_cli forwarders create --help
Usage: main forwarders create [OPTIONS]
Create a Forwarder
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
$ chronicle_cli forwarders create
================================================================================
Press Enter if you want to use the default value mentioned besides field description in [] brackets.
================================================================================
(*) Forwarder Display Name : test_display_name
========================================
======== Forwarder Configuration =======
========================================
Upload Compression (Determines if uploaded data will be compressed) [Y/n]: y
Do you want to proceed with Forwarder Metadata? [y/N]: y
========================================
========== Forwarder Metadata ==========
========================================
Asset Namespace: test_namespace
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2
Do you want to proceed with Forwarder Regex Filters? [y/N]: y
========================================
======= Forwarder Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why): desc1
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1
You have selected allow
Do you want to add more Forwarder Regex Filters [y/N]: y
Filter Description (Describes what is being filtered and why): desc2
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 2
You have selected block
Do you want to add more Forwarder Regex Filters [y/N]: n
Do you want to proceed with Server Settings? [y/N]: y
========================================
=========== Server Settings ===========
========================================
Server State (Server State for Collector)
Choose:
1. active
2. suspended
: 1
You have selected active
Graceful Timeout (Number of seconds after which the forwarder returns a bad readiness/health check and still accepts new connections) [15]:
Drain timeout (Number of seconds after which the forwarder waits for active connections to successfully close on their own before being closed by the server) [10]:
Do you want to proceed with HTTP-specific server settings? [y/N]: y
========================================
==== HTTP-specific server settings ====
========================================
Host (IP address, or hostname that can be resolved to IP addresses, that the server should listen on) [0.0.0.0]: 10.0.14.132
Port (Port number that the HTTP server listens on for health checks from the load balancer) [8080]: 8000
Read Timeout (Maximum amount of time allowed to read the entire request, both the header and the body) [3]:
Read Header Timeout (Maximum amount of time allowed to read request headers) [3]:
Write Timeout (Maximum amount of time allowed to send a response) [3]:
Idle Timeout (Maximum amount of time (in seconds) to wait for the next request when idle connections are enabled) [3]:
Do you want to proceed with Route Settings? [y/N]: y
========================================
============ Route Settings ============
========================================
Available Status Code (Status code returned when a liveness check is received and the forwarder is available) [204]: 200
Ready Status Code (Status code returned when it is ready to accept traffic) [204]: 200
Unready Status Code (Status code returned when it is not ready to accept traffic) [503]: 500
Preview changes:
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific field, press '/' key, enter text and press enter.
- Press 'q' to quit and confirm preview changes.
- Press `h` for all the available options to navigate the list.
=============================================================================
Config:
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- behavior: ALLOW
description: desc1
regexp: .*
- behavior: BLOCK
description: desc2
regexp: .*
Server settings:
Drain timeout: 10
Graceful timeout: 15
Http settings:
Host: 10.0.14.132
Idle timeout: 3
Port: 8000
Read header timeout: 3
Read timeout: 3
Do you want to create forwarder with this configuration [y/N]: y
Creating forwarder...
Forwarder created successfully with Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Would you like to configure collectors for this forwarder? [y/N]: y
(*) Collector Display Name: collector_1
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected): WINDOWS_DNS
Do you want to proceed with Collector Metadata? [y/N]: y
========================================
========== Collector Metadata ==========
========================================
Asset Namespace: test_namespace
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why): desc1
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1
You have selected allow
Do you want to add more Collector Regex Filters [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: y
========================================
======== Collector Disk Buffer ========
========================================
Disk Buffer State (Disk buffering state for collector)
Choose:
1. active
2. suspended
: 1
You have selected active
Directory Path (Directory path for files written): path/to/file.txt
Max File Buffer Bytes (Maximum buffered file size): 45
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
: 1
File Path (Path of file to monitor): path/to/file.txt
Preview changes:
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific field, press '/' key, enter text and press enter.
- Press 'q' to quit and confirm preview changes.
- Press `h` for all the available options to navigate the list.
=============================================================================
Config:
Disk buffer:
Directory path: path/to/file.txt
Max file buffer bytes: 45
State: ACTIVE
File settings:
File path: path/to/file.txt
Log type: WINDOWS_DNS
Max bytes per batch: 1048576
Max seconds per batch: 10
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
Behavior: ALLOW
Description: desc1
Regexp: .*
Display name: collector_1
Do you want to create collector with this configuration [y/N]: y
Creating collector...
Collector created successfully with Collector ID: 1f72f9ab-3ae3-4c5f-955e-86c982587937
Would you like to add more collectors? [y/N]: n
If forwarder creation fails and you enter the same forwarder ID again, you are prompted to either retry the failed forwarder or restart the process. If the forwarder ID you enter does not match the failed forwarder's ID, you are not prompted to retry, and forwarder creation continues as a new forwarder.
Sample output
...
Creating forwarder...
Error occurred while creating forwarder.
Response Code: 500.
Error: ZERO_APP::1: create forwarder due to validation errors in request: generic::invalid_argument: filter's description is not specified
$ chronicle_cli forwarders create
Looks like there was a failed create/update attempt for test.
Would you like to retry?
(*) Forwarder Display Name [test]:
Do you want to create forwarder with this configuration [y/N]: y
Creating forwarder...
Forwarder created successfully with Forwarder ID: ab7af569-d957-44a3-99a8-aa70ffdc6458
Would you like to configure collectors for this forwarder? [y/N]: n
get argument
To get the details of an existing forwarder and its associated collectors, use the following command:
$ chronicle_cli forwarders get --help
Usage: main forwarders get [OPTIONS]
Get forwarder details using Forwarder ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
You must enter the forwarder ID to get the forwarder details.
$ chronicle_cli forwarders get
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Fetching forwarder and its all associated collectors...
Forwarder Details:
ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
- description: desc2
regexp: .*
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8000
Host: 10.0.14.132
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 200
Ready status code: 200
Unready status code: 500
State: ACTIVE
Collectors:
Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
Display name: collector_1
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
Disk buffer:
State: ACTIVE
Directory path: path/to/file.txt
Max file buffer bytes: '45'
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
================================================================================
list argument
To display a list of all forwarders and their corresponding collectors, use the following command:
$ chronicle_cli forwarders list --help
Usage: main forwarders list [OPTIONS]
List all forwarders
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
--export TEXT Export output to specified file path
--file-format [TXT|CSV|JSON] Format of the file to be exported
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
This command retrieves the details of all forwarders and their collectors.
Sample output
$ chronicle_cli forwarders list
Fetching list of forwarders...
Forwarder Details:
ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
- description: desc2
regexp: .*
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8000
Host: 10.0.14.132
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 200
Ready status code: 200
Unready status code: 500
State: ACTIVE
Collectors:
Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
Display name: collector_1
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
Disk buffer:
State: ACTIVE
Directory path: path/to/file.txt
Max file buffer bytes: '45'
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
================================================================================
Forwarder Details:
ID: ddcca884-cdc6-4ac2-ad30-05a28e6cf35a
Display name: test
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test
Labels:
- key: k1
value: v2
Regex filters:
- description: hh
regexp: hh
behavior: ALLOW
- description: gg
regexp: gg
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8080
Host: 0.0.0.0
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 204
Ready status code: 204
Unready status code: 503
State: ACTIVE
Collectors:
Message: No collectors found for this forwarder.
================================================================================
To export the data, specify an absolute or relative path for the export file and a file format (CSV/TXT/JSON). The default file format is CSV.
Sample output
$ chronicle_cli forwarders list --export=$HOME/listforwarder --file-format=JSON
Fetching list of forwarders...
Forwarder Details:
ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Display name: test_display_name
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
- description: desc2
regexp: .*
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8000
Host: 10.0.14.132
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 200
Ready status code: 200
Unready status code: 500
State: ACTIVE
Collectors:
Collector [1f72f9ab-3ae3-4c5f-955e-86c982587937]:
Display name: collector_1
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
Disk buffer:
State: ACTIVE
Directory path: path/to/file.txt
Max file buffer bytes: '45'
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
================================================================================
Forwarder Details:
ID: ddcca884-cdc6-4ac2-ad30-05a28e6cf35a
Display name: test
State: ACTIVE
Config:
Upload compression: true
Metadata:
Asset namespace: test
Labels:
- key: k1
value: v2
Regex filters:
- description: hh
regexp: hh
behavior: ALLOW
- description: gg
regexp: gg
behavior: BLOCK
Server settings:
Graceful timeout: 15
Drain timeout: 10
Http settings:
Port: 8080
Host: 0.0.0.0
Read timeout: 3
Read header timeout: 3
Write timeout: 3
Idle timeout: 3
Route settings:
Available status code: 204
Ready status code: 204
Unready status code: 503
State: ACTIVE
Collectors:
Message: No collectors found for this forwarder.
================================================================================
Forwarders list details exported successfully to: /usr/local/google/home/<user>/listforwarder.json
update argument
To update an existing forwarder, use the following command:
$ chronicle_cli forwarders update --help
Usage: main forwarders update [OPTIONS]
Update a forwarder using forwarder ID.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
After running the command, enter the forwarder ID and then each field value again. Press Enter at a prompt to keep the old value.
Sample output
$ chronicle_cli forwarders update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Press Enter if you don't want to update.
(*) Forwarder Display Name [test_display_name]:
========================================
======== Forwarder Configuration =======
========================================
Upload Compression (Determines if uploaded data will be compressed) [Y/n]: y
Do you want to proceed with Forwarder Metadata? [y/N]: y
========================================
========== Forwarder Metadata ==========
========================================
Asset Namespace [test_namespace]:
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[[{'key': 'key1', 'value': 'value1'}, {'key': 'key2', 'value': 'value2'}]]
Do you want to proceed with Forwarder Regex Filters? [y/N]: n
Do you want to proceed with Server Settings? [y/N]: n
Do you want to update forwarder with this configuration? [y/N]: y
Updating forwarder...
Forwarder updated successfully with Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
If a forwarder update fails and you enter the same forwarder ID again, a prompt asks whether you want to retry the failed forwarder or restart the process. If the forwarder ID you enter does not match the failed one, the retry option is not shown and the normal forwarder update flow continues. The retry mechanism lets you interactively change the option values supplied in the failed attempt; press Enter to reuse the same value for an option in the forwarder update flow.
delete argument
Use this argument to delete a forwarder by forwarder ID. When run, it asks for the ID of the forwarder to delete. To delete an existing forwarder, use the following command:
chronicle_cli forwarders delete --help
Usage: main forwarders delete [OPTIONS]
Delete a forwarder using Forwarder ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
$ chronicle_cli forwarders delete
Enter Forwarder ID: 0593ba21-a1c7-4279-b429-bc8df959bd59
Deleting forwarder and all its associated collectors...
Forwarder (ID: 0593ba21-a1c7-4279-b429-bc8df959bd59) deleted successfully with all its associated collectors.
generate_files argument
Use this argument to generate the files containing a forwarder's information, based on its forwarder ID.
To generate the forwarder files, use the following command:
$ chronicle_cli forwarders generate_files -h
Usage: main forwarders generate_files [OPTIONS]
Generate forwarder configuration files using Forwarder ID
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-f, --file-path TEXT Download generated forwarder files to the
specified path.
-h, --help Show this message and exit.
Sample output
$ chronicle_cli forwarders generate_files --file-path=$HOME/GenerateForwarderFile
Enter Forwarder ID: 0768220e-8af6-4ef7-a1dd-73e33963b444
Generating forwarder files ...
Forwarder files generated successfully.
Configuration file: /usr/local/google/home/<user>/GenerateForwarderFile_forwarder.conf
Auth file: /usr/local/google/home/<user>/GenerateForwarderFile_forwarder_auth.conf
Collector subcommands
create argument
Use the following command to configure a new collector for a specific forwarder.
$ chronicle_cli forwarders collectors create --help
Usage: main forwarders collectors create [OPTIONS]
Create a collector.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
$ chronicle_cli forwarders collectors create
================================================================================
Press Enter if you want to use the default value mentioned besides field description in [] brackets.
================================================================================
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
(*) Collector Display Name: collector_4
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected): WINDOWS_DNS
Do you want to proceed with Collector Metadata? [y/N]: y
========================================
========== Collector Metadata ==========
========================================
Asset Namespace: test_namespace
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
key1:value1
key2:value2
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why): desc1
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 1
You have selected allow
Do you want to add more Collector Regex Filters? [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: n
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
File Path (Path of file to monitor): path/to/file.txt
Preview changes:
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific field, press '/' key, enter text and press enter.
- Press 'q' to quit and confirm preview changes.
- Press `h` for all the available options to navigate the list.
=============================================================================
Config:
File settings:
File path: path/to/file.txt
Log type: WINDOWS_DNS
Max bytes per batch: 1048576
Max seconds per batch: 10
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
Behavior: ALLOW
Description: desc1
Regexp: .*
Display name: collector_4
Do you want to create collector with this configuration? [y/N]: y
Creating collector...
Collector created successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
If collector creation fails and you enter the same collector ID again, a prompt asks whether you want to retry the failed collector or restart the process. If the collector ID you enter does not match the failed one, the retry option is not shown and the normal collector update flow continues.
Sample output
$ chronicle_cli forwarders collectors create
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Looks like there was a failed create/update attempt for test_display.
Would you like to retry?
(*) Collector Display Name [test_display]:
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:
Do you want to proceed with Collector Metadata? [y/N]: y
========================================
========== Collector Metadata ==========
========================================
Asset Namespace [test]:
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[[{'key': 'k1', 'value': 'v1'}]]
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why)[old_desc]: desc2
Filter Regexp (The regular expression used to match against each incoming line) [.*]:
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
You have selected allow
Do you want to add more Collector Regex Filters? [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: n
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
: 1
File Path (Path of file to monitor) [path/to/file.txt]: path/to/file.txt
Preview changes:
- Press Up/b or Down/z keys to paginate.
- To switch case-sensitivity, press '-i' and press enter. By default, search
is case-sensitive.
- To search for specific field, press '/' key, enter text and press enter.
- Press 'q' to quit and confirm preview changes.
- Press `h` for all the available options to navigate the list.
=============================================================================
Config:
File settings:
File path: path/to/file.txt
Log type: WINDOWS_DNS
Max bytes per batch: 1048576
Max seconds per batch: 10
Metadata:
Asset namespace: test
Labels:
- key: k1
value: v1
Regex filters:
Behavior: ALLOW
Description: disc2
Regexp: .*
Display name: test_display
Do you want to create collector with this configuration? [y/N]: y
Creating collector...
Collector created successfully with Collector ID: b50a6b41-5476-41ee-ba7c-ce529ecffa62
get argument
To get the details of an existing collector, use the following command:
$ chronicle_cli forwarders collectors get --help
Usage: main forwarders collectors get [OPTIONS]
Get a collector using collector ID.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
You must enter the collector ID interactively to retrieve the collector details.
$ chronicle_cli forwarders collectors get
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Fetching collector details...
Collector Details:
ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Display name: collector_4
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test_namespace
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
- description: desc2
regexp: .*
behavior: BLOCK
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
list argument
To display a list of all collectors, use the following command:
chronicle_cli forwarders collectors list --help
Usage: main forwarders collectors list [OPTIONS]
List all collectors.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
$ chronicle_cli forwarders collectors list
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Collector Details:
ID: 153e4077-cd49-4ce5-87aa-254d239b9dda
Display name: collector_2
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test
Labels:
- key: key1
value: value1
- key: key2
value: value2
Regex filters:
- description: desc1
regexp: .*
behavior: ALLOW
Disk buffer:
State: ACTIVE
Directory path: path/to/dir
Max file buffer bytes: '209'
Max seconds per batch: 10
Max bytes per batch: '1048576'
File settings:
File path: path/to/file.txt
================================================================================
Collector Details:
ID: b50a6b41-5476-41ee-ba7c-ce529ecffa62
Display name: test_display
State: ACTIVE
Config:
Log type: WINDOWS_DNS
Metadata:
Asset namespace: test
Labels:
- key: k1
value: v1
Regex filters:
- description: disc2
regexp: .*
behavior: ALLOW
- description: test
regexp: test
behavior: BLOCK
Disk buffer:
State: ACTIVE
Directory path: test
Max file buffer bytes: '55'
Max seconds per batch: 5
Max bytes per batch: '556676'
Syslog settings:
Protocol: TCP
Address: 1.2.3.4
Port: 3456
Buffer size: '65536'
Connection timeout: 60
Tls settings:
Certificate: test
Certificate key: test
Minimum tls version: '56'
Insecure skip verify: true
================================================================================
update argument
To update an existing collector, use the following command:
$ chronicle_cli forwarders collectors update --help
Usage: main forwarders collectors update [OPTIONS]
Update a collector using collector ID.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
$ chronicle_cli forwarders collectors update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
(*) Collector Display Name [collector_4]:
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:
Do you want to proceed with Collector Metadata? [y/N]: y
========================================
========== Collector Metadata ==========
========================================
Asset Namespace [test_namespace]:
========================================
=========== Forwarder Labels ===========
========================================
Labels (The ingestion metadata labels in 'key:value' format to apply to all logs ingested through this forwarder, as well as the resulting normalized data.)
Enter/Paste your content. On a new line, press Ctrl-D (Linux) / [Ctrl-Z + Enter (Windows)] to save it:
[{'key1':'value1'},{'key2':'value2'}]
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why)[old_desc]: desc1
Filter Regexp (The regular expression used to match against each incoming line)[.*]: .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
You have selected allow
Do you want to add more Collector Regex Filters? [y/N]: y
Filter Description (Describes what is being filtered and why): desc2
Filter Regexp (The regular expression used to match against each incoming line): .*
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
: 2
You have selected block
Do you want to add more Collector Regex Filters? [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: n
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
File Path (Path of file to monitor) [path/to/file.txt]: path/to/file.txt
Do you want to update collector with this configuration? [y/N]: y
Updating collector...
Collector updated successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
If a collector update fails and you enter the same collector ID again, a prompt asks whether you want to retry the failed collector or restart the process. If the collector ID you enter does not match the failed one, the retry option is not shown and the normal collector update flow continues. The retry mechanism lets you interactively change the option values supplied in the failed attempt; press Enter to reuse the same value for an option in the collector update flow.
...
Updating collector...
Do you want to update collector with this configuration? [y/N]: y
Error occurred while updating collector.
Response Code: 400.
Error: generic::invalid_argument: update collector (id: 3a74b289-ccb4-4cee-9713-611a3362f48f) for forwarder (id: a7e59660-959b-44e7-aa7e-baec820d01f4) for customer (id: ed19f037-2354-43df-bfbf-350362b45844): validation errors in request: generic::invalid_argument: filter's description is not specified: invalid argument
$ chronicle_cli forwarders collectors update
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Looks like there was a failed create/update attempt for collector_4.
Would you like to retry?
(*) Collector Display Name [collector_4]:
========================================
======== Collector Configuration ======
========================================
(*) Collector Log Type (Type of logs collected) [WINDOWS_DNS]:
Do you want to proceed with Collector Metadata? [y/N]: n
Do you want to proceed with Collector Regex Filters? [y/N]: y
========================================
======= Collector Regex Filters =======
========================================
Filter Description (Describes what is being filtered and why)[old_desc]: desc1
Filter Regexp (The regular expression used to match against each incoming line) [.*]:
Filter Behavior (Filter behavior to apply when a match is found)
Choose:
1. allow
2. block
You have selected allow
Do you want to add more Collector Regex Filters? [y/N]: n
Do you want to proceed with Collector Disk Buffer? [y/N]: n
Maximum Seconds per Batch (Maximum number of seconds between forwarder batch uploads) [10]:
Maximum Bytes per Batch (Maximum number of bytes queued before forwarder batch upload) [1048576]:
========================================
===== Configure Ingestion Settings =====
========================================
Choose:
1. File Settings
2. Kafka Settings
3. Pcap Settings
4. Splunk Settings
5. Syslog Settings
[1]:
File Path (Path of file to monitor) [path/to/file.txt]:
Do you want to update collector with this configuration? [y/N]: y
Updating collector...
Collector updated successfully with Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
delete argument
Use this argument to delete a collector by collector ID. When run, it asks for the ID of the collector to delete.
To delete an existing collector, use the following command:
$ chronicle_cli forwarders collectors delete --help
Usage: main forwarders collectors delete [OPTIONS]
Delete a collector using collector ID.
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Sample output
$ chronicle_cli forwarders collectors delete
Enter Forwarder ID: a7e59660-959b-44e7-aa7e-baec820d01f4
Enter Collector ID: 3a74b289-ccb4-4cee-9713-611a3362f48f
Collector (ID: 3a74b289-ccb4-4cee-9713-611a3362f48f) deleted successfully.
Options
Help (-h / --help)
Use the -h or --help option to view the usage and help text of any command or option.
Usage example
$ chronicle_cli forwarders list -h
Usage: main forwarders list [OPTIONS]
List all forwarders
Options:
--url TEXT Base URL to be used for API calls.
--region [ASIA-NORTHEAST1|ASIA-SOUTH1|ASIA-SOUTHEAST1|AUSTRALIA-SOUTHEAST1|EUROPE|EUROPE-WEST2|EUROPE-WEST3|EUROPE-WEST6|EUROPE-WEST9|EUROPE-WEST12|ME-CENTRAL1|ME-CENTRAL2|ME-WEST1|NORTHAMERICA-NORTHEAST2|SOUTHAMERICA-EAST1|US]
Select region.
--verbose Prints verbose output to the console.
--export TEXT Export output to specified file path.
--file-format [TXT|CSV|JSON] Format of the file to be exported.
-c, --credential_file TEXT Path of Service Account JSON. Default: /usr/
local/google/home/<user>/.chronicle_cl
i/chronicle_credentials.json
-h, --help Show this message and exit.
Credential path (-c or --credential-path)
This option specifies the path of the service account credentials used to authenticate the user. If it is not specified, Google SecOps CLI looks for the credentials in the default location, the hidden .chronicle_cli directory under your home directory (~/.chronicle_cli).
Usage example
$ chronicle_cli forwarders list --credential-path=C:\chronicle_credentials.json
Verbose (--verbose)
This option prints the details of the HTTP requests sent and the responses received.
Usage example
$ chronicle_cli forwarders list --verbose
Export (--export)
This option lets you specify the file path to which the output of the list command is exported. Both relative and absolute paths are supported.
Usage example
$ chronicle_cli forwarders list --export=$HOME/listForwarderssResponse
File format (--file-format)
This option lets you specify the file format of the content exported by the list command. Three formats are supported: CSV, JSON, and TXT. If this option is not given together with the --export option, the CSV format is used by default.
Usage example
$ chronicle_cli forwarders list --export=$HOME/listForwardersResponse --file-format=JSON
Sample output
JSON format
{
"forwarders": [
{
"name": "55a77e24-9d16-4638-8940-0ef8071ed849",
"displayName": "new",
"config": {
"uploadCompression": true,
"metadata": {
"assetNamespace": "test",
"labels": [
{
"key": "k",
"value": "v"
},
{
"key": "k1",
"value": "v1"
}
]
},
"regexFilters": [
{
"description": "desc1",
"regexp": ".*",
"behavior": "ALLOW"
}
],
"serverSettings": {
"gracefulTimeout": 15,
"drainTimeout": 10,
"httpSettings": {
"port": 8080,
"host": "0.0.0.0",
"readTimeout": 3,
"readHeaderTimeout": 3,
"writeTimeout": 3,
"idleTimeout": 3,
"routeSettings": {
"availableStatusCode": 204,
"readyStatusCode": 204,
"unreadyStatusCode": 503
}
},
"state": "ACTIVE"
}
},
"state": "ACTIVE",
"collectors": {
"Collector [3e8243c3-7ff2-4ede-89fe-16410ffe03bd]": {
"name": "3e8243c3-7ff2-4ede-89fe-16410ffe03bd",
"displayName": "cre_test_2",
"state": "ACTIVE",
"config": {
"logType": "WINDOWS_DNS",
"metadata": {
"assetNamespace": "test",
"labels": [
{
"key": "k",
"value": "v"
}
]
},
"regexFilters": [
{
"description": "desc1",
"regexp": ".*",
"behavior": "ALLOW"
}
],
"diskBuffer": {
"state": "ACTIVE",
"directoryPath": "23",
"maxFileBufferBytes": "33"
},
"maxSecondsPerBatch": 10,
"maxBytesPerBatch": "1048576",
"fileSettings": {
"filePath": "path/file.txt"
}
}
}
}
}
]
}
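As an added example (not chronicle_cli code, and not from the project), the script below reads a file written by forwarders list --export=... --file-format=JSON, in the layout shown above, and reports settings a reviewer would want to revisit: a regex filter whose regexp is .* with behavior BLOCK (such a filter matches every line, as in the desc2 filter in the forwarder output earlier on this page), an HTTP status server listening on 0.0.0.0, and a syslog or Kafka collector with TLS verification skipped. The key names syslogSettings, kafkaSettings, tlsSettings and insecureSkipVerify are assumed camelCase forms of the CSV column headers (the JSON sample above has no syslog collector), the shape of an empty collectors map is assumed from the console output, and the sample input is constructed.

```python
"""Audit a `chronicle_cli forwarders list --file-format=JSON` export (added example)."""
from __future__ import annotations

import json
import sys

# Constructed sample in the export layout shown on the page, trimmed to the
# fields this audit looks at.
SAMPLE_EXPORT = json.dumps({
    "forwarders": [
        {
            "name": "55a77e24-9d16-4638-8940-0ef8071ed849",
            "displayName": "new",
            "config": {
                "uploadCompression": True,
                "regexFilters": [
                    {"description": "desc1", "regexp": ".*", "behavior": "ALLOW"},
                    {"description": "desc2", "regexp": ".*", "behavior": "BLOCK"},
                ],
                "serverSettings": {"httpSettings": {"port": 8080, "host": "0.0.0.0"}},
            },
            "state": "ACTIVE",
            "collectors": {
                "Collector [3e8243c3-7ff2-4ede-89fe-16410ffe03bd]": {
                    "name": "3e8243c3-7ff2-4ede-89fe-16410ffe03bd",
                    "displayName": "cre_test_2",
                    "state": "ACTIVE",
                    "config": {
                        "logType": "WINDOWS_DNS",
                        "regexFilters": [
                            {"description": "desc1", "regexp": ".*", "behavior": "ALLOW"}
                        ],
                        # Assumed key names: camelCase of the CSV headers
                        # [CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Insecure skip verify.
                        "syslogSettings": {
                            "protocol": "TCP",
                            "tlsSettings": {"insecureSkipVerify": True},
                        },
                    },
                }
            },
        },
        {
            # Forwarder without collectors; the console prints a message here,
            # so the exported shape is assumed to be a map with that message.
            "name": "ddcca884-cdc6-4ac2-ad30-05a28e6cf35a",
            "displayName": "test",
            "config": {},
            "state": "ACTIVE",
            "collectors": {"Message": "No collectors found for this forwarder."},
        },
    ]
})


def _filter_findings(filters: list[dict], where: str) -> list[str]:
    """A regexp of '.*' matches every line, so '.*' with BLOCK drops all input."""
    return [
        f"{where}: filter '{f.get('description')}' has regexp '.*' with BLOCK; it matches every line"
        for f in filters
        if f.get("regexp") == ".*" and f.get("behavior") == "BLOCK"
    ]


def audit_export(export_text: str) -> list[str]:
    """Return one human-readable finding per questionable setting, in document order."""
    findings: list[str] = []
    for fwd in json.loads(export_text).get("forwarders", []):
        fid = fwd.get("name")
        cfg = fwd.get("config") or {}
        findings += _filter_findings(cfg.get("regexFilters", []), f"forwarder {fid}")
        http = (cfg.get("serverSettings") or {}).get("httpSettings") or {}
        if http.get("host") == "0.0.0.0":
            findings.append(
                f"forwarder {fid}: HTTP status server listens on all interfaces "
                f"(0.0.0.0:{http.get('port')})"
            )
        for col in (fwd.get("collectors") or {}).values():
            if not isinstance(col, dict) or "config" not in col:
                continue  # the "No collectors found" message is a string, not a collector
            cid = col.get("name")
            ccfg = col["config"]
            findings += _filter_findings(ccfg.get("regexFilters", []), f"collector {cid}")
            for source in ("syslogSettings", "kafkaSettings"):
                tls = (ccfg.get(source) or {}).get("tlsSettings") or {}
                if tls.get("insecureSkipVerify") is True:
                    findings.append(f"collector {cid}: {source} has insecureSkipVerify=true")
    return findings


if __name__ == "__main__":
    # Usage: python audit_export.py $HOME/listforwarder.json  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for line in audit_export(text):
        print(line)
```

The audit walks only keys that appear in the export, so a forwarder whose config is partly empty produces no false findings; run it against the real export path printed by the list command after an export.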
CSV format
1. {file_name}_forwarders.csv
2. {file_name}_collectors.csv
Sample file contents:
{file_name}_forwarders.csv:
Name,Display name,Forwarder state,[CONFIG] Upload compression,[CONFIG][METADATA] Asset namespace,[CONFIG][METADATA] Labels,[CONFIG] Regex filters,[CONFIG][SERVER_SETTINGS] Server state,[CONFIG][SERVER_SETTINGS] Graceful timeout,[CONFIG][SERVER_SETTINGS] Drain timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Port,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Host,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Read timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Read header timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Write timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS] Idle timeout,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Available status code,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Ready status code,[CONFIG][SERVER_SETTINGS][HTTP_SETTINGS][ROUTE_SETTINGS] Unready status code
0593ba21-a1c7-4279-b429-bc8df959bd59,test,ACTIVE,True,test,"k1: v1
k2: v2
",,,,,,,,,,,0,0,0
094c9e41-e7c8-407a-8b9a-eb34d608a609,test,ACTIVE,True,te,"k1: v1
k2: v2
",,,,,,,,,,,0,0,0
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,test,ACTIVE,True,test,"key1: value1
key2: value2
",,ACTIVE,15,10,8080,0.0.0.0,3,4,5,8,204,204,500
{file_name}_collectors.csv:
Forwarder ID,Name,Display Name,Collector state,[CONFIG] Log type,[CONFIG] Max seconds per batch,[CONFIG] Max bytes per batch,[CONFIG][METADATA] Asset namespace,[CONFIG][METADATA] Labels,[CONFIG] Regex filters,[CONFIG][DISK_BUFFER] State,[CONFIG][DISK_BUFFER] Directory path,[CONFIG][DISK_BUFFER] Max file buffer bytes,[CONFIG][FILE_SETTINGS] File path,[CONFIG][KAFKA_SETTINGS][AUTHENTICATION] username,[CONFIG][KAFKA_SETTINGS][AUTHENTICATION] password,[CONFIG][KAFKA_SETTINGS] Topic,[CONFIG][KAFKA_SETTINGS] Group id,[CONFIG][KAFKA_SETTINGS] Timeout,[CONFIG][KAFKA_SETTINGS] Brokers,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Certificate,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Certificate key,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Minimum tls version,[CONFIG][KAFKA_SETTINGS][TLS_SETTINGS] Insecure skip verify,[CONFIG][PCAP_SETTINGS] Network interface,[CONFIG][PCAP_SETTINGS] Bpf,[CONFIG][SPLUNK_SETTINGS][AUTHENTICATION] username,[CONFIG][SPLUNK_SETTINGS][AUTHENTICATION] Password,[CONFIG][SPLUNK_SETTINGS] Host,[CONFIG][SPLUNK_SETTINGS] Port,[CONFIG][SPLUNK_SETTINGS] Minimum window size,[CONFIG][SPLUNK_SETTINGS] Maximum windows size,[CONFIG][SPLUNK_SETTINGS] Query string,[CONFIG][SPLUNK_SETTINGS] Query mode,[CONFIG][SPLUNK_SETTINGS] Cert ignored,[CONFIG][SYSLOG_SETTINGS] Protocol,[CONFIG][SYSLOG_SETTINGS] Address,[CONFIG][SYSLOG_SETTINGS] Port,[CONFIG][SYSLOG_SETTINGS] Buffer size,[CONFIG][SYSLOG_SETTINGS] Connection timeout,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Certificate,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Certificate key,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Minimum tls version,[CONFIG][SYSLOG_SETTINGS][TLS_SETTINGS] Insecure skip verify
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,03d28371-1bcb-4b28-9364-18412de1f827,collector_2,ACTIVE,WINDOWS_DNS,10,1048576,collector_update,"key1: value1
key2: value2
",,ACTIVE,path/file.txt,23,path/to/file.txt,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
1189f869-5f3c-4ec7-ba48-9c80e33aadf0,8ba8278c-1eef-4a72-a45a-491463768c70,col_3,ACTIVE,WINDOWS_DNS,10,1048576,test,"k1: v1
",,ACTIVE,path/to/file,233,path,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
55a77e24-9d16-4638-8940-0ef8071ed849,3e8243c3-7ff2-4ede-89fe-16410ffe03bd,cre_test_2,ACTIVE,WINDOWS_DNS,10,1048576,test,"k: v
",,ACTIVE,23,33,path/file.txt,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
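The CSV export splits forwarders and collectors into two files, linked by the Forwarder ID column, and writes the Labels column as "key: value" pairs on separate lines inside one quoted cell. As an added example (not chronicle_cli code), the script below joins the two files back together and flags forwarders that have no collectors. The rows are constructed in the layout shown above with a subset of the columns; csv.DictReader selects columns by header name, so the full files load the same way.

```python
"""Join {file_name}_forwarders.csv and {file_name}_collectors.csv (added example)."""
import csv
import io
from collections import defaultdict

# Constructed rows in the export layout shown on the page (subset of columns).
FORWARDERS_CSV = (
    "Name,Display name,Forwarder state,[CONFIG] Upload compression,"
    "[CONFIG][METADATA] Asset namespace,[CONFIG][METADATA] Labels\n"
    '1189f869-5f3c-4ec7-ba48-9c80e33aadf0,test,ACTIVE,True,test,"key1: value1\n'
    "key2: value2\n"
    '"\n'
    '0593ba21-a1c7-4279-b429-bc8df959bd59,test,ACTIVE,True,test,"k1: v1\n'
    '"\n'
)

COLLECTORS_CSV = (
    "Forwarder ID,Name,Display Name,Collector state,[CONFIG] Log type,"
    "[CONFIG] Max seconds per batch,[CONFIG] Max bytes per batch,"
    "[CONFIG][METADATA] Asset namespace,[CONFIG][METADATA] Labels\n"
    "1189f869-5f3c-4ec7-ba48-9c80e33aadf0,03d28371-1bcb-4b28-9364-18412de1f827,"
    'collector_2,ACTIVE,WINDOWS_DNS,10,1048576,collector_update,"key1: value1\n'
    "key2: value2\n"
    '"\n'
    "1189f869-5f3c-4ec7-ba48-9c80e33aadf0,8ba8278c-1eef-4a72-a45a-491463768c70,"
    'col_3,ACTIVE,WINDOWS_DNS,10,1048576,test,"k1: v1\n'
    '"\n'
)


def parse_labels(cell: str) -> dict:
    """Turn a multi-line 'key: value' Labels cell into a dict."""
    labels = {}
    for line in cell.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            labels[key.strip()] = value.strip()
    return labels


def join_exports(forwarders_csv: str, collectors_csv: str) -> dict:
    """Map forwarder ID -> forwarder summary with its collectors attached."""
    collectors_by_forwarder = defaultdict(list)
    # csv handles the newline inside the quoted Labels cell; no manual splitting needed.
    for row in csv.DictReader(io.StringIO(collectors_csv)):
        collectors_by_forwarder[row["Forwarder ID"]].append({
            "id": row["Name"],
            "display_name": row["Display Name"],
            "log_type": row["[CONFIG] Log type"],
            "max_bytes_per_batch": int(row["[CONFIG] Max bytes per batch"]),
            "labels": parse_labels(row["[CONFIG][METADATA] Labels"]),
        })
    joined = {}
    for row in csv.DictReader(io.StringIO(forwarders_csv)):
        fid = row["Name"]
        joined[fid] = {
            "display_name": row["Display name"],
            "state": row["Forwarder state"],
            "labels": parse_labels(row["[CONFIG][METADATA] Labels"]),
            "collectors": collectors_by_forwarder.get(fid, []),
        }
    return joined


def forwarders_without_collectors(joined: dict) -> list:
    """Forwarders that are defined but ingest nothing; candidates for review or cleanup."""
    return sorted(fid for fid, fwd in joined.items() if not fwd["collectors"])


if __name__ == "__main__":
    # To use real exports, read the two files into strings and pass them here.
    result = join_exports(FORWARDERS_CSV, COLLECTORS_CSV)
    for fid, fwd in result.items():
        print(fid, fwd["display_name"], len(fwd["collectors"]), "collector(s)")
    print("no collectors:", forwarders_without_collectors(result))
```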
區域 (--region)
執行指令時,您可以傳遞 --region
旗標來選取區域。
如要進一步瞭解如何設定預設區域,請參閱設定預設區域。
Troubleshooting
Error codes
This section shows the console output that corresponds to the different types of response codes received from the API.
See the following tables for the output of each command:
Get command

Response code | Console output
404 | "{Forwarder|Collector}" does not exist.
400 | Invalid {Forwarder|Collector} ID. Please enter a valid {Forwarder|Collector} ID.
Any other response code | Error while fetching {Forwarder|Collector}. Response code: {status code} Error: {error message}

List command

Response code | Console output
Any response code other than 200 | Error: Response code: {status code} Error: {error message}

Create command

Response code | Console output
Any response code other than 200 | Error while creating {forwarder|collector}. Response code: {status code} Error: {error message}

Update command

Response code | Console output
Any response code other than 200 | Error while updating {forwarder|collector}. Response code: {status code} Error: {error message}

Delete command

Response code | Console output
404 | "{Forwarder|Collector}" does not exist.
400 | Invalid {Forwarder|Collector} ID. Please enter a valid {Forwarder|Collector} ID.
Any other response code | Error while deleting "{Forwarder|Collector}". Response code: {status code} Error: {error message}

Other errors or exceptions

Exception | Console output
KeyError | Key {key name} not found in response.
Exception | Failed with exception: {exception details}
Missing credentials file | Failed with exception: [Errno 2] No such file or directory: '/usr/local/google/home/ (the credentials file must be placed in the expected directory; see Installation)
If you have other questions or problems with the Google SecOps CLI, contact Google SecOps support.
BigQuery data access workflow
Google Security Operations supports self-service access to Google Security Operations data (SIEM and SOAR) in BigQuery. You can use the Google Security Operations CLI to grant Identity and Access Management (IAM) roles that give a user email address the following permissions:
roles/bigquery.dataViewer
roles/bigquery.jobUser
roles/storage.objectViewer
The email address must be a Google Account and ID Administration (GAIA) user email address belonging to the Google SecOps customer.
For more information about these roles, see Exporting table data.
Commands
bigquery command
The bigquery command takes the provide_access argument.
Usage syntax:
$ chronicle_cli bigquery ARGUMENT [OPTIONS]
Arguments
provide_access argument
Prompts you for a user email address. The email address must be a Google Account and ID Administration (GAIA) user email address belonging to the Google SecOps customer. The user is granted the IAM roles required to:
- Read data and metadata from BigQuery tables (roles/bigquery.dataViewer)
- Run queries against BigQuery table data (roles/bigquery.jobUser)
- Read data in Google Cloud Storage buckets (roles/storage.objectViewer)
Usage example
$ chronicle_cli bigquery provide_access
$ Enter email: xyz@gmail.com
Successful response
Providing BigQuery access...
Access provided to email: xyz@gmail.com
Error response
Providing BigQuery access...
Error while providing access:
Response code: 400
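A check worth running after provide_access, added here as example code rather than anything chronicle_cli does itself: read the project's IAM policy and confirm the user holds exactly the three documented roles, no fewer (the grant failed partway) and no more (someone has since widened it). The policy below is a constructed stand-in for the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints; which project to inspect (assumed here to be the one bound to the Google SecOps instance), the example email addresses and the extra roles in the sample are all assumptions. Bindings that carry an IAM condition are reported separately, because they may not apply at request time and should be reviewed by hand.

```python
import json

# Roles that `chronicle_cli bigquery provide_access` grants (from the section above).
EXPECTED_ROLES = {
    "roles/bigquery.dataViewer",
    "roles/bigquery.jobUser",
    "roles/storage.objectViewer",
}

# Constructed IAM policy in the shape printed by
# `gcloud projects get-iam-policy PROJECT --format=json` (assumption: the grant is bound on the
# project attached to the Google SecOps instance). One member holds exactly the documented roles,
# another is missing one role and has picked up an admin role that the grant never gave.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwX0123456789=",
    "bindings": [
        {"role": "roles/bigquery.dataViewer",
         "members": ["user:analyst@example.com", "user:contractor@example.com"]},
        {"role": "roles/bigquery.jobUser",
         "members": ["user:analyst@example.com", "user:contractor@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:analyst@example.com"]},
        {"role": "roles/bigquery.admin",
         "members": ["user:contractor@example.com"]},
        {"role": "roles/bigquery.dataEditor",
         "members": ["user:analyst@example.com"],
         "condition": {"title": "expired grant",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
})


def roles_for(policy: dict, email: str):
    """Return (unconditional roles, conditional roles) bound to user:<email>, case-insensitively."""
    member = f"user:{email.strip().lower()}"
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        members = {m.lower() for m in binding.get("members", [])}
        if member in members:
            (conditional if "condition" in binding else unconditional).add(binding["role"])
    return unconditional, conditional


def check_bigquery_grant(policy_json: str, email: str) -> dict:
    """Compare what the user actually holds with the documented provide_access grant."""
    policy = json.loads(policy_json)
    held, conditional = roles_for(policy, email)
    return {
        "missing": sorted(EXPECTED_ROLES - held),
        "extra": sorted(held - EXPECTED_ROLES),
        "conditional": sorted(conditional),
        "ok": held == EXPECTED_ROLES,
    }


if __name__ == "__main__":
    for who in ("analyst@example.com", "contractor@example.com"):
        print(who, check_bigquery_grant(SAMPLE_POLICY, who))
```

Only bindings on the project itself are examined; a role inherited from a folder or organization binding does not appear in this policy, so an "ok" result means the project-level grant matches the documentation, not that the user has no other path to the data.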
Options
Help (-h / --help)
Use the -h or --help option to see the usage and help text for any command or option.
Troubleshooting
This section shows the console output that corresponds to the different types of response codes received from the API.
provide_access argument response codes

Response code | Console output
400 | Email does not exist.
Any other response code | Error while providing access. Response code: {status code} Error: {error message}