Learn more about remotely connecting to a Cortex XDR Broker VM.
Cortex XDR enables you to connect remotely to a Broker VM directly from Cortex XDR.
In Cortex XDR, select Settings → Configurations → Data Broker → Broker VMs table.
Locate the Broker VM you want to connect to, right-click and select Open Live Terminal.
Cortex XDR opens a CLI window where you can perform the following commands:
Broker VM logs are located in the /data/logs folder, and the file name contains the applet name.
Example 41. The folder /data/logs/[applet name] contains container_ctrl_[applet name].log
The Broker VM allows commands that do not require sudo.
Example 42. route or ifconfig -a
The Broker VM supports the commands listed in the following table. All the commands are located in the /home/admin/sbin folder. Cortex XDR requires that you use the following values when running commands:
Notice
The only applet that is available with a Cortex XDR Prevent license is the Local Agent Settings. The rest of the applets are only available with a Cortex XDR Pro license.
CSV Collector: file_collector
Database Collector: db_collector
Files and Folders Collector: log_collector
FTP Collector: ftp_collector
Kafka Collector: kafka_collector
Local Agent Settings: tms_proxy
NetFlow Collector: netflow_collector
Network Mapper: network_mapper
Pathfinder: odysseus
Syslog Collector: anubis
Windows Event Collector: wec
Upgrade: zenith_upgrade
Frontend service: webui
Sync with Cortex XDR: cloud_sync
Internal messaging service (RabbitMQ): rabbitmq-server
Upload metrics to Cortex XDR: metrics_uploader
Prometheus node exporter: node_exporter
Backend service: backend
The following table lists the available commands in alphabetical order (command, description, example):

applets_restart
  Restarts one or more applets.
  Example: sudo ./applets_restart wec

applets_start
  Starts one or more applets.
  Example: sudo ./applets_start wec

applets_status
  Checks the status of one or more applets.
  Example: sudo ./applets_status wec

applets_stop
  Stops one or more applets.
  Example: sudo ./applets_stop wec

hostnamectl
  Checks and updates the machine hostname on a Linux operating system. Restart the machine after running the command.
  Example: sudo ./hostnamectl set-hostname <new_host_name>

kill
  Linux kill command.
  Example: sudo ./kill [some pid]

restart_routes
  Invokes a restart of the routing service after you update your static network route configuration file, /etc/network/routes. The /etc/network/routes configuration file is a standard Ubuntu routes configuration file and can be edited directly. The admin user that you logged in with, whether through the remote terminal or SSH, has read/write permissions to this file.
  Example: sudo ./restart_routes
  Note: You can either run restart_routes or reboot the Broker VM for the changes in the /etc/network/routes file to take effect.

route
  Modifies your IP address routing.
  Example: sudo ./route

services_restart
  Restarts one or more services. OS services are not supported.
  Example: sudo ./services_restart cloud_sync

services_start
  Starts one or more services.
  Example: sudo ./services_start cloud_sync

services_status
  Checks the status of one or more services.
  Example: sudo ./services_status cloud_sync

services_stop
  Stops one or more services.
  Example: sudo ./services_stop cloud_sync

set_ui_password.sh
  Changes the password of the Broker VM Web UI. Run the command, enter the new password, and then press Ctrl+D.
  Example: sudo ./set_ui_password.sh

squid_tail
  Displays the Proxy applet Squid log file in real time.
  Example: sudo ./squid_tail

tcpdump
  Linux command for capturing network traffic. Use the -w flag to write the output to a file.
  Example: sudo ./tcpdump -i eth0 -w /tmp/packets.pcap
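The following helper script is an added example written for this page; it is not Palo Alto Networks code and does not ship with the Broker VM. It ties together the applet name table, the /data/logs/[applet name]/container_ctrl_[applet name].log layout and the applets_* commands from the table above, so an operator working in the live terminal can address applets by the name shown in the Cortex XDR console rather than by the internal identifier. The BROKER_SBIN and BROKER_LOGS variables are constructed overrides so the name-mapping functions can be exercised outside the Broker VM; the assumption that several applet identifiers are passed to applets_* as separate arguments follows from the "one or more applets" wording and is not confirmed by the page.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code). Paths and applet identifiers
# come from the Cortex XDR Broker VM documentation; the two variables below
# are constructed overrides so the mapping functions can run anywhere.
BROKER_SBIN="${BROKER_SBIN:-/home/admin/sbin}"
BROKER_LOGS="${BROKER_LOGS:-/data/logs}"

# Map the applet name shown in the Cortex XDR console to the identifier
# that the applets_* commands expect (table from the documentation).
applet_id() {
    case "$1" in
        "CSV Collector")               echo file_collector ;;
        "Database Collector")          echo db_collector ;;
        "Files and Folders Collector") echo log_collector ;;
        "FTP Collector")               echo ftp_collector ;;
        "Kafka Collector")             echo kafka_collector ;;
        "Local Agent Settings")        echo tms_proxy ;;
        "NetFlow Collector")           echo netflow_collector ;;
        "Network Mapper")              echo network_mapper ;;
        "Pathfinder")                  echo odysseus ;;
        "Syslog Collector")            echo anubis ;;
        "Windows Event Collector")     echo wec ;;
        *) echo "unknown applet: $1" >&2; return 1 ;;
    esac
}

# Build the applet's control log path: <logs>/<id>/container_ctrl_<id>.log
applet_log_path() {
    aid=$(applet_id "$1") || return 1
    echo "$BROKER_LOGS/$aid/container_ctrl_$aid.log"
}

# Follow an applet's control log by console name.
# Usage: tail_applet_log "Syslog Collector"
tail_applet_log() {
    path=$(applet_log_path "$1") || return 1
    tail -f "$path"
}

# Run one of the documented sbin commands for a list of applets.
# Usage: applets_cmd status "Syslog Collector" "Windows Event Collector"
# Assumption: multiple identifiers are passed as separate arguments.
applets_cmd() {
    action="$1"; shift
    case "$action" in
        start|stop|restart|status) ;;
        *) echo "action must be start|stop|restart|status" >&2; return 1 ;;
    esac
    ids=""
    for name in "$@"; do
        aid=$(applet_id "$name") || return 1
        ids="$ids $aid"
    done
    # shellcheck disable=SC2086  # word-splitting of $ids is intended
    (cd "$BROKER_SBIN" && sudo "./applets_$action" $ids)
}
```

Only the name-to-identifier and log-path functions are pure; applets_cmd and tail_applet_log need the live terminal (or an SSH session as the admin user), and applets_cmd refuses any action other than the four documented applets_* commands so that a typo cannot turn into an unrelated sudo invocation from /home/admin/sbin.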