Learn more about remotely connecting to a Cortex XDR Broker VM.
Cortex XDR enables you to remotely connect to a Broker VM directly from the Cortex XDR console.
In Cortex XDR, select Settings → Configurations → Data Broker → Broker VMs table.
Locate the Broker VM you want to connect to, right-click and select Open Live Terminal.
Cortex XDR opens a CLI window where you can perform the following commands:
Broker VM logs are located in the /data/logs/ folder and contain the applet name in the file name, for example /data/logs/[applet name].
The Broker VM allows commands which do not require sudo, for example route or ifconfig -a. The Broker VM supports the commands listed in the following table. All the commands are located in the /home/admin/sbin folder. Cortex XDR requires you to use the following values when running commands:
CSV Collector—file_collector
Database Collector—db_collector
Files and Folders Collector—log_collector
FTP Collector—ftp_collector
Kafka Collector—kafka_collector
Local Agent Settings—tms_proxy
NetFlow Collector—netflow_collector
Network Mapper—network_mapper
Pathfinder—odysseus
Syslog Collector—anubis
Windows Event Collector—wec
Upgrade—zenith_upgrade
Frontend service—webui
Sync with Cortex XDR—cloud_sync
Internal messaging service (RabbitMQ)—rabbitmq-server
Upload metrics to Cortex XDR—metrics_uploader
Prometheus node exporter—node_exporter
Backend service—backend
The following table displays the available commands in alphabetical order.

| Command | Description | Example |
| --- | --- | --- |
| applets_restart | Restarts one or more applets. | sudo ./applets_restart wec |
| applets_start | Starts one or more applets. | sudo ./applets_start wec |
| applets_status | Checks the status of one or more applets. | sudo ./applets_status wec |
| applets_stop | Stops one or more applets. | sudo ./applets_stop wec |
| hostnamectl | Checks and updates the machine hostname on a Linux operating system. Restart the machine after running the command. | sudo ./hostnamectl set-hostname <new_host_name> |
| kill | Linux kill command. | sudo ./kill [some pid] |
| restart_routes | Invokes a restart of the routing service after you update your static network route configuration file, /etc/network/routes. The /etc/network/routes configuration file is a standard Ubuntu routes configuration file and can be edited directly. The admin user that you logged in with, when using the remote terminal or via SSH, has read/write permissions to this file. Note: you can either run restart_routes or reboot the Broker VM for the changes in the /etc/network/routes file to take effect. | sudo ./restart_routes |
| route | Modifies your IP address routing. | sudo ./route |
| services_restart | Restarts one or more services. OS services are not supported. | sudo ./services_restart cloud_sync |
| services_start | Starts one or more services. | sudo ./services_start cloud_sync |
| services_status | Checks the status of one or more services. | sudo ./services_status cloud_sync |
| services_stop | Stops one or more services. | sudo ./services_stop cloud_sync |
| set_ui_password.sh | Changes the password of the Broker VM Web UI. Run the command, then enter the new password followed by Ctrl+D. | sudo ./set_ui_password.sh |
| squid_tail | Displays the Proxy applet Squid log file in real time. | sudo ./squid_tail |
| tcpdump | Linux network traffic capture command. You must use the -w flag in order to write the output to a file. | sudo ./tcpdump -i eth0 -w /tmp/packets.pcap |
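The applet helpers above take the internal applet name, not the label shown in the console, and every one of them runs under sudo. The following wrapper, an added example and not part of the Cortex XDR documentation or product, resolves a console label to its internal name using the mapping listed earlier, rejects anything not on that list before it reaches sudo, and composes the /home/admin/sbin command. The BROKER_DRY_RUN variable and the function names are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the Cortex XDR documentation): resolve a console
# applet label to its internal name, validate the action, and run the matching
# /home/admin/sbin helper. BROKER_DRY_RUN=1 (an assumed variable) only prints
# the composed command, so the script can be exercised off the Broker VM.

SBIN=/home/admin/sbin

# Map the console's applet labels to the internal names the helpers expect
# (only the applets; services such as cloud_sync use the services_* helpers).
applet_internal_name() {
  case "$1" in
    "CSV Collector")               echo file_collector ;;
    "Database Collector")          echo db_collector ;;
    "Files and Folders Collector") echo log_collector ;;
    "FTP Collector")               echo ftp_collector ;;
    "Kafka Collector")             echo kafka_collector ;;
    "Local Agent Settings")        echo tms_proxy ;;
    "NetFlow Collector")           echo netflow_collector ;;
    "Network Mapper")              echo network_mapper ;;
    "Pathfinder")                  echo odysseus ;;
    "Syslog Collector")            echo anubis ;;
    "Windows Event Collector")     echo wec ;;
    *) return 1 ;;
  esac
}

# Build the exact command line for an action (status|start|stop|restart) on
# one applet. Unknown applets or actions fail here instead of being passed to sudo.
broker_applet_cmd() {
  action=$1; label=$2
  case "$action" in status|start|stop|restart) ;; *) return 1 ;; esac
  name=$(applet_internal_name "$label") || return 1
  echo "sudo $SBIN/applets_$action $name"
}

# Run the composed command, or just print it in dry-run mode.
broker_applet() {
  cmd=$(broker_applet_cmd "$1" "$2") || { echo "unknown applet or action: $1 $2" >&2; return 1; }
  if [ "${BROKER_DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
}
```

Usage on the Broker VM: `broker_applet status 'Syslog Collector'` runs `sudo /home/admin/sbin/applets_status anubis`.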