Learn more about remotely connecting to a Cortex XDR Broker VM.
Cortex XDR enables you to remotely connect to a Broker VM directly from the Cortex XDR console.
In Cortex XDR, select Settings → Configurations → Data Broker → Broker VMs table.
Locate the Broker VM you want to connect to, right-click and select Open Live Terminal.
Cortex XDR opens a CLI window where you can perform the following commands:
Broker VM logs located are located in
/data/logs/ folderand contain the applet name in file name.Example 6.Folder
/data/logs/[applet name], containingcontainer_ctrl_[applet name].logThe Broker VM allows commands which do not require Sudo.
Example 7.routeorifconfig -aBroker VM supports the command listed in the following table. All the commands are located in the
/home/admin/sbinfolder.Cortex XDR requires you use the following values when running commands:
CSV Collector—
file_collectorDatabase Collector—
db_collectorFiles and Folders Collector—
log_collectorFTP Collector—
ftp_collectorKafka Collector—
kafka_collectorLocal Agent Settings—
tms_proxyNetFlow Collector—
netflow_collectorNetwork Mapper—
network_mapperPathfinder—
odysseusSyslog Collector—
anubisWindows Event Collector—
wec
Upgrade—
zenith_upgradeFrontend service—
webuiSync with Cortex XDR —
cloud_syncInternal messaging service (RabbitMQ)—
rabbitmq-serverUpload metrics to Cortex XDR —
metrics_uploaderPrometheus node exporter—
node_exporterBackend service—
backend
The following table displays the available commands in alphabetical order.
Command
Description
Example
applets_restartRestarts one or more applets.
sudo ./applets_restart wecapplets_startStart one or more applets.
sudo ./applets_start wecapplets_statusCheck the status of one or more applets.
sudo ./applets_status wecapplets_stopStop one or more applets.
sudo ./applets_stop wechostnamectlCheck and update the machine hostname on a Linux operating system.
sudo ./hostnamectl set-hostname <new_host_name>Restart machine after running command.
killLinux kill command.
sudo ./kill [some pid]restart_routesInvoke a restart of the routing service after updating your static network route configuration file,
/etc/network/routes.The
/etc/network/routesconfiguration file is a standard Ubuntu routes configuration file and can be edited directly. The admin user that you logged in with, when using the remote terminal or via SSH, has read/write permissions to this file.sudo ./restart_routesNote
You can either
restart_routesor reboot the Broker VM for the changes in the/etc/network/routesfile to take affect.routeModify your IP address routing.
sudo ./routeservices_restartRestarts one or more services. OS services are not supported.
sudo ./services_restart cloud_syncservices_startStart one or more services
sudo ./services_start cloud_syncservices_statusCheck the status of one or more services.
sudo ./services_status cloud_syncservices_stopStop one or more services.
sudo ./services_restart cloud_syncset_ui_password.shChange the password of the Broker VM Web UI.
Run the command, enter the new password followed by Ctrl+D.
sudo ./set_ui_password.shsquid_tailDisplay the Proxy applet Squid log file in real-time.
sudo ./squid_tail