CLI Commands
Restart ESM
Restart APM
# /etc/init.d/apm stop
# /etc/init.d/apm start
tailf /usr/local/ess/data/NitroError.Log
View Rebuild Status of DB Partitions (in addition to ESM System Properties page)
Viewing Sort Files created by ESM (too large can create slowdowns)
# /var/log/ice/crash.log
# cat /var/lib/HealthStatus.data (tac for newest first, cat for oldest first)
cat /var/log/messages* | grep -i "starting ERC" (tac for newest first, cat for oldest first)
less /var/log/messages (type 'q' to exit the editor, "Shift + g" to get to the end of the file)
# cat /etc/upgrade.history (tac for newest first, cat for oldest first)
# cat /etc/buildstamp
# cat /proc/version
Use the du command to find out how much data is in each directory.
# du -hc --max-depth=1
This will return the base level directories with the size.
The following command will limit the results to only the Gigabyte size directories:
sar -d 1 10
TCP dump commands when you do not see the expected DBM data
# tcpdump -s0 -ieth3 -wfile1.pcap host 1.2.3.4 and port 1433 (dump file will be called file1.pcap in the current directory)
Run the dump for 30, and then press CTRL+C to escape out. Check the file size and repeat. Generally a few hundred MBs worth of files should be good if you see the expected DB traffic in the tcpdump.
# tcpdump -s0 -ieth3 -wfile1.pcap vlan # host 10.x.x.x and port 1433 (optional to leave the tag number, for example 130, off if unknown)
# tcpdump -s0 -nnvXi eth1 vlan # and host 172.x.x.x and port 1433 (with vlan tag and shows packet contents in list form)
# tcpdump -s0 -nnvXi eth1 -wfile3.pcap vlan # and host 172.x.x.x and port 1433 (with vlan tag and saves tcpdump to pcap file)
# ls /var/log/data/inline/
# /etc/init.d/nitrodbserver restart
# collectorsctl -- +laux
# filterctl -- +laux
# parsersctl -- +laux
# killall -9 wmin
# killall -9 wmip
"Ctrl + C" to exit
# tw_cli show c# (# shown using show command - c2 for ESM's, c0 on 2250 Receivers and APM)
# ha_status
# crm status
# tailf /var/log/NPP_c.log
# tailf /var/log/NPP_p.log
Finding and viewing raw logs in stored text file on Receiver (example)
# ls /var/log/data/inline/thirdparty.logs/105/in/
# cat /var/log/data/inline/thirdparty.logs/105/in/data.20121115161524000
# nsql /usr/local/ess/data/connect_esm.sql (To exit the nsql editor type 'x' or 'exit' and <enter>)
To get the clutter off of the SSH session and your prompt back to the top of the screen (does not
remove scroll back data on screen)
clear
# cd /root/.ssh
# rm /etc/NitroGuard/thirdparty.*.*
# rm /var/log/data/inline/thirdparty.logs/(1* thru 9*)
ESM Related
Quickest running filters – Very Important!!!!
There are combinations of filters that are specifically tuned to run more quickly. These combinations
have been defined by users who frequently use the filters for quickly drilling down to specific events.
Directory Related
ESM & Receiver Software File Location (for upgrades)
/usr/local/ess/SoftwareUpdates/
/usr/local/NitroGuard
/usr/local/ess/update/archive/
/db1/usr/local/ess/dbbackup/
/data_hd/usr/local/ess/data/
ESM Redundant File Copy Location (For Alert, Connection, and Log files)
/usr/local/ess/dbredund
Commands:
tcpdump -nni eth0 -vvv -w <path to write dump> host <ip address of host you want to get a dump from> (the capture filter expression must come after all options, otherwise tcpdump treats "-vvv -w" as part of the filter and fails)
2014/04/09 21:43:01.429 Error 132 opening table with field Alert.ALERTTIM(partition 2406)(data count = 77427336, index count = 77427320) Index count does not match record count
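To find which DB partitions are reporting this error (and so are candidates for a rebuild, see the rebuild-status notes above), the following added shell helper pulls the partition number, data count, index count and their difference out of NitroError.Log lines. This is an example added here, not part of the original cheat sheet; it assumes the log line format matches the one quoted above, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise "Index count does not match record count"
# errors from NitroError.Log. Assumes lines look like the one quoted
# on this page; the sample below is constructed, not real ESM output.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2014/04/09 21:43:01.429 Error 132 opening table with field Alert.ALERTTIM(partition 2406)(data count = 77427336, index count = 77427320) Index count does not match record count
2014/04/09 21:43:02.001 Error 132 opening table with field Alert.ALERTTIM(partition 2407)(data count = 1000, index count = 999) Index count does not match record count
2014/04/09 21:43:02.500 Some unrelated message that must be ignored
EOF

# Print one line per mismatch: "partition data_count index_count delta".
index_mismatches() {
  grep 'Index count does not match record count' "$1" |
  sed -n 's/.*(partition \([0-9]*\))(data count = \([0-9]*\), index count = \([0-9]*\)).*/\1 \2 \3/p' |
  awk '{ print $1, $2, $3, $2 - $3 }'
}

# Number of distinct partitions reporting a mismatch.
mismatch_partition_count() {
  index_mismatches "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Usage against the constructed sample (point it at the real log in practice):
index_mismatches "$SAMPLE_LOG"
```

Point the functions at /usr/local/ess/data/NitroError.Log to run them against the real log.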
McAfee-ETM-6000 ~ # cd /usr/local/ess/data
McAfee-ETM-6000 /usr/local/ess/data/copy_ngcp # ls
ngcp.cfd ngcp.cfg
McAfee-ETM-6000 /usr/local/ess/data # ls
Check Database:
1. cd /usr/local/ess/data