section:algosec:documentation:usefullcommands [2021/12/22 12:12] patriksection:algosec:documentation:usefullcommands [2023/09/29 07:01] (current) – external edit 127.0.0.1
Line 808: Line 808:
    -d – used to decrypt the files    -d – used to decrypt the files
    -C – extract in subdirectory named test    -C – extract in subdirectory named test
 +
 +=== How to activate debug mode in ABF ===
 +You need to enable debug mode to troubleshoot BusinessFlow. \\
 +Solution\\ 
 +To enable debug mode in BusinessFlow: \\
 +  1. Log in to AFA as root user using SSH.
 +  2. Edit the following file /home/bflow/config/log4j2.xml:
 +    a. Change the following line:
 +    <property name="algosec-log-level">INFO</property>
 +    to
 +    <property name="algosec-log-level">DEBUG</property>
 +  (( 3. Restart the apache-tomcat service. )) ###usually not needed
 +
 +=== Boostmode on and off ===
 +Script download: https://algosec.sharefile.com/d-s62142b58f5b4210b \\
 +\\
 +\\
 +To install boostmode, perform the following, unzip the script and move it to the system under /tmp/ (this can be applied on GEO’s, Slaves, HA secondaries, all necessary boxes). \\
 +\\
 +As root:
 +  cp /tmp/boostmode /etc/init.d/boostmode
 +  chmod 755 /etc/init.d/boostmode
 +  chkconfig boostmode on
 +  service boostmode start # this may take a few minutes
 +
 +After the service has started, you must restart all the relevant services:
 +  service activemq restart
 +  service apache-tomcat restart
 +  service algosec-ms restart
 +  service postgresql reload
 +  restart_fireflow
 +
 +It’s important to communicate to the customer that they will also need to perform the following steps after applying any hotfixes or patches in the future – as these can overwrite some of the boostmode settings. \\
 +After successfully installing hotfixes the following should be run as root:\\
 +
 +  service boostmode start 
 +  service activemq restart
 +  service apache-tomcat restart
 +  service algosec-ms restart
 +
 +  service postgresql reload
 +  restart_fireflow
 +
 +Boost mode can be disabled just by running:
 +  service boostmode stop
 +
 +Stopping the service will roll back all the changes. \\
 +
 +Before
 +  -------
 +  [root@algosec-RA ~]# swapon -s
 +  Filename                                Type            Size    Used    Priority
 +  /dev/dm-1                               partition       7688188 0       -1
 +  [root@algosec-RA ~]#
 +
 +After
 +  ------
 +  [root@algosec ~]# swapon -s
 +  Filename                                Type            Size    Used    Priority
 +  /dev/zram0                              partition       3087552 0       100
 +  /dev/zram1                              partition       3087552 0       100
 +  /dev/zram2                              partition       3087552 0       100
 +  /dev/zram3                              partition       3087552 0       100
 +  [root@algosec ~]#
 +
 +=== Cluster node suddanly removed from cluster ===
 +Problem: \\
 +On node in the cluster removed from the cluster. \\
 +\\
 +Logs: \\
 +HA logs (/var/log/algosec_hadr/ several logs i this location) \\
 +Messages log (/var/log/message) \\
 +\\
 +Low disk space: \\
 +On one node, in ha logs (collect from ha menue (algosec_conf 13)). Or in HA logs, there will be a entry of low disk space and that cluster will be broken due to that.  Log of this is on the node that was removed from the cluster. \\
 +To low disk space is less that 10% free space (on any partition? Maby but surely on the /data partition)\\
 +
 +=== How the user field in ABF flows work ===
 +The field is populated from either the ABF database OR the supported firewall. (like Palo Alto/Panorama). \\
 +You cannot combine the two source of users, like rest of the produkt. Only one or the other is used at one or the other time. \\
 +Also the users possibly to populate the user field needs to be present in the firewall. More test on this should be done to verify. \\
 +Settings to change this is found uder:\\
 +ABF => [name in upper right corner] => Administration => Configuration => User Awareness Support => USer validation via LDAP is Currently [on/off] \\
 +\\
 +If on = get from firewall \\
 +If off = get from ABF user database \\
 +
 +=== How to get a session id ===
 +GUI: 
 +  1. Go to the AFA home page (the portion displaying graphs).
 +  2. In the Web browser box, type ?"!session!" .
 +  3. Click Enter.
 +  A popup displays a unique session ID. 
 +
 +CLI: 
 +  1. Go to the CLI and type the following command:ls -ltr /home/afa/public_html/algosec | tail
 +  A list of session IDs displays.
 +  2. Make a note of the latest session ID.
 +
 +=== How to look into .tar, .zip, .bz2 files without unpacking them ===
 +.tar
 +
 +.zip
 +  zcat [cat]
 +  zmore [more]
 +  zless [less]
 +
 +Or if the .zip contains multiple files
 +  vim [file].zip
 +
 +Example
 +  zcat testfile.zip
 +  vim testfile.zip
 +
 +*** .bz2
 +  bzcat [cat]
 +  bzless [less]
 +  vim
 +
 +=== How to clean up the session database table in postgres ===
 +In some versions of ASMS the session table just grows and grows. This is a bug! \\
 +To manually empty the database session table do the procedure below. \\
 +
 +  #########################
 +  # Important before synk #
 +  #########################
 +
 +  ++++++++++++++++++++++++++++++++++++++++
 +  + Check the postgres /session db table +
 +  ++++++++++++++++++++++++++++++++++++++++
 +
 +This is the procedure \\
 +\\
 +On the active node (where all services are runnig AFA,AFF,DB) \\
 +Stop services as follows: \\
 +
 +  /usr/share/fireflow/local/sbin/stop_fireflow.sh
 +  service crond stop
 +  service apache-tomcat stop
 +  service algosec-ms stop
 +  service postgresql stop
 +  service activemq stop
 +  service httpd stop
 +  service logstash stop
 +  service elasticsearch stop
 +  service kibana stop
 +  service mongod stop
 +  service aff-boot stop
 +
 +Once all services are stopped bring the postgresql service back up with 'service postgresql restart' \\
 +Once postgres run the following commands from the CLI. \\
 +
 +  psql -U postgres -d rt3 -c 'truncate sessions;'
 +  psql -U postgres -d rt3 -c 'vacuum full verbose sessions;'
 +
 +Once the commands finish bring the rest of the services back online. \\
 +
 +  service crond start
 +  service httpd start
 +  service postgresql start
 +  service activemq start
 +  service apache-tomcat start
 +  service algosec-ms start
 +  service aff-boot start
 +  /usr/share/fireflow/local/sbin/start_fireflow.sh
 +  service logstash start
 +  service elasticsearch start
 +  service kibana start
 +  service mongod start
 +
 +=== Guide for LVM on new setup virtual appliance ===
 +  ################
 +  # Up to A30.20 #
 +  ################
 +
 +Fix the LVM on the devices \\
 +Lists all disks in the system (as fdisk -l) \\
 +  lsblk
 +
 +  parted /dev/sdb
 +  moves from msdos to guided partition table for disks over 2TB
 +
 +  mktable GPT
 +
 +  Creates a partition of 50GB
 +  mkpart 0 1 50000 
 +
 +  Create a partition of the rest of the disk
 +  mkpart 0 50001 100%
 +
 +  Lists all disks in the system (as fdisk -l)
 +  lsblk
 +
 +  Creates the physical volumes of the new partitions
 +  pvcreate /dev/sdb1
 +  pvcreate /dev/sdb2
 +
 +  Extend the volume group /dev/vg_algsoec with the new physical volumes
 +  vgextend /dev/vg_algosec /dev/sdb1
 +  vgextend /dev/vg_algosec /dev/sdb2
 +
 +  Extend the logial volumes with the new partitions (-r will extend automaticly)
 +  lvextend -r /dev/vg_algosec/vg_system /dev/sdb1
 +  lvextend -r /dev/vg_algosec/vg_data /dev/sdb2
 +
 +  if not -r extends the logical volumes automaticly do the following
 +  for ext4 filesystem
 +  resize2fs /dev/vg_algosec/vg_system
 +  resize2fs /dev/vg_algosec/vg_data
 +
 +  for xfs filesystem
 +  xfs_growfs /dev/vg_algosec/vg_system
 +  xfs_growfs /dev/vg_algosec/vg_data
 +
 +  To check the filesystem expends ok via watch per second
 +  screen
 +  watch -n 1 -d "df -hT"
 +  ip addr
 +  watch -n 1 -d "df -hT"
 +
 +  ###################
 +  # For ASMS V32 => #
 +  ###################
 +Differences is that volume group and logical volumes have new names / different locations. \\
 +\\
 +Fix the LVM on the devices\\
 +Lists all disks in the system (as fdisk -l)\\
 +  lsblk
 +
 +
 +  parted /dev/sdb
 +  
 +  moves from msdos to guided partition table for disks over 2TB
 +  mktable GPT
 +
 +  Creates a partition of 50GB
 +  mkpart 0 1 50000 
 +
 +  Create a partition of the rest of the disk
 +  mkpart 0 50001 100%
 +
 +  Lists all disks in the system (as fdisk -l)
 +  lsblk
 +
 +  Creates the physical volumes of the new partitions
 +  pvcreate /dev/sdb1
 +  pvcreate /dev/sdb2
 +
 +  Extend the volume group /dev/vg_algsoec with the new physical volumes
 +  vgextend /dev/centos /dev/sdb1
 +  vgextend /dev/centos /dev/sdb2
 +
 +  Extend the logial volumes with the new partitions (-r will extend automaticly)
 +  lvextend -r /dev/centos/root /dev/sdb1
 +  lvextend -r /dev/centos/data /dev/sdb2
 +
 +  if not -r extends the logical volumes automaticly do the following
 +  for ext4 filesystem
 +  resize2fs /dev/vg_algosec/vg_system
 +  resize2fs /dev/vg_algosec/vg_data
 +
 +  for xfs filesystem
 +  xfs_growfs /dev/vg_algosec/vg_system
 +  xfs_growfs /dev/vg_algosec/vg_data
 +
 +  To check the filesystem expends ok via watch per second
 +  screen
 +  watch -n 1 -d "df -hT"
 +  ip addr
 +  watch -n 1 -d "df -hT"
  
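Review bot: in the "For ASMS V32 =>" LVM block the fallback resize lines still read `resize2fs /dev/vg_algosec/vg_system`, `resize2fs /dev/vg_algosec/vg_data` (and the same two paths for `xfs_growfs`) although the `vgextend`/`lvextend` lines directly above use `/dev/centos/root` and `/dev/centos/data`; by the section's own note that the volume group and logical volumes have new names on V32, those fallback commands target paths that are not the volumes just extended, so they should name `/dev/centos/root` and `/dev/centos/data` instead, and the copied comment "Extend the volume group /dev/vg_algsoec" is both misspelled and wrong for that section. Two further points in the same hunk: the boostmode section installs a script fetched from a ShareFile link as a root-run init service (`cp /tmp/boostmode /etc/init.d/boostmode`, `chkconfig boostmode on`) with nothing to verify the download against, so the page should record the expected checksum of the script next to the link and tell the reader to compare it before copying the file into /etc/init.d; and the "How to get a session id" section lists session IDs straight from `/home/afa/public_html/algosec` and via the `?"!session!"` popup, so it should add one sentence that these IDs identify a logged-in session and must not be pasted into tickets, chat or this wiki.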
section/algosec/documentation/usefullcommands.1640175165.txt.gz · Last modified: 2023/09/29 07:01 (external edit)