Command Line Utilities
There are many linux shell scripts that assist with administration of LogZilla. Where appropriate those scripts are referred to elsewhere in the documentation. This section gives the entire list of scripts and their parameters.
These scripts are run via logzilla scriptname [action name] [arguments].
LogZilla Scripts
Note that all of these scripts accept a -h argument to give help on the script and any script actions.
archives
manage archives of LogZilla event data
| action name |
description |
archive |
archive selected date range of events |
remove |
remove archived data for the selected date range |
migrate |
migrate old archives (older than v6.10) to the latest version to allow running queries without restore |
| example command |
example description |
logzilla archives archive -E 5 |
archive events for the last five days |
logzilla archives remove --ts-from 4/1/2020 --ts-to 5/1/2020 |
remove archived events from 4/1/2020 up to but not including 5/1/2020 |
logzilla archives migrate --ts-from 4/1/2020 --ts-to 5/1/2020 |
migrate archived events from 4/1/2020 to 5/1/2020 to current format so that queries can be run without restore |
authtoken
Create or revoke LogZilla user token
| action name |
description |
create |
create an authorization token |
revoke |
revoke an authorization token |
info |
show details for the specified token |
list |
show list of all authtokens |
| example command |
example description |
logzilla authtoken create -U someuser |
create authorization token for user someuser |
logzilla authtoken revoke dfcf2dee6113b33f89bbfc0be3ced0c02db2b9e28bf36499 |
revoke previously-created authorization token by token id |
logzilla authtoken info dfcf2dee6113b33f89bbfc0be3ced0c02db2b9e28bf36499 |
show details for token with that id |
logzilla authtoken list |
show all authtokens |
config (also configmanager)
Manage LogZilla configuration settings
| action name |
description |
| (none) |
list configuration settings |
setting_name |
display setting |
setting_ name (value) |
add or change value of setting |
| example command |
example description |
logzilla config TIME_ZONE |
display configuration setting for time zone |
logzilla config TIME_ZONE EST |
set configuration setting for time zone to EST |
dashboards
LogZilla dashboard import/export (or dashboard widgets)
| action name |
description |
list |
list all dashboards |
export |
export dashboards |
import |
import dashboards (format must be yaml) |
performance |
run dashboard/widgets live-update benchmarks |
remove |
delete specified dashboard(s) |
| example command |
example description |
logzilla dashboards list *windows* |
list dashboards with title containing windows |
logzilla dashboards list -w --dashboard-id 120 |
list the widgets on dashboard 120 |
logzilla dashboards list --widget-id 874 |
list just the widget for widget id 874 |
logzilla dashboards export -O my_dashboards.json -F json --owner myname |
write (complete) dashboards for owner myname as JSON to file my_dashboards.json |
logzilla dashboards import --owner myname -I my_dashboards.yaml -p 1 |
import dashboards from file my_dashboards.yaml as belonging to user myname and set to public |
logzilla dashboards performance |
list performance metrics for each dashboard by widget |
logzilla dashboards remove mydashboard |
delete specified dashboard |
download
Download LogZilla images
| action name |
description |
offline_dir |
directory to save compressed images to |
| example command |
example description |
logzilla download /tmp/down |
download logzilla images to /tmp/down |
events
Manage LogZilla event data
| action name |
description |
stats |
show # events, counters, deduplication |
parser-stats |
show # processed events and throughput |
cardinality |
show fields indexed and # values |
fix-cardinality |
recalculate cardinality values |
values |
show events fields and values |
fix |
fix chunks for selected data range |
tester |
test event flow |
| example command |
example description |
logzilla events stats --ts-from 4/1/2020 --ts-to 5/1/2020 |
show # events, # counters, % dedup, and # dropped |
logzilla events fix --ts-from 4/1/2020 --ts-to 5/1/2020 |
fix broken storage chunks (as indicated in logs) |
forwarder
Manage LogZilla event forwarder
| action name |
description |
print |
display current configuration |
print-files |
display current configuration per files |
import |
display configuration from given file |
stats |
display forward statistics per target |
| example command |
example description |
logzilla forwarder stats --ts-from 4/1/2020 --ts-to 5/1/2020 |
show # events, % dedup by target |
https
Manage Logzilla HTTPS configuration
| action name |
description |
--on |
enable HTTPS |
--off |
disable HTTPS |
| example command |
example description |
logzilla https --on ~/certs/ssl.key ~/certs/ssl.cert |
enable HTTPS with given key & cert files for forwarding of events |
inspect-dump
Do not use.
install
Download and install or update LogZilla image files
| action name |
description |
| (n/a) |
no named actions |
kinesis
Manage LogZilla kinesis agent
| action name |
description |
start |
start kinesis container |
stop |
stop kinesis container |
restart |
restart kinesis container |
set-properties |
set kinesis properties |
import |
import kinesis properties |
export |
export kinesis properties |
set-aws-credentials |
set kinesis AWS credentials |
| example command |
example description |
logzilla kinesis set-properties --streamName "lz_kinesis_staging_stream" |
set the kinesis stream name for the LogZilla event stream |
logzilla kinesis set-aws-credentials --aws-access-key dfcf2dee6113b33f89bb --aws-secret-key fc0be3ced0c02db2b9e28bf36499 |
set the AWS access tokens for kinesis |
ldap
Manage LogZilla LDAP configuration
| action name |
description |
init |
initialize LDAP config |
enable |
validate config file and enable LDAP |
disable |
disable LDAP |
test |
test current LDAP configuration settings |
license
Manage LogZilla license
| action name |
description |
load |
load license from file |
download |
download license |
key |
print host key |
verify |
verify license |
| example command |
example description |
logzilla license load ~/logzilla/license.txt |
load the LogZilla license |
logs
Deprecated. Use tail -f /var/log/logzilla/logzilla.log .
passwd (also password)
Set password for given user
| action name |
description |
| (username) |
username to set password for |
| example command |
example description |
logzilla passwd johndoe |
be prompted for new password for user johndoe |
query
LogZilla action-line querying tool
| action name |
alternate |
description |
-d |
--debug |
debug mode |
-q |
--quiet |
notify only on warnings and errors (be quiet) |
--timezone |
|
specify the timezone for time-range parameters and exported data date formats (default: 'UTC') |
-c |
--config |
path to config file, defaults to ~/.lz5query |
-cu |
--config_update |
update config file with given user/password/base-url |
-u |
--user |
username to authenticate |
-p |
--password |
password to authenticate |
-a |
--authtoken |
auth token to authenticate |
-bu |
--base-url |
base url to the API |
-t |
--type |
type of query to perform |
-st |
--show-types |
show available query types |
-P |
--params |
path to json file with query params |
-O |
--output-file |
path to output file (format specified by --format) |
--format |
|
output file format. If omitted, guesses from extension or defaults to JSON |
| example command |
example description |
logzilla query --show-types |
show the types of queries that can be performed |
logzilla query --config /tmp/tmpconfig.txt -t System_CPU --output-file /tmp/cpu_stats.json |
|
logzilla query -P /tmp/params.json /tmp/params.json -t LastN |
show query results for type LastN using criteria in /tmp/params.json |
Example config file (/tmp/tmpconfig.txt)
[lz5query]
user=myusername
password=mypassword
base_url=http://front/api
Example params file (/tmp/params.json)
{
"field": "host",
"limit": 5,
"filter": [],
"show_other": false,
"time_range": {
"preset": "last_3_days"
}
}
restart
Restart LogZilla
| action name |
description |
| (n/a) |
no named actions |
rules
Manage LogZilla rewrite rules
| action name |
description |
list |
list rewrite rules |
reload |
reload rewrite rules |
add |
add rewrite rule (accepts .yaml, .json, .lua file) |
remove |
remove rewrite rule |
export |
export rewrite rule |
enable |
enable rewrite rule |
disable |
disable rewrite rule |
errors |
shows which rules are erroring and how many times |
performance |
benchmark rules single-thread performance |
test |
test rule(s) (against test files) for errors |
| example command |
example description |
logzilla rules add newrule.yaml --name Unity |
add new rule from file with given name |
logzilla rules test 100-existing-rule |
test existing rule for errors |
logzilla rules test --path 100-new-rule.lua |
test new/not-loaded rule for errors |
Example rule file for adding (newrule.yaml):
rewrite_rules:
- match:
field: message
op: =*
value: product="UnityOne"
rewrite:
program: UnityOne
tag:
Tipping Point Actions: $act
Tipping Point App: $app
Tipping Point Block Category: $act
Tipping Point DHost: $dhost
Tipping Point Device: $dvchost
script
Do not use.
sender
Send log data to LogZilla or syslog, either read from file or generated
| action name |
alternate |
arg example |
description |
-z |
--zmq |
(n/a) |
Send data using ZeroMQ protocol |
--zmq-target |
|
=tcp://parsermodule:11411 |
Where to send zmq data (defaults to tcp://parsermodule:11411) |
--zmq-format |
|
=json_lines |
Either json_lines or eventpack (defaults to json_lines) |
--zmq-timeout |
|
=0 |
Send timeout in milliseconds (for ZMQ transport only) |
-s |
--syslog |
(n/a) |
Send data using Syslog protocol (default) |
--syslog-target |
|
=localhost:32514 |
Where to send syslog data (defaults to localhost:32514) |
--syslog-protocol |
|
=bsd |
Either bsd or rfc5424 (default bsd) |
--syslog-transport |
|
=tcp |
Either tcp or udp (default tcp) |
--octet-count |
|
(n/a) |
Use octet counting framing method for sending syslog messages |
-S |
--shuffle |
(n/a) |
Shuffle read/generated data randomly |
-R |
--random |
(n/a) |
Generate fields in random order |
--read-messages |
|
(n/a) |
Read messages from given file (use - for stdin) |
--read-full |
|
(n/a) |
Read full events from given TSV file (use - for stdin). Overrides --read-messages |
--read-format |
|
=bsd |
Given TSV file format. Either bsd or rfc5424 (defaults to bsd) |
-r |
--rate |
=0 0 |
Rate range of sending in packets per second, default 0 0 means no limit |
-w |
--wrap |
(n/a) |
Wrap input data to get endless stream of data |
-t |
--time |
=0 |
Finish sending after given number of seconds (usually used with -w and -r) |
-n |
--number-of-events |
=0 |
Number of messages to generate (defaults to 10, unless reading from file) |
--msg-priority |
|
={{0..191}} |
Fixed priority or list of priorities (numbers 0 to 191, possibly separated by .. or ,) |
--msg-host |
|
={{hosta,hostb,hostc}} |
Fixed host or list of hosts |
--msg-program |
|
={{programa,programb,programc}} |
Fixed program or list of programs |
--msg-body |
|
=Message nr {{1..32}} |
Fixed message body or list of such |
--msg-user-tags |
|
(n/a) |
Fixed user tag or list of user tags (for ZMQ transport only).format: tag1_name=value1,tag2_name=value2 |
--pack-size |
|
=0 |
Pack messages (for ZMQ transport only) in packets of that size |
--dedup-level |
|
=-1 |
Generate extra messages to reach given deduplication level (value in percent, allowed range: 0 - 100 |
--dedup-window |
|
=60 |
Value of dedup window on server, needed only with dedup-level |
-l |
--log |
(n/a) |
Enable usage and counter logging using zmqlog |
-v |
--verbose |
(n/a) |
Verbose mode (show progress while sending) |
-d |
--debug |
(n/a) |
Debug mode (show every message sent) |
--zero-ts |
|
(n/a) |
Set timestamps to zero so they will be set by parser (zmq only) |
| example command |
example description |
logzilla sender --zero-ts --read-full mylog.tsv -w --syslog-target=192.168.10.191:514 --syslog-transport=udp --syslog-protocol=bsd -r 5 10 -v 5 |
send events from given file to given target at specified rate, marking events with current timestamp |
Example events file for sending (mylog.tsv)
7 206.190.60.138 10.0.0.1 62443 80 offset 8 S 832026162 win 8192 blocked sites (Internal Policy)
0 nyc-m500 142 firewall msg_id="3000-0173" Deny 0-External Firebox 52 tcp 20 127 206.190.60.138 10.0.0.1 62443 80 offset 8 S 832026162 win 8192 blocked sites (Internal Policy)
0 nyc-m500 142 firewall msg_id="3000-0173" Deny 0-External Firebox 52 tcp 20 127 206.190.60.138 10.0.0.1 62443 80 offset 8 S 832026162 win 8192 blocked sites (Internal Policy)
shell
Execute given command (default bash) in the specified LogZilla container.
| action name |
alternate |
description |
-c |
--container |
container to attach to |
snapshot
LogZilla configuration backup/restore tool
| action name |
description |
| create |
create snapshot |
| restore |
restore LogZilla from snapshot |
| list |
list existing LogZilla snapshots |
| autoremove |
remove old snapshots |
| example command |
example description |
logzilla snapshot create |
backup current LogZilla configuration |
logzilla snapshot restore --id v6.11.0-dev5_20200601T095908.462993Z |
restore given LogZilla configuration |
speedtest
LogZilla maximum EPS estimator
| action name |
description |
| (n/a) |
no named actions |
| example command |
example description |
logzilla speedtest |
show LogZilla current performance metrics |
start
Start LogZilla
| action name |
description |
| (n/a) |
no named actions |
stop
Stop LogZilla
| action name |
description |
| (n/a) |
no named actions |
triggers
LogZilla triggers import/export tool
| action name |
description |
| list |
list all non-default triggers |
| export |
export triggers |
| import |
import triggers |
| delete |
delete triggers |
| update |
update given trigger |
| performance |
run trigger benchmarks |
example trigger import file:
filter:
- field: message
op: qp
value:
- entered forwarding state
mark_known: true
name: entered forwarding state
send_webhook_method: GET
send_webhook_ssl_verify: true
| example command |
example description |
logzilla triggers list *cisco* |
list triggers containing the word cisco |
logzilla triggers import -I new_trigger.yaml --owner johndoe |
import new trigger with owner johndoe |
uninstall
Uninstall LogZilla
| action name |
description |
| (n/a) |
no named actions |
upgrade
Upgrade LogZilla to latest version
| action name |
description |
| (n/a) |
no named actions |
| example command |
example description |
logzilla upgrade |
upgrade LogZilla to latest version |
logzilla upgrade --version v6.1.0-rc7 |
upgrade LogZilla to a specific version |
version
Show LogZilla version
| action name |
description |
| (n/a) |
no named actions |