AMINERREMOTECONTROL(1)            logdata-anomaly-miner User Manual            AMINERREMOTECONTROL(1)
NAME
AMinerRemoteControl - remote control client for a running AMiner instance
SYNOPSIS
AMinerRemoteControl [--ControlSocket socket] [--Exec command] [--ExecFile file] [--Data data] [--StringResponse]
DESCRIPTION
This manual page documents briefly the AMinerRemoteControl command. The command sends a remote control command to a running AMiner child process, where it is executed as Python code with the running AnalysisContext available as analysis_context; the result is printed on standard output. Because anyone who can connect to the control socket can in this way run arbitrary code with the privileges of the child process, the socket (see FILES) must be accessible to the administrative user only and must never be exposed over the network. As the child process usually runs with lowered privileges or under SELinux/AppArmor confinement, you may observe unexpected results when a command accesses resources outside the child process, e.g. files. For more details see also the packaged documentation at /usr/share/doc/logdata-anomaly-miner.
Example use cases:
Print a property of the running AMinerConfig:
    AMinerRemoteControl --Exec "print_config_property(analysis_context, 'MailAlerting.TargetAddress')"
Print the complete AMinerConfig:
    AMinerRemoteControl --Exec "print_current_config(analysis_context)" --StringResponse
Print a property of the running AMinerConfig, change it and confirm the changed value by printing it again:
    AMinerRemoteControl --Exec "print_config_property(analysis_context, 'MailAlerting.MinAlertGap')"
    AMinerRemoteControl --Exec "change_config_property(analysis_context, 'MailAlerting.MinAlertGap', 600)"
    AMinerRemoteControl --Exec "print_config_property(analysis_context, 'MailAlerting.MinAlertGap')"
OPTIONS
This program follows the usual GNU command line syntax, with long options starting with two dashes ('--'). A summary of options is included below. For a complete description, see the packaged documentation at /usr/share/doc/logdata-anomaly-miner.
--ControlSocket socket
    Path of the Unix domain remote control socket of the running AMiner instance. Defaults to /var/run/aminer-remote.socket (see FILES).
--Exec command
    Execute the given command, a Python expression as shown under Commands, in the AMiner child process and print the result.
--ExecFile file
    Read the command to execute from file instead of the command line; convenient for long commands such as ones that construct a new analysis component.
--Data data
    JSON-encoded data passed along with the command and made available to the executed code.
--StringResponse
    Print the response as a plain string instead of the Python representation of the returned value; use it for multi-line output such as print_current_config.
Commands
change_config_property(analysis_context,property_name,value)
Read more about which properties can be changed in the Valid Property Names section.
change_attribute_of_registered_analysis_component(analysis_context,component_name,attribute,value)
example: AMinerRemoteControl --Exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPath', 'auto_include_flag', False)"
rename_registered_analysis_component(analysis_context,old_component_name,new_component_name)
example: AMinerRemoteControl --Exec "rename_registered_analysis_component(analysis_context,'NewMatchPath','NewMatchPathDetector')"
add_handler_to_atom_filter_and_register_analysis_component(analysis_context,atom_handler,component,component_name)
example: AMinerRemoteControl --Exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.atom_handler_list, auto_include_flag=True), 'NewMatchPathDet')"
print_config_property(analysis_context,property_name)
example: AMinerRemoteControl --Exec "print_config_property(analysis_context,'NewMatchPath')"
print_attribute_of_registered_analysis_component(analysis_context,component_name, attribute)
example: AMinerRemoteControl --Exec "print_attribute_of_registered_analysis_component(analysis_context,'NewMatchPath', 'auto_include_flag')"
print_current_config(analysis_context)
example: AMinerRemoteControl --Exec "print_current_config(analysis_context)" --StringResponse
save_current_config(analysis_context,destination_file)
example: AMinerRemoteControl --Exec "save_current_config(analysis_context,'/tmp/config.py')"
whitelist_event_in_component(analysis_context,component_name,event_data,whitelisting_data=None)
example: AMinerRemoteControl --Exec "whitelist_event_in_component(analysis_context,'EnhancedNewMatchPathValueComboDetector','new/path')"
example: AMinerRemoteControl --Exec "whitelist_event_in_component(analysis_context,'MissingMatchPathValueDetector','new/path',-11)"
example: AMinerRemoteControl --Exec "whitelist_event_in_component(analysis_context,'NewMatchPathDetector',['new/path'])"
example: AMinerRemoteControl --Exec "whitelist_event_in_component(analysis_context,'NewMatchPathValueComboDetector','new/path')"
dump_events_from_history(analysis_context,history_component_name,dump_event_id)
example: AMinerRemoteControl --Exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',12)"
ignore_events_from_history(analysis_context,history_component_name,event_ids)
example: AMinerRemoteControl --Exec "ignore_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[12,13,15])"
list_events_from_history(analysis_context,history_component_name,max_event_count=None)
example: AMinerRemoteControl --Exec "list_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',600)"
whitelist_events_from_history(analysis_context,history_component_name,id_spec_list,whitelisting_data=None)
example: AMinerRemoteControl --Exec "whitelist_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[12,13,15])"
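The examples above hard-code every argument. In automation the component name, property or value usually comes from a variable, and because the --Exec string is Python source evaluated in the child, a value spliced in with plain string formatting can close its quote and become code. The helper below is an added example written for this manual page, not code from logdata-anomaly-miner: it serialises every argument with repr(), verifies with ast that the assembled command is still exactly one function call, and invokes AMinerRemoteControl without a shell. It assumes the default socket path from FILES; the hostile value in the __main__ block is constructed for illustration.

```python
"""Build AMinerRemoteControl commands from variables without code injection.

Added example for this manual page, not code from logdata-anomaly-miner.
The --Exec argument is Python source evaluated inside the AMiner child, so
a value spliced in with string formatting can close its quote and become
code.  Serialising every argument with repr() keeps it a literal; ast is
used to confirm the result is still exactly one function call.
"""
import ast
import subprocess

DEFAULT_SOCKET = "/var/run/aminer-remote.socket"   # path from the FILES section

_PLAIN = (str, int, float, bool, type(None))


def py_literal(value):
    """Python source for plain data (str/int/float/bool/None and lists of them)."""
    if isinstance(value, _PLAIN):
        return repr(value)
    if isinstance(value, (list, tuple)):
        return "[" + ", ".join(py_literal(v) for v in value) + "]"
    raise TypeError(f"refusing to put a {type(value).__name__} into a remote command")


def change_config_property(property_name, value):
    return f"change_config_property(analysis_context, {py_literal(property_name)}, {py_literal(value)})"


def print_config_property(property_name):
    return f"print_config_property(analysis_context, {py_literal(property_name)})"


def whitelist_event_in_component(component_name, event_data, whitelisting_data=None):
    cmd = (f"whitelist_event_in_component(analysis_context, "
           f"{py_literal(component_name)}, {py_literal(event_data)}")
    if whitelisting_data is not None:
        cmd += f", {py_literal(whitelisting_data)}"
    return cmd + ")"


def is_single_call(command):
    """True if command parses as exactly one expression statement that is a call."""
    try:
        tree = ast.parse(command, mode="exec")
    except SyntaxError:
        return False
    return (len(tree.body) == 1 and isinstance(tree.body[0], ast.Expr)
            and isinstance(tree.body[0].value, ast.Call))


def argv_for(command, socket_path=DEFAULT_SOCKET, string_response=False):
    """argv for subprocess: no shell, so no second layer of quoting to get wrong."""
    if not is_single_call(command):
        raise ValueError(f"not a single remote control call: {command!r}")
    argv = ["AMinerRemoteControl", "--ControlSocket", socket_path, "--Exec", command]
    if string_response:
        argv.append("--StringResponse")
    return argv


def run_remote(command, **kwargs):
    """Send one command to the running AMiner and return its stdout."""
    return subprocess.run(argv_for(command, **kwargs), check=True,
                          capture_output=True, text=True).stdout


def change_and_confirm(property_name, value, **kwargs):
    """The print/change/print use case from DESCRIPTION as three round trips."""
    before = run_remote(print_config_property(property_name), **kwargs)
    run_remote(change_config_property(property_name, value), **kwargs)
    after = run_remote(print_config_property(property_name), **kwargs)
    return before, after


if __name__ == "__main__":
    # Constructed hostile value: inert through py_literal, code through naive formatting.
    hostile = "x'); __import__('os').system('id'); print('"
    print(change_config_property("LogPrefix", hostile))
    print(is_single_call(change_config_property("LogPrefix", hostile)))                            # True
    print(is_single_call(f"change_config_property(analysis_context, 'LogPrefix', '{hostile}')"))  # False
```

py_literal deliberately rejects anything that is not plain data; constructing detector objects, as in the add_handler_to_atom_filter_and_register_analysis_component example, belongs in a reviewed --ExecFile rather than in a string assembled at run time.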
Valid Property Names
MailAlerting.TargetAddress
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'MailAlerting.TargetAddress', 'root@localhost')"
Define a target e-mail address to send alerts to. When undefined, no e-mail notification hooks are added.
MailAlerting.FromAddress
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'MailAlerting.FromAddress', 'root@localhost')"
Sender address of e-mail alerts. When undefined, the "sendmail" implementation on the host decides which sender address is used.
MailAlerting.SubjectPrefix
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'MailAlerting.SubjectPrefix', 'AMiner Alerts:')"
Define which text is prepended to the standard AMiner subject. Defaults to "AMiner Alerts:".
MailAlerting.EventCollectTime
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'MailAlerting.EventCollectTime', 10)"
Define how many seconds to wait after the first event triggered the alerting procedure before the e-mail is actually sent. Events arriving in that timespan are collected and sent in the same e-mail. Defaults to 10 seconds.
MailAlerting.MinAlertGap
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'MailAlerting.MinAlertGap', 600)"
Define the minimum time between two alert e-mails in seconds to avoid spamming. All events during this timespan are collected and sent out with the next report. Defaults to 600 seconds.
MailAlerting.MaxAlertGap
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'MailAlerting.MaxAlertGap', 1000)"
Define the maximum time between two alert e-mails in seconds. When undefined this defaults to "MailAlerting.MinAlertGap". Otherwise it activates an exponential backoff that reduces messages during permanent error states: whenever more alert-worthy events are recorded while the previous gap has not yet elapsed, the alert gap is increased by 50%, up to this maximum.
MailAlerting.MaxEventsPerMessage
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'MailAlerting.MaxEventsPerMessage', 1000)"
Define how many events should be included in one alert mail at most. This defaults to 1000.
LogPrefix
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'LogPrefix', ' Original log line: ')"
Most analysis components implement the outputLogLine property, which is True by default and appends the original captured log line to the event output. LogPrefix is the text placed in front of that original log line. Defaults to ''.
Resources.MaxMemoryUsage
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'Resources.MaxMemoryUsage', -1)"
This property limits the maximum RAM in MB the AMiner process may use. Choose the value carefully: running out of memory raises a MemoryError. Defaults to -1, meaning no limit.
Resources.MaxCpuPercentUsage
Example: AMinerRemoteControl --Exec "change_config_property(analysis_context, 'Resources.MaxCpuPercentUsage', 30)"
Limiting the AMiner process to a fraction of the available CPU prevents it from overloading the system. The value must be an integer between 1 and 100.
FILES
/var/run/aminer-remote.socket
    Default path of the remote control socket, used when --ControlSocket is not given.
BUGS
Report bugs via your distribution's bug tracking system. For bugs in the software trunk, report at https://bugs.launchpad.net/logdata-anomaly-miner/+filebug.
SEE ALSO
AMiner(1)
AUTHOR
Markus Wurzenberger <markus.wurzenberger@ait.ac.at>
COPYRIGHT
Copyright © 2016 Markus Wurzenberger
This manual page was written for the Debian system (and may be used by others).
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3.
On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
06/30/2020                                  logdata-anomaly-miner