FortiSOAR Admin CLI
An administrator can use the FortiSOAR Admin CLI (csadm) to perform various functions, such as backing up and restoring data, and to run various FortiSOAR commands, such as starting and stopping services and collecting logs.
Prerequisites
To run csadm, you must log in as root or have sudo permissions. Because csadm runs with root privileges and can restore data, replace certificates, and delete and recreate the message queue database, restrict sudo access to it to the administrators who need it.
FortiSOAR Admin CLI - Usage
Once you type # csadm at the command prompt, the usage and subcommands of the FortiSOAR Admin CLI are displayed as shown in the following image:

To perform a particular task in FortiSOAR using csadm, type # csadm followed by the subcommand and the subcommand's arguments (if any). For example, to change the hostname, use the following command:
# csadm hostname --set [<hostname to be set>]

You can get help for a particular subcommand by running either of the following commands:
# csadm <subcommand>
# csadm <subcommand> --help
csadm supports the following subcommands:

Subcommand | Description |
---|---|
certs | Generates and deploys your certificates. You can use the following options with this subcommand: |
db | Performs operations related to the database. From version 7.0.0 onwards, you can also back up and restore the data of your external Secure Message Exchange (SME) system by using the following commands: |
ha | Manages your FortiSOAR High Availability cluster. For more information about HA and its commands, see the High Availability support in FortiSOAR chapter. |
hostname | Changes the name of the host and the Fully Qualified Domain Name (FQDN) based on the parameters you specify. You can use the following options with this subcommand: |
license | Manages your FortiSOAR license. You can use the following options with this subcommand: |
mq | FortiSOAR message queue controller (RabbitMQ) functions. --flush-db: Deletes and recreates the RabbitMQ database. |
log | Performs log collection and forwarding of syslogs. The options of the log forward subcommand are described in CLI commands used for forwarding syslogs below. |
secure-message-exchange | Manages the default secure message exchange server available with a FortiSOAR node. A secure message exchange establishes a secure channel that is used to relay information to the agents or tenant nodes. |
source-control | (New in version 7.0.0) Imports or exports FortiSOAR configurations, such as MMD and SVT updates, along with playbooks and other required configuration changes, between systems. This is required for Continuous Integration/Continuous Delivery (CI/CD), a pipeline that automates your software delivery process: the pipeline builds code and runs tests (CI), then safely deploys a new version of the application (CD). You can use the following options with this subcommand: |
services | FortiSOAR services controller functions, such as starting and stopping FortiSOAR services. You can use the following options with this subcommand: |
network | Manages network operations. You can use the following options with this subcommand: |
CLI commands used for forwarding syslogs
Use the csadm log forward command to forward FortiSOAR logs to your central log management server, which must accept logs from an rsyslog client. The command has the following subcommands:
- add-config - csadm log forward add-config: Adds configuration details for the syslog server to which you want to forward FortiSOAR logs. You can use the following options with this subcommand:
  - --server: Hostname of the syslog server to which you want to forward the FortiSOAR logs.
  - --port: Port number that you want to use to communicate with the syslog server.
  - --protocol: Protocol that you want to use to communicate with the syslog server. You can specify tcp, udp, or relp.
  - --tls: To communicate securely with the syslog server, set --tls to true. If you enable TLS, then in the --ca-cert option you must specify the path, including the filename, to the CA certificate PEM file that contains the complete chain of CA certificates. If you have a client certificate for your FortiSOAR client, then in the --client-cert option specify the path to the client certificate PEM file, including the filename, and in the --client-key option specify the path to the client key PEM file, including the filename.
    Without TLS, the forwarded audit and application logs cross the network in cleartext, and udp gives no delivery guarantee, so for a log server outside a trusted network use tcp or relp with --tls set to true. The CA chain is what FortiSOAR uses to verify the syslog server; the client certificate and key are used when the syslog server authenticates its clients (mutual TLS).
  - --filter: Comma-separated list of filters that specifies the type of logs you want to forward to your syslog server. Valid filters are application, audit, and none; by default all logs, i.e., application and audit logs, are forwarded. For example, to forward audit logs only, specify --filter=audit.
    If you specify --filter=none, no logs are forwarded, i.e., log forwarding is temporarily disabled. To enable log forwarding again, use the update-config subcommand with the --filter option, for example: csadm log forward update-config --uuid <UUID of configuration> --filter audit,application
    Note: You can define the rules for forwarding audit logs using the FortiSOAR UI. For more information, see the System Configuration chapter.
  - --config-name: Name of the configuration in which you want to store the log forwarding configuration details.
  Note: Validation checks, such as whether the syslog server is reachable on the specified port, are run before the syslog server is added, and the syslog server is added only if the configuration details you entered are valid.
- show-config - csadm log forward show-config: Displays the configuration details of the syslog server, such as the server's IP address, protocol, TLS information, and the UUID of the configuration.
- remove-config - csadm log forward remove-config --uuid <UUID of configuration>: Removes the syslog configuration with the specified UUID. To find the UUID of your configuration, use the show-config subcommand.
- update-config - csadm log forward update-config --uuid <UUID of configuration>: Updates the syslog configuration with the specified UUID. To find the UUID of your configuration, use the show-config subcommand. You can update any or all of the options described for the add-config subcommand. Use the update-config subcommand with the --filter option to re-enable temporarily disabled log forwarding.

You can configure only a single syslog server. If you have already configured a syslog server and you try to add a new one, FortiSOAR displays a warning that a syslog server is already configured and that adding a new one will remove the existing configuration. Further processing depends on your response (yes/no) to the prompt.
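The add-config, show-config and update-config steps above, combined into one script. This is an added example, not code from the FortiSOAR documentation or product; it only assembles and runs the csadm commands described in this section. It assumes that csadm is on PATH, that --tls takes the literal values true and false, and that show-config prints the configuration UUID in the usual 8-4-4-4-12 hexadecimal form; the function names and the CA_CERT, CLIENT_CERT, CLIENT_KEY and ALLOW_PLAINTEXT variables are the example's own. The checks it performs (protocol, port, filter names, TLS material present) run before csadm's own reachability validation, and it refuses plaintext forwarding unless that is explicitly allowed.

```bash
#!/bin/sh
# Added example, not part of the FortiSOAR documentation or product code: a
# wrapper around `csadm log forward` that checks its inputs before handing
# them to csadm and that pauses/resumes forwarding by configuration UUID.
# Assumptions (not stated on the page): csadm is on PATH, --tls takes the
# literal values true/false, and show-config prints the UUID as 8-4-4-4-12 hex.
set -eu

CSADM=${CSADM:-csadm}   # point at a stub (e.g. CSADM=echo) for a dry run

# Validate arguments and run `csadm log forward add-config`.
#   usage: log_forward_add_config SERVER PORT PROTOCOL TLS [FILTER] [NAME]
# TLS material comes from the environment: CA_CERT (required when TLS=true),
# CLIENT_CERT and CLIENT_KEY (both or neither, for mutual TLS).
# Plaintext forwarding is refused unless ALLOW_PLAINTEXT=1, because audit
# logs carry usernames, source addresses and the actions taken on the node.
log_forward_add_config() {
  [ $# -ge 4 ] || { echo "usage: log_forward_add_config SERVER PORT PROTOCOL TLS [FILTER] [NAME]" >&2; return 1; }
  server=$1; port=$2; protocol=$3; tls=$4
  filter=${5:-audit,application}; name=${6:-central-syslog}
  ca_cert=${CA_CERT:-}; client_cert=${CLIENT_CERT:-}; client_key=${CLIENT_KEY:-}

  case $protocol in tcp|udp|relp) ;; *) echo "protocol must be tcp, udp or relp" >&2; return 1 ;; esac
  case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
  case $tls in true|false) ;; *) echo "tls must be true or false" >&2; return 1 ;; esac
  # --filter is a comma-separated list drawn from audit, application, none
  ( IFS=,; for f in $filter; do
      case $f in audit|application|none) ;; *) echo "unknown filter '$f'" >&2; exit 1 ;; esac
    done ) || return 1

  if [ "$tls" = true ]; then
    [ -r "$ca_cert" ] || { echo "TLS needs CA_CERT: a PEM file with the full CA chain" >&2; return 1; }
    if [ -n "$client_cert$client_key" ]; then
      [ -r "$client_cert" ] && [ -r "$client_key" ] \
        || { echo "CLIENT_CERT and CLIENT_KEY must both be readable" >&2; return 1; }
    fi
  elif [ "${ALLOW_PLAINTEXT:-0}" != 1 ]; then
    echo "refusing to forward logs over plaintext $protocol; set ALLOW_PLAINTEXT=1 to override" >&2
    return 1
  fi

  # Build the argument list exactly as csadm expects it, then execute it.
  set -- "$CSADM" log forward add-config --server "$server" --port "$port" \
         --protocol "$protocol" --tls "$tls" --filter "$filter" --config-name "$name"
  if [ "$tls" = true ]; then
    set -- "$@" --ca-cert "$ca_cert"
    if [ -n "$client_cert" ]; then
      set -- "$@" --client-cert "$client_cert" --client-key "$client_key"
    fi
  fi
  "$@"
}

# Pull the configuration UUID out of `csadm log forward show-config`; it is
# what update-config and remove-config key on. Fails if no UUID is printed.
log_forward_uuid() {
  "$CSADM" log forward show-config \
    | grep -oiE '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' | head -n 1 | grep .
}

# Stop forwarding without discarding the server details (--filter none) ...
log_forward_pause() {
  uuid=$(log_forward_uuid) || { echo "no log forwarding configuration found" >&2; return 1; }
  "$CSADM" log forward update-config --uuid "$uuid" --filter none
}

# ... and resume it with the given filter (default: audit and application logs).
log_forward_resume() {
  uuid=$(log_forward_uuid) || { echo "no log forwarding configuration found" >&2; return 1; }
  "$CSADM" log forward update-config --uuid "$uuid" --filter "${1:-audit,application}"
}

# Stand-alone use: forward.sh SERVER PORT PROTOCOL TLS [FILTER] [NAME]
if [ $# -ge 4 ]; then
  log_forward_add_config "$@"
fi
```

Run it as `CA_CERT=/path/to/chain.pem sh forward.sh syslog.example.net 6514 tcp true audit`; with `CSADM=echo` it prints the exact csadm command line instead of executing it, which is a convenient way to review the arguments before touching a production node. Pause and resume are deliberately implemented with update-config and --filter, as the section above describes, rather than with remove-config, so the server, port and TLS settings stay in place while forwarding is off.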