FortiSOAR Admin CLI
An administrator can use the FortiSOAR Admin CLI (csadm) to perform various functions such as backing up and restoring data, and to run various FortiSOAR commands such as starting and stopping services and collecting logs.
Prerequisites
To run csadm, you must log in as root or have sudo permissions.
FortiSOAR Admin CLI - Usage
Once you type # csadm on the command prompt, the usage and subcommands of the FortiSOAR Admin CLI are displayed as shown in the following image:
To perform a particular task in FortiSOAR using csadm, type # csadm followed by the subcommand and the subcommand's arguments (if any). For example, to change the hostname, use the following command:
# csadm hostname --set [<hostname to be set>]
You can get help for a particular subcommand by running either of the following commands:
# csadm <subcommand>
# csadm <subcommand> --help
csadm supports the following subcommands:
Subcommand | Description |
---|---|
certs | Generates and deploys your certificates. You can use the following arguments with this subcommand: |
db | Performs operations related to the database. From version 7.0.0 onwards, you can also back up and restore the data of your external Secure Message Exchange (SME) system by using the following arguments with the db subcommand: |
ha | Manages your FortiSOAR High Availability cluster. For more information about HA and its commands, see the High Availability support in FortiSOAR chapter. |
hostname | Changes the name of the host and the Fully Qualified Domain Name (FQDN) based on the parameters you have specified. You can use the following arguments with this subcommand: |
license | Manages your FortiSOAR license. You can use the following arguments with this subcommand: |
user (introduced in version 7.0.1) | Manages your FortiSOAR users. You can use the following options with this subcommand: |
mq | FortiSOAR message queue controller (RabbitMQ) functions. You can use the following options, which are enhanced in version 7.0.2, with this subcommand: |
log | Performs log collection and forwarding of syslogs. You can use the following option and arguments with this subcommand: |
secure-message-exchange | Manages the default secure message exchange server available with a FortiSOAR node. A secure message exchange establishes a secure channel that is used to relay information to the agents or tenant nodes. |
source-control | Allows import or export of FortiSOAR configurations, such as MMD and SVT updates along with playbooks and other required configuration changes, between systems. This is required for Continuous Integration/Continuous Delivery (CI/CD), a pipeline that automates your software delivery process: the pipeline builds code, runs tests (CI), and safely deploys a new version of the application (CD). You can use the following options with this subcommand: |
services | FortiSOAR services controller (RabbitMQ) functions. You can use the following arguments with this subcommand: |
network | Manages network operations. You can use the following options with this subcommand: |
system (introduced in version 7.0.2) | Manages system settings. You can use the following options with this subcommand: |
package (introduced in version 7.0.2) | Installs, updates, or removes connectors (RPM packages) from your FortiSOAR system. |
CLI commands used for forwarding syslogs
Use the csadm log forward command to forward FortiSOAR logs to your central log management server that supports an Rsyslog client. You can use the following options with this subcommand:
- add-config - csadm log forward add-config: Adds configuration details for the syslog server to which you want to forward the FortiSOAR logs. You can use the following arguments with this option:
  - --server: Hostname of the syslog server to which you want to forward the FortiSOAR logs.
  - --port: Port number that you want to use to communicate with the syslog server.
  - --protocol: Protocol that you want to use to communicate with the syslog server. You can specify tcp, udp, or relp.
  - --tls: To securely communicate with the syslog server, set --tls to true. If you enable TLS, then in the --ca-cert argument you must specify the path to the CA certificate PEM file, including the filename, which contains the complete chain of CA certificates. If you have a client certificate for your FortiSOAR client, then in the --client-cert argument you must specify the path to the client certificate PEM file including the filename, and in the --client-key argument the path to the client key PEM file including the filename.
  - --filter: Comma-separated list of filters to specify the type of logs that you want to forward to your syslog server. Valid values are application, audit, and none; by default all the logs, i.e., application and audit logs, are forwarded. For example, if you want to forward audit logs only, specify --filter=audit. If you specify --filter=none, then no logs are forwarded, i.e., log forwarding is temporarily disabled. To enable log forwarding again, use the update-config option with the --filter argument, for example, csadm log forward update-config --uuid <UUID of configuration> --filter <audit,application>.
    Note: You can define the rules to forward audit logs using the FortiSOAR UI. For more information, see the System Configuration chapter.
  - --config-name: Name of the configuration in which you want to store the log forwarding configuration details.
  Note: Validation checks, such as whether the syslog server is reachable on the specified port, are run before adding the syslog server, and the syslog server is added only if the configuration details entered are valid.
- show-config - csadm log forward show-config: Displays configuration details of the syslog server such as the server's IP address, protocol, TLS information, UUID of the configuration, etc.
- remove-config - csadm log forward remove-config --uuid <UUID of configuration>: Removes the syslog configuration based on the configuration UUID you have specified. To find the UUID of your configuration, use the show-config option.
- update-config - csadm log forward update-config --uuid <UUID of configuration>: Updates the syslog configuration based on the configuration UUID you have specified. To find the UUID of your configuration, use the show-config option. You can update any or all of the options mentioned in the add-config subcommand. Use the update-config option with the --filter argument to re-enable temporarily disabled log forwarding.

You can configure only a single syslog server. If you have already configured a syslog server and you try to add a new one, FortiSOAR displays warning messages informing you that a syslog server is already configured and that adding a new syslog server will remove the already configured one. Further processing is done based on your response (yes/no) to these messages.
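As an added example that is not part of the FortiSOAR documentation or product: a small Python pre-flight helper that checks a log-forwarding configuration against the constraints described above (protocol and filter values, TLS needing the CA chain, a client certificate needing its key, update-config needing the UUID from show-config) and builds the csadm argument list. The function names, the dict keys, the rule that add-config needs at least a server and port, and the rule that the none filter cannot be combined with other filters are assumptions; it does not run csadm or the reachability checks, which csadm performs itself.

```python
VALID_PROTOCOLS = {"tcp", "udp", "relp"}
VALID_FILTERS = {"application", "audit", "none"}
# (dict key, csadm argument) in the order the arguments are documented above
FLAGS = [("server", "--server"), ("port", "--port"), ("protocol", "--protocol"),
         ("tls", "--tls"), ("ca_cert", "--ca-cert"), ("client_cert", "--client-cert"),
         ("client_key", "--client-key"), ("filter", "--filter"), ("config_name", "--config-name")]


def normalize_filters(value):
    """Split a comma-separated --filter value, validate it, and return the list."""
    filters = [f.strip() for f in value.split(",") if f.strip()]
    bad = set(filters) - VALID_FILTERS
    if bad:
        raise ValueError(f"unknown filter value(s): {sorted(bad)}")
    if "none" in filters and len(filters) > 1:  # assumption: 'none' stands alone
        raise ValueError("'none' disables forwarding and cannot be combined")
    return filters


def forwarding_disabled(cfg):
    """True when the configuration forwards nothing (--filter=none)."""
    return "filter" in cfg and normalize_filters(cfg["filter"]) == ["none"]


def build_log_forward_argv(action, cfg):
    """Validate cfg (keys as in FLAGS, plus 'uuid') and return the csadm argv list."""
    if action not in ("add-config", "update-config"):
        raise ValueError(f"unsupported action {action!r}")
    argv = ["csadm", "log", "forward", action]
    if action == "update-config":
        if not cfg.get("uuid"):
            raise ValueError("update-config needs --uuid; get it from show-config")
        argv += ["--uuid", str(cfg["uuid"])]
    elif not (cfg.get("server") and cfg.get("port")):  # assumption: minimum for add-config
        raise ValueError("add-config needs at least server and port")
    if "port" in cfg and not 1 <= int(cfg["port"]) <= 65535:
        raise ValueError(f"port out of range: {cfg['port']}")
    if "protocol" in cfg and cfg["protocol"] not in VALID_PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(VALID_PROTOCOLS)}")
    if cfg.get("tls") and not cfg.get("ca_cert"):  # TLS requires the full CA chain
        raise ValueError("--tls true requires --ca-cert with the full CA chain")
    if bool(cfg.get("client_cert")) != bool(cfg.get("client_key")):
        raise ValueError("--client-cert and --client-key must be given together")
    if "filter" in cfg:  # canonical form: trimmed, validated, comma-joined
        cfg = dict(cfg, filter=",".join(normalize_filters(cfg["filter"])))
    for key, flag in FLAGS:
        if key in cfg and cfg[key] not in (None, ""):
            argv += [flag, str(cfg[key]).lower() if key == "tls" else str(cfg[key])]
    return argv
```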