An administrator can use the FortiSOAR Admin CLI (csadm) to perform various functions, such as backing up and restoring data, and to run various FortiSOAR commands, such as starting and stopping services and collecting logs.
csadm you must login as
root or have
Once you type # csadm on the command prompt, the usage and subcommands of the FortiSOAR Admin CLI are displayed.
To perform a particular task in FortiSOAR using csadm, you must type # csadm and then its subcommand and the subcommand's arguments (if any). For example, to change a hostname use the following command:
# csadm hostname --set [<hostname to be set>]
You can get help for a particular subcommand by running the following command:
# csadm <subcommand>
# csadm <subcommand> --help
csadm supports the following subcommands:
Generates and deploys your certificates. You can use the following arguments with this subcommand:
Performs operations related to database.
From version 7.0.0 onwards, you can also back up and restore the data of your external Secure Message Exchange (SME) system, by using the following arguments with the
ha: Manages your FortiSOAR High Availability cluster. For more information about HA and its commands, see the High Availability support in FortiSOAR chapter.
Changes the name of the host and Fully Qualified Domain Name (FQDN) based on the parameters you have specified. You can use the following arguments with this subcommand:
Manages your FortiSOAR license. You can use the following arguments with this subcommand:
Manages your FortiSOAR users. You can use the following options with this subcommand:
FortiSOAR message queue controller (RabbitMQ) functions. You can use the following options with this subcommand:
Performs log collection and forwarding of syslogs. You can use the following option and arguments with this subcommand:
Manages the default secure message exchange server available with a FortiSOAR node. A secure message exchange establishes a secure channel that is used to relay information to the agents or tenant nodes.
Allows import or export of FortiSOAR configurations, such as MMD and SVT updates along with playbooks and other required configuration changes, between systems. This is required for Continuous Integration or Continuous Delivery (CICD), which is a pipeline that automates your software delivery process. The pipeline builds code, runs tests (CI), and safely deploys a new version of the application (CD). You can use the following options with this subcommand:
FortiSOAR services controller (RabbitMQ) functions. You can use the following arguments with this subcommand:
Manages network operations. You can use the following options with this subcommand:
Manages system settings. You can use the following options with this subcommand:
Installs, updates, or removes connectors (RPM packages) from your FortiSOAR system.
Use the csadm log forward command to forward FortiSOAR logs to your central log management server that supports an Rsyslog client. You can use the following options with this subcommand:
csadm log forward add config: Adds configuration details for the syslog server to which you want to forward the FortiSOAR logs. You can use the following arguments with this option:
--server: Hostname of the syslog server to which you want to forward the FortiSOAR logs.
--port: Port number that you want to use to communicate with the syslog server.
--protocol: Protocol that you want to use to communicate with the syslog server. You can specify
--tls: To securely communicate with the syslog server, set
If you enable TLS, then in the --ca-cert argument, you must specify the path to the CA certificate PEM file which contains the complete chain of CA certificates including the filename.
If you have a client certificate for your FortiSOAR client, then in the --client-cert argument, you must specify the path to the client certificate PEM file including the filename, and in the --client-key argument, you must specify the path to the client key PEM file including the filename.
--filter: Comma-separated list of filters to specify the type of logs that you want to forward to your syslog server. Valid values are application, audit, and none. By default, all the logs, i.e., application and audit logs, are forwarded. For example, if you want to forward audit logs only, then specify
If you specify --filter=none, then no logs are forwarded, i.e., log forwarding is temporarily disabled. To enable the log forwarding again, use the update-config option with the --filter argument. For example,
csadm log forward update-config --uuid < UUID of configuration > --filter <audit,application>.
Note: You can define the rules to forward audit logs using the FortiSOAR UI. For more information, see the System Configuration chapter.
--config-name: Name of the configuration in which you want to store the log forwarding configuration details.
Note: Validation checks, such as whether the syslog server is reachable on the specified port, are run before adding the syslog server, and the syslog server is added only if the configuration details entered are valid.
csadm log forward show-config: Displays configuration details of the syslog server such as the server's IP address, protocol, TLS information, UUID of the configuration, etc.
csadm log forward remove-config --uuid < UUID of configuration >: Removes the syslog configuration based on the configuration UUID you have specified. To know the UUID of your configuration use the
csadm log forward update-config --uuid < UUID of configuration >: Updates the syslog configuration based on the configuration UUID you have specified. To know the UUID of your configuration use the show-config option. You can update any or all of the options as mentioned in the
update-config option with the --filter argument, to enable temporarily disabled log forwarding.
You can configure only a single syslog server. If you have already configured a syslog server and you try to add a new one, then FortiSOAR displays appropriate warning messages informing you that a syslog server is already configured, and that adding a new syslog server will remove the already configured one. Further processing is done based on your response (yes/no) to the messages.
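A pre-flight check for the PEM files named in the --ca-cert, --client-cert and --client-key arguments described above, added here as an example (it is not part of FortiSOAR or csadm). The function names and return codes are assumptions of this example, and it checks file structure and permissions only, not signatures or expiry.

```bash
#!/bin/sh
# Added example: pre-flight for the PEM files given to --ca-cert,
# --client-cert and --client-key. Function names and return codes are assumptions.

# Print the number of CERTIFICATE blocks in a PEM file; fail when the file
# is unreadable, holds no certificate, or has unbalanced BEGIN/END markers.
count_pem_certs() {
    local f="$1" begin end
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    end=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begin" -eq 0 ] || [ "$begin" -ne "$end" ]; then
        echo "no complete certificate block in $f" >&2; return 1
    fi
    echo "$begin"
}

# Usage: check_forward_tls_files CA_BUNDLE [CLIENT_CERT CLIENT_KEY]
# Returns 0 usable, 2 bad CA bundle, 3 cert/key not given as a pair,
# 4 wrong content in cert or key file, 5 key accessible to group or others.
check_forward_tls_files() {
    local ca="$1" cert="${2:-}" key="${3:-}" n perms
    n=$(count_pem_certs "$ca") || return 2
    [ "$n" -gt 1 ] || echo "note: $ca holds one certificate; confirm it is the full chain" >&2
    if [ -z "$cert" ] && [ -z "$key" ]; then return 0; fi
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "client certificate and client key must be given together" >&2; return 3
    fi
    count_pem_certs "$cert" >/dev/null || return 4
    # The key file must hold a private key; the certificate file must not,
    # because certificate files are routinely copied around as public data.
    grep -q -e 'PRIVATE KEY-----' "$key" 2>/dev/null || { echo "no private key in $key" >&2; return 4; }
    if grep -q -e 'PRIVATE KEY-----' "$cert"; then
        echo "private key found inside $cert" >&2; return 4
    fi
    # Characters 5-10 of the ls -l mode string are the group/other bits.
    perms=$(ls -ln "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$key is accessible to group/others" >&2; return 5; }
    return 0
}

# Run as a script: sh preflight.sh /path/ca.pem [/path/client.pem /path/client.key]
[ "$#" -eq 0 ] || check_forward_tls_files "$@"
```

A zero exit status means the files are structurally fit to pass to csadm; the validation that csadm itself runs before adding the syslog server still applies.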