Administration Guides
ECA (Eyeglass Clustered Agent) CLI Commands

Kafka commands

ecactl zk --help  (commands for zookeeper)

ecactl zk shell (opens shell)

ls /superna/eca/turboaudit  (will list sub folders to get status)

ls /superna/eca/turboaudit/ecanodes

ls /superna/eca/turboaudit/auditfolders  (lists the cluster audit folders; select a folder name, append /owner, and use the get command to find the ECA node assigned to that audit folder on the Isilon cluster)


get /superna/eca/turboaudit/auditfolders/00505698f0793f8bbb56fc176e2f7b6e204c_node001/owner

ecactl kafka topics --help

This will list the available flags for kafka.

ecactl kafka topics --describe

This returns information about all Kafka topics. If these commands do not error out, this can be considered a successful test.

ecactl cluster services list  (lists each node and the services running on that node in a distributed cluster with different services running on each node.)

Basic ECA commands

Start ECA cluster

ecactl cluster up

Stop ECA cluster

ecactl cluster down

Check ECA container logs

ecactl logs <CONTAINER>

You can tail the container logs

ecactl logs --follow <CONTAINER>

You can also tail the last ‘n’ lines of the ECA container logs

ecactl logs --follow --tail 100 <CONTAINER>

e.g.: This will output the last 100 lines of the log

Mix command with “grep” 

ecactl logs --follow --tail 100 <CONTAINER>  | grep -i '<KEYWORD>'

Mix multiple container logs  with “egrep”

ecactl logs <CONTAINER> <CONTAINER>  | egrep -i '<KEYWORD>|<KEYWORD>'

Login to ECA container

ecactl containers exec <CONTAINER> /bin/bash 

ECA Cluster-wide log 

ecactl cluster exec 'ecactl logs --follow --tail 100 <CONTAINER>'

Run ECA related script cluster-wide

ecactl cluster exec '/opt/superna/eca/scripts/<SCRIPT_NAME>.sh'

Restart ECA containers cluster-wide

ecactl cluster exec 'ecactl containers restart <CONTAINER>'

Take down single ECA node containers 

Log in to ECA node X (where ‘X’ represents the node ID)

ecactl containers down

To bring up the ECA containers again, log in to ECA master node 1

ecactl cluster up

Run components install eca 

needed before first cluster up (2.5.4)

ecactl components install eca

Get a list of ECA containers and container stats

ecactl containers ps
ecactl cluster status

Stop a specific ECA container

ecactl containers stop <CONTAINER>

Remove a container

ecactl containers rm -f <CONTAINER>

Restart a container

ecactl containers restart <CONTAINER>

Start a container

ecactl containers up -d <CONTAINER>

Delete and re-add an ECA container or a list of containers

New command in 2.5.5+:

ecactl cluster services restart --container <CONTAINER>

ecactl cluster services restart --all --container <CONTAINER>      ← Restart container on ALL nodes

Under the hood:

ecactl containers stop <CONT> && ecactl containers rm -f <CONT> && ecactl containers up -d <CONT>

Check ECA cluster-wide service status

ecactl cluster exec "systemctl status autofs"

Combine ECA cluster-wide commands

ecactl cluster exec '<COMMAND>' && ecactl cluster exec '<COMMAND>'

e.g.: ecactl cluster exec 'docker system df -v' && ecactl cluster exec 'docker stats -a --no-stream'

ECA disk usage check

ecactl cluster exec "df -h"

Mix command with “grep” 

ecactl cluster exec "df -h | grep -i zk"

e.g.: shows zk-ram disk mount information 

ECA cluster-wide disk I/O check

ecactl cluster exec 'iostat -xyz'

Useful ECA commands

Run same command across ECA nodes

ecactl cluster exec "<command>"
ecactl cluster exec 'top -n 1 | grep -i "kib"'

e.g.: ecactl cluster exec 'sudo mount -a'

e.g.: ecactl cluster exec 'sudo umount -l /opt/superna/mnt/audit/_GUID_/_clusterName_'

e.g.: ecactl cluster exec 'sudo systemctl mask autofs'

e.g.: ecactl cluster exec 'sudo systemctl restart docker'

e.g.: ecactl cluster exec 'docker network ls | grep -i node'

e.g.: ecactl cluster exec '/opt/superna/eca/scripts/'

Check hbase health for inconsistencies 

HBase health check and repair are covered in detail HERE

ecactl containers exec hbase-master /bin/bash
bin/hbase hbck 

Check fastanalysis container file for extension

ecactl containers exec fastanalysis /bin/bash
cat ransomwareFilters.json

Run ECA container in debug mode

ecactl containers stop <container_name>
ecactl containers rm -f <container_name>
ecactl containers up -d <container_name> --debug
ecactl logs --follow <container_name>

Schedule cron to restart containers

  1. ecactl cluster exec "sudo -E ecactl components restart-cron set fastanalysis,evtarchive,turboaudit 0 0,6,12,18 \'*\' \'*\' \'*\'"
    1. This command sets the cron on three containers using the cron string shown above, which is the default that should be used. Note: the outer double quotes (") are required for the ecactl cluster exec command.
    2. The password for each node will be required.
  2. sudo -E ecactl components restart-cron set <container>[,<container>[...]] <cron interval>
  3. sudo -E ecactl components restart-cron remove <container>[,<container>[...]]   (this removes the cron setting for one or more containers)
  4. NOTE: can be executed on a single node
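
Because restart-cron runs under sudo, and the cluster-wide form is handed to a shell on every node, it is worth checking the container list and cron fields before they reach the command line. The following is an added example, not Superna code: the function names and the allowed character set for container names are assumptions, and the script only prints the single-node command from item 2 without calling ecactl.

```shell
#!/bin/sh
# Added example: validate restart-cron arguments and print the single-node
# command. Nothing is executed here and ecactl is never called.

# A cron field may hold only digits and the cron operators * , / -
valid_cron_field() {
    case "$1" in
        ''|*[!0-9*,/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: restart_cron_cmd <container>[,<container>...] <min> <hour> <dom> <mon> <dow>
restart_cron_cmd() {
    if [ "$#" -ne 6 ]; then
        echo "expected a container list and five cron fields" >&2
        return 2
    fi
    list=$1
    shift
    # Assumption of this example: container names use a-z, 0-9, '_' and '-'.
    # Empty items (leading, trailing or doubled commas) are rejected too.
    case "$list" in
        ''|,*|*,|*,,*|*[!a-z0-9_,-]*)
            echo "rejected container list: $list" >&2
            return 1 ;;
    esac
    cron=""
    for field in "$@"; do
        if ! valid_cron_field "$field"; then
            echo "rejected cron field: $field" >&2
            return 1
        fi
        # Single-quote every field so the shell never expands '*' as a glob.
        cron="$cron '$field'"
    done
    printf 'sudo -E ecactl components restart-cron set %s%s\n' "$list" "$cron"
}

# The default schedule from the list above: minute 0 of hours 0, 6, 12 and 18.
restart_cron_cmd fastanalysis,evtarchive,turboaudit 0 0,6,12,18 '*' '*' '*'
```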

Copyright Superna LLC