Administration Guides

Eyeglass CLI Commands

Home

Eyeglass CLI Commands

The following Eyeglass CLI commands are available and can be executed directly from the Eyeglass shell or any ssh session to the appliance.

Security CLI Commands

This section covers security related cli commands

Change cluster service account password CLI Command

(2.5.6 or later required) igls adv changepwd --cluster T-A8200 --password 1 --restart true
1. NOTE: --restart true is required for the password to take effect, and will restart the SCA process to have the password change take effect. After using this command, login to the UI, open the jobs icon and verify configuration sync jobs are completing successfully. If restart true is not used, the SCA will need to be restarted at a later time using the command sudo systemctl restart sca.
2. The Eyeglass service account must be used. AD accounts are not supported and not best practice since it reduces availability of the system with dependency on AD DC's
3. igls adv changepwd help

Appliance Management

Disk Management Monitoring

This command and configuration file allows increasing the support backup disk monitor alarm from the default of 800 MB to a higher value. The cli command below re-loads the new monitoring threshold.
Edit this file to change the 2nd rule to a higher value in MB /opt/superna/sca/conf/DiskSpaceMonitorConfig.xml save the file, and run the command below, to allow storing more backups before the alarm will be triggered.
If you get this alarm you can delete old backup files located in /srv/www/htdocs/archive
igls adv reloaddiskspacemonitorrules (this command will update the monitor to use the new limits configured in )

Alarm Database Table Compression Enabled or Disabled

igls adv managealarmdatacompression (this command checks if alarm data compression is abled to store in the database, contact support before attempting to change this)

Easy Auditor CLI commands

These commands are used for Easy Auditor configuration changes.

When a cluster has had auditing enabled a history of audit logs are stored on the cluster. This CLI command can be used to ingest old audit messages for searching. It can also be used to ingest data while ECA cluster was down or unable to reach a cluster to process audit messages.

igls rawsignals bulkLoadTAEvents --file=/opt/superna/sca/tmp/bulkLoadTAConfig.json

A json file is used to specify the cluster, the node names and the compressed files on PowerScale that should be ingested.

Sample file exists on the appliance to edit /opt/superna/sca/tmp/bulkLoadTAConfig.json

Example json file below

[{ "cluster_name": "sourcein8", "cluster_guid": "0050569f9a9f4d819b58261e950907a632ad", "node": [{ "node_id": "node001", "audit_files": ["00000000.gz", "00000001.gz", "00000002.gz", "00000003.gz"] }, { "node_id": "node002", "audit_files": ["00000000.gz", "00000001.gz", "00000002.gz", "00000003.gz"] } ] }]

igls admin eaCsvArchivePath show

Use this to show the current location that csv reports are stored or change this location.

The location can be changed to an NFS mount on the Eyeglass appliance, to allow centralized reports to be stored automatically as they are generated by users. This keeps a secondary copy of all reports or searches executed with Easy Auditor.

Use:

igls admin eaCsvArchivePath set --value=<path where csv files should be saved> (to set the path.)

igls admin eaCsvArchivePath (will show you where they are currently saved. There should be no default, so initially they are not saved anywhere, but the step in the report job will be marked as successful if no path is set.)

Robot Audit

This feature performs continuous auditing by creating user events as an SMB connected user. The events are created, ingested and stored in the database. The Robot audit process runs reports, and counts file and directory events, and logs success or failure. This offers the highest level of confidence that audit data is being processed and stored. The audit lag is the time from when an event is created to when the data is searchable. This sets the time lag value to a value that avoids robot audit failures for a particular environment where event rate may require an increased value. Value is in minutes.

igls easyauditor roboaudit (shows current value)

igls easyauditor roboaudit set --eventlag=15 (sets new value to 15 minutes)

igls easyauditor roboaudit set --runpathreport=true (this command disables the path search that can take variable time to complete, and will exclude this from running as part of the test automation)

Event result percent for Robot Audit

Use only directed by support

igls easyauditor roboaudit set --reportpercent=60

Where did My Folder Go Query Event Limit

This command will set the limit of the number of events returned with a Where did my folder go search. NOTE: The feature has been tested to return 5000 events, over this limit may overwhelm the browsers ablity to display the data.

igls easyauditor folderquerylimit set --limit=2500

Easy Auditor And Ransomware Defender common CLI commands

Easy Auditor and Ransomware Queue Reset to process only recent events versus backlog in the queue

Easy Auditor has real time triggers, if a misconfigured trigger is configured, a back log of detections will end up in the queue to be processed. This will take a long time to process when it was setup in error. This command also applies to Ransomware Defender if a large number of detections occur. Each product has a separate real-time queue for processing, with Ransomware Defender processing taking priority.

If a large back log occurs from an Easy Auditor, or user activity flagged by Ransomware Defender, the following command can be used to skip to the end of the queue, to effectively ignore all previous detections and start processing from the end of the queue.

igls adv eventTriggers set --operation=reset --topic=rsw (will reset the processing on the Ransomware Queue)

igls adv eventTriggers set --operation=reset --topic=ea (will reset the processing on the Real time Active audit triggers Queue for Easy Auditor)

Ransomware CLI commands

Lockout Root SID with SMB disable

Use this command to enable SMB shutdown if root PowerScale user is detected with Ransomware behavior. Cluster wide shutdown of all SMB IO. NOTE: Root user should never be used to access data since it can access all shares regardless of permissions

igls admin lockroot --lock_root

General Ransomware Settings

Use this command to see general Ransomware Defender settings. NOTE: some settings are managed in the GUI.

igls rsw generalsettings

Sample output :

{

"snapshot_expiry_hours": 48,

"escalate": false,

"critical_on": true,

"monitor_only": false,

"snapshotOn": "WARNING",

"lock_root": false,

"root_sids": [

"S-1-1-1-0",

"S-1-22-1-0"

]

}

Default Snapshot Expiry

Use this command to set the expiry default time on pro-active snapshots.

igls rsw generalsettings set --snapshot_expiry_hours 72

Security Guard Delay Detection

Use this command to change security timer to delay failure message when audit events are behind on the cluster.

igls rsw securityguardsettings help

demo2:/opt/superna/sca/conf # igls rsw securityguardsettings help

show(default):

Provides the following options:

1. Set security guard wait for event timer in seconds.

2. Set security guard restore timer in seconds.

set --<option>=<value>

Valid Options: sg_waitforevent_timer_seconds and sg_restore_timer_seconds

Example - set event timer :

igls rsw securityguardsettings set --sg_waitforevent_timer_seconds=600

Example - set restore permissions timer :

igls rsw securityguardsettings set --sg_restore_timer_seconds=600

NFS Event Processing and lockout

This section shows how to enable NFS IO processing and enable lockout for Ransomware events. This single command will process NFS IO, and apply lockouts based on thresholds configured in the GUI. The lockout function will remove the client ip address from the export definition to lockout the NFS host. It will not check host names to map them to IP addresses in this release. Consult documentation for Lockout configuration.

To set the value from default of disabled to enabled:

igls rsw nfsevents set --enabled=true

To check the value that is currently set for NFS lockout:

igls rsw nfsevents

Extensions Whitelist

The file extension list tracks over 2000 well known extensions used in Ransomware incidents. Sometimes these are valid extensions in customer environments or applications. These CLI commands can be used to whitelist extensions by adding them to an allowed list.

igls rsw allowedfiles add --extensions=’.ext1’ (add an extension to the list)
igls rsw allowedfiles (list all allowed files)
igls rsw allowedfiles remove --extensions=’.ext1’ (remove an extension from the list)

False Positive Override per user

Contact support to enter values. Commands are provided as a reference, but support should be involved to provide values to modify user threat level settings. These command use SID to add or delete. The side cache file can be used to find the user name for a given SID. To read this file login to Eyeglass VM via ssh and run this command "cat /opt/superna/sca/data/ad_principal_cache.json" to see the SID and user names.

Add an override for a user
- igls rsw RSWUserOverride post --user=S-1-5-21-826284354-1834749432-1846952604-4825 --tdid=03 --parameter=X --multiplier=16.008001000000004
Delete an override for a user
- igls rsw RSWUserOverride delete --sid=S-1-5-21-826284354-1834749432-1846952604-4825 --tdid=03 --parameter=X --multiplier=16.008001000000004
View the current overrides set by flag as false positive
- igls rsw RSWUserOverride get

all command line inputs and outputs will use a SID. Resolve these to and from the SID format using the cache file above or AD tools. All entries in the file should be by SID. "[ SID ] : [ Threat detector ID ] : [ Parameter ID ] : [ Multiplier ]"

Restore a locked out User when Security Event in Error State

This command would be used only when a locked out user security event has an error due to cluster reachability, or some shares were not unlocked. This command will re-attempt the recovery of a user’s share access. NOTE: do not use this command if you assigned users directly to shares versus using AD groups.

igls rsw restoreaccess set --user=<value> (where value is domain\user, note use uppercase domain name and quotes)

example: igls rsw restoreaccess set --user="TESTDOMAIN\usera"

A new igls CLI is defined to restore all access to all shares for a user. The cli command is "igls rsw restoreaccess set --user=<value>"

This CLI scans the Eyeglass database, finds all shares that have a "deny" for the user based on AD group membership only.

The CLI builds and executes the restore job for all of these shares.

This CLI is only used by Superna support in the case where there was a lockout that reported no shares successfully locked out, but where deny flags actually were applied on the PowerScale.

Test Step:

Have an Error state where no shares are saved in the database (i.e. "none lockedout" under "Shares" column in Ransomware Defender table).

Apply the command.

Expected Results:

The user is restored accessed to all shares he was assigned to.

Note:

Restoring access to a user who happened to be in a group added to this share. And not for a user who is directly added to this share.

Ranswomare Defender Banned file Version Apply Commands

These commands require 2.5.7 release
These commands allow apply a new version of the banned file lists from the ECA cluster. Note The ECA nodes require Internet access to download and apply new versions of the banned file list.
ecactl rsw versions list: Returns the list of all installed ransomware defender versions, in the <YYYYMMDD> format, and displays which one is active.
ecactl rsw versions sync: Fetches any versions from google storage that don't currently exist on the system
ecactl rsw versions apply <--version YYYYMMDD>: Sets the active version file to the one named in the argument.

Ransomware Defender AirGap CLI commands

igls airgap disable (quick disable all policies, no syncing will occur, this is a maintenance state)

igls airgap enable (quick enable all policies)

igls rsw airgappolicysync {enable, disable}

If set to disable send major alarm ("airgap policy sync state disabled by administrator")

Temporary Maintenance Command

It is also possible to open an airgap for maintenance but specify a time period to leave the network open before it automatically closes. Use the connect and disconnect commands. The timeout ensures the network is not left open by accident exposing data to the network.

igls airgap connect help

Usage:

igls airgap connect --job=<job-name> --timeout=<duration>[m|h]

igls airgap connect --policy=<policy> --source=<source> --timeout=<duration>[m|h]

Enable network connection to the target device of an airgap policy with a timeout that will auto close the network connection once the timeout is reached.

Required arguments:

--job=<job-name> Use config settings of given AirGap job to enable network connection to it's target device.

--policy=<policy> Use config settings of AirGap <policy> to enable network connection to it's target device.

--source=<source> Name of the source cluster for the given AirGap policy.

--timeout=<duration>[m|h] Duration of time to keep the connection to the given AirGap policy's target device. You can follow the duration by the = suffix 'm' to indicate minutes or 'h' to indicate hours. If no suffix is given, duration defaults to minutes.

igls airgap disconnect help

Usage:

igls airgap disconnect --job=<job-name> OR use

igls airgap disconnect --policy=<policy> --source=<source>

Disable network connection to the target device of an airgap policy, without waiting for the time out period.

Required arguments:

--job=<job-name> Use config settings of given AirGap job to disable network connection to it's target device.

--policy=<policy> Use config settings of AirGap <policy> to disable network connection to it's target device.

--source=<source> Name of the source cluster for the given AirGap policy.

igls adv failovermode

This command is for a large number of policy failovers. It changes the default behavior of sequential make writable and resync prep commands to allow up to 10 parallel make write commands, or resync prep commands to be issued to the cluster at once. If a job on the cluster finishes, another is sent with the goal of keeping 10 jobs always running on the cluster until failover is complete.

High Speed Failover - Parallel Failover Flag Notes :

Allows make write step and resync prep to run in parallel with up to 10 threads, ensures that 10 policies are submitted to be processed at all times.
Testing has shown these steps for large quantity policy failover can improve failover times 3x to 4x.
Risk of a policy failure increases, and new flag will NOT stop the failover in progress. The process will continue to issue api calls to submit all SyncIQ policies in the failover job until all have been submitted. This runs the risk of more complex recovery if more than one policy fails to complete its step (Allow Writes OR resync Prep) .

igls adv failoverSettings set --parallel=true (defaults to true as of 2.5.5 release), not recommended to disable this contact support.

igls adv failovertimeout

Display the per step timeout for failover tasks. Advanced setting. Default 45 minutes. For very large policies (see Eyeglass and PowerScale DR Best Practices), igls adv failovertimeout can be increased to suggest value of 180 minutes.

igls adv failovertimeout get (returns current value)

igls adv failovertimeout set --minutes 180 (sets)

igls adv full sync

This advanced option should be enabled only after consulting with Superna support first. It overcomes a scenario where NFS exports are created with FQDN for client lists, and the FQDN values are NOT resolvable by the DR or target cluster. This scenario happens when DHCP leases expire DNS resolution, OR if FQDN values do not resolve any longer, and it's not possible to clean up this condition. OneFS 8 API behavior denies the creation of the exports with unresolved FQDN client list entries, and requires the force flag to override cluster rules on export creation. The force create override flag is disabled by default in Eyeglass to avoid conditions where duplicate exports are created.

Behavior

This sync mode will delete all shares and exports found on the target cluster that DO NOT exist on the source. This creates a full sync. The default option in Eyeglass will leave any shares or exports found that do not exist on the source. With this option enabled, all extra config will be deleted to make an exact copy on the DR/target cluster.

igls adv fullsync set --fullsync=<true/false>

Default is false

igls adv runbookrobot

Allows a mode where the export auto create and update is disabled, and can be manually created on the Robot policy path, set the export settings with Eyeglass appliance ip address as root client, and other settings can be enabled manually. Each robot run will no longer create or update the export.

Default is true.

igls adv runbookrobot set --createExport=false

igls admin ignoreunresolvablehosts

This command can be used to enable or disable config sync of exports to allow client lists with unresolvable DNS or Netgroup entries. It is best practice to allow the DR cluster to resolve host names, or data will not be mountable after a failover.

The default setting is disabled and will raise and configuration sync error when attempting to create an export on the DR cluster when the DR cluster cannot resolve the client list host name or Netgroup.

igls admin ignoreunresolvablehosts set --value=true (use this command to allow unresolvable hosts on exports to sync)

igls admin ignoreunresolvablehosts set --value=false (use this command to disable it)

igls admin ignoreunresolvablehosts (use this command to see current value)

igls admin health

Display the overall health status of the Eyeglass appliance.

~> igls admin health

{

"success": true

}

igls admin appid

Display the appliance id of the Eyeglass appliance.

~> igls admin appid

{

"applianceCode": [

]

}

igls admin version

Display the Eyeglass component versions.

~> igls admin version

[

{

"release": [

"38"

"version": [

"1.3"

"name": [

"eyeglass_ui"

]

{

"release": [

"34"

"version": [

"1.3"

"name": [

"eyeglass_rest"

]

{

"release": [

"64"

"version": [

"1.3"

"name": [

"eyeglass_sca"

]

}

]

igls alarm active

Retrieve the current active alarm list.

~> igls alarm active

{

"sync_key": "Share3-SystemZone",

"code": "SCA0002",

"severity": "Critical",

"timestamp": 1430350806854,

"source": "Share3-SystemZone",

"message": "Found a replication job where either the sou

rce or destination is not a managed network element.",

"extra_data": "{\"info\":\"The replication job for polic

y 'Share3-SystemZone' cannot be created because the target host

cannot be identified.\"}"

}

Note: To view this list incrementally, you can use the command:

~> igls alarm active | more

igls alarm all

Display the total alarms received in “results”.

~> igls alarm all

{

"rows": [],

"alarmsPerPage": "50",

"results": "889"

}

igls alarm settings

This new command allows controlling the severity of any alarm and can be used to disable an alarm completely. Use with caution.

igls alarm settings help

Allows to set the following options for alarms:

1. Enable or disable raising alarm. Setting "raise" to false disables raising alarm.

2. Enable or disable alarm email notification. Setting "email" to false disables alarm email.

3. Setting alarm severity.

--raise= false (disables the alarm)

--severity= (sets the severity of the alarm to the value entered here)

--email= (sends alarm true or false, if false it will display in the gui but no email or other method of alarm notification will be executed)

List of alarm codes can be found here.

igls appliance upgrade

Use for on line upgrade of the appliance software.

Usage: igls app upgrade [OPTIONS]

Download Eyeglass installer - update Eyeglass appliance

Options:

--url TEXT URL of an Eyeglass installer (optional)

--help Show this message and exit.

igls appliance restore

Restore Eyeglass data and configuration from Eyeglass Archive.

Note: must be logged in as admin or root user.

~> igls app restore

Release 2.5.5 or below

Usage: igls app restore [OPTIONS]
--anyrelease (this allows a version mismatch between the backup file appliance version and the target appliance version, this will skip restore of many items, check the upgrade guide for details. Retains licenses, and clusters and passwords)

Release 2.5.6 or later

igls app restore /srv/www/htdocs/archive (pass in a path and all available files are scanned to list the most recent backup found, and presents the file name with yes no option to proceed)
Or igls app restore /srv/www/htdocs/archive/backupfile.zip (This option allows full path to the file you want to restore)

igls appliance rediscover

This command should be used when directed by support. It will rebuild the Eyeglass database and preserve job status in the jobs icon with release 1.8 or later. The “igls appliance rediscover command” will prompt yes to continue. NOTE: It will preserve the quota request, data recovery databases.

Upon completion refresh the UI login screen. Go to running jobs to see initial discovery job is running to repopulate cluster information in the database inventory icon.

Once completed the job definition screen will show the jobs in previous state and show as pending . The jobs will run again on next scheduled interval or, you can force them to run with the “run now” option.

igls appliance report

(diagnostic log parsing tool run command) This command is for dark or secure sites where on site log analysis is required. The report summarizes all api, ssh and other errors, config sync analysis, failover analysis of each attempt and success or failure.

Run command: igls appliance report.
Wait for the report to complete.
See logs report on: https://<eyeglass IP address>/report/ .

Please refer to document: Eyeglass Backup and Restore .

Advanced CLI Commands

igls adv adserver

This command is used to build a user to SID cache information used by Eyeglass, Ransomware Defender, Storage cluster monitor and Easy Auditor. This avoids API lookups for user and AD information. In very large AD environments with 10 000 of thousands of users and groups it is more efficient to collect this information directly from AD domain controllers. This is also more reliable method to collect this information. This command can be used for an AD provider and configure a user to collect this information using LDAP from the domain controller.

igls ad adserver help -- displays help of the command

list(default): it shows all saved AD servers for which the user cache will be built directly from the server and not from the PowerScale

set:Allows adding AD servers to the list. Each entry will have the following parameters:

--server=<value> (the AD server name or LDAP provider-it has to match the value from the PowerScale)

--domain=<value> (domain name),

--basedn=<value> (the distinguished name from where the server will search for users),

--logindn=<value> (distinguished name for the connecting user),

--password=<value>

and optional parameters which are:

--loginhost=<value> i(p or hostname of AD domain controller)

--ssl={true|false} (default is false),

--port=<value> (default is 389 for SSL off, 636 otherwise).

delete: deletes the entry specified by:

--server=<value> or

--all=true (deletes all entries of the list).

Examples:

--server=AD2.TEST (note this is the value shown in the PowerScale GUI for auth provider name

--baseDn=DC=ad2,DC=test (Distinguished to the start the search for users and groups)

--logindn=CN=Administrator,CN=Users,DC=ad2,DC=test (Distinguished to the user, used to authenticate to AD, can be normal user account)

--domain=AD01 (netbios name of the domain)

--loginhost= ip address of a domain controller

--ssl=false

--port=389

example command

Add AD configuration - see example below change yellow values:
1. igls adv adserver set --server=AD1.TEST --basedn=DC=ad1,DC=test --logindn=CN=Administrator,CN=Users,DC=ad1,DC=test --domain=AD01 --loginhost=172.16.80.6 --ssl=false --port=389 --password=3y3gl4ss!
2. Example when users are stored in a different OU:
  1. igls adv adserver set --server=RNSM04-05.SUPERNA.NET --basedn=OU=t11543,DC=rnsm04-05,DC=superna,DC=net --logindn=CN=Administrator,CN=Users,DC=rnsm04-05,DC=superna,DC=net --domain=RNSM04-05 --loginhost=172.22.4.155 --ssl=false --port=389 --password=3y3gl4ss!
Delete AD configuration:
1. igls adv adserver delete --server=AD1.test
2. igls adv adserver delete --all
List all AD configurations:
1. igls adv adserver list

igls adv initialstate

Display and update initial state when Eyeglass creates a new Job. This command supports changing the initial state for the following Eyeglass Job types: ZONES, AUTO, CUSTOM, QUOTAS.

~> igls adv initialstate help

show(default):

Displays the initial states for new jobs.

set --<type>=<state>:

sets a job type to have a specific initial state.

Valid states are: enabled, disabled.

Valid types are: ZONES, AUTO, CUSTOM, QUOTA

Default: is shown below

Examples:

~> igls adv initialstate show

{

"ZONES": "USERDISABLED",

"AUTO": "ENABLED",

"QUOTA": "ENABLED",

"CUSTOM": "ENABLED"

~> igls adv initialstate set --custom=disabled

{

"success": true

}

igls adv PolicyFailover

Enable and disable Eyeglass Configuration Replication task during SyncIQ Policy Failover.

~> igls adv PolicyFailover set --disablereplication=<state>

Valid states are: true, false

Examples:

Disable Eyeglass Configuration Replication task during SyncIQ Policy Failover:

~> igls adv PolicyFailover set --disablereplication=true

{

"success": true

}

Enable Eyeglass Configuration Replication task during SyncIQ Policy Failover:

~> igls adv PolicyFailover set --disablereplication=false

{

"success": true

}

Igls adv rundedupe

Disable dedupe setting process while allowing LiveOPS snapshot jobs to execute. All clusters global command.

igls adv rundedupe set --rundedupe=true/false (default true)

igls (disable new validations)

Prerequisite: 2.5.6 or later

This command will disable SPN AD delegation, dual dns delegation validations if they are not able to execute in a specific environment or of SPN's or dual DNS is not configured.

To display settings:

igls adv readinessvalidation

NOTE: if nothing is returned then default settings are in effect

To modify settings:

igls adv readinessvalidation set --[spnsdelegation|dualdelegation]=[true|false]

Example

igls adv readinessvalidation set --spnsdelegation=false

igls adv readinessvalidation set --dualdelegation=false

igls adv readinessvalidation set --spnsdelegation=false --dualdelegation=false

igls admin schedules

Display and update schedule for Eyeglass tasks. This command supports enabling, disabling and updating the schedule for the following tasks: Configuration Replication, Eyeglass Reports, Zone Readiness, Runbook Robot.

~> igls admin schedules list

[

{

"interval": "*/1 * * * *",

"enabled": true,

"id": "EventAuditProgress",

"label": "Event Audit Progress Monitoring" NOTE: Used with Easy Auditor to check audit lag

{

"interval": "0 0 * * *",

"enabled": true,

"id": "InventoryReport",

"label": "Eyeglass Reports" NOTE: Used with DR product configuration reports

{

"interval": "*/15 * * * *",

"enabled": false,

"id": "PrintInventoryToSyslog",

"label": "Print Inventory to Syslog" NOTE: Used with DR product

{

"interval": "0 0 * * *",

"enabled": true,

"id": "QuotaRequestsReport",

"label": "Quota Requests Report" NOTE: Used with cluster Storage Monitor product

{

"interval": "*/1 * * * *",

"enabled": true,

"id": "RSWEventsMonitor",

"label": "Ransomware Events Monitoring" NOTE: Used with Ransomware Defender

{

"interval": "*/1 * * * *",

"enabled": true,

"id": "RSWHbaseScan",

"label": "Ransomware Hbase Scanning" NOTE: Used with Ransomware Defender to check DB health at an interval

{

"interval": "*/15 * * * *",

"enabled": true,

"id": "Readiness",

"label": "Zone Readiness" NOTE: Used with Dr product assess one and pool readines

{

"interval": "0 0 * * *",

"enabled": true,

"id": "RecoveryShareCleanUp",

"label": "Recovery Share Clean Up" NOTE: Used with cluster storage monitor data recovery share deletion check

{

"interval": "*/5 * * * *",

"enabled": true,

"id": "Replication",

"label": "Configuration Replication" NOTE: Used with DR product to sync config

{

"interval": "0 0 * * *",

"enabled": true,

"id": "RunbookRobot",

"label": "Runbook Robot" NOTE: Used with DR product to ruh continuous DR feature

{

"interval": "0 * * * *",

"enabled": true,

"id": "SecurityGuard",

"label": "Security Guard" NOTE: Used with Ransomware Defender to test end to end detection

{

"interval": "*/1 * * * *",

"enabled": true,

"id": "ServicesScan",

"label": "Services Scanning"

{

"interval": "0 0 * * *",

"enabled": true,

"id": "StorageMonitorReport",

"label": "Storage Monitor Report" NOTE: Used with Cluster storage monitor report

}

]

Eyeglass Reports

The cluster diff report is now run from an igls command. If the the cluster has a large configuration, this report can run for hours. The daily report will not difference configurations and will only send the basic report.

To execute an on demand difference report from today's cluster report to yesterday's use this cli command.

igls adv diffclusterreport

Enable/Disable

To enable/disable the schedule for the Eyeglass Reports, use this command:

igls admin schedules set --id InventoryReport --enabled <true|false>

Examples:

~> igls admin schedules set --id InventoryReport --enabled false

{

"success": true

}

~> igls admin schedules set --id InventoryReport --enabled true

{

"success": true

}

Update Schedule

To change the schedule for the Eyeglass Reports use this command. Valid intervals for reporting are: 1M, 2M, 3M, 4M, 5M, 6M, 10M, 15M, 20M, 30M, 1H, 2H, 3H, 4H, 6H, 8H, 12H, 1D, 7D, 31D.

~> igls admin schedules set --id InventoryReport --interval <interval>

Example:

~> igls admin schedules set --id InventoryReport --interval 7D

{

"success": true

}

Configuration Replication

Enable/Disable

To enable/disable the schedule for Configuration Replication, use this command:

igls admin schedules set --id Replication --enabled <true|false>

Examples:

~> igls admin schedules set --id Replication --enabled false

{

"success": true

}

~> igls admin schedules set --id Replication --enabled true

{

"success": true

}

Update Schedule

To change the schedule for Configuration Replication use this command. Valid intervals for replication are: 1M, 2M, 3M, 4M, 5M, 6M, 10M, 15M, 20M, 30M, 1H, 2H, 3H, 4H, 6H, 8H, 12H, 1D, 7D, 31D.

igls admin schedules set --id Replication --interval <interval>

Example:

~> igls admin schedules set --id Replication --interval 10M

{

"success": true

}

Runbook Robot Schedule Interval

Use this CLI command to change the interval from once per day.

Enable/Disable

To enable/disable the schedule for Runbook Robot, use this command:

igls admin schedules set --id RunbookRobot --enabled <true|false>

Examples:

~> igls admin schedules set --id RunbookRobot --enabled false

{

"success": true

}

~> igls admin schedules set --id RunbookRobot --enabled true

{

"success": true

}

Update Schedule

To change the schedule for RunbookRobot use this command. Valid intervals for Configuration Replication are: 1M, 2M, 3M, 4M, 5M, 6M, 10M, 15M, 20M, 30M, 1H, 2H, 3H, 4H, 6H, 8H, 12H, 1D, 7D, 31D.

igls admin schedules set --id RunbookRobot --interval <interval>

Example:

~> igls admin schedules set --id RunbookRobot --interval 10M

{

"success": true

}

Failover Readiness for Access Zones and IP Pools

Enable/Disable

To enable/disable the schedule for the Zone Readiness job, use this command:

igls admin schedules set --id Readiness --enabled <true|false>

Examples:

~> igls admin schedules set --id Readiness --enabled false

{

"success": true

}

~> igls admin schedules set --id Readiness --enabled true

{

"success": true

}

Update Schedule

To change the schedule for the Zone Readiness job use this command. Valid intervals for reporting are: 1M, 2M, 3M, 4M, 5M, 6M, 10M, 15M, 20M, 30M, 1H, 2H, 3H, 4H, 6H, 8H, 12H, 1D, 7D, 31D.

~> igls admin schedules set --id Readiness --interval <interval>

Example:

~> igls admin schedules set --id Readiness --interval 2H

{

Runbook Robot Mount Export Enable Disable

Default is enabled to mount the cluster and create the test file:

igls adv runbookrobot show (show current value)

igls adv runbookrobot set --mount=true (default)

igls adv runbookrobot set --mount=false

Advanced Commands

igls adv requesttimeout

Description: Sets rest API timeout when cluster or wan responses take longer to return, this value can be increased.

igls adv requesttimeout (displays the timeout value)

igls adv requesttimeout set --inventory <time> (sets the timeout value to <time>)

Example:

igls adv requesttimeout set --inventory 300

igls adv spndelay

Description: used to increase the delay between SPN failover commands, that require domain controller to replicate the delete before the add spn can succeed. Release 1.8.3 removes the need for this command, by pinning spn failover commands to a single node and domain controller.

igls adv spndelay (displays the current setting)

igls adv spndelay set --seconds=<seconds> (set a delay between delete and create SPN during failover)

Example:

igls adv spndelay set --seconds=10

Role Based Authentication Authentication CLI Commands

When proxy login is used to login using pass through authentication to AD an ip address is needed to send an SMB authentication request for the users AD user id and password. This is done using the SMB protocol to a share on PowerScale using the SmartConnect FQDN to a share discovered in the zone. In order to provide a list of SmartConnect FQDN's to use to test the users password, use the CLI commands below. The authentication will use the ordered list below until the password test succeeds to allow the user to login.

During the process the AD groups are also retrieved to map the user to a role defined in the Users icon. If the user matches an AD group role, or a user added directly to a role, then the icons or permissions assigned to the role will display on the Eyeglass desktop.

These commands are used to add SmartConnect FQDN to the Access Zone where the users should authenticate to the AD provider assigned to the Access Zone.

For checking fqdn list: igls admin auth
For adding a new fqdn: igls admin auth add --fqdn <name>
For changing a fqdn: igls admin auth modify --fromfqdn <name> --tofqdn <newName>
For deleting a fqdn: igls admin auth delete --fqdn <name>
For deleting all fqdn's: igls admin auth delete --all true

Cluster Storage Monitor CLI commands

Cluster Storage Reports Schedule CLI Commands

See setting and getting schedules in the CLI section above, to specify job id, get and set functions, and enable and disable actions on scheduled reports.

Igls admin schedules (lists schedules)

Used to enable or disable the daily report for cluster disk usage:

{

"interval": "0 0 * * *",

"enabled": true,

"id": "StorageMonitorReport",

"label": "Storage Monitor Report"

}

Used to schedule the daily summary of quota requests and actions for the daily summary:

{

"interval": "0 0 * * *",

"enabled": true,

"id": "QuotaRequestsReport",

"label": "Quota Requests Report"

Quota collection Job Schedule for Large Quota Clusters Scheduling CLI Commands

Use this CLI command to set a different collection interval for clusters with > 1000 quotas to avoid long configuration sync jobs that detect share,exports for DR syncing.

How to Enable Dedicated Quota Inventory Collection Job and Quota pre-sync

igls admin schedules set --id QuotaInventoryCollection_2_5_3 --enabled true (this enables the schedule and default is every 12 hours)
1. Note: igls admin schedules command will not display QuotaInventoryCollection when it is not enabled
Then restart Eyeglass sca service following steps below in order for change to take effect
1. SSH to Eyeglass appliance
2. Type: sudo su - (to elevate to root - enter admin user password)
3. Type: systemctl restart sca
4. Type: systemctl status sca (to verify sca service active and running after the restart)
Use igls admin schedules to change from twice per day to an alternate schedule. Example - to change to 2 minutes use this:
1. igls admin schedules set --id QuotaInventoryCollection_2_5_3 --interval 2M
2. You should see result success.
You should now see the config job running with one of 2 options showing.
1. The default config sync job for shares and exports will show -- without quotas

Advanced Quota Failover and Inventory collection CLI commands

Enable pre-sync of Quotas on Onefs 8.x clusters (DR licensed feature)

Quotas can be synced with a special configuration sync jobs to sync quotas at the same time shares and exports are synced.

NOTE: If pre-Sync is enabled, quota inventory must be enabled as well, follow steps above to enable the dedicated quota inventory collection job.

To check the pre-sync status

igls adv quotas

Quota Advisory Sync Enabled: true

Quota Advisory Sync Delete Mode: ENABLED

Pre-Sync Quota On Interval: false

To enable pre sync of quotas requires the separate configuration job to be enabled as per above
igls adv quotas set --quotapresync=true
Check that it is now set
igls adv quotas
Verify that pre-sync shows enabled.
Now enable quota dedicated quota collection job following the steps in the previous section. Pre sync is only supported using the dedicated quota collection inventory collection job.If you do not enable the separate quota collection pre sync will not function by design. Not the schedule to pre-sync quotas will be the same as the quota inventory collection schedule.

Cluster Storage Monitor automation quota commands (Cluster Storage Monitor Feature)

This section covers auto advisory quota creation, and quota templates for AD managed quotas.

Note: Requires Storage cluster Monitor license

igls adv quotas help
Igls adv quotas (see current values).
Igls adv quotas set --quotasync=true (this enables the feature, false to disable).
Igls adv quotas set --quotasyncdelete=true (defaults disabled, valid values are enabled/disabled/advanced).

Active Directory Group based Quota Management (Cluster Storage Monitor Feature)

In order to use this AD group based quota management feature and new job type needs to be enabled , that runs on a default schedule of once per day. This group will evaluate the AD to group membership of users, and auto apply quota templates configured in Eyeglass.

Requirements to use this Feature

new AD Group discovery job must be enabled first to retrieve AD groups and users (instructions below)
Separate quota inventory job must be enabled see here for instructions. (optional change schedule)
Create a Storage tier to label quotas (commands below)
Create a template (commands below)
Create ad groups, add users to groups
1. NOTE: Domain Users group cannot be used. A new AD group is required if the goal is a default domain wide quota. To add all domain users to a new AD group easily execute this command on a domain controller. Replace the object name for your domain group name.
2. dsquery user -limit 0 | dsmod group "CN=newgroupname,CN=Users,DC=test ,DC=superna,DC=net" -addmbr
add group to a share
Wait for jobs to run before checking quota screen on Onefs
To trouble shoot look at file on Eyeglass to debug
1. cat /opt/superna/sca/logs/csm.log

NOTE: all references to AD domain should use uppercase characters

How to configure AD group quota scheduled job (Required)

This task will get AD group membership to evaluate which quotas should be applied. This is the task that monitors AD group changes to determine when to apply new quota or upgrade quota to a new tier.

igls admin schedules set --id ADGroupThresholds_2_5_5 --enabled true (this enables the schedule set to be every 2 hours).
1. Note when ADGroupThresholds_2_5_5 is not enabled it will not be displayed using the igls admin schedules command
Then restart Eyeglass sca service following steps below in order for change to take effect:
1. SSH to Eyeglass appliance
2. Type: sudo su - (to elevate to root - enter admin user password)
3. Type: systemctl restart sca
4. Type: systemctl status sca (to verify sca service active and running after the restart)
Verify the schedule is enabled:
1. igls admin schedules
To change the schedule to check user to group AD membership more often than every 2 hours (the default schedule), make the following change with the IGLS command. Example for 10 minutes (this would be for testing only):
1. igls admin schedules set --id ADGroupThresholds_2_5_5 --interval 10M
2. verify with "igls admin schedules"

How to start an onDemand AD Quota scan of AD and Quota creation

Use this command to start the scan job. This should be used for testing purposes.

igls adv ADGroupThresholds

User quotas or group quota templates

Default mode is to create user quotas on templates. A parameter can be added to a template to change the quota type to be a group quota, and apply the group quota on a share where the template AD group has been applied to the permissions list. The command parameter example is shown below on the add template example using the [--quotasmode=[group|<default user>]] option on the create command.

igls csm tier help

Use this command to list storage tiers that have been created to group templates by tier.

list(default):

Lists all the tiers with their list of templates.

add: adds a new tier to the config file.

--id=<value>

delete: removes the tier from the config file.

--id=<value>

igls csm template help

Templates define a quota (hard, soft , accounting) and and AD group is assigned to a template. Templates are assigned to a tier (a label to group templates). The Tier must exist first before assigning a template to a tier.

list [--tier=<value>] [--name=<value>]: by default, lists all the templates from the config file and the tiers they belong to.

The output can be restricted to the tier name and/or the template's group name.

add: adds a new quota in the config file.

--tier=<value>

--name=<value>

[--hard=<value>]

[--hardunit=[PB|TB|GB|MB|KB|B|<default GB>]

[--soft=<value>]

[--softunit=[PB|TB|GB|MB|KB|B|<default GB>]

[--softgrace=<value>]

[--advisory=<value>]

[--advisoryunit=[PB|TB|GB|MB|KB|B|<default GB>]

[--quotasmode=[group|<default user>]]

update: updates an existing entry in the config file. (it takes the same arguments as "add")

delete: removes group from the config file.

--tier=<value>

--name=<value>

igls csm tier

Use this command to list the details of all tiers and the assigned template details.

igls csm templates

Sample output shows tier assigned and AD group of the template.

Group quotas:

AD01\schema admins

tiers: silver

AD01\ai_testgroup

tiers: gold,silver

AD01\bronze

tiers: bronze

AD01\domain admins

tiers: gold

AD01\domain users

tiers: gold

List a specific template

igls csm template --name "AD01\testgroup"

List the template with the tier command to get details of the quota template

igls csm template --tier gold --name "AD01\gold"

List all templates in the gold Tier

igls csm template --tier gold

igls csm template add

Add new AD group template for user quota mode

Example:

igls csm template add --tier=bronze --name="AD01\bronze" --soft=200 --softunit=GB --softgrace=1 --softgraceunit=hours

Add new AD group template for group quota mode

Example:

igls csm template add --tier=bronze --name="AD01\silver" --soft=100 --softunit=GB --softgrace=1 --softgraceunit=hours --quotasmode=group

igls csm template update

Update an existing template

Example:

igls csm template update --tier=bronze --name="AD01\bronze" --soft=10 --softunit=GB --softgrace=1 --softgraceunit=days

igls csm template delete

Example:

igls csm template delete --tier=bronze --name="AD01\bronze" --quotasmode=user

Home Share AD Managed quota Configuration example

Create a tier "igls csm tier add --id="bronze"
Create the template and name the tier
1. igls csm template add --tier=bronze --name="AD01\bronze" --soft=200 --softunit=GB --softgrace=1 --softgraceunit=hours
Apply the Bronze AD group (in this example the domain is AD01) to a share with full control (or rear/write permissions) and move to the bottom of the share permission list. NOTE: This group is not for assigning permissions to users, and is only used to indicate where quotas should be applied. This is why it should be moved to the end of the share list. Security groups should be higher on the share list.
1. This could be on a home directory path and will allow mutiple templates to manage different tiers of quota limits for different users on the same path.
Done.

Group Share AD managed quota Configuration example

NOTE: The default mode for group quota templates (adgroupmode false), will create a group quota for any groups that are members of the template AD group, and found to be assigned to an SMB share. The Best Practice is not to use nested groups, and simply apply the template AD Group to SMB Shares where you want Group quotas created.

Create a tier: "igls csm tier add --id="bronze-group"
Create the template and name the tier: "igls csm template add --tier=bronze-group --name="AD01\bronze-group" --soft=200 --softunit=GB --softgrace=1 --softgraceunit=hours --quotasmode=group " (notice the group mode is set now)
Apply the AD group bronze-group. To a share with full control (or rear/write permissions) and move to the bottom of the share permission list. NOTE: This group is not for assigning permissions to users and is only used to indicate where quotas should be applied. This is why it should be moved to the end of the share list. Security groups should be higher on the share list.
1. This could be on a group share and will allow mutiple templates to manage different tiers of group quotas on the same share path.
Done.

igls adv adgroupmode

NOTE: Use this with caution, it will apply quotas based on user share access. Default is disabled.

Use this command to set the AD group mode used in quota templates. The default is user mode (which means this setting will show false). When enabled (shows true) it means the AD group named in the template will get the list of users and all the users groups, then all shares detected as accessible to each user listed in the groups (based on their AD groups assigned to shares) will have a user quota created on those shares based on the template definition. NOTE: This can create a lot of quotas and limits the user on each share they have access to based on the template definition.

igls adv adgroupmode (show current setting) Display the working mode for group quotas sync, user (default mode) or group mode. set --enabled=[true|false]

igls adv adgroupmode set --enabled=true (enables group mode)

igls adv adgroupmide set --enabled=false (disable group mode)

RPO Reporting CLI Commands

This section contains Eyeglass CLI commands related to the RPO Reporting feature.

igls adv runreports --report_type=rpo

Use this command to manually generate the SyncIQ Job Report and have it emailed. The time that the command is run is the starting time for the report and associated calculations. Each command example below are the type options.

igls adv runreports --report_type=rpo

igls adv skipscreenshots

Use this command to enable or disable RPO chart screenshots in the RPO Report.

To disable screenshots:

igls adv skipscreenshots set --skip=true

To enable screenshots:

igls adv skipscreenshots set --skip=false

CSM Reporting CLI Commands

This section contains Eyeglass CLI commands related to the CSM Reporting feature.

igls adv runreports --report_type=csm

Use this command to manually generate CSM Report and have it emailed.

igls adv runreports --report_type=csm

Advanced Commands Use if directed by support

HBASE Query Commands

igls hbase rowkeyscangenerator --cluster=<GUID> --path=<path> [--starttime=<DateTime>] [--endtime=<DateTime>] [--user=<user>] [--protocol={SMB | NFS}] [--operation={keys | data}] [--explain=<value>] [--dir=<dir>]

The mandatory parameters are the cluster GUID and the path information. Start and end time are optional and will be set automatically to the current day and one day back if missing. If start and end date-time information is provided, it needs to be done in the format dd-MM-yyyy HH:mm:ss. There are no default values for the user or protocol (the above shows the two options acceptable for protocol information).

The parameter operation identifies the type of request being asked for: keys represents the default request type and documents the list of start and end row keys based on the provided information. The resulting row keys will be documented into a file. Note that in this case, the addition of the optional parameter "explain" (the value is not relevant), will break up the row key into its components and document the result as a table in the result file.

The optional parameter dir allows the caller to specify to where the result file is to be written (by default, this is /tmp). The generated file format name is ScanKeys_<CREATION_DATE>.log.

Memory watch dog on Eyeglass

get help

igls adv memorywatchdog help

show(default):

Allows to set and retrieve current values related to the forced garbage collection parameters.

set [--forcegc={true | false}] [--forcegcthreshold=<integer>] to set values or retrieve the current data.

get settings

igls adv memorywatchdog

Set memory threshold for memory watch dog to free up unused memory after crossing a threshold.

igls adv memorywatchdog set --forcegcthreshold=77 (sets GC to run over 77% memory used and writes debug log when this threshold has been crossed)

message sample

"Threshold has been reached, requesting GC to be executed if the GC is actually requested."

Database insertion validation

Default true, this removes orphaned records from db to avoid insertion errors. Do not use without direction from support.

igls adv verifydata [set] [--verify={true | false}]

AD User/group to SID or SID to user/group (Easy Auditor, Ransomware Defender)

These commands can be useful with Easy Auditor or Ransomware defender products to resolve user to SID, group to sid or the reverse.

User command
1. igls adv resolve --user 'RNSM03\rwtest1' (NOTE: use single quotes around the user name and enter the domain in upper case)
2. igls adv resolve --user ''user@domain.com'
3. igls adv resolve --user S-1-5-21-51043000-931826463-941209176-1140
Group command
1. igls adv resolve --group 'RNSM03\rwtesting' (NOTE: use single quotes around the user name and enter the domain in upper case)
2. igls adv resolve --group SID:S-1-5-21-51043000-931826463-941209176-1112 (must add SID: before the sid)