Skip to content

corelight/corelight-client

Repository files navigation

Corelight Sensor Command Line Client

This tool provides a command-line client for the Corelight Sensor, a Bro appliance engineered from the ground up by Bro's creators to transform network traffic into high-fidelity data for your analytics pipeline. Using the command-line client, you can configure and control a Corelight Sensor remotely through its comprehensive RESTful API. See the Corelight Sensor documentation for an extended version of this client overview.

Version:1.5.12
Home:http://www.corelight.com
GitHub:https://github.com/corelight/corelight-client
Author:Corelight, Inc. <[email protected]>

This client is open-source under a BSD license. See COPYING for details.

The command-line client needs Python >= 3.4 with the requests module installed as its main dependency.

The easiest way to install the client is through the Python Package Index:

# pip3 install corelight-client

Alternatively, you can install the latest version from GitHub:

# git clone https://github.com/corelight/corelight-client
# cd corelight-client
# python3 setup.py install

If everything is installed correctly, --help will give you a usage message:

# corelight-client --help
Usage: corelight-client [<global options>] <command> <subcommand> [<options>]
          [--ssl-ca-cert SSL_CA_CERT] [--ssl-no-verify-certificate]
          [--ssl-no-verify-hostname] [--cache CACHE]
[...]

Note that initially, --help will not yet show you any further commands to use. Proceed to the next section to let the client connect to your device.

You need to enable access to the Corelight API through the device's configuration interface. You also need to set passwords for the API users admin (for unlimited access) and monitor (for read-only access). See the Corelight Sensor documentation for more information.

Next, you need to tell the corelight-client the network address of your Corelight Sensor. You have three choices for doing that:

  • Add -b <address> to the command-line.
  • Create a configuration file ~/.corelight-client.rc with the content device=<address>.
  • Set the environment variable CORELIGHT_DEVICE=<address>.

If that's all set up, corelight-client --help will now ask you for a username and password, and then show you the full list of commands that the device API enables the client to offer. If you confirm saving the credentials, the client will store them in ~/.corelight-client/credentials for future reuse. You can also specify authentication information through the Configuration File or as Global Options.

The client offers the API's functionality through a set of commands of the format <command> <subcommand> [options]. By adding --help to any command, you get a description of all its functionality and options.

If the --help output lists a command's option as being of type file, the client requires you to specify the path to a file to send. In addition, you can prefix any option's value with file:// to read its content from a file instead of giving it on the command-line itself.

(Note: The --help output will contain the list of commands only if the client can connect, and authenticate, to the device.)

The corelight-client supports the following global command line options. The --device and --fleet options should be used mutually exclusively from each other. All other options apply to all requests:

--async
Does not wait for asynchronous commands to complete before exiting.
--device
Specifies the network address of a Corelight Sensor device.
--fleet
Specifies the network address of a Corelight Fleet Manager.
--uid
Specifies the UID of a Corelight Sensor managed through the specified Corelight Fleet Manager.
--cache=<file>
Sets a custom file for caching Corelight Sensor meta data.
--debug
Enables debugging output showing HTTP requests and replies.
--password
Specifies the password for authentication.
--mfa
Specifies the 2FA verification code for authentication with the specifed Corelight Fleet Manager. Use '-' to ask the user.
--ssl-ca-cert
Specifies a file containing a custom SSL CA certificate for validating the device's authenticity.
--ssl-no-verify-certificate
Instructs the client to accept any Corelight Sensor SSL certificate.
--ssl-no-verify-hostname
Instructs the client to accept the Corelight Sensor's SSL certificate even if it does not match its hostname.
--socket
Instructs the client to use a unix domain socket for sending requests.
--user
Specifies the user name for authentication.
--version
Displays the version of the corelight-client and exits.
--ignore-meta
Do not send metadata info to sensor API call, unless it's specified on CLI.

The corelight-client looks for a configuration file ~/.corelight-client.rc. The file must consist of lines <key>=<value>. Comments starting with # are ignored. corelight-client support the following keys:

device
The network address of a Corelight Sensor device.
fleet
The network address of a Corelight Fleet Manager.
uid
The UID of a Corelight Sensor managed through the specified Corelight Fleet Manager.
user
The user name for authentication.
password
The password for authentication.
mfa
The 2FA verification code for authentication with a Corelight Fleet Manager. Use '-' to ask the user.
ssl-ca-cert
A file containing a custom SSL CA certificate for validating the device's authenticity.
ssl-no-verify-certificate
If set to false, the client will accept any Corelight Sensor's SSL certificate.
ssl-no-verify-hostname
If set to false, the client will accept the Corelight Sensor's SSL certificate even if it does not match its hostname.
socket
A unix domain socket to use for sending requests.

About

Corelight Sensor API command-line client

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •