The Snowbit STA comes prebuilt with tools and services that automatically handle most of its management tasks, so in normal operation you should not need to do anything.
For the cases where you do need to intervene, the STA ships with a collection of commands for controlling it. In this article we explain each command and when to use it.
When you have finished installing the STA, it is recommended that you run the command
sta-get-installation-id, store its output in a secure place (for example a secrets manager), and then run this command. The installation ID is required to get privileged access to the STA, which our support team might need. Once you run this acknowledgement command, the installation ID is erased from the instance, so make sure you have stored it before running the command.
This command prints output similar to the following, indicating the current status of every service in the STA. If the STA has just been installed, it is normal for some services to take some time (up to 10 minutes) to fully stabilize:
This command tests the connection to Coralogix by sending a dummy event to your Coralogix account. If the event appears in Coralogix within a second or two, the connection to Coralogix is working properly.
Provides the current version of the STA.
By default the STA updates itself automatically. This command requires one additional argument, which is either a
<specific_version> or latest. Note that once you have pinned the STA to a specific version with this command, it will not update itself again until this command is executed again with
"latest" as the argument.
This command returns the STA’s current full configuration as JSON output.
The STA's configuration can be edited locally only when it is not using remote storage such as S3 (using remote storage is highly recommended).
This file holds the full configuration of the STA and all of its components and services.
This command lets you open the configuration in your preferred editor, for example
nano. See the command above for the editing constraints.
If you are using remote storage, you can use this command to validate the schema of the current
sta.conf file. Note that the STA validates the schema on the fly when the configuration is edited, so this command is not mandatory when making configuration changes.
Because the STA's configuration can hold sensitive information that other users should not be able to read, you can encrypt selected values by following the steps shown after running the command.
This command lets you inspect the individual services running within the STA. It requires one additional argument, the name of the desired service. Service names can be found in the output of the
sta-get-status-short command presented above.
This command finds a Suricata rule used by the STA by its SID, as described here: How to Modify an STA Suricata Rule
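The command above does the SID lookup for you on the STA. As an added example (not the STA's command and not Coralogix code), here is a small Python lookup over a Suricata rules file that does the same thing on a constructed sample, so you can see what a SID search has to deal with: rules disabled with a leading '#', the msg and rev options that sit alongside sid, and duplicate SIDs, which Suricata refuses to load. The sample rules, their SIDs (in the 1000000+ range reserved for local rules) and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample rules file (not rules shipped with the STA). SIDs in the
# 1000000+ range are reserved for local rules, so these cannot collide with a
# published ruleset. The second rule is disabled with a leading '#', which is
# how rule management tools express "keep the rule but do not load it".
SAMPLE_RULES = """\
# local.rules (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection to internal host"; flow:to_server,established; classtype:attempted-recon; sid:1000001; rev:2;)
#alert dns $HOME_NET any -> any 53 (msg:"LOCAL disabled DNS query rule"; dns.query; content:"example"; sid:1000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL curl user agent"; flow:established,to_server; http.user_agent; content:"curl/"; startswith; sid:1000003; rev:3;)
"""

ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}

# One rule option: "key;" or "key:value;" where value may be a quoted string.
# Quoted strings can contain ';', so they are matched as a single unit.
_OPT_RE = re.compile(r'\s*([A-Za-z_][\w.\-]*)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


@dataclass
class Rule:
    sid: int
    rev: Optional[int]
    msg: str
    enabled: bool
    raw: str


def parse_rule_line(line: str) -> Optional[Rule]:
    """Parse one Suricata rule line; return None for blank lines and plain comments."""
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    start, end = body.find("("), body.rfind(")")
    if start == -1 or end < start:
        return None
    header = body[:start].split()
    if not header or header[0] not in ACTIONS:
        return None  # a comment that is not a disabled rule
    options = body[start + 1:end].strip()
    opts: Dict[str, Optional[str]] = {}
    pos = 0
    while pos < len(options):
        m = _OPT_RE.match(options, pos)
        if m is None:
            return None  # malformed option block; Suricata would reject it too
        opts.setdefault(m.group(1), m.group(2))
        pos = m.end()
    if opts.get("sid") is None:
        return None  # sid is mandatory for every Suricata rule
    msg = opts.get("msg") or '""'
    return Rule(
        sid=int(opts["sid"]),
        rev=int(opts["rev"]) if opts.get("rev") else None,
        msg=msg[1:-1].replace('\\"', '"'),
        enabled=enabled,
        raw=stripped,
    )


def parse_rules(text: str) -> Dict[int, Rule]:
    """Index a rules file by SID. Duplicate SIDs are an error, as they are for Suricata."""
    rules: Dict[int, Rule] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule_line(line)
        if rule is None:
            continue
        if rule.sid in rules:
            raise ValueError(f"line {lineno}: duplicate sid {rule.sid}")
        rules[rule.sid] = rule
    return rules


def find_rule_by_sid(text: str, sid: int) -> Optional[Rule]:
    return parse_rules(text).get(sid)


if __name__ == "__main__":
    for sid in (1000001, 1000002, 424242):
        rule = find_rule_by_sid(SAMPLE_RULES, sid)
        if rule is None:
            print(f"sid {sid}: not found")
        else:
            state = "enabled" if rule.enabled else "DISABLED"
            print(f"sid {sid} rev {rule.rev} ({state}): {rule.msg}")
```

The lookup deliberately reports disabled rules rather than hiding them: when a SID you expect to fire is found but commented out, that is the answer you were looking for.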
If you have installed Wazuh agents and connected them to the STA, this command displays a list of all the connected agents, like this:
ID: 001, Name: ip-172-31-29-200, IP: any
ID: 002, Name: ip-172-31-29-10, IP: any
ID: 003, Name: ip-172-31-30-89, IP: any
ID: 004, Name: ip-172-31-27-174, IP: any
ID: 005, Name: ip-172-31-31-73, IP: any
ID: 006, Name: ip-172-31-30-60, IP: any
ID: 007, Name: ip-172-31-21-241, IP: any
ID: 008, Name: ip-172-31-17-78, IP: any
ID: 009, Name: ip-172-31-29-40, IP: any
ID: 010, Name: ip-172-31-23-114, IP: any
You can manually add Wazuh agents from other machines using this command. It requires two additional arguments:
the agent name and
the agent IP. To see the constraints on those arguments, run the command with no arguments. Note that if you install Wazuh agents by following our documentation, those agents are added automatically and no action is required.
You can manually remove Wazuh agents using this command. It requires one additional argument:
the agent ID. To get the IDs of all agents, use the
sta-wazuh-list-agents command. Note that the STA monitors each agent, and if no communication is received from an agent for some time, the STA removes it automatically.
This command makes the STA restart all currently connected Wazuh agents.
Use this command to get a Wazuh agent's key. It requires one additional argument:
the agent ID. To get the IDs of all agents, use the agent-listing command described above. Treat the key as a secret: it is what authenticates the agent to the manager, so anyone holding it can register as that agent.
Normally, the STA updates its rule sets for Suricata, Zeek and Wazuh every day at 07:07 AM in the STA's local time. If you want it to update these rules now, run this command.
Normally, the STA attempts to synchronize its configuration files from the S3 bucket configured during installation every three minutes. If you have changed your configuration and want to apply the change now, run this command.
Provides a general overview of the STA's performance, including network, processor, disk and memory metrics.
Provides detailed real-time information about the network usage in the STA.
Launches a "top"-like tool that provides information about processes, threads, memory and task metrics.
Currently supported only for STAs deployed on AWS. This command deletes a Traffic Mirror Session based on a required argument, which is either an available
<traffic_mirror_target_id> (tmt-*) or
This command shows current disk usage broken down by top-level folder. To see disk usage recursively over entire paths, use the following command:
This command dumps all available enrichment cache files to the console. The output is separated per enrichment, each represented as a file; each line has the following format:
Tests the enrichment of data by the various services in the STA.
Useful for on-prem installations where each server has a manually assigned management IP address. In such cases, use this command to specify the address the STA should use.
Useful for on-prem installations. Use this command if you previously used the
sta-set-mgmt-ip command to force the STA to use a manually set IP address on its management network interface and now want to revert to the default (an address obtained from DHCP).
This command tears down the current
management NIC and brings it up again. Use it when you want to restart the management NIC, which handles all of the STA's traffic communication. Expect a brief loss of connectivity to the STA while the interface is restarted.
Run this command to see how storage is used per top-level folder. If you wish to see every folder separately in a recursive manner, use
This command makes the STA collect all available logs from all services, system processes and so on, and compress them into a single archive, so that you can provide our support team with the full state of your STA.
Note: this command is a very heavy process. Use it as a last resort when investigating issues in your STAs, as the archive holds everything and searching it is like looking for a needle in a haystack. Because it holds everything, including configuration, it may contain sensitive data, so transfer and store the archive accordingly.
This command lets you inspect specific metric files and apply aggregation functions over a specific timeframe. The base path for all metric files is
/coralogix/sta/metrics/; from there, locate the desired
Whisper file representing your metric. The supported aggregation functions are:
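The command above runs these aggregations on the STA's own metric files. As an added example (not the STA's command and not Coralogix code), here is a Python reader and aggregator for Whisper's on-disk format, the format those metric files use, run against a file built from constructed samples. It shows what such a command has to handle: a header that records the file's retention and aggregation method, timestamps floored to the archive's resolution (so two samples in the same minute overwrite each other), the ring-buffer layout of the data points, and a timeframe with no data. The function names, the sample values and the set of aggregation functions offered (sum, avg, min, max, last, count) are this example's own, not the STA's supported list.

```python
import os
import struct
import tempfile
from typing import Dict, List, Optional, Tuple

# Whisper on-disk layout (big-endian), as used by Graphite/carbon:
#   metadata  : aggregationType, maxRetention, xFilesFactor, archiveCount
#   archive   : offset, secondsPerPoint, points   (one record per archive)
#   datapoint : timestamp, value                  (ring buffer per archive)
METADATA_FMT, ARCHIVE_FMT, POINT_FMT = "!LLfL", "!LLL", "!Ld"
METADATA_SIZE = struct.calcsize(METADATA_FMT)   # 16 bytes
ARCHIVE_SIZE = struct.calcsize(ARCHIVE_FMT)     # 12 bytes
POINT_SIZE = struct.calcsize(POINT_FMT)         # 12 bytes
# Whisper's own method codes from the header (used when rolling up archives).
AGGREGATION_METHOD = {1: "average", 2: "sum", 3: "last", 4: "max", 5: "min"}

# Aggregations this example applies over a fetched range (example's own set,
# not the STA command's supported list).
AGGREGATIONS = {
    "sum": sum,
    "avg": lambda v: sum(v) / len(v),
    "min": min,
    "max": max,
    "last": lambda v: v[-1],
    "count": len,
}


def create_whisper(path: str, step: int, points: int, aggregation_type: int = 1) -> None:
    """Create a single-archive Whisper file with every slot empty (timestamp 0)."""
    with open(path, "wb") as f:
        f.write(struct.pack(METADATA_FMT, aggregation_type, step * points, 0.5, 1))
        f.write(struct.pack(ARCHIVE_FMT, METADATA_SIZE + ARCHIVE_SIZE, step, points))
        f.write(b"\x00" * (POINT_SIZE * points))


def describe_whisper(path: str) -> Dict[str, object]:
    """Read the header: the file's retention, resolution and aggregation method."""
    with open(path, "rb") as f:
        agg, retention, xff, count = struct.unpack(METADATA_FMT, f.read(METADATA_SIZE))
        offset, step, points = struct.unpack(ARCHIVE_FMT, f.read(ARCHIVE_SIZE))
    return {"aggregation": AGGREGATION_METHOD.get(agg, f"unknown({agg})"),
            "max_retention": retention, "x_files_factor": round(xff, 3),
            "archives": count, "step": step, "points": points, "offset": offset}


def _first_archive(f) -> Tuple[int, int, int, int]:
    """Return (offset, step, points, base_timestamp) of the highest-resolution archive."""
    f.seek(METADATA_SIZE)
    offset, step, points = struct.unpack(ARCHIVE_FMT, f.read(ARCHIVE_SIZE))
    f.seek(offset)
    base, _ = struct.unpack(POINT_FMT, f.read(POINT_SIZE))
    return offset, step, points, base


def update_whisper(path: str, timestamp: int, value: float) -> None:
    """Store one value; the timestamp is floored to the archive's interval."""
    with open(path, "r+b") as f:
        offset, step, points, base = _first_archive(f)
        interval = timestamp - (timestamp % step)
        # An empty archive has base 0: the first write lands in slot 0 and its
        # timestamp becomes the base from which every later slot is computed.
        slot = 0 if base == 0 else ((interval - base) // step) % points
        f.seek(offset + slot * POINT_SIZE)
        f.write(struct.pack(POINT_FMT, interval, float(value)))


def fetch_whisper(path: str, from_ts: int, until_ts: int) -> List[Tuple[int, float]]:
    """Return (timestamp, value) pairs for intervals in [from_ts, until_ts] that hold data."""
    with open(path, "rb") as f:
        offset, step, points, base = _first_archive(f)
        if base == 0:
            return []
        until_interval = until_ts - (until_ts % step) + step
        from_interval = max(from_ts - (from_ts % step), until_interval - step * points)
        out = []
        for t in range(from_interval, until_interval, step):
            f.seek(offset + (((t - base) // step) % points) * POINT_SIZE)
            ts, val = struct.unpack(POINT_FMT, f.read(POINT_SIZE))
            if ts == t:  # a slot holding another cycle's point has a different timestamp
                out.append((ts, val))
        return out


def aggregate_whisper(path: str, from_ts: int, until_ts: int, func: str) -> Optional[float]:
    """Apply one of AGGREGATIONS over the timeframe; None when the range holds no data."""
    values = [v for _, v in fetch_whisper(path, from_ts, until_ts)]
    if not values:
        return None
    return AGGREGATIONS[func](values)


T0 = 28_333_333 * 60  # fixed, minute-aligned epoch for the constructed samples


def run_demo() -> Dict[str, object]:
    """Build a metric file from constructed samples and aggregate over it."""
    fd, path = tempfile.mkstemp(suffix=".wsp")
    os.close(fd)
    try:
        create_whisper(path, step=60, points=1440)  # one day at one-minute resolution
        for ts, value in [(T0, 10.0), (T0 + 60, 20.0), (T0 + 120, 30.0),
                          (T0 + 150, 35.0),  # same minute as T0+120: overwrites it
                          (T0 + 180, 40.0), (T0 + 240, 50.0)]:
            update_whisper(path, ts, value)
        return {
            "header": describe_whisper(path),
            "points": fetch_whisper(path, T0, T0 + 240),
            "sum": aggregate_whisper(path, T0, T0 + 240, "sum"),
            "avg": aggregate_whisper(path, T0, T0 + 240, "avg"),
            "max_middle": aggregate_whisper(path, T0 + 60, T0 + 180, "max"),
            "before": aggregate_whisper(path, T0 - 3600, T0 - 60, "count"),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

Reading the header first is the part worth copying: a metric's step and retention tell you whether the timeframe you are about to aggregate over can hold data at all, and the method code tells you how older points were already rolled up before you aggregate them again.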