Using the command console
If you are a Global Administrator, you can perform certain Security Console operations using the command console. You can see real-time diagnostics and a behind-the-scenes view of the application when you use this tool.
How to access and use the command console
- In Nexpose, click Administration, and click Troubleshoot > Run Commands.
- Enter a command.
- Click Execute.
If you are running the Security Console on an Appliance, you can perform all operations using the Appliance’s LCD or through the Security Console Web interface.
Available commands
The following table contains a list of available console commands and their respective descriptions. You can also generate a list of available commands in the console itself by entering and executing the help command.
Text in square brackets [] contain optional parameters, as explained in the action descriptions. Text in arrow brackets <> contain variables.
| Command | Action |
|---|---|
activate <license-key> | Activate the application with a license key. |
database diagnostics | Check the database for inconsistencies, such as partially deleted sites or missing synopsis data, which can affect counts of assets, sites, asset groups, scans, or nodes as displayed in the Web interface. |
[show] diag[nostics] | Display diagnostic information about the Security Console. |
exit | Stop the Security Console service. |
garbagecollect | Start the garbage collector, a Java application that frees up drive space no longer used to store data objects. |
get property [] | View the value assigned to a parameter associated with the Scan Engine. Example: get property os.version. The Security Console would return: os.version=5.1. If you type get property without a parameter name, the Security Console will list all properties and associated values. You can view and set certain properties, such as the IP socket number, which the application uses for communication between the Security Console and the Scan Engine. Other properties are for system use only; you may view them but not set them. |
heap dump | “Dump” or list all the data and memory addresses “piled up” by the Java garbage collector. The dump file is saved as heap.hprof in the nsc directory. |
help | Display all available commands. |
license request from-email-address [mail-relay-server] | E-mail a request for a new license. The email-address parameter is your address as the requestor. The optional mail-relay-server parameter designates an internally accessible mail server to which the license server should connect to send the e-mail. After you execute this command, the application displays a message that the e-mail has been sent. When you receive the license file, store it in the nsc/licenses directory without modifying its contents. Licenses have a .lic suffix. |
log rotate | Compress and save the nsc.log file and then create a new log. |
ping <host-address> [<tcp-port>] | Ping the specified host using an ICNMP ECHO request, ICP ACK packet, and TCP SYN packet. The default TCP port is 80. |
quit | Stop the Security Console service. |
restart | Stop the Security Console service and then start it again. |
log list | List all logging configuration properties. |
log set [<name>] <value> | Set a logging configuration property to a specified value. Omit the name parameter to set all properties to the specified value. Use log list to view available property names. Available value parameters are: OFF, ERROR, WARN, INFO, DEBUG, and TRACE ALL. |
log reset [<name>] | Reset a logging configuration property to its default value. Omit the name parameter to reset all properties to their default value. Use log list to view available property names. |
log-time-zone list | List possible time zone options that can be set for logs. |
log-time-zone reset | Reset the time zone for all log files to the default GMT time zone. |
log-time-zone set [<timezone>] | Set the time zone for all log files. Use time zone list for available time zone options. Ex: log-time-zone set GMT+04:00 |
[show] schedule | Display the currently scheduled jobs for scans, auto-update retriever, temporal risk score updater, and log rotation. |
show host | Display information about the Security Console host, including its name, address, hardware configuration, and Java Virtual Machine (JVM) version. The command also returns a summary of disk space used by the installation with respect to the database, scans, reports, and backups. |
show licenses | Display information about all licenses currently in use. Multiple licenses may operate at once. |
show locked accounts | List all user accounts locked out by the Security Console. The application can lock out a user who attempts too many logons with an incorrect password. |
show mem | List statistics about memory use. |
[send] support [from-email-address] [mail-relay-server] [message-body] | Send logs generated by the Security Console and Scan Engine(s) for troubleshooting support. By default, the application sends the request to a log server via HTTPS. Alternatively, you can e-mail the request by specifying a sender’s e-mail address or outbound mail relay server. You also can type a brief message with the e-mail request. When you execute the command, the Security Console displays a scrolling list of log data, including scheduled scans, auto-updates, and diagnostics. |
[show] threads | Display the list of active threads in use. |
traceroute host-address | Determine the IP address route between your local host and the host name or IP address that you specify in the command. When you execute this command, the Security Console displays a list of IP addresses for all “stops” or devices on the given route. |
unlock account <name> | Unlock the user account named in the command. |
update engines | Send pending updates to all defined Scan Engines. |
update now | Check for and apply updates manually and immediately, instead of waiting for the Security Console to automatically retrieve the next update. |
[ver] version | Display the current software version, serial number, most recent update, and other information about the Security Console and local Scan Engine. Add “console” to the command to display information about the Security Console only. Add “engines” to the command to display information about the local Scan Engine and all remote Scan Engines paired with the Security Console. |
? | Display all available commands. |
enable mrc-service on all engines | Enable the Metasploit Remote Check Service on all suitable Scan Engines. |
disable mrc-service on all engines | Disable the Metasploit Remote Check Service on all Scan Engines. |
enable mrc-service on engines <engine name>, <engine name> ... | Enable the Metasploit Remote Check Service on one or more Scan Engines based on a comma separated list of engine names that you specify. |
disable mrc-service on engines <engine name>, <engine name> ... | Disable the Metasploit Remote Check Service on one or more Scan Engines based on a comma separated list of engine names that you specify. |
| `tune assistant [ calculate | apply ]` |
activate <product-key> | Activate the license with the provided key. |
[run] backup retention | Run your backup retention policy immediately. |
[show] blackout | Show the scheuled scan blackouts. |
cancel scan <scan-id> [<silo-id>] | cancel scan: for hung running scans |
clear caches | Clears caches in order to free memory that is currently being consumed. |
| `collector (<start> | <stop> |
database diagnostics [<silo-id>] | Check the database for inconsistencies, such as partially deleted sites or missing synopsis data, which can affect counts of assets, sites, asset groups, scans, or nodes as displayed in the Web interface. |
delete custom property <property-name> | Deletes the current setting for a custom environment property with the given name. |
[show] diag[nostics] [<silo-id>] | Display diagnostic information that may be useful for debugging or monitoring of activity. |
diff node vulns <node-id-1> <node-id-2> | Displays the difference in vulnerabilities found between two nodes. The order of the nodes matter. |
disable mrc-service on all engines | Disable metasploit remote check service on all suitable scan engines. |
disable mrc-service on engines <engine name>, <engine name> ... | Disable metasploit remote check service on one or more scan engine(s) based on a comma separated list of engine name(s). |
enable mrc-service on all engines | Enable metasploit remote check service on all suitable scan engines. |
enable mrc-service on engines <engine name>, <engine name> ... | Enable metasploit remote check service on one or more scan engine(s) based on a comma separated list of engine name(s). |
exit | Stop the service. |
| `export documents [true | false]` |
export warehouse [silo-id] | Manually invokes an execution of the warehouse export (disregarding any defined schedules). |
garbage collect | Start the Java garbage collector, freeing resources that are no longer in use. |
gen[erate] doc[ument] asset <database-identifier> | Generate file containing the latest state of a specific Nexpose domain object. Data represents contents transmitted to Exposure Analytics dashboards. |
gen[erate] stat[istic]s | Display usage statistics that may be useful for debugging. |
gen[erate] update stat[istic]s | Display update statistics that may be useful for debugging. |
get ea command poll | Get the poll time for reading commands from EA. |
get property [<name>] | View the value assigned to a parameter associated with a property named in the command. |
heap dump [<dump-file>] | ”Dump” or list all the data and memory addresses “piled up” by the Java garbage collector. The dump file is saved as heap.hprof. |
| `help | ? [all]` |
import agent-assets yyyy-MM-dd'T'HH-z yyyy-MM-dd'T'HH-z | Imports assets scanned by agents from EA from a start time to an end time. |
import agent-assets-from-file <directory> | Imports assets scanned by agents from EA from a start time to an end time. |
import policy-scan <scan-log-dir> [<site-id>] | Imports a scan log with policy checks. |
import scan <scan-log-dir> [<site-id>] [<scan-template-id>] | Imports a scan log |
import scans <scan-log-parent-dir> [<site-id>] | Imports a set of scan logs. |
| ` ingress (<start> | <stop>)` |
load content | Loads vulnerability content. |
log list | List all logging configuration properties. |
log reset [<name>] | Reset a logging configuration property to it’s default value. Omit the name parameter to reset all properties to their default value. Use ‘log list’ to view available property names. |
log set [<name>] <value> | Set a logging configuration property to a specified value. Omit the name parameter to set all properties to the specified value. Use ‘log list’ to view available property names. |
log-time-zone list | List possible time zone options that can be set for logs. Time zones can be in GMT in the following formats: GMT+XX:XX, GMT-XX:XX, GMTXX:XX. |
log-time-zone reset | Reset the time zone for all log files to the default time zone: GMT. |
log-time-zone set [<timezone>] | Set the time zone for all log files. Use ‘log-time-zone list’ for available time zone options and time zone format. |
[show] mem[ory] | List statistics about memory use. |
pair to platform [--force] <pairing_token> | Pair scan engines to platform. |
ping <host-address> [<tcp-port>] | Ping the specified host using an ICMP ECHO request, TCP ACK packet, and TCP SYN packet. The default TCP port is 80. |
| `platform-login disable [user1,user2… | |
platform-login enable [username1,email2...] | Enable platform login for users given either username or email. |
quit | Stop the service. |
record history <MM-dd-yyyy> | Instructs to record historical information (assets, groups, sites) against a particular date or current date if not date specified. |
remove partially deleted sites [<silo-id>] | Remove partially deleted sites. |
reset password <username> <password> <password-confirm> | Resets the password of a user. |
restart [server] | Stop the service and then start it again. |
[show] schedule | Displays the currently scheduled jobs. |
set custom property <property-name> = <property-value> | Sets the value of a custom environment property. |
set ea command poll <poll-time> | Set the poll time for reading commands from EA. |
| ` show (database | db) (autovac |
| `show (database | db) act[ivity]` |
| `show (database | db) stat[istics]` |
show asset vulns <asset-id> | Summarizes the vulnerabilities found on an asset. |
show content version | Displays the content version loaded in memory. |
show host [info] | Display information about the host machine. Includes memory and disk space usage. |
show licenses | Display information about all licenses currently in use. |
show locked accounts | List all current user accounts that have been locked out by the Security Console. |
show mvc mappings | Displays the currently registered MVC request handler mappings. |
show node vulns <node-id> | Summarizes the vulnerabilities found on a node. Also lists all vulnerability check IDs applicable to the vulnerabilities. |
show saml idp [info] | Display diagnostic information about the SAML Identity Provider. |
show sessions | Displays the currently active sessions for all authenticated principles. |
show vuln <vulnerability-nexpose-id> | Displays details of the vulnerability checks defined in content for a given vulnerability ID. |
show web cache stat(istic)s | Outputs summary information for caching statistics of the web cache. |
[send] support [<silo-id>] | Send logs to Technical Support. Logs are sent to the log server via HTTPS. Don’t include “send” in the command and the logs are compiled in a local directory. |
sync agent-assets | Sync EA agents with Nexpose console. |
sync cloud | Sends sync documents to cloud to trigger a synchronization cycle. |
sync policy benchmarks | Syncs policy benchmarks. |
task summary | Prints a summary of running and queued tasks. |
[show] threads | Display the list of active threads in use. |
traceroute <host-address> | Determine the IP address route between your local host and the host name or IP address that you specify in the command. When you execute this command, it displays a list of IP addresses for all “stops” or devices on the given route. |
unlock account <name> | Unlock the user account named in the command. |
unregister platform | Unregister the Scan Engines with the Platform. |
update content | Updates content. |
update engines | Send pending updates to all defined Scan Engines. |
update now | Check for and apply updates manually and immediately, instead of waiting for an automatic, scheduled update. |
update temporal risk [<silo-id>] | Triggers the update of the temporal risk scores. |
upload support package [<silo-id>] | Upload the Support Package to Rapid7. |
ver[sion] [console] [engines] | Display the current software version, serial number, and most recent updates. Add “console” to the command to display information about the Security Console only. Add “engines” to the command to display information about the local Scan Engine and all remote Scan Engines paired with the Security Console. |