Skip to content

cli-map.md

Latest commit

 

History

History
166 lines (146 loc) · 5.4 KB

cli-map.md

File metadata and controls

166 lines (146 loc) · 5.4 KB

twsla CLI

Global Flags

  • --config: config file (default $HOME/.twsla.yaml)
  • -d, --datastore: Bbolt Log DB (default "./twsla.db")
  • -t, --timeRange: Time range
  • -f, --filter: Simple filter
  • -r, --regex: Regexp filter
  • -v, --not: Invert regexp filter
  • --sixel: show chart by sixel

Commands

ai

  • ai <filter>...: AI-powered log analysis
  • Flags
    • --aiProvider: AI provider (ollama|gemini|openai|claude)
    • --aiBaseURL: AI base URL
    • --aiModel: LLM Model name
    • --aiErrorLevels: Words included in the error level log (default "error,fatal,fail,crit,alert")
    • --aiWarnLevels: Words included in the warning level log (default "warn")
    • --aiTopNError: Number of error log patterns to be analyzed by AI (default 10)
    • --aiSampleSize: Number of sample log to be analyzed by AI (default 50)
    • --aiLang: Language of the response

anomaly

  • anomaly: Anomaly log detection
  • Flags
    • -m, --mode: Detection modes (tfidf|sql|os|dir|walu|number) (default "tfidf")
    • -e, --extract: Extract pattern

count

  • count: Count log
  • Flags
    • -i, --interval: Specify the aggregation interval in seconds.
    • -p, --pos: Specify variable location (default 1)
    • --delay: Delay filter
    • -e, --extract: Extract pattern or mode (json,grok,word,normalize)
    • -n, --name: Name of key
    • -x, --grokPat: grok pattern
    • -g, --grok: grok pattern definitions
    • --geoip: geo IP database file
    • --ip: IP info mode (host|domain|loc|country)
    • -q, --timePos: Specify second time stamp position
    • --utc: Force UTC

delay

  • delay: Search for delays in the access log
  • Flags
    • -q, --timePos: Specify second time stamp position
    • --utc: Force UTC

email

  • email [search|count]: Search or count email logs
  • Flags
    • --emailCountBy: Count by field (default "time")
    • --checkSPF: Check SPF

extract

  • extract: Extract data from log
  • Flags
    • -e, --extract: Extract pattern
    • -p, --pos: Specify variable location (default 1)
    • -n, --name: Name of value
    • -x, --grokPat: grok pattern
    • -g, --grok: grok pattern definitions
    • --geoip: geo IP database file
    • --ip: IP info mode (host|domain|loc|country)

heatmap

  • heatmap: Command to tally log counts by day of the week and time of day
  • Flags
    • -w, --week: Week mode

import

  • import: Import log from source (file | dir | scp | ssh | twsnmp | imap | pop3)
  • Flags
    • --utc: Force UTC
    • -b, --size: Batch Size (default 10000)
    • --noDelta: Disable delta check
    • --api: TWSNMP FC API Mode
    • --tls: TWSNMP FC API TLS
    • --skip: TWSNMP FC API skip verify certificate (default true)
    • --noTS: Import no time stamp file
    • -s, --source: Log source
    • -c, --command: SSH Command
    • -k, --key: SSH Key
    • -p, --filePat: File name pattern
    • -l, --logType: TWSNNP FC log type (default "syslog")
    • --imapFolder: List IMAP folder names
    • --emailTLS: IMAP use start TLS
    • --emailUser: IMAP or POP3 user name
    • --emailPassword: IMAP or POP3 password

mcp

  • mcp: MCP server for AI agent
  • Flags
    • --transport: MCP server transport (stdio/sse/stream) (default "stdio")
    • --endpoint: MCP server endpoint (default "127.0.0.1:8085")
    • --clients: IP address of MCP client to be allowed to connect
    • --geoip: geo IP database file

relation

  • relation <data1> <data2>...: Relation Analysis
    • data entry: ip | mac | email | url | regex/<pattern>/<color>

search

  • search [simple filter...]: Search logs
  • Flags
    • -c, --color: Color mode
    • -w, --wrap: Wrap or scroll x

sigma

  • sigma: Detect threats using SIGMA rules
  • Flags
    • -s, --rules: Sigma rules path
    • --strict: Strict rule check
    • -c, --sigmaConfig: config path
    • -x, --grokPat: grok pattern if empty json mode
    • -g, --grok: grok definitions

tfidf

  • tfidf: Log analysis using TF-IDF
  • Flags
    • -l, --limit: Similarity threshold between logs (default 0.5)
    • -c, --count: Number of threshold crossings to exclude
    • -n, --top: Top N

time

  • time: Time analysis

twlogeye

  • twlogeye: Import notify, logs and report from twlogeye
  • Arguments
    • target: notify | logs | report
    • sub target: syslog | trap | netflow | winevent | otel | mqtt | monitor | anomaly
  • Flags
    • --apiServer: twlogeye api server IP address
    • --apiPort: twlogeye api port number (default 8081)
    • --ca: CA Cert file path
    • --cert: Client cert file path
    • --key: Client key file path
    • --filter: Log search text
    • --level: Notify level
    • --anomaly: Anomaly report type (default "monitor")

twsnmp

  • twsnmp [target]: Get information and logs from TWSNMP FC
  • Arguments
    • target: node | polling | eventlog | syslog | trap | netflow | ipfix | sflow | sflowCounter | arplog | pollingLog
  • Flags
    • --jsonOut: output json format
    • --checkCert: TWSNMP FC API verify certificate
    • --twsnmp: TWSNMP FC URL (default "http://localhost:8080")

update

  • update: Update twsla to the latest or specified version from GitHub releases.
  • Flags
    • -c, --check: Check for updates only
    • --version: Update to specified version
    • -y, --yes: Update without confirmation

version

  • version: Show twsla version
  • Flags
    • --color: Version color