Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 45      Searching for Events
Stopping Long-Running Queries
License: Any
Supported Devices: Any Defense Center
System administrators can use a shell-based query management tool to locate and stop long-running 
queries. 
Note
Leaving the search page in the web interface does not stop a query. A query that takes a long time to return 
results degrades overall system performance for as long as it runs.
The query management tool allows you to locate queries running longer than a specified number of 
minutes and stop those queries. The tool logs an event to the audit log and to syslog when you stop a 
query. 
Note that the only locally-created user with shell access on Defense Centers is the admin user. If you use 
an external authentication object which grants shell access, users matching the shell access filter can also 
log into the shell. 
Usage:
query_manager [-v] [-l [minutes]] [-k query_id [...]] [--kill-all minutes]
Options:
-h, --help
            Prints a brief help message.
-l, --list [minutes]
            Lists all queries taking longer than passed in minutes. By
            default it will show all queries taking longer than 1 minute.
-k, --kill query_id [...]
            Kills the query with the passed in id. The option can take
            multiple ids.
--kill-all minutes
            Kills all queries taking longer than passed in minutes.
-v, --verbose
            Verbose output including full SQL queries.
Caution
Shell access should be limited to system administrators. 
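The session below is an added example of how an administrator would drive query_manager from the shell; it is not code from the FireSIGHT guide or from Cisco. It assumes query_manager is on the PATH of the admin shell (the QUERY_MANAGER variable is a hypothetical override for pointing the wrapper elsewhere), and it adds one safety check the tool itself does not document: the minutes threshold must be a positive integer, because a threshold of 0 passed to --kill-all would target every running query.

```shell
#!/bin/bash
# Added example (not from the FireSIGHT guide or Cisco): a small wrapper
# around query_manager for an admin shell session. Assumes query_manager
# is on PATH; QUERY_MANAGER (hypothetical) lets you point it elsewhere.
set -eu

QM="${QUERY_MANAGER:-query_manager}"

# Accept only a positive integer threshold. "--kill-all 0" would target
# every running query, so an empty or non-numeric value must not be
# allowed to slip through as 0.
valid_minutes() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Show queries running longer than N minutes (default 1), with full SQL
# so a legitimately heavy report can be told apart from a runaway search.
list_slow_queries() {
    minutes="${1:-1}"
    valid_minutes "$minutes" || { echo "list_slow_queries: minutes must be a positive integer" >&2; return 2; }
    "$QM" -v -l "$minutes"
}

# Stop specific queries by the ids shown in the listing.
kill_queries() {
    [ "$#" -gt 0 ] || { echo "kill_queries: need at least one query id" >&2; return 2; }
    "$QM" -k "$@"
}

# Stop everything running longer than N minutes. The tool records each
# stopped query in the audit log and syslog, so this is safe to script,
# but keep it behind a deliberately chosen threshold.
kill_slow_queries() {
    valid_minutes "${1:-}" || { echo "kill_slow_queries: minutes must be a positive integer" >&2; return 2; }
    "$QM" --kill-all "$1"
}

# Typical session, run only when the script is invoked with "demo":
#   list_slow_queries 5          # what has been running more than 5 minutes?
#   kill_queries 1234 1235       # stop two of them by id (ids are illustrative)
#   kill_slow_queries 30         # then sweep anything older than 30 minutes
if [ "${1:-}" = "demo" ]; then
    list_slow_queries 5
    kill_slow_queries 30
fi
```

Because each stop is written to the audit log and syslog, a sweep run from a script can be reconciled afterwards against the audit trail; review the listing with -v before killing by id so that a long but legitimate report is not cut off along with a runaway search.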
Table 45-4      Port Syntax Examples

Example         Description
21              Returns all events on port 21, including TCP and UDP events.
!23             Returns all events except those on port 23.
25/tcp          Returns all TCP-related intrusion events on port 25.
21/tcp,25/tcp   Returns all TCP-related intrusion events on ports 21 and 25.
21-25           Returns all events on ports 21 through 25.
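The following is an added example, not code from the FireSIGHT guide or from Cisco: a small matcher that implements the five port syntax forms in Table 45-4 and runs them over a constructed set of sample events. The five table forms behave exactly as the table describes. Two things are assumptions about how the forms compose, not documented behaviour: a comma list is treated as "any positive term may match and no negated term may match", and a protocol suffix is allowed on a range (for example 21-25/tcp). The sample events, their ids, and the event_matches/search_events function names are all invented for the example.

```python
"""
Matcher for the port search syntax of Table 45-4 (added example, not
FireSIGHT or Cisco code). The table's five forms are implemented as
documented; the comma-list composition rule and the protocol suffix on a
range are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample intrusion events: (event id, port, protocol).
SAMPLE_EVENTS: List[Tuple[str, int, str]] = [
    ("e1", 21, "tcp"),
    ("e2", 21, "udp"),
    ("e3", 23, "tcp"),
    ("e4", 25, "tcp"),
    ("e5", 25, "udp"),
    ("e6", 80, "tcp"),
    ("e7", 22, "udp"),
]

# One term: optional "!", a port or low-high range, optional "/tcp" or "/udp".
TERM_RE = re.compile(r"^(!?)(\d{1,5})(?:-(\d{1,5}))?(?:/(tcp|udp))?$", re.IGNORECASE)


@dataclass(frozen=True)
class PortTerm:
    negate: bool
    low: int
    high: int
    proto: Optional[str]  # None means any protocol, as for "21" or "21-25"

    def hits(self, port: int, proto: str) -> bool:
        """True if the event's port/protocol fall inside this term (ignoring '!')."""
        in_range = self.low <= port <= self.high
        proto_ok = self.proto is None or self.proto == proto.lower()
        return in_range and proto_ok


def parse_port_search(expr: str) -> List[PortTerm]:
    """Parse a comma-separated port search string into terms; reject anything else."""
    terms: List[PortTerm] = []
    for raw in expr.split(","):
        raw = raw.strip()
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError(f"invalid port search term: {raw!r}")
        neg, lo, hi, proto = m.groups()
        low = int(lo)
        high = int(hi) if hi else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {raw!r}")
        terms.append(PortTerm(bool(neg), low, high, proto.lower() if proto else None))
    return terms


def event_matches(terms: List[PortTerm], port: int, proto: str) -> bool:
    """Assumed composition: any positive term may match, and no negated term may."""
    positive = [t for t in terms if not t.negate]
    negated = [t for t in terms if t.negate]
    if any(t.hits(port, proto) for t in negated):
        return False
    return not positive or any(t.hits(port, proto) for t in positive)


def search_events(expr: str, events=SAMPLE_EVENTS) -> List[str]:
    """Return the ids of the events selected by a port search expression."""
    terms = parse_port_search(expr)
    return [eid for eid, port, proto in events if event_matches(terms, port, proto)]


if __name__ == "__main__":
    for expr in ("21", "!23", "25/tcp", "21/tcp,25/tcp", "21-25"):
        print(f"{expr:15} -> {search_events(expr)}")
```

Running the five table rows against the sample set shows the distinctions the table is making: "21" selects both the TCP and the UDP event on port 21, "25/tcp" drops the UDP event on port 25, and a reversed range such as "25-21" or an unknown protocol such as "21/icmp" is rejected at parse time rather than silently matching nothing.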