Reporting

The CLI provides commands to support the reporting features. The commands are accessible from exec mode.

The reporting features include configuration, cache reporting for systems and devices, statistics for systems and devices, and Kerberos-related reporting.

Displaying Sentry configuration

Displaying information for entries in the device cache

Displaying information about Kerberos modules

Displaying Sentry statistics

Displaying information about servers

Displaying Sentry system resources

Displaying Sentry log configuration

Displaying Sentry log filters

Displaying Sentry configuration

You can request a report of the entire configuration or filter by a string of text so that the output only displays rows matching the filter-string text.

To show the Sentry log configuration, enter the following command:

show sentry config-properties [filter-string]

filter-string
Optional. Specify text to filter the output.

Example of a request for output of the Sentry log configuration for asproxy.client:

#show sentry config-properties asproxy.client

asproxy.client.port = 80

asproxy.client.tls.port = 443

If you do not specify a filter, the output includes all configuration information.

Displaying information for entries in the device cache

You can display information for entries in the Sentry device cache. You can also display information about the in-memory device list, the persistent device list, and connectivity to UEM.

Caution: The purpose of these commands is to assist Technical Support with troubleshooting. Do not depend on the output’s format for use with any programs.

Table 43.   Displaying information for entries in the device cache

Feature

Command

Display a list of entries in the Sentry device cache.

show sentry device-cache dump {all | active-sync | app-tunnel}

Display detailed information for a specific entry.

show sentry device-cache entry <tunnel-id> <user-id>

Display the entries associated with a device id

show sentry device-cache device <device-id>

Display the entries associated with a user id

show sentry device-cache user <user-id>

Display the entries with the specified number of minimum connections

show sentry device-cache min-connection
<value>

Show the entries that need validation from UEM.

show sentry device-cache validation-pending {yes | no}

Show the status of the Sentry-device cache.

show sentry device-cache status

Show the connection status to UEM.

show sentry status

To display the entries in the device cache, type the following command:

show sentry device-cache dump {all | active-sync | app-tunnel}

- all
Displays all entries in the cache in table format.

#show sentry device-cache dump all

- active-sync
Displays the ActiveSync entries in the cache in table format.

#show sentry device-cache dump active-sync

- app-tunnel
Displays the app tunnel entries in the cache in table format.

#show sentry device-cache dump app-tunnel

To display detailed information about a specific entry in the device cache, type the following command:

show sentry device-cache entry <tunnel-id> <user-id>

- tunnel-id

The Tunnel ID of the entry in the device cache for which you want information. You can view the Tunnel-ID in the output from show sentry device-cache dump.

- user-id

The User ID associated with the entry.

To display all entries associated with a specific device, type the following command:

show sentry device-cache device <device-id>

- device-id
The device-id for which you want to display all entries.
If you provide a partial device id, the rows for all matching devices are displayed.

Example of a request for a report for a specific device-id:

sentry# show sentry device-cache device 0V55EEVSRT5UVFA05AUBLF9O4S

 

S: Tunnel State {A:Allowed, B:Blocked, P:Policy Pending, W:Wipe Pending}

Vs: EMM Validation State {Y:validated, N:not-validated}

Cn: Connection count

Ver: AppTunnel Version or ActiveSync Version

Time: Timestamp of the last request or connection

Application[/ID]: Application[/ActiveSync Device ID (if application is 'ActiveSync')]

Tunnel-ID: Generic Tunnel ID

 

Index User S Vs Cn Ver Time Application[/ID] Tunnel-ID

1 testuser3351 A Y 0 14.1 2015-08-27 18:30:57 GMT ActiveSync/0V55EEVSRT5UVFA05AUBLF9O4S 0v55eevsrt5uvfa05aublf9o4s

 

sentry#

To display all entries associated with a specific user, type the following command:

show sentry device-cache user <user-id>

- user-id
The user-id for which you want to display all entries.
If you provide a partial userid, the rows for all matching users are displayed.

Example of a request for a report for a specific user-id:

sentry# show sentry device-cache user testuser3351

 

S: Tunnel State {A:Allowed, B:Blocked, P:Policy Pending, W:Wipe Pending}

Vs: EMM Validation State {Y:validated, N:not-validated}

Cn: Connection count

Ver: AppTunnel Version or ActiveSync Version

Time: Timestamp of the last request or connection

Application[/ID]: Application[/ActiveSync Device ID (if application is 'ActiveSync')]

Tunnel-ID: Generic Tunnel ID

 

Index User S Vs Cn Ver Time Application[/ID] Tunnel-ID

1 testuser3351 A Y 0 14.1 2015-08-27 18:30:57 GMT ActiveSync/0V55EEVSRT5UVFA05AUBLF9O4S 0v55eevsrt5uvfa05aublf9o4s

sentry#

To display the entries with the specified minimum number of connections, enter the following command:

show sentry device-cache min-connection <value>

- value
The number of connections, at a minimum, for which you want to display the associated entries.

Example of a request for a list of devices that have the minimum number of connections:

#show sentry device-cache min-connection 1

To display the entries that require EMM validation, enter the following command:

show sentry device-cache validation-pending {yes | no}

Example of a request for a list of devices that require validation from UEM:

#show sentry device-cache validation-pending yes

To display information about the persistent device list and the in-memory device list, enter the following command:

show sentry device-cache status

Example of the command:

To display information about the Standalone Sentry’s connection to the UEM server , enter the following command:

show sentry status

Example of the command and its output:

#show sentry status

EMM server type : Core

Connectivity to Core : Connected

Last connectivity change detected by : Periodic connectivity check

Last connectivity change time : Fri Aug 03 18:55:16 UTC 2012

 

Core periodic connectivity check status

Current time : Fri Aug 03 21:32:49 UTC 2012

Last successful : Fri Aug 03 21:25:17 UTC 2012

Last failed : Never

Next scheduled : Fri Aug 03 21:40:17 UTC 2012

 

EMM server fail-open status : Allow

Last fail-open status change detected by : Sentry initialization

Last fail-open status change time : Tue Aug 02 23:05:08 UTC 2012

The Standalone Sentry detects changes to EMM connectivity in one of the following ways:

- The Standalone Sentry checks EMM connectivity on a regular basis. This is known as the periodic connectivity check.
- The Standalone Sentry checks EMM connectivity when the Sentry initializes.
- The administrator can manually check EMM connectivity by using the Verify button on the Troubleshooting > Service Diagnosis page of the Standalone Sentry Web Portal.

Displaying information about Kerberos modules

You can display the Kerberos and UPN information. The new CLI commands for Kerberos reporting are described below.

Table 44.   Displaying information about Kerberos modules

Feature

Command

Display the SPN, timeout, and cache size for Kerberos

show sentry kerberos

Display Kerberos UPN information

show sentry kerberos cache dump [upn-filter]

Display Kerberos information related to a specific UPN

show sentry kerberos cache upn
<upn-string>

To display Kerberos information for the Sentry, enter the following command:

show sentry kerberos

Example of a request for Kerberos information:

#show sentry kerberos

sentry-spn = HTTP/sentry.company.com

cache-ticket-idle-timeout = 48

cache-size = 1

To display information for all UPNs in the Kerberos cache, enter the following command:

show sentry kerberos cache dump [upn-filter]

- upn-filter
Optional. Full or partial UPN to filter on. Shows only the rows matching this string.

Example of a request to display Kerberos UPN information for UPNs that match the upn-filter:

# show sentry kerberos cache dump user

Indx User-UPN Created(m) IdleTime(m)

1 [email protected] 1010 7

To display Kerberos information for a specific UPN in the Kerberos cache, enter the following
command:

show sentry kerberos cache upn <upn-string>

- upn-string
The full UPN of the UPN for which you want to display information.

Example of a request to display Kerberos UPN information for a specific UPN:

# show sentry kerberos cache upn [email protected]

Kerberos Cache for UPN: [email protected]

[0]user-upn = [email protected]

[0]idle-time-min = 7

[0]creation-time = Fri Jan 13 01:44:11 UTC 2012

Displaying Sentry statistics

Displays statistics for Sentry. You can specify parameters for global statistics or statistics for a specific device.

Table 45.   Displaying Sentry statistics

Feature

Description

Display Sentry statistics for a specific device

show sentry statistics entry <device-id> <user-id>

Display Sentry global statistics for a specific device

show sentry statistics global [device|system]
[filter-string]

Display complete global Sentry system statistics

show sentry statistics global system [filter-string]

Display complete global Sentry statistics for a server

show sentry statistics global server [filter-string]

To display complete Sentry statistics for a specific device, type the following command:

show sentry statistics entry <device-id> <user-id>

- device-id

The id of the device for which you want information.

- user-id

The User associated with the device.

Example:

sentry#show sentry statistics entry ApplDN6FM6SZDKPH testuser2885

d-connection = 4

s-connections = 4

d-bytes-rcvd = 8572

s-bytes-sent = 8368

s-bytes-rcvd = 2704

d-bytes-sent = 2704

d-http-requests = 20

s-http-requests = 16

s-http-responses = 16

d-http-responses = 16

d-http-449 = 0

s-http-449 = 0

permits = 16

pendings = 0

blocks = 0

wipes = 0

s-http-3xx-redirects = 0

s-http-451-redirects = 0

d-http-451-redirect-drops = 0

cmd-none = 0

cmd-options = 0

cmd-provision = 0

cmd-sync = 0

cmd-folder-sync = 0

cmd-ping = 16

cmd-get-attachment = 0

cmd-item-operations = 0

cmd-unknown = 0

d-err-conn-timeout = 0

s-err-conn-timeout = 0

d-err-so-timeout = 0

s-err-so-timeout = 0

s-err-cmd-ping-timeout = 0

s-err-cmd-sync-timeout = 0

d-err-cmd-timeout = 0

s-err-cmd-timeout = 0

d-err-reset = 0

s-err-reset = 0

d-so-close = 0

s-so-close = 0

http-status-200 = 0

http-status-401 = 16

http-status-404 = 0

http-status-409 = 0

http-status-5xx = 0

http-status-other = 0

err-conn-pooling = 0

d-unclassified = 0

s-unclassified = 0

ping-sync-throttled = 0

kerberos-auth-error = 0

attachments-encrypted = 0

attachment-encrypt-failures = 0

attachments-converted = 0

attachments-replaced = 0

attachment-replaced-failures = 0

attachments-fwd-restored = 0

attachments-fetched = 0

attachments-embedded = 0

attachments-renamed = 0

attachments-size-MB = 0

attachments-size-bytes = 0

decryption-failures = 0

d-http-503-s2c = 0

d-http-503-c2s = 0

d-http-400-c2s = 0

active-sync-status-reports = 0

sentry#

 

To display complete global Sentry statistics for devices, type the following command:

show sentry statistics global device <filter-string>

- filter-string
The full or partial string of one of the fields in the statistics report. The filter-string can either be a field name or a value in the field.

Example of a request to display global statistics for devices, filtered on http-status:

# show sentry statistics global device http-status

http-status-200 = 388

http-status-401 = 32

http-status-404 = 0

http-status-409 = 0

http-status-5xx = 0

http-status-other = 0

To display complete global Sentry system statistics, type the following command:

show sentry statistics global system [filter-string]

- filter-string
The full or partial string of one of the fields in the statistics report. The filter-string can either be a field name or a value in the field.

Example of a request to display global Sentry statistics, filtered on peak:

# show sentry statistics global system peak

 

peak-heap-mem-used-MB = 389

peak-date-heap-mem-used-MB = Thu Aug 27 22:32:30 UTC 2015

peak-buff-cached-mem-used-MB = 1189

peak-date-buff-cached-mem-used-MB = Thu Aug 27 22:33:30 UTC 2015

peak-process-virtual-mem-used-MB = 2988

peak-date-process-virtual-mem-used-MB = Thu Aug 27 22:32:30 UTC 2015

peak-process-resident-mem-used-MB = 1049

peak-date-process-resident-mem-used-MB = Thu Aug 27 22:34:30 UTC 2015

peak-cpu-% = 14

peak-date-cpu-% = Thu Aug 27 22:32:30 UTC 2015

peak-mem-% = 39

peak-date-mem-% = Thu Aug 27 22:32:30 UTC 2015

peak-running-threads = 1

peak-date-running-threads = Thu Aug 27 22:33:21 UTC 2015

peak-device-cache-size = 2

peak-date-device-cache-size = Thu Aug 27 22:32:30 UTC 2015

peak-user-url-cache-size = 0

peak-date-user-url-cache-size = Thu Aug 27 22:32:30 UTC 2015

peak-kerb-servtkt-cache-size = 0

peak-date-kerb-servtkt-cache-size = Thu Aug 27 22:32:30 UTC 2015

sentry#

The full global statistics report can be downloaded in CSV format using the user interface. See Sentry Statistics.

To display complete global Sentry statistics for a server, type the following command:

show sentry statistics global server <filter-string>

- filter-string

The full or partial string of one of the fields in the statistics report. The filter string can either be a field name or a value in the field.

Example:

sentry#show sentry statistics global server

hc-connections = 6

hc-bytes-sent = 816

hc-bytes-rcvd = 1116

hc-http-requests = 6

hc-http-responses = 6

hc-err-conn-timeout = 0

hc-err-so-timeout = 0

hc-err-reset = 0

hc-so-close = 0

hc-unclassified = 0

hc-http-status-200 = 0

hc-http-status-401 = 6

hc-http-status-404 = 0

hc-http-status-other = 0

Example with filter string:

sentry#show sentry statistics global server err

hc-err-conn-timeout = 0

hc-err-so-timeout = 0

hc-err-reset = 0

sentry#

Displaying information about servers

To display server details and connection status, type the following command in EXEC mode:

show sentry server status

Example:

sentry# show sentry server status

 

Current Time : Thu Aug 27 19:21:37 UTC 2015

 

Service Name : <ANY>

Service Type : App Tunnel

Server Scheduling : PRIORITY

Server Declared Last Failure

Name/IP Status Failed Count

--------------------------------------------------------------------------

Live Never 0

 

Service Name : default

Service Type : Active-Sync

Server Scheduling : PRIORITY

Active Background Health Check : Enabled

Server Declared Last Last Failure

Name/IP Status Successful Failed Count

-----------------------------------------------------------------------------------------------

ex2010sp3.enterprise.com Live 08/27/2015 19:20:52 Never 0

 

Service Name : <TCP_ANY>

Service Type : App Tunnel

Server Scheduling : PRIORITY

Server Declared Last Failure

Name/IP Status Failed Count

--------------------------------------------------------------------------

Live Never 0

sentry#

Displaying Sentry system resources

To display Sentry system resources, type the following command:

show sentry utilization

Example:

sentry#show sentry utilization

Number of Connected Devices : 0

Number of Open Connections : 0

Thread Pool Utilization : 0.0%

CPU Utilization : 0%

System Memory Utilization : 23%

Heap Memory Utilization : 15%

sentry#

Displaying Sentry log configuration

You can display the Sentry log configuration. To change the log configuration, see the commands in Logging.

To display the Sentry log configuration, type the following command:

show sentry log

Example of a request to display log configuration information:

# show sentry log

log-from-to = both

enable = true

verbosity = level3

Displaying Sentry log filters

You can display the log filters that are currently configured on Sentry. To configure the log filters, see Logging.

To display the Sentry log filters, type the following command:

show sentry log filter

Example of a request to display the log filters:

# show sentry log filter

TAG ENABLED TYPE VALUE

 

KensPhone true user-id ksmith

Displaying Sentry GC log configuration

You can display the garbage collection (GC) currently configured on Sentry. To configure GC, see Configuring garbage collection (GC).

To display the Sentry GC configuration, type the following command:

show sentry gc-log