2. Inspect log files and statistics

_images/MoteurDeDetectionON.png

From the 'Inspect' menu it is possible to verify that the capture of the stream is taking place correctly. Status of configuration data, file logging, and statistics are available.

_images/SPDC8.PNG

_images/SPDC9.PNG

  • 'View detection engine log' displays the messages from the detection engine of the GCap probe for incoming and outgoing flows.

  • 'Watch eve statistics' shows, at a given time T, all the capture parameters and counters associated with the GCap sensor detection engine.

  • 'Monitor alerts' displays raw alerts captured by the GCap in real time.

  • 'Monitor CPU usage' monitors the CPU load of the GCap every second.

  • 'View file-related detection ruleset' lists all active detection rules linked to the files of the GCap.

  • 'View user-defined detection ruleset' lists all active detection rules defined by the user.

  • 'View threshold configuration files' displays the specific threshold/suppress rules generated from Sigflow Manager.

  • 'View detection engine configuration' displays the configuration parameters of the network card acquisition driver.

  • 'View kernel alerts' accesses the kernel message logging of the GCap.

  • 'View general logs (/var/log/messages)' displays the generic GCap logs.

  • 'View boot logs (/var/log/rc.log)' displays the messages logged when the GCap starts.

  • 'View authentication logs (/var/log/auth.log)' displays the IPsec tunnel authentication logs between the GCenter management server and the GCap.

  • 'View planned tasks logs (/var/log/cron.log)' displays all scheduled tasks of the GCap.

  • 'View daemon logs (/var/log/daemon.log)' displays Linux daemon information. Most of this data relates to the IPsec tunnel.

  • 'View user logs (/var/log/user.log)' displays user actions on the detection engine.

  • 'View debug logs (/var/log/debug.log)' displays debug log messages.

The same checks can be performed from the GCap CLI with the following commands:

services status [eve-compress|eve-generation|eve-upload|file-extraction|file-upload|filter-fileinfo]

services start [eve-compress|eve-generation|eve-upload|file-extraction|file-upload|filter-fileinfo]

services stop [eve-compress|eve-generation|eve-upload|file-extraction|file-upload|filter-fileinfo]

services show retention-periods [unsent-files|sent-files|eve-files]

services set retention-periods [unsent-files|sent-files|eve-files]

show alerts

show cpus

show eve-stats

show logs [detection-engine-logs|dmesg|var-log-messages|var-log-rc|var-log-auth|var-log-cron|var-log-daemon|var-log-user|var-log-debug]