Documentation GCap
Last updated 21/02/2022

Overview

  • 1. Introduction
  • 2. Overall operation
  • 3. Prerequisites
  • 4. First connection
  • 5. Installation steps
  • 6. Performance optimization

User management

  • 1. Gview profile
  • 2. Gviewadm profile
  • 3. Profile Setup
  • 4. Change passwords
  • 5. Password policy
  • 6. Sessions maximum duration
  • 7. Bruteforce Protection
  • 8. Unlock a session

Supervising

  • 1. Device Status
  • 2. Inspect log files and statistics
  • 3. Detection engine stats

CLI

  • 1. Choose a default mode
  • 2. CLI

System configuration

  • 1. Modify the keymap
  • 2. Set date and time
  • 3. Reload network card drivers
  • 4. Restart GCap
  • 5. Shutdown

Network configuration

  • 1. Network Settings
  • 2. Management interfaces configuration
  • 3. Set hostname and domain name

Pairing with GCenter

  • 1. Select compatibility with GCenter
  • 2. Turn up IPsec tunnel

Upgrade

  • 1. Download and trigger an update

Detection engine

  • 1. Selection of capture interfaces
  • 2. Enable/disable detection engine
  • 3. Select scanned protocols
  • 4. Synchronize MAC addresses to network interfaces
  • 5. Multi-tenant
  • 6. Add local rules
  • 7. File reconstruction capability

Interface cluster

  • 1. Clustering
  • 2. Cluster configuration
  • 3. Impact on other features

Performance

  • 1. CPUs assignation to the detection engine
  • 2. Manage capture interfaces loadbalancing

XDP Filtering

  • 1. Change native VLAN
  • 2. Filter based on VLAN
  • 3. Filter by Protocols

Services

  • 1. Manage file-related transfers
  • 2. Set retention time
  • 3. Replay pcap

1. Manage file-related transfers


The 'Service Management' tab allows you to start or stop the transfer of files and/or the event history between the GCap and the GCenter. This menu also allows you to configure file filtering, retention periods and log compression.


The GCap 'eve-log' entries are the scan logs of the network anomaly detection service. These events are timestamped and ordered by capture time.

Generation and sending of 'eve-log' events is enabled by default. Extraction of files and sending them to the GCenter management server is also enabled.


'Stop eve-log generation' stops the generation and storage of events on the GCap detection probe. This also has the effect of stopping file capture.

'Stop sending eve-logs (but keep on generating them)' stops sending events to the GCenter server. Note that this action has no influence on the generation of logs.

'Stop file extraction' stops the extraction of files captured by the probe.

'Stop sending files (but keep on extracting them)' stops sending files to the GCenter server. Note that this action has no influence on file extraction.


Services can be restarted at the discretion of the solution administrator. Note that eve-log generation must be started ('Start eve-log generation') before file extraction can be launched again.


'Remove fileinfo events for observed files' and 'Keep fileinfo events for observed files' enable the automatic deletion or preservation of 'fileinfo' events about files that would not be kept for analysis by the GCenter. The goal is to reduce noise and limit the volume of logs sent to the GCenter.


'Compress eve-log' and 'Do not compress eve-log' enable or disable compression of the events captured by the GCap. This feature is disabled by default, as it consumes computing power unnecessarily. In case of intermittent connectivity, or any other issue preventing logs from being sent to the GCenter, it is advisable to enable this feature to maximize the log retention time on the GCap.

The same actions are available from the CLI with the following commands (one service name from the bracketed list per command):

services status [eve-compress|eve-generation|eve-upload|file-extraction|file-upload|filter-fileinfo]

services start [eve-compress|eve-generation|eve-upload|file-extraction|file-upload|filter-fileinfo]

services stop [eve-compress|eve-generation|eve-upload|file-extraction|file-upload|filter-fileinfo]

© Copyright 2022, Gatewatcher.