6.2.5. monitoring-engine

6.2.5.1. Introduction

The GCap detection engine captures network traffic and analyses it to generate security events such as alerts and metadata.

The monitoring-engine command enables:

  • starting the detection engine

  • stopping the detection engine

  • visualising the status of the detection engine

Note

For this command, there are advanced options (see the set monitoring-engine section).

Once the capture engine is enabled, some GCap configuration commands are no longer accessible. This information is indicated by the "Dependencies" field in the description of each command. The capture engine must be disabled to make them accessible again.

If the GCap configuration is changed via the GCenter, the detection engine is reloaded automatically. If the GCap device is restarted, there is no impact on the detection engine status.


6.2.5.2. Prerequisites

  • Users: setup, gviewadm

  • Dependencies:

    • Add the IP of the GCenter (set gcenter-ip).

    • Pair the GCap and GCenter.

    • Choose the GCenter compatibility version.

    • Activate at least one capture interface.

Note

If the sanity-checks option is set to enable, the detection engine starts only after verifying that at least one `monx` capture interface has been activated and that a cable is connected.


6.2.5.3. Command

monitoring-engine {status|start|stop}


6.2.5.4. Example of displaying the status of the detection engine

  • Enter the following command.

    (gcap-cli) monitoring-engine status
    
  • Validate.

    The system displays the engine status:

    Detection engine is down
    

    Meaning:

    • Detection engine down: means that the engine status is inactive

    • Detection engine up: means that the engine status is active


6.2.5.5. Example of starting the detection engine

The system displays the following command prompt:

Monitoring DOWN gcap-name (gcap-cli) 

The command prompt indicates the status of the detection engine: here it is stopped.

  • Enter the following command.

    (gcap-cli) monitoring-engine start
    
  • Validate.

  • Check the status of the detection engine:

    The system displays the following command prompt:

    [Monitoring UP] gcap-name (gcap-cli) 
    

    The command prompt indicates the status of the detection engine: here it is running.


6.2.5.6. Example of stopping the detection engine

The system displays the following command prompt:

[Monitoring UP] gcap-name (gcap-cli) 

The command prompt indicates the status of the detection engine: here it is running.

  • Enter the following command.

    (gcap-cli) monitoring-engine stop
    
  • Validate.

  • Check the status of the detection engine:

    Monitoring DOWN gcap-name (gcap-cli) 
    

    The command prompt indicates the status of the detection engine: here it is stopped.