6.2.5. monitoring-engine
6.2.5.1. Introduction
The GCap detection engine captures network traffic and analyses it to generate security events such as alerts and metadata.
The monitoring-engine command enables:
starting the detection engine
stopping the detection engine
displaying the status of the detection engine
Note
For this command, there are advanced options (see the set monitoring-engine section).
Once the capture engine is enabled, some GCap configuration commands are no longer accessible. This restriction is indicated by the "Dependencies" field in the description of each command. The capture engine must be disabled to make those commands accessible again.
If the GCap configuration is changed via the GCenter, the detection engine is reloaded automatically. If the GCap device is restarted, the detection engine status is not affected.
6.2.5.2. Prerequisites
Users: setup, gviewadm
Dependencies:
Add the IP of the GCenter (set gcenter-ip).
Pair the GCap and the GCenter.
Choose the GCenter compatibility version.
Activate at least one capture interface.
Note
If the sanity-checks option is set to enable, the detection engine starts only after verifying that at least one `monx` capture interface has been activated and that a cable is connected to it.
6.2.5.3. Command
monitoring-engine {status|start|stop}
6.2.5.4. Example of displaying the status of the detection engine
Enter the following command.
(gcap-cli) monitoring-engine status
Validate.
The system displays the engine status:
Detection engine is down
Meaning:
Detection engine is down: the engine status is inactive.
Detection engine is up: the engine status is active.
6.2.5.5. Example of starting the detection engine
The system displays the following command prompt:
Monitoring DOWN gcap-name (gcap-cli)
The command prompt indicates the status of the detection engine: here it is stopped.
Enter the following command.
(gcap-cli) monitoring-engine start
Validate.
Check the status of the detection engine:
The system displays the following command prompt:
[Monitoring UP] gcap-name (gcap-cli)
The command prompt indicates the status of the detection engine: here it is running.
6.2.5.6. Example of stopping the detection engine
The system displays the following command prompt:
[Monitoring UP] gcap-name (gcap-cli)
The command prompt indicates the status of the detection engine: here it is running.
Enter the following command.
(gcap-cli) monitoring-engine stop
Validate.
Check the status of the detection engine:
The system displays the following command prompt:
Monitoring DOWN gcap-name (gcap-cli)
The command prompt indicates the status of the detection engine: here it is stopped.