6.2.3.1. Introduction

The GCap 'eve-log' files are the analysis logs of the network anomaly detection service. These events are time-stamped and sequenced according to the time of capture.
The monitored services, and the function of each, are as follows:

local-alerts

  • Alerts are automatically sent to the GCenter, where they are processed with the appropriate tools.

  • The local-alerts service additionally stores the alerts locally on the GCap.

  • Because it monopolises resources (CPU and disk space), this service should only be activated to perform advanced diagnostics in collaboration with the Gatewatcher support service.

  • Remember to switch this service off after use. It is not started natively.

eve-generation

  • Generation of eve logs and storage of events on the GCap.

  • Stopping this service also stops the capture of files.

eve-compress

  • Compresses the eve logs stored on the GCap; this saves disk space but consumes CPU power.

  • In the event of intermittent connectivity, or any other problem preventing logs from being sent to the GCenter, it is advisable to enable this service to maximise the time the logs are kept on the GCap.

eve-upload

  • Sending of eve logs to the GCenter.

  • Stopping this service has no influence on the extraction of files.

file-extraction

  • File extraction by the GCap probe.

file-upload

  • Sending of the extracted files to the GCenter.

filter-fileinfo

  • Filtering of fileinfo events (event_type: fileinfo in Elasticsearch).

  • Automatically removes or retains fileinfo events about files that would not be retained for analysis by the GCenter.

  • The aim is to improve the signal-to-noise ratio and limit the volume of logs sent to the GCenter.

  • The filtered events are replicas (fileinfo.stored: false in Elasticsearch).
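As an added illustration, not GCap's own code, the following applies the rule the filter-fileinfo service describes to three constructed eve-log lines: fileinfo events carrying fileinfo.stored: false are dropped, and every other event (including fileinfo events for stored files) passes through unchanged. The sample lines and field values are constructed for the example.

```python
import json

# Constructed sample eve-log lines (not real GCap output): one fileinfo event
# for a stored file, one for a file that was not retained, and an alert event
# that the filter must leave untouched.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"fileinfo",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","fileinfo":{"filename":"a.exe","stored":true}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"fileinfo",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","fileinfo":{"filename":"b.txt","stored":false}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"TEST"}}',
]


def is_unstored_fileinfo(event: dict) -> bool:
    """True only for a fileinfo event whose file was not stored (fileinfo.stored: false).

    A fileinfo event with no 'stored' field is kept: the filter only drops events
    that explicitly say the file was not retained.
    """
    if event.get("event_type") != "fileinfo":
        return False
    return event.get("fileinfo", {}).get("stored") is False


def filter_fileinfo(lines):
    """Return (kept_lines, dropped_count) after removing unstored fileinfo events.

    Lines that are not valid JSON are passed through unchanged so that nothing
    is silently lost from the log stream.
    """
    kept = []
    dropped = 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            kept.append(line)
            continue
        if is_unstored_fileinfo(event):
            dropped += 1
            continue
        kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept_lines, dropped_count = filter_fileinfo(SAMPLE_EVE_LINES)
    print(f"kept {len(kept_lines)} events, dropped {dropped_count}")
    for kept_line in kept_lines:
        print(kept_line)
```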

Each of these services can be:

  • Started: refer to the start command

  • Stopped: refer to the stop command

To view the current status of the services, refer to the status command.