8.1. Event files

It is possible to consult the event files.

To display...                                                       File name...
detection engine events                                             detection-engine-logs
kernel events                                                       var-log-kernel
the aggregation of different logs                                   var-log-messages
GCap authentication information                                     var-log-auth
the launch information of scheduled tasks                           var-log-cron
information about the activity of the various applications used     var-log-daemon
information on the activity of the GCap users                       var-log-user
debugging events                                                    var-log-debug


8.1.1. Detection engine events: detection-engine-logs

This log contains the events of the detection engine. They provide additional information on the status of the detection engine and on the errors it reports.
Some examples of useful lines:

  • End of startup

[97] <Info> -- All AFP capture threads are running.

  • End of rule reload

[76] <Info> -- cleaning up signature grouping structure... complete
[76] <Notice> -- rule reload complete

  • Rule loading error

[76] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
[76] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 $EXTERNAL_NET any -> $INTERNAL_NET any (msg: "Failing rule"; sid:2000001; rev:1;) from file /etc/suricata/rules/local_all.rules at line 1
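The three kinds of line above (startup complete, rule reload complete, rule loading error) are the ones an operator looks for after a rule update. The following Python script is an added example, not code from the GCap product or from this documentation: it parses lines in the "[pid] <Level> -- message" layout shown above, pulls the ERRCODE name and number, the failing sid and the rule file and line number out of error lines, and reduces an extract to a short status summary. The sample lines are constructed copies of the extracts above; the regular expressions are assumptions based on those extracts only.

```python
import re
from collections import Counter

# Constructed sample, modelled on the detection-engine-logs extracts above
# (format assumed: "[pid] <Level> -- message"; this is not the product's own code).
SAMPLE_LINES = """\
[97] <Info> -- All AFP capture threads are running.
[76] <Info> -- cleaning up signature grouping structure... complete
[76] <Notice> -- rule reload complete
[76] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
[76] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 $EXTERNAL_NET any -> $INTERNAL_NET any (msg: "Failing rule"; sid:2000001; rev:1;) from file /etc/suricata/rules/local_all.rules at line 1
""".splitlines()

LINE_RE = re.compile(r"^\s*\[(?P<pid>\d+)\]\s+<(?P<level>\w+)>\s+--\s+(?P<msg>.*)$")
ERRCODE_RE = re.compile(r"\[ERRCODE:\s*(?P<name>[A-Z0-9_]+)\((?P<code>\d+)\)\]")
SID_RE = re.compile(r"\bsid:\s*(?P<sid>\d+)")
FILE_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")


def parse_line(line):
    """Parse one detection-engine log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "pid": int(m["pid"]),
        "level": m["level"],
        "msg": m["msg"],
        "errcode": None,   # e.g. SC_ERR_INVALID_SIGNATURE
        "errno": None,     # numeric code inside the parentheses
        "sid": None,       # signature id of the rule that failed to load, if present
        "file": None,      # rule file named in the error, if present
        "line": None,      # line number inside that rule file, if present
    }
    e = ERRCODE_RE.search(rec["msg"])
    if e:
        rec["errcode"], rec["errno"] = e["name"], int(e["code"])
        s = SID_RE.search(rec["msg"])
        if s:
            rec["sid"] = int(s["sid"])
        f = FILE_RE.search(rec["msg"])
        if f:
            rec["file"], rec["line"] = f["file"], int(f["line"])
    return rec


def summarize(lines):
    """Reduce a log extract to the facts an operator checks first."""
    summary = {
        "startup_complete": False,   # capture threads are running
        "reload_complete": False,    # the last rule reload finished
        "rule_errors": [],           # parsed <Error> records that carry an ERRCODE
        "levels": Counter(),         # how many lines per level
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        summary["levels"][rec["level"]] += 1
        if "All AFP capture threads are running" in rec["msg"]:
            summary["startup_complete"] = True
        elif rec["msg"] == "rule reload complete":
            summary["reload_complete"] = True
        elif rec["level"] == "Error" and rec["errcode"]:
            summary["rule_errors"].append(rec)
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("startup complete:", s["startup_complete"], "| reload complete:", s["reload_complete"])
    for err in s["rule_errors"]:
        print(f"{err['errcode']}({err['errno']}) sid={err['sid']} file={err['file']} line={err['line']}")
```

Run against a real extract, the summary tells you whether the engine finished starting, whether the last reload completed, and which rule (sid, file and line) a reload rejected, which is the information needed before deciding whether the deployed rule set is actually the one loaded.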


8.1.3. GCap authentication information: var-log-auth

This log contains the GCap authentication information.
Some examples of useful lines:

  • SSH authentication error

2022-02-03T14:10:17.680152+00:00 GCap.domain.tld sshd: root [pam]#000[338683]: level=error msg="failed to check credentials for \"root\": \"invalid password: password mismatch\""
2022-02-03T14:10:26.682897+00:00 GCap.domain.tld sshd[338675]: error: PAM: Authentication failure for root from 1.2.3.4
2022-02-03T14:10:26.785321+00:00 GCap.domain.tld sshd[338675]: Connection closed by authenticating user root 1.2.3.4 port 3592 [preauth]

  • IPSec events

2022-02-03T13:38:10.770453+00:00 GCap.domain.tld charon: 06[IKE] reauthenticating IKE_SA GCenter[4]
2022-02-03T13:38:10.771116+00:00 GCap.domain.tld charon: 06[IKE] deleting IKE_SA GCenter[4] between 10.2.19.152[C=FR, O=GATEWATCHER, CN=lenovo-se350-int-sla.gatewatcher.com]...2.3.4.5[CN=GCenter.domain.tld.com]
2022-02-03T13:38:13.085957+00:00 GCap.domain.tld charon: 16[IKE] IKE_SA deleted
2022-02-03T13:38:13.141553+00:00 GCap.domain.tld charon: 16[IKE] initiating IKE_SA GCenter[5] to 2.3.4.5
2022-02-03T13:38:13.364748+00:00 GCap.domain.tld charon: 07[IKE] establishing CHILD_SA GCenter{18} reqid 2
2022-02-03T13:38:14.827308+00:00 GCap.domain.tld charon: 12[IKE] IKE_SA GCenter[5] established between 10.2.19.152[C=FR, O=GATEWATCHER, CN=GCap.domain.tld]...2.3.4.5[CN=GCenter.domain.tld.com]
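The SSH and IPsec extracts above are the two things worth checking in var-log-auth: repeated PAM failures from one source, and whether the IKE_SA towards the GCenter ended up established after a reauthentication. The following Python script is an added example and not part of the GCap product or this documentation. It parses the syslog-style header shown above, groups PAM authentication failures by (user, source IP), flags pairs that exceed a failure threshold inside a time window, and derives the last known state of each IKE_SA from the charon messages. The sample lines are constructed (the extra failure lines and the second user are invented to exercise the threshold); the header layout, the threshold of 3 failures in 60 seconds and the charon message patterns are assumptions based on the extracts above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the var-log-auth extracts above; the repeated
# failures for root and the "admin" line are invented to exercise the threshold.
SAMPLE_LINES = """\
2022-02-03T13:38:10.770453+00:00 GCap.domain.tld charon: 06[IKE] reauthenticating IKE_SA GCenter[4]
2022-02-03T13:38:10.771116+00:00 GCap.domain.tld charon: 06[IKE] deleting IKE_SA GCenter[4] between 10.2.19.152[C=FR, O=GATEWATCHER, CN=GCap.domain.tld]...2.3.4.5[CN=GCenter.domain.tld.com]
2022-02-03T13:38:13.085957+00:00 GCap.domain.tld charon: 16[IKE] IKE_SA deleted
2022-02-03T13:38:13.141553+00:00 GCap.domain.tld charon: 16[IKE] initiating IKE_SA GCenter[5] to 2.3.4.5
2022-02-03T13:38:13.364748+00:00 GCap.domain.tld charon: 07[IKE] establishing CHILD_SA GCenter{18} reqid 2
2022-02-03T13:38:14.827308+00:00 GCap.domain.tld charon: 12[IKE] IKE_SA GCenter[5] established between 10.2.19.152[C=FR, O=GATEWATCHER, CN=GCap.domain.tld]...2.3.4.5[CN=GCenter.domain.tld.com]
2022-02-03T14:10:26.682897+00:00 GCap.domain.tld sshd[338675]: error: PAM: Authentication failure for root from 1.2.3.4
2022-02-03T14:10:26.785321+00:00 GCap.domain.tld sshd[338675]: Connection closed by authenticating user root 1.2.3.4 port 3592 [preauth]
2022-02-03T14:10:31.100000+00:00 GCap.domain.tld sshd[338690]: error: PAM: Authentication failure for root from 1.2.3.4
2022-02-03T14:10:36.200000+00:00 GCap.domain.tld sshd[338702]: error: PAM: Authentication failure for root from 1.2.3.4
2022-02-03T14:20:00.000000+00:00 GCap.domain.tld sshd[338800]: error: PAM: Authentication failure for admin from 5.6.7.8
""".splitlines()

# "<timestamp> <host> <program>[pid]: <message>"; the pid part is optional (charon has none).
HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[\w.-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"PAM: Authentication failure for (?P<user>\S+) from (?P<ip>\S+)")
IKE_ESTABLISHED_RE = re.compile(r"IKE_SA (?P<sa>\S+) established")
IKE_DELETING_RE = re.compile(r"deleting IKE_SA (?P<sa>\S+)")


def parse(line):
    """Split one syslog-style line into timestamp, host, program and message."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "prog": m["prog"], "msg": m["msg"]}


def ssh_failures(lines):
    """Map (user, source ip) -> sorted list of PAM failure timestamps."""
    out = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["prog"] == "sshd":
            f = SSH_FAIL_RE.search(rec["msg"])
            if f:
                out[(f["user"], f["ip"])].append(rec["ts"])
    for times in out.values():
        times.sort()
    return dict(out)


def brute_force_candidates(lines, threshold=3, window_seconds=60):
    """(user, ip) pairs with at least `threshold` failures inside any `window_seconds` span."""
    hits = []
    for key, times in ssh_failures(lines).items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits.append(key)
                break
    return hits


def ike_sa_state(lines):
    """Last state ('established' or 'deleted') of each named IKE_SA in charon messages."""
    state = {}
    for line in lines:
        rec = parse(line)
        if not rec or rec["prog"] != "charon":
            continue
        m = IKE_ESTABLISHED_RE.search(rec["msg"])
        if m:
            state[m["sa"]] = "established"
            continue
        m = IKE_DELETING_RE.search(rec["msg"])
        if m:
            state[m["sa"]] = "deleted"
    return state


if __name__ == "__main__":
    print("repeated SSH failures:", brute_force_candidates(SAMPLE_LINES))
    print("IKE_SA state:", ike_sa_state(SAMPLE_LINES))
```

A reauthentication that only ever logs "deleting IKE_SA" with no later "established" for the replacement SA is what a broken GCap to GCenter tunnel looks like in this log, so checking the final state per SA name is more useful than grepping for individual lines.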

8.1.4. Information on the activity of the various applications used: var-log-daemon

This log contains information about the activity of the different applications used.
Some examples of useful lines:

  • Configuration synchronisation with the GCenter

2022-02-03T16:25:35.583926+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Successfully rsynced GCap.domain.tld-rules/suricata_configuration.json: 
2022-02-03T16:25:35.840272+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Successfully rsynced GCap.domain.tld-rules-static/v2.0/codebreaker_shellcode.rules: 
2022-02-03T16:25:35.840643+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Codebreaker file /data/containers/suricata/etc/suricata/rules/codebreaker_shellcode.rules was identical
2022-02-03T16:25:35.975630+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Successfully rsynced GCap.domain.tld-rules-static/v2.0/codebreaker_powershell.rules: 
2022-02-03T16:25:35.975771+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Codebreaker file /data/containers/suricata/etc/suricata/rules/codebreaker_powershell.rules was identical

8.1.5. User activity information: var-log-user

This log contains information about the activity of the GCap users.
Some examples of useful lines:

  • Detection engine start-up

2022-02-03T14:18:26.428461+00:00 GCap.domain.tld root: [GCap_suricata_tools.suricata-INFO] Detection Engine successfully started!

  • Actions performed via the gcap-cli command

2022-02-03T16:47:50.636706+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 656] : [GCap_cli.main-NOTICE] Starting CLI
2022-02-03T16:47:50.636768+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 676] : [GCap_cli.main-INFO] Acquiring lock
2022-02-03T16:47:50.636832+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 686] : [GCap_cli.main-INFO] Running single CLI command
2022-02-03T16:47:50.784347+00:00 GCap.domain.tld GCap-setup (root) [main main.py default 530] : [GCap_cli.main-NOTICE] [user root] Running CLI command 'show logs var-log-kernel'
2022-02-03T16:47:50.784889+00:00 GCap.domain.tld GCap-setup (root) [inspect inspect.py run 332] : [GCap_setup.inspect-NOTICE] Starting inspect procedure
2022-02-03T16:47:50.784930+00:00 GCap.domain.tld GCap-setup (root) [inspect inspect.py run 339] : [GCap_setup.inspect-NOTICE] Selecting inspection action: `View kernel logs (/var/log/kern.logs)`
2022-02-03T16:47:51.714026+00:00 GCap.domain.tld GCap-setup (root) [inspect inspect.py run 336] : [GCap_setup.inspect-NOTICE] Stopping inspect procedure
2022-02-03T16:47:51.718373+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 710] : [GCap_cli.main-NOTICE] [user root] Stopping CLI
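The gcap-cli lines above form an audit trail: each session opens with "Starting CLI", records the user and the exact command, and closes with "Stopping CLI". The following Python script is an added example, not code from the GCap product or this documentation. It groups var-log-user lines into CLI sessions (who ran which commands, and when the session started and stopped) and separately lists detection-engine start events. The sample lines are constructed copies of the extract above plus an invented second session for a user "admin"; the line layout and the "[user X] Running CLI command '...'" pattern are assumptions taken from that extract.

```python
import re
from datetime import datetime

# Constructed sample modelled on the var-log-user extract above; the second
# session for user "admin" is invented to show more than one session.
SAMPLE_LINES = """\
2022-02-03T14:18:26.428461+00:00 GCap.domain.tld root: [GCap_suricata_tools.suricata-INFO] Detection Engine successfully started!
2022-02-03T16:47:50.636706+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 656] : [GCap_cli.main-NOTICE] Starting CLI
2022-02-03T16:47:50.636768+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 676] : [GCap_cli.main-INFO] Acquiring lock
2022-02-03T16:47:50.784347+00:00 GCap.domain.tld GCap-setup (root) [main main.py default 530] : [GCap_cli.main-NOTICE] [user root] Running CLI command 'show logs var-log-kernel'
2022-02-03T16:47:50.784889+00:00 GCap.domain.tld GCap-setup (root) [inspect inspect.py run 332] : [GCap_setup.inspect-NOTICE] Starting inspect procedure
2022-02-03T16:47:51.714026+00:00 GCap.domain.tld GCap-setup (root) [inspect inspect.py run 336] : [GCap_setup.inspect-NOTICE] Stopping inspect procedure
2022-02-03T16:47:51.718373+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 710] : [GCap_cli.main-NOTICE] [user root] Stopping CLI
2022-02-03T17:02:10.000000+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 656] : [GCap_cli.main-NOTICE] Starting CLI
2022-02-03T17:02:10.500000+00:00 GCap.domain.tld GCap-setup (root) [main main.py default 530] : [GCap_cli.main-NOTICE] [user admin] Running CLI command 'show version'
2022-02-03T17:02:11.000000+00:00 GCap.domain.tld GCap-setup (root) [main main.py default 530] : [GCap_cli.main-NOTICE] [user admin] Running CLI command 'show logs var-log-auth'
2022-02-03T17:02:12.000000+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 710] : [GCap_cli.main-NOTICE] [user admin] Stopping CLI
""".splitlines()

# "<ts> <host> GCap-setup (<os user>) [<module file func line>] : [<logger>-<LEVEL>] <message>"
CLI_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+GCap-setup\s+\((?P<osuser>[^)]+)\)\s+\[(?P<src>[^\]]+)\]\s+:\s+"
    r"\[(?P<logger>[^\]-]+)-(?P<level>[A-Z]+)\]\s+(?P<msg>.*)$"
)
CMD_RE = re.compile(r"\[user (?P<user>\S+)\] Running CLI command '(?P<cmd>[^']*)'")
# "<ts> <host> root: [GCap_suricata_tools.suricata-<LEVEL>] <message>"
ENGINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+root:\s+\[GCap_suricata_tools\.suricata-(?P<level>[A-Z]+)\]\s+(?P<msg>.*)$"
)


def cli_sessions(lines):
    """Group gcap-cli lines into sessions: start time, end time, user and commands run."""
    sessions, current = [], None
    for line in lines:
        m = CLI_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.fromisoformat(m["ts"]), m["msg"]
        if msg == "Starting CLI":
            current = {"start": ts, "end": None, "user": None, "commands": []}
            sessions.append(current)
        elif current is not None:
            c = CMD_RE.search(msg)
            if c:
                current["user"] = c["user"]
                current["commands"].append(c["cmd"])
            elif msg.endswith("Stopping CLI"):
                current["end"] = ts
                current = None
    return sessions


def engine_starts(lines):
    """Timestamps at which the detection engine reported a successful start."""
    starts = []
    for line in lines:
        m = ENGINE_RE.match(line)
        if m and "successfully started" in m["msg"]:
            starts.append(datetime.fromisoformat(m["ts"]))
    return starts


if __name__ == "__main__":
    for s in cli_sessions(SAMPLE_LINES):
        duration = (s["end"] - s["start"]).total_seconds() if s["end"] else None
        print(f"{s['start'].isoformat()} user={s['user']} duration={duration}s commands={s['commands']}")
    print("engine starts:", [t.isoformat() for t in engine_starts(SAMPLE_LINES)])
```

A session with a start but no end, or commands attributed to a user that is not expected to administer the probe, is the kind of thing to look for when reviewing this log after a change on the GCap.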

8.1.6. Debug events: var-log-debug

This log contains debug events.
This log is mainly used by support during advanced troubleshooting.


8.1.7. Aggregation of different logs: var-log-messages

This log contains the aggregation of the different logs listed above.


8.1.8. Scheduled task start information: var-log-cron

This log contains the launch information of scheduled tasks.