9.3.4. monitoring-engine

A - Introduction

The GCap detection engine captures network traffic and analyses it to generate security events such as alerts and metadata.
The `monitoring-engine` command is used to:
  • Start the detection engine

  • Stop the detection engine

  • Check the status of the detection engine

    Note

    For this command, there are advanced options (see the `set monitoring-engine` section).
    Once the capture engine is enabled, some GCap configuration commands are no longer accessible.
    This information is indicated by the "Dependencies" field in the description of each command.
    The capture engine must be disabled to make them accessible again.
    If the GCap configuration is changed via the GCenter, the detection engine is reloaded automatically.
    If the GCap device is restarted, there is no impact on the detection engine status.

B - Prerequisites

  • User: setup, gviewadm

  • Dependencies:

    • Add the IP of the GCenter (`set gcenter-ip`).

    • Pair the GCap and the GCenter.

    • Choose the GCenter compatibility version.

    • Activate at least one capture interface.

    Note

    If the `sanity-checks` option is set to `enable`, the detection engine starts only after verifying that at least one `monx` capture interface has been activated and that a cable is connected.


C - Command

`monitoring-engine {status|start|stop}`


9.3.4.1. Example of displaying the status of the detection engine

The command prompt is displayed.

(gcap-cli)
  1. Enter the command

    (gcap-cli) monitoring-engine status
    
  2. Validate
    The system displays the engine status.
    Detection engine is down
    

    Meaning:

    • Detection engine `down`: the engine is inactive

    • Detection engine `up`: the engine is active
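While the detection engine is down, GCap generates no alerts or metadata, so its state is worth checking from outside the appliance. The following script is an added example, not part of the GCap documentation: it classifies the text that gcap-cli prints (the `Detection engine is up`/`down` status line or the `[Monitoring UP]`/`Monitoring DOWN` prompt marker shown on this page) into a monitoring verdict and exit code. How the text is captured (for example from a gcap-cli session) is assumed and not shown; the sample outputs are constructed from the examples on this page.

```shell
#!/bin/sh
# Added example, not part of the GCap documentation: classify the detection
# engine state from the text gcap-cli prints, so an external monitoring job can
# raise an alert when the engine is down (while it is down, no alerts or
# metadata are generated and the probe is effectively blind).
#
# Assumption: you already have the text of `monitoring-engine status` or the
# gcap-cli prompt captured by whatever session mechanism you use; obtaining it
# is outside this example. The recognised strings are the ones shown on this
# page: "Detection engine is up|down" and the "[Monitoring UP]" /
# "Monitoring DOWN" prompt markers.

# engine_state TEXT
#   Prints "up", "down" or "unknown" and returns 0, 1 or 2 respectively.
engine_state() {
    case "$1" in
        *"Detection engine is up"*|*"Monitoring UP"*)
            printf 'up\n';      return 0 ;;
        *"Detection engine is down"*|*"Monitoring DOWN"*)
            printf 'down\n';    return 1 ;;
        *)
            printf 'unknown\n'; return 2 ;;
    esac
}

# check_engine TEXT
#   Prints a one-line verdict in the OK/CRITICAL/UNKNOWN style used by most
#   monitoring systems and returns 0 only when the engine is confirmed up.
#   Unrecognised output is a failure, not a pass, so a changed output format
#   cannot silently hide an outage.
check_engine() {
    if state=$(engine_state "$1"); then rc=0; else rc=$?; fi
    case "$state" in
        up)   printf 'OK: detection engine is active\n' ;;
        down) printf 'CRITICAL: detection engine is inactive; no alerts or metadata are being generated\n' ;;
        *)    printf 'UNKNOWN: unrecognised gcap-cli output: %s\n' "$1" ;;
    esac
    return "$rc"
}

# Constructed sample outputs, taken from the examples on this page.
SAMPLE_STATUS_DOWN='Detection engine is down'
SAMPLE_PROMPT_UP='[Monitoring UP] gcap-name (gcap-cli)'

for sample in "$SAMPLE_STATUS_DOWN" "$SAMPLE_PROMPT_UP"; do
    check_engine "$sample" || :   # keep going even when the verdict is non-zero
done
```

The exit codes follow the usual monitoring convention (0 OK, 1 CRITICAL, 2 UNKNOWN), so the script can be dropped into a scheduled check; treating unrecognised output as UNKNOWN rather than OK is the important design choice, since a silently failing check is the same blind spot as a stopped engine.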


9.3.4.2. Example to start the detection engine

The system displays the following command prompt:

Monitoring DOWN gcap-name (gcap-cli)

The command prompt indicates the status of the detection engine: here it is stopped.

  1. Enter the command

    (gcap-cli) monitoring-engine start
    
  2. Validate

  3. Check the status of the detection engine

    The system displays the following command prompt:

    [Monitoring UP] gcap-name (gcap-cli)
    

    The command prompt indicates the status of the detection engine: here it is started.


9.3.4.3. Example of stopping the detection engine

The system displays the following command prompt:

[Monitoring UP] gcap-name (gcap-cli)

The command prompt indicates the status of the detection engine: here it is started.

  1. Enter the command

    (gcap-cli) monitoring-engine stop
    
  2. Validate

  3. Check the status of the detection engine

    Monitoring DOWN gcap-name (gcap-cli)
    

    The command prompt indicates the status of the detection engine: here it is stopped.