11.1. The log files

The GCap event log files listed below can be consulted. The name in the right-hand column identifies the file; it is the argument given to the `show logs` command of the `gcap-cli` (the var-log-user example in section 11.1.5 shows `show logs var-log-kernel` opening the kernel log).

To display                                                        File name
----------------------------------------------------------------  ----------------------
detection engine events                                           detection-engine-logs
kernel events                                                     var-log-kernel
the aggregation of the different logs                             var-log-messages
GCap authentication information                                   var-log-auth
the launch information of scheduled tasks                         var-log-cron
information about the activity of the various applications used   var-log-daemon
information on the activity of the GCap users                     var-log-user
debugging events                                                  var-log-debug


11.1.1. Detection engine events: detection-engine-logs

This log contains the events of the detection engine (Suricata).
They give additional information on the status of the detection engine and on its errors, in particular signatures that could not be loaded.
Some examples of useful lines:
  • End of startup

[97] <Info> -- All AFP capture threads are running.
  • End of rule reload

[76] <Info> -- cleaning up signature grouping structure... complete
[76] <Notice> -- rule reload complete
  • Rule loading error

[76] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
[76] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 $EXTERNAL_NET any -> $INTERNAL_NET any (msg: "Failing rule"; sid:2000001; rev:1;) from file /etc/suricata/rules/local_all.rules at line 1
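A small parser for the detection-engine-logs format shown above, as an added example (not GCap or Suricata code). It assumes only the line shape visible in the examples, `[<thread id>] <Level> -- <message>`, and the `[ERRCODE: NAME(number)] - detail` prefix of the error lines; the sample input is the example lines from this section concatenated. The point it makes is that "rule reload complete" is logged even when individual signatures were rejected, so the Error lines around it have to be checked as well.

```python
import re
from collections import Counter

# Added example, not GCap/Suricata project code. Parses the
# "[<thread id>] <Level> -- <message>" lines of detection-engine-logs and
# extracts the Suricata error code and, for signature parse errors, the
# offending rule file and line.
LINE_RE = re.compile(r"^\[(?P<tid>\d+)\] <(?P<level>\w+)> -- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<name>[A-Z_0-9]+)\((?P<code>\d+)\)\] - (?P<detail>.*)$")
RULE_LOC_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")

# Constructed sample: the example lines from this section, in one log.
SAMPLE = """\
[97] <Info> -- All AFP capture threads are running.
[76] <Info> -- cleaning up signature grouping structure... complete
[76] <Notice> -- rule reload complete
[76] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
[76] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 $EXTERNAL_NET any -> $INTERNAL_NET any (msg: "Failing rule"; sid:2000001; rev:1;) from file /etc/suricata/rules/local_all.rules at line 1
"""


def parse_line(line):
    """Return a dict for one engine log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"tid": int(m["tid"]), "level": m["level"], "msg": m["msg"],
           "errcode": None, "errnum": None, "rule_file": None, "rule_line": None}
    e = ERRCODE_RE.match(rec["msg"])
    if e:
        rec["errcode"] = e["name"]
        rec["errnum"] = int(e["code"])
        loc = RULE_LOC_RE.search(e["detail"])
        if loc:  # only signature parse errors carry a file/line location
            rec["rule_file"] = loc["file"]
            rec["rule_line"] = int(loc["line"])
    return rec


def summarize(text):
    """Answer the three questions an operator asks of this log: is capture
    running, did the last rule reload finish, and which rules were rejected."""
    lines = [l for l in text.splitlines() if l]
    recs = [r for r in (parse_line(l) for l in lines) if r]
    return {
        "capture_running": any("capture threads are running" in r["msg"] for r in recs),
        "reload_complete": any(r["msg"] == "rule reload complete" for r in recs),
        "errors": Counter(r["errcode"] for r in recs if r["level"] == "Error"),
        "bad_rules": [(r["rule_file"], r["rule_line"]) for r in recs if r["rule_file"]],
        "unparsed": len(lines) - len(recs),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on the sample reports both `reload_complete` and two Error lines; a monitoring check should alert on the errors rather than on the absence of the "rule reload complete" line.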

11.1.2. Kernel related events: var-log-kernel

This log contains the kernel events (network drivers, hardware, link state).
Some examples of useful information:
  • Change of link status on a network interface (mon0 in the example)

2022-02-03T12:48:39.578422+00:00 GCap.domain.tld kernel: [ 9149.189652] i40e 0000:17:00.0 mon0: NIC Link is Down
2022-02-03T12:48:40.457410+00:00 GCap.domain.tld kernel: [ 9150.068228] i40e 0000:17:00.0 mon0: NIC Link is Up, 10 Gbps Full Duplex, Flow Control: None

11.1.3. GCap authentication information: var-log-auth

This log contains the GCap authentication events: SSH logins checked through PAM, and the IPsec (IKE) negotiations of the tunnel with the GCenter.
Some examples of useful lines:
  • SSH authentication failure (the source address is in the PAM line)

2022-02-03T14:10:17.680152+00:00 GCap.domain.tld sshd: root [pam]#000[338683]: level=error msg="failed to check credentials for \"root\": \"invalid password: password mismatch\""
2022-02-03T14:10:26.682897+00:00 GCap.domain.tld sshd[338675]: error: PAM: Authentication failure for root from 1.2.3.4
2022-02-03T14:10:26.785321+00:00 GCap.domain.tld sshd[338675]: Connection closed by authenticating user root 1.2.3.4 port 3592 [preauth]
  • IPsec (IKE) events for the tunnel to the GCenter: reauthentication, deletion and re-establishment of the IKE_SA

2022-02-03T13:38:10.770453+00:00 GCap.domain.tld charon: 06[IKE] reauthenticating IKE_SA GCenter[4]
2022-02-03T13:38:10.771116+00:00 GCap.domain.tld charon: 06[IKE] deleting IKE_SA GCenter[4] between 10.2.19.152[C=FR, O=GATEWATCHER, CN=lenovo-se350-int-sla.gatewatcher.com]...2.3.4.5[CN=GCenter.domain.tld.com]
2022-02-03T13:38:13.085957+00:00 GCap.domain.tld charon: 16[IKE] IKE_SA deleted
2022-02-03T13:38:13.141553+00:00 GCap.domain.tld charon: 16[IKE] initiating IKE_SA GCenter[5] to 2.3.4.5
2022-02-03T13:38:13.364748+00:00 GCap.domain.tld charon: 07[IKE] establishing CHILD_SA GCenter{18} reqid 2
2022-02-03T13:38:14.827308+00:00 GCap.domain.tld charon: 12[IKE] IKE_SA GCenter[5] established between 10.2.19.152[C=FR, O=GATEWATCHER, CN=GCap.domain.tld]...2.3.4.5[CN=GCenter.domain.tld.com]
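An added example (not GCap code) that reads the syslog-style lines of the two preceding sections, var-log-kernel and var-log-auth, and extracts what an operator checks first: link flaps on the capture interface, failed SSH logins per source address, and whether the IKE_SA to the GCenter ended up established. It assumes the line shape visible in the examples, `<ISO timestamp> <host> <program>[<pid>]: <message>`; the sample input is the example lines of those two sections.

```python
import re
from collections import Counter

# Added example, not GCap project code. Splits "<timestamp> <host> <prog>[<pid>]: <msg>"
# lines and runs three detectors over them.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$")
LINK_RE = re.compile(r"(?P<iface>\S+): NIC Link is (?P<state>Up|Down)")
# Only the PAM failure line is counted, so one failed login is not counted twice
# (the "Connection closed by authenticating user" line follows every failure).
SSH_FAIL_RE = re.compile(r"Authentication failure for (?P<user>\S+) from (?P<ip>\S+)")
IKE_ESTABLISHED_RE = re.compile(r"IKE_SA \S+\[\d+\] established")
IKE_DELETED_RE = re.compile(r"\bIKE_SA deleted\b")

# Constructed sample: the kernel and auth example lines of this section.
SAMPLE = """\
2022-02-03T12:48:39.578422+00:00 GCap.domain.tld kernel: [ 9149.189652] i40e 0000:17:00.0 mon0: NIC Link is Down
2022-02-03T12:48:40.457410+00:00 GCap.domain.tld kernel: [ 9150.068228] i40e 0000:17:00.0 mon0: NIC Link is Up, 10 Gbps Full Duplex, Flow Control: None
2022-02-03T14:10:17.680152+00:00 GCap.domain.tld sshd: root [pam]#000[338683]: level=error msg="failed to check credentials for \\"root\\": \\"invalid password: password mismatch\\""
2022-02-03T14:10:26.682897+00:00 GCap.domain.tld sshd[338675]: error: PAM: Authentication failure for root from 1.2.3.4
2022-02-03T14:10:26.785321+00:00 GCap.domain.tld sshd[338675]: Connection closed by authenticating user root 1.2.3.4 port 3592 [preauth]
2022-02-03T13:38:10.770453+00:00 GCap.domain.tld charon: 06[IKE] reauthenticating IKE_SA GCenter[4]
2022-02-03T13:38:10.771116+00:00 GCap.domain.tld charon: 06[IKE] deleting IKE_SA GCenter[4] between 10.2.19.152[C=FR, O=GATEWATCHER, CN=lenovo-se350-int-sla.gatewatcher.com]...2.3.4.5[CN=GCenter.domain.tld.com]
2022-02-03T13:38:13.085957+00:00 GCap.domain.tld charon: 16[IKE] IKE_SA deleted
2022-02-03T13:38:13.141553+00:00 GCap.domain.tld charon: 16[IKE] initiating IKE_SA GCenter[5] to 2.3.4.5
2022-02-03T13:38:13.364748+00:00 GCap.domain.tld charon: 07[IKE] establishing CHILD_SA GCenter{18} reqid 2
2022-02-03T13:38:14.827308+00:00 GCap.domain.tld charon: 12[IKE] IKE_SA GCenter[5] established between 10.2.19.152[C=FR, O=GATEWATCHER, CN=GCap.domain.tld]...2.3.4.5[CN=GCenter.domain.tld.com]
"""


def parse_syslog(line):
    """Split one line into ts/host/prog/pid/msg, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def analyze(text):
    link_events, ssh_failures, ike_events = [], Counter(), []
    for line in text.splitlines():
        rec = parse_syslog(line)
        if rec is None:
            continue
        ts, prog, msg = rec["ts"], rec["prog"], rec["msg"]
        if prog == "kernel":
            m = LINK_RE.search(msg)
            if m:
                link_events.append((ts, m["iface"], m["state"]))
        elif prog == "sshd":
            m = SSH_FAIL_RE.search(msg)
            if m:
                ssh_failures[(m["user"], m["ip"])] += 1
        elif prog == "charon":
            if IKE_ESTABLISHED_RE.search(msg):
                ike_events.append((ts, "established"))
            elif IKE_DELETED_RE.search(msg):
                ike_events.append((ts, "deleted"))
    return {
        "link_events": link_events,
        "link_down_count": Counter(iface for _, iface, st in link_events if st == "Down"),
        "ssh_failures": ssh_failures,
        "ike_events": ike_events,
        # The tunnel state is whatever the last IKE_SA event says.
        "tunnel_up": bool(ike_events) and ike_events[-1][1] == "established",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The "deleting IKE_SA" line is deliberately not counted: in the example it is the normal first step of a reauthentication, and the tunnel is back within seconds. What matters is the last event, and a log that ends on "IKE_SA deleted" without a later "established" is the condition to alert on.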

11.1.4. Information on the activity of the various applications used: var-log-daemon

This log contains the activity of the various applications running on the GCap.
Some examples of useful lines:
  • Synchronization of the detection engine configuration and rule files from the GCenter (rsync)

2022-02-03T16:25:35.583926+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Successfully rsynced GCap.domain.tld-rules/suricata_configuration.json:
2022-02-03T16:25:35.840272+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Successfully rsynced GCap.domain.tld-rules-static/v2.0/codebreaker_shellcode.rules:
2022-02-03T16:25:35.840643+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Codebreaker file /data/containers/suricata/etc/suricata/rules/codebreaker_shellcode.rules was identical
2022-02-03T16:25:35.975630+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Successfully rsynced GCap.domain.tld-rules-static/v2.0/codebreaker_powershell.rules:
2022-02-03T16:25:35.975771+00:00 GCap.domain.tld GCenter_gateway.xfer [xfer] : [INFO] Codebreaker file /data/containers/suricata/etc/suricata/rules/codebreaker_powershell.rules was identical

11.1.5. User activity information: var-log-user

This log contains the activity of the GCap users: commands run through the `gcap-cli` and the operations they trigger.
Some examples of useful lines:
  • Detection engine startup

2022-02-03T14:18:26.428461+00:00 GCap.domain.tld root: [GCap_suricata_tools.suricata-INFO] Detection Engine successfully started!
  • Actions performed via the `gcap-cli` command

2022-02-03T16:47:50.636706+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 656] : [GCap_cli.main-NOTICE] Starting CLI
2022-02-03T16:47:50.636768+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 676] : [GCap_cli.main-INFO] Acquiring lock
2022-02-03T16:47:50.636832+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 686] : [GCap_cli.main-INFO] Running single CLI command
2022-02-03T16:47:50.784347+00:00 GCap.domain.tld GCap-setup (root) [main main.py default 530] : [GCap_cli.main-NOTICE] [user root] Running CLI command 'show logs var-log-kernel'
2022-02-03T16:47:50.784889+00:00 GCap.domain.tld GCap-setup (root) [inspect inspect.py run 332] : [GCap_setup.inspect-NOTICE] Starting inspect procedure
2022-02-03T16:47:50.784930+00:00 GCap.domain.tld GCap-setup (root) [inspect inspect.py run 339] : [GCap_setup.inspect-NOTICE] Selecting inspection action: `View kernel logs (/var/log/kern.logs)`
2022-02-03T16:47:51.714026+00:00 GCap.domain.tld GCap-setup (root) [inspect inspect.py run 336] : [GCap_setup.inspect-NOTICE] Stopping inspect procedure
2022-02-03T16:47:51.718373+00:00 GCap.domain.tld GCap-setup (root) [main main.py handle_shell 710] : [GCap_cli.main-NOTICE] [user root] Stopping CLI

11.1.6. Debug events: var-log-debug

This log contains debug events.
It is mainly used by support during advanced troubleshooting.

11.1.7. Aggregation of different logs: var-log-messages

This log contains the aggregation of the different logs listed above; a line seen in one of the specific logs also appears here.


11.1.8. Scheduled task start information: var-log-cron

This log contains the launch information of the scheduled tasks (cron jobs).