2.3. Data use

The GCenter server works with log files.
These log files record all the traffic captured by the GCap probe as well as the information reported by the GScan.
The data created by the GCap and GCenter is of various types:
This data can, if necessary, be managed by the administrator.
This management involves:

2.3.1. Detection data

In addition to the dashboards available in the GCenter web interface, the data reported by the solution can be sent over the syslog protocol to external equipment (such as a SIEM) for further processing.


2.3.1.1. Exporting data via the Syslog protocol

The GCenter lets administrators configure up to two data exports, each to a different destination.
Data can be exported to a SIEM, for example.
Once an export is activated, all selected data is sent to the configured destination.
The administrator chooses which data to export.

Note

Only "alert" and "metadata" type data are exported.
No GCenter or GCap system log file is included in this export.

For more information, see the presentation in the `Admin-GCenter-Data exports` screen of the legacy web UI.
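The export above hands alert and metadata records to equipment the GCenter does not control, and plain syslog carries no sender authentication, so the receiving side has to decide what it trusts. The following collector-side sketch is an added example written for this page; it is not Gatewatcher code and does not reproduce the GCenter's real export format, which this page does not document. It parses RFC 5424 framing, accepts datagrams only from an expected source address, and flags anything that is not "alert" or "metadata" data. The sample datagrams, the `ALLOWED_SOURCES` address, and the use of the RFC 5424 MSGID field to carry the data type are constructed assumptions.

```python
"""RFC 5424 syslog collector sketch: source filtering plus alert/metadata routing.

Added example for the GCenter syslog export section. Not Gatewatcher code; the
message bodies, addresses and MSGID convention below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: the collector only trusts datagrams from the GCenter management
# address. The page says a GCenter can target two destinations; this is the
# mirror-image control on the receiving side.
ALLOWED_SOURCES = {ipaddress.ip_address("10.0.0.5")}

# Constructed datagrams: (source address, raw syslog line). MSGID carries the
# data type ("alert" / "metadata") purely as an assumption of this example.
SAMPLE_DATAGRAMS: List[Tuple[str, str]] = [
    ("10.0.0.5", '<134>1 2024-05-02T10:15:30.123Z gcenter01 gcenter - alert '
                 '[meta@12345 sig_id="2024001"] {"event_type":"alert","src_ip":"192.0.2.10"}'),
    ("10.0.0.5", '<134>1 2024-05-02T10:15:31.000Z gcenter01 gcenter - metadata - '
                 '{"event_type":"dns","rrname":"example.com"}'),
    # Same shape, but from an address that is not the GCenter: must be dropped.
    ("198.51.100.7", '<134>1 2024-05-02T10:15:32.000Z rogue - - alert - {"event_type":"alert"}'),
    # Not syslog at all: must be rejected rather than crash the pipeline.
    ("10.0.0.5", "garbage line"),
]

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) "
    r"(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    msgid: str
    structured_data: str
    message: str


def parse_rfc5424(line: str) -> SyslogEvent:
    """Parse one RFC 5424 line; raise ValueError on anything that does not fit."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23, severity 0..7 => PRI <= 191
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m["timestamp"],
        host=m["host"],
        app=m["app"],
        msgid=m["msgid"],
        structured_data=m["sd"],
        message=m["msg"] or "",
    )


def accept(source_ip: str, line: str) -> Optional[SyslogEvent]:
    """Drop datagrams from unexpected senders before parsing anything."""
    if ipaddress.ip_address(source_ip) not in ALLOWED_SOURCES:
        return None
    return parse_rfc5424(line)


def collect(datagrams: List[Tuple[str, str]]) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Count accepted alert/metadata records and list everything that was rejected."""
    counts = {"alert": 0, "metadata": 0}
    rejected: List[Tuple[str, str]] = []
    for src, line in datagrams:
        try:
            event = accept(src, line)
        except ValueError as exc:
            rejected.append((src, str(exc)))
            continue
        if event is None:
            rejected.append((src, "source not allowed"))
            continue
        if event.msgid in counts:
            counts[event.msgid] += 1
        else:
            # Per the note above, only alert and metadata should ever arrive.
            rejected.append((src, f"unexpected data type {event.msgid!r}"))
    return counts, rejected


if __name__ == "__main__":
    accepted, dropped = collect(SAMPLE_DATAGRAMS)
    print("accepted:", accepted)
    for src, reason in dropped:
        print(f"rejected from {src}: {reason}")
```

Run as-is, the sample feed yields one alert and one metadata record and two rejections (the spoofed sender and the malformed line). A production collector would read the datagrams from a socket and write the accepted records to the SIEM; the filtering logic is unchanged.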


2.3.3. Management and system status data

This data enables the following functions:


2.3.3.1. Viewing the system status

  • Legacy WEB GUI:
    System status data is managed through the legacy WEB UI.
  • Gstats GUI:
    System status data is also collected by Netdata services.
    Specifically, each GCap runs a Netdata service that sends its information to the Netdata server hosted on the GCenter.
    Similarly, the GCenter itself runs a Netdata service that sends its information to that same internal Netdata server.
    The GCenter's internal Netdata server displays this data through the Gstats graphical interface.
    For more information, see Overview of the Netdata User Interface.

2.3.3.2. Export system state data to remote servers

2.3.3.2.1. Export data to a Netdata server

In addition to the Netdata interface used by Gstats, the GCenter has a second Netdata export interface whose purpose is to export data to an external server.
This interface must be configured: for more information, see the presentation of the `Admin-GCenter-Configuration` screen of the legacy web UI.
For implementation, see Configuring the Netdata export interface.

2.3.3.2.2. Data retrieval by a Nagios server

For more information, see the presentation in the `Admin-GCenter-Configuration` screen of the legacy web UI.


2.3.3.3. System management and configuration

System management, in particular configuration, is carried out via:

In the event of a blocking problem, the solution logs must be accessed in order to resolve it.
This information is used for diagnosis in collaboration with GATEWATCHER support.
The diagnostic function enables:
  • Generating log files and uploading them for analysis by GATEWATCHER support.
    The exported log archive is protected by a password known only to the GATEWATCHER administration team.
    The archive contains the messages from all logs as well as all system calls recorded by the system.
  • Generating the "Tech support" file and uploading it for analysis by an administrator.
    The "Tech support" file provides information on the health of the GCenter server but does not contain any captured data.
    This file is not encrypted and can be read by the administrator.

Note

In some sensitive environments, it may not be possible to extract the full set of non-anonymized logs that the Log files archive provides.
`Tech support` lets the administrator give support non-sensitive, anonymized diagnostic information instead.
The graphical interface of the diagnostic function is described in the paragraph `Admin-GCenter-Diagnostics` screen of the legacy web UI.

Note

A "Tech Support" file can also be generated from the setup menu.
For more information, see the Presentation of the configuration menu.
In both cases, the administrator generally needs to contact GATEWATCHER support.
These files enable the support team to identify potential malfunctions and resolve them.

2.3.4. Data retention

Data is stored on the GCenter for a limited time (called retention time) and for a maximum size.

Tip

Increasing the retention time increases the volume of stored data, which entails higher latencies and reduced performance and stability.

Note

Configuration is performed in two steps:

  • The first on the GCenter in this field,

  • The second step on the GCap detection probe in the configuration parameters.

These parameters are adjustable.
The graphical interface is described in the paragraph `Admin-GCenter-Configuration` screen of the legacy web UI.

2.3.5. Deleting data

After a full or incremental save by the backup functionality, logs older than the data retention time are automatically deleted, freeing up disk space.
Information can also be deleted manually, by selecting all or part of the types and dates of the information to remove.
This deletion period is chosen by the administrator; however, it cannot exceed the total retention period already configured in the solution.
The same applies to the ICAP and Syslog services.

Important

Data that has not yet been processed is also deleted.

The graphical interface is described in the paragraph `Admin-GCenter- Data Management` screen of the legacy web UI.
For implementation, see Deleting data (log files).