5.6.26. `Admin-GCenter - Data exports` screen of the legacy web UI

5.6.26.1. Introduction

It is possible to export events from the GCenter to remote servers such as a SIEM by using the syslog protocol.
The number of syslog destinations is limited to two.
Pressing the `Data Exports` command in the `Admin-GCenter` menu opens the following screen, which manages up to two log exports to two different destinations.
../../_images/DATA_EXPORT-01.PNG

The `Data exports` screen contains the following sections (the numbers are the callouts in the screenshot):

Item  Name
----  ----
7     1st export. The information available for this export is as follows:
1       `Type` field: type of export
2       `Name` field: here, the first logging server
3       `Last Change (UTC)` field: date of the last saved change
4       `Enabled` field: export status; here `False` because the export is not enabled
5       `Configure` button: opens the configuration window (see General settings below)
6     2nd export. The information available for this export is as follows:
1       `Type` field: type of export
2       `Name` field: here, the second logging server
3       `Last Change (UTC)` field: date of the last saved change
4       `Enabled` field: export status; here `False` because the export is not enabled
5       `Configure` button: opens the configuration window (see General settings below)


5.6.26.2. Setting up the connection

The connection to a server using syslog must be configured; this configuration is described in General settings.
The data to be exported can be:
  • alerts only, or

  • alerts and metadata

This choice is made with the `Message type` parameter of the Filtering Parameters screen.

Note

No GCenter or GCap system log is affected by this export.

The communication can be encrypted: this setting is described in the Encryption section.
For details on data management, see Data use.

5.6.26.3. General settings

../../_images/DATA_EXPORT-02.PNG

The `Data exports - GENERAL` screen contains the following sections (the numbers are the callouts in the screenshot):

Item  Name
----  ----
1     `GENERAL` button for the general log export settings. It displays the following settings:
15      `Enabled` field: enables or disables the syslog export.
14      `Name` field: name of the remote server, chosen by the administrator (Example: First logging server).
13      `Hostname` field: IP address or name of the remote server (Example: localhost or 192.168.199.1).
7       `Port` field: listening port of the remote server. The default value is 514 (6514 is the port registered for syslog over TLS by RFC 5425, if the remote server follows it).
12      `Codecs` field: codec used for the output data. Output codecs encode the data before export without the need for another filter. The default value is json (Example: json or idmef).
6       `RFC` field: selects the RFC used to normalise the messages (Example: 3164 or 5424).
11      `Facility` field: syslog facility written into every exported message. The default value is kernel (Example: kernel, user-level, mail, daemon, security/authorization, syslog, line printer, network news, uucp).
8       `Severity` field: syslog severity written into every exported message. The default value is emergency. The list of choices is shown in the table List of Severity field choices below. Every exported event carries the same facility and severity, so choose values the receiving SIEM will not treat as a system failure: the defaults kernel and emergency both encode to 0, which gives every message the priority `<0>`.
5       `Protocol` field: protocol used for data transfer. The default value is tcp (Example: tcp, udp or ssl_tcp).
10      `Output interface` field: interface of the GCenter used to reach the remote SIEM server (Example: mgmt0, sup0).
2     `FILTERS` button for filtering the data to be exported. For details of the parameters, see Filtering Parameters.
3     `ENCRYPTYON` button for encrypting the connection between the GCenter and the remote server. For details of the parameters, see Encryption.
4     Button to return to the `DATA EXPORTS` screen.
9     `Save` button. The changes will only take effect after this button is pressed.

List of Severity field choices:

Name           Description
----           -----------
Emergency      The system is unusable
Alert          Action must be taken immediately
Critical       Critical conditions
Error          Error conditions
Warning        Warning conditions
Notice         Normal but significant condition
Informational  Informational messages
Debug          Debug-level messages

Note

When TLS is enabled on the Encryption screen, the `Protocol` field must be set to ssl_tcp; when TLS is not enabled, the ssl_tcp choice is not available.
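The `Facility`, `Severity` and `RFC` settings above decide what the header of every exported message looks like on the SIEM side. The following added example (it is not GCenter code and the page does not describe the exact field layout of GCenter events) builds the RFC 3164 and RFC 5424 envelopes around a constructed JSON alert and parses them back, so that the effect of the page defaults (kernel and emergency, hence `<0>`) can be seen next to a more usual choice such as daemon and informational (`<30>`). Hostnames, the application name `gcenter` and the event payload are assumptions made for the example.

```python
"""Added example (not GCenter code): how the Facility, Severity and RFC
settings of the GENERAL screen end up in the syslog envelope a SIEM
receives, and how a receiver recovers them.  The JSON payload and the
hostnames are constructed for the example; only the envelope layout is
authoritative here (RFC 3164 section 4.1, RFC 5424 section 6)."""
import json
import re
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424, section 6.2.1.  Only the
# facilities listed on the page are included.
FACILITIES = {
    "kernel": 0, "user-level": 1, "mail": 2, "daemon": 3,
    "security/authorization": 4, "syslog": 5, "line printer": 6,
    "network news": 7, "uucp": 8,
}
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7,
}

# Constructed alert and timestamp, not real GCenter output.
SAMPLE_EVENT = {"event_type": "alert", "src_ip": "10.1.2.3",
                "dest_ip": "192.0.2.10", "alert": {"signature_id": 1000001}}
SAMPLE_TS = datetime(2024, 5, 3, 14, 7, 9, tzinfo=timezone.utc)


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; the page defaults (kernel, emergency) give 0."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(rfc: str, facility: str, severity: str, hostname: str,
                  app: str, payload: dict, ts: datetime) -> str:
    """Wrap a JSON-encoded event in an RFC 3164 or RFC 5424 header."""
    header = f"<{pri(facility, severity)}>"
    body = json.dumps(payload, separators=(",", ":"))
    if rfc == "3164":
        # RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, with the day space-padded.
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
        return f"{header}{stamp} {hostname} {app}: {body}"
    if rfc == "5424":
        # RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG,
        # with "-" (NILVALUE) for PROCID, MSGID and structured data.
        stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{header}1 {stamp} {hostname} {app} - - - {body}"
    raise ValueError(f"unsupported RFC {rfc!r}")


_RFC5424 = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$", re.S)
_RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): ?(.*)$",
    re.S)


def parse_message(raw: str) -> dict:
    """Receiver side: split the envelope and decode facility/severity from PRI."""
    m = _RFC5424.match(raw)
    if m:
        rfc, pri_value, host, app, body = "5424", int(m[1]), m[3], m[4], m[8]
    else:
        m = _RFC3164.match(raw)
        if not m:
            raise ValueError("not an RFC 3164 or RFC 5424 message")
        rfc, pri_value, host, app, body = "3164", int(m[1]), m[3], m[4], m[5]
    facility, severity = divmod(pri_value, 8)   # inverse of pri()
    return {"rfc": rfc, "pri": pri_value, "facility": facility,
            "severity": severity, "hostname": host, "app": app,
            "event": json.loads(body)}


if __name__ == "__main__":
    # Page defaults: every message arrives as <0>, facility kernel, severity emergency.
    print(build_message("3164", "kernel", "emergency", "gcenter", "gcenter",
                        SAMPLE_EVENT, SAMPLE_TS))
    # A choice a SIEM is more likely to route sensibly: daemon / informational -> <30>.
    msg = build_message("5424", "daemon", "informational", "gcenter", "gcenter",
                        SAMPLE_EVENT, SAMPLE_TS)
    print(msg)
    print(parse_message(msg))
```

Run the script to see the two envelopes side by side; the receiver in `parse_message` is the check to run against a capture from the real export to confirm that the SIEM decodes the facility and severity you configured.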


5.6.26.4. Filtering Parameters

The `Data exports - FILTERS` screen contains the following parts (the numbers are the callouts in the screenshot):

../../_images/DATA_EXPORT-03.PNG

Item  Parameter            Description
----  ---------            -----------
16    `Message type`       Type of event sent to the remote server: either alerts only, or alerts and metadata (Example: alerts, all).
17    `Ip addresses`       Filter by IP address or network. If the field is empty, all data is sent to the remote server.
18    `Gcaps`              Filter by GCap. If nothing is selected, all data from every GCap paired with the GCenter is sent to the remote server (Example: GCap1, GCap2).
19    `Additional fields`  Adds extra fields to every exported event. Each field is entered as a name (`Name`) and a value (`Values`) in this window. This parameter is not supported with the idmef codec.
20    `Protocols`          Selects the protocols to be exported (Example: dcerpc, dhcp, dnp3, dns, enip, ftp, http, http2, ikev2, krb5, mqtt, modbus, netflow, nfs, ntp, rdp, rfb, sip, smb, smtp, ssh, tftp and tls).
21    `Save`               The changes are only effective after pressing `Save`.

Note

`Select all` selects all the listed protocols; a protocol that is not selected is not exported.
If the GCap version is newer than that of the GCenter, some protocols may be missing from the list, and events of those protocols are then not exported.
To export everything, deactivate this filter with `Deselect all`.
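To make the behaviour of these filters concrete, and in particular the difference between `Select all` and a deactivated protocol filter noted above, here is an added simulation (not GCenter code) of the FILTERS screen run over a few constructed events. The page only states that an empty filter lets everything through, that `alerts` keeps alerts only, that an unselected protocol is not exported and that the idmef codec does not support additional fields; that the IP filter matches either the source or the destination address, the event field names (`event_type`, `src_ip`, `dest_ip`, `gcap`, `app_proto`) and the `quic` protocol standing in for one the GCenter does not yet list are assumptions made for the example.

```python
"""Added example (not GCenter code): a simulation of the FILTERS screen of
the data export applied to constructed events.  Which address fields the
IP filter matches (source or destination here) and the event field names
are assumptions; the rules for empty filters, `alerts`, unselected
protocols and the idmef codec follow the page."""
import ipaddress

# Protocol list as shown on the page; a GCap newer than the GCenter may
# produce protocols that are not in this list.
KNOWN_PROTOCOLS = (
    "dcerpc", "dhcp", "dnp3", "dns", "enip", "ftp", "http", "http2", "ikev2",
    "krb5", "mqtt", "modbus", "netflow", "nfs", "ntp", "rdp", "rfb", "sip",
    "smb", "smtp", "ssh", "tftp", "tls",
)

# Constructed events, not real GCenter output; "quic" stands in for a
# protocol the GCenter does not yet list.
SAMPLE_EVENTS = [
    {"event_type": "alert", "src_ip": "10.1.2.3", "dest_ip": "192.0.2.10",
     "gcap": "GCap1", "app_proto": "http"},
    {"event_type": "http", "src_ip": "10.1.2.3", "dest_ip": "192.0.2.10",
     "gcap": "GCap1", "app_proto": "http"},
    {"event_type": "alert", "src_ip": "172.16.5.5", "dest_ip": "198.51.100.7",
     "gcap": "GCap2", "app_proto": "smb"},
    {"event_type": "flow", "src_ip": "10.9.9.9", "dest_ip": "203.0.113.2",
     "gcap": "GCap2", "app_proto": "quic"},
]


def export_filter(events, message_type="all", networks=(), gcaps=(),
                  protocols=None, additional_fields=None, codec="json"):
    """Return the events that would leave the GCenter under the given filter.

    protocols=None means the protocol filter is deactivated (`Deselect all`);
    a tuple means only those protocols are selected (`Select all` gives
    KNOWN_PROTOCOLS).  Empty networks/gcaps mean no restriction.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    exported = []
    for ev in events:
        # Message type: "alerts" keeps alerts only, "all" keeps alerts and metadata.
        if message_type == "alerts" and ev["event_type"] != "alert":
            continue
        # IP filter: keep the event if either endpoint is inside a listed network.
        if nets:
            addrs = (ipaddress.ip_address(ev["src_ip"]),
                     ipaddress.ip_address(ev["dest_ip"]))
            if not any(a in n for a in addrs for n in nets):
                continue
        # GCap filter: only events from the selected probes.
        if gcaps and ev["gcap"] not in gcaps:
            continue
        # Protocol filter: an unselected (or unknown) protocol is not exported.
        if protocols is not None and ev.get("app_proto") not in protocols:
            continue
        out = dict(ev)
        if additional_fields and codec != "idmef":
            out.update(additional_fields)   # not supported with the idmef codec
        exported.append(out)
    return exported


if __name__ == "__main__":
    print(len(export_filter(SAMPLE_EVENTS)), "events with every filter empty")
    print(len(export_filter(SAMPLE_EVENTS, protocols=KNOWN_PROTOCOLS)),
          "events with Select all: the quic event is dropped")
    for ev in export_filter(SAMPLE_EVENTS, message_type="alerts",
                            networks=["10.1.0.0/16"],
                            additional_fields={"site": "paris"}):
        print(ev)
```

The `quic` event shows the trap the note describes: with `Select all` every protocol the GCenter knows is ticked, yet an event whose protocol is absent from the list is still dropped, whereas a deactivated filter (`protocols=None`) lets it through.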

5.6.26.5. Encryption

This section enables encrypting the exchanges between the GCenter and the remote server.
A certificate, its associated key and the certification authority must be added in order to activate this functionality.
The `Data exports - ENCRYPTYON` screen contains the following sections (the numbers are the callouts in the screenshot):
../../_images/DATA_EXPORT-04.PNG

Item  Parameter                     Description
----  ---------                     -----------
22    `Enable TLS`                  Enables TLS (Transport Layer Security) on the connection. Disabled by default.
23    `Check certificate`           Verifies the remote server's certificate when TLS is enabled. Disabled by default.
24    `Certificate file`            Adds the certificate.
25    `Certificate Key file`        Adds the key associated with the certificate.
26    `Certificate Authority file`  Adds the file of the certification authority.
27    `Save`                        The changes are only effective after pressing `Save`.

Note

With `Check certificate` disabled, the session is encrypted but the GCenter does not verify the identity of the server it connects to: any system placed between the GCenter and the SIEM could present its own certificate and read the exported alerts. For a production export, enable `Check certificate` and supply, in `Certificate Authority file`, the authority that issued the remote server's certificate.