2.3. Data use

The GCenter generates several kinds of data: events, statistics, health logs and authentication logs.
The GCenter generates events from the GCap data (captured traffic), the GScan data and the GCenter engines.
The data (events) created by the GCap and the GCenter is of various types:
This data can, if necessary, be managed by the administrator.
This management involves:

2.3.1. Detection data

In addition to the dashboards of the GCenter web interface, the data reported by the solution can be exploited by external equipment (such as a SIEM) using the Syslog protocol.


2.3.1.1. Data export via the Syslog protocol

The GCenter allows administrators to configure up to two data exports to different destinations, for example a SIEM.
Once an export is activated, all the selected data is sent to the configured destination.
The administrator chooses which data to export.

Note

Only "alert" and "metadata" type data are concerned by this export.
No GCenter or GCap system log file is included in it.

For more information about the export configuration, see `Data export` screen.


2.3.1.2. ECS format for the data export

The GCenter uses the ECS format for the data export.
The Elastic Common Schema (ECS) is an open source specification developed with the support of the Elastic user community.
ECS defines a common set of fields to be used when storing event data, such as logs and metrics, in Elasticsearch.
ECS specifies a field name and an Elasticsearch datatype for each field, and provides descriptions and example usage.
ECS also groups fields into ECS levels, which signal how much a field is expected to be present.

2.3.1.2.1. Example of an alert exported

For information: this example shows an alert of the "Infected" type generated by the malcore module (event.kind is "alert", event.module is "malcore", malcore.state is "Infected").

<0>Sep 11 09:31:00 gcenter-xxxo-01.gatewatcher.com gatewatcher[-]: {"observer":{"vendor":"gatewatcher","uuid":"78f4fed1-c9ad-52b9-b509-6b87767f501f","gcap":{"ingress":{"interface":{"name":"monvirt"}},"hostname":"gcap-xxx.gatewatcher.fr","version":"2.5.x.x-yy"},"version":"2.5.3.103","log_format_version":"1.0.0","hostname":"gcenter-xxx.gatewatcher.com","product":"gcenter"},"source":{"port":80,"ip":"xx.xx.xx.xx"},"file":{"magic":"Macromedia Flash data (compressed), version 13","sid":[1100020],"hash":{"sha256":"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6f79278b"},"name":"/","file_id":219,"tx_id":2,"state":"CLOSED","gaps":false,"size":55351,"stored":true},"@timestamp":"2024-09-11T09:31:00.111583612Z","malcore":{"file_type":"application/x-shockwave-flash","analyzers_up":16,"analyzed_clean":9,"engines_last_update_date":"2024-09-03T17:15:00Z","state":"Infected","total_found":"3/16","detail_scan_time":373,"reporting_token":"","analyzed_infected":3,"detail_threat_found":"Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash","analyzed_suspicious":0,"analyzed_error":0,"processing_time":1576,"engine_id":{"5":{"scan_result":"CLEAN","threat_details":"","id":"c18ab9n"},"8":{"scan_result":"INFECTED","threat_details":"Exploit.Flash","id":"ib54e9s"},"4":{"scan_result":"UNSUPPORTED_FILE_TYPE","threat_details":"","id":"c10195e"},"14":{"scan_result":"CLEAN","threat_details":"","id":"t3114fn"},"13":{"scan_result":"CLEAN","threat_details":"","id":"sde882s"},"9":{"scan_result":"CLEAN","threat_details":"","id":"kfb8487"},"12":{"scan_result":"CLEAN","threat_details":"","id":"qb9308l"},"10":{"scan_result":"CLEAN","threat_details":"","id":"mb2b5fe"},"0":{"scan_result":"CLEAN","threat_details":"","id":"a32935b"},"15":{"scan_result":"UNSUPPORTED_FILE_TYPE","threat_details":"","id":"we9a17t"},"6":{"scan_result":"CLEAN","threat_details":"","id":"c81e55c"},"7":{"scan_result":"NOT_SCANNED","threat_details":"","id":"e83bf1t"},"3":{"scan_result":"CLEAN","threat_details":"","id":"b557a5r"},"1":{"scan_result":"INFECTED","threat_details":"EXP/Flash.EB.502","id":"acf9bba"},"11":{"scan_result":"NOT_SCANNED","threat_details":"Unavailable (permanently_failed)","id":"n00000e"},"2":{"scan_result":"INFECTED","threat_details":"SWF/Exploit","id":"af7872b"}},"detail_wait_time":660,"file_type_description":"Macromedia Flash Player","code":1,"magic_details":"Macromedia Flash data (compressed), version 13","analyzed_other":4},"@version":"1","network":{"protocol":"http","timestamp":"2024-09-11T09:15:23.329615+0000","transport":"tcp","flow_id":1779492455056060},"destination":{"port":47858,"ip":"x.x.x.x"},"url":{"domain":"exnchantingweddingsants.co.uk","path":"/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs"},"user_agent":{"original":"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"},"ecs":{"version":"8.6.0"},"http":{"request":{"method":"GET"},"hostname":"nchantingweddingsandevents.co.uk","version":"HTTP/1.1","http_refer":"http://echantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/","response":{"status":200,"mime_type":"application/x-shockwave-flash","bytes":55351}},"event":{"id":"7c4e2a77-3481-4201-8247-889fe0718ed8","kind":"alert","module":"malcore","severity":1,"category":["network","file"],"created":"2024-09-11T09:15:23.329615+0000","dataset":"alert"}}
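As an added example (this is not GCenter code and not part of the original documentation), the following Python script shows what a SIEM-side consumer of the export does with a line such as the one above: it splits the syslog header from the JSON document, checks that the payload carries an ECS envelope, and reduces a malcore alert to the fields a detection rule needs. It recomputes the number of infected engines from `malcore.engine_id` and compares it with the `malcore.analyzed_infected` counter, so that a truncated or tampered message is noticed rather than trusted, and it lists the engines that returned no verdict (`NOT_SCANNED`, `UNSUPPORTED_FILE_TYPE`) so the analyst knows how much of the "3/16" actually scanned the file. The sample event is constructed and trimmed from the alert above; the regular expression assumes the RFC 3164-style header shown there (`<PRI>timestamp host gatewatcher[-]: {json}`).

```python
"""Consume a GCenter ECS syslog export line (constructed example, not GCenter code)."""
import json
import re
from dataclasses import dataclass

# Header shape seen in the export above: <PRI>MMM dd HH:MM:SS host tag[pid]: {json}
# (assumption: RFC 3164-style header, one JSON document per line).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s\[]+)\[(?P<pid>[^\]]*)\]: "
    r"(?P<payload>\{.*\})$"
)

# Engine results that carry no verdict on the file (values observed in the alert above).
NO_VERDICT = ("NOT_SCANNED", "UNSUPPORTED_FILE_TYPE")


def parse_export_line(line: str) -> dict:
    """Split one export line into syslog header fields and the decoded ECS document."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a GCenter syslog export line")
    doc = json.loads(m["payload"])
    # Exported documents carry an ECS envelope; anything else is not an alert/metadata export.
    if "ecs" not in doc or "event" not in doc:
        raise ValueError("payload is not an ECS document")
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "syslog_host": m["host"], "doc": doc}


@dataclass(frozen=True)
class MalcoreSummary:
    event_id: str
    sha256: str
    state: str
    threats: tuple          # distinct threat names reported by INFECTED engines
    infected_engines: int   # recounted from engine_id, not taken from the counters
    declared_infected: int  # malcore.analyzed_infected as sent by the GCenter
    no_verdict: tuple       # (engine number, scan_result) for engines without a verdict

    @property
    def consistent(self) -> bool:
        """True when the per-engine results agree with the summary counter."""
        return self.infected_engines == self.declared_infected


def summarise_malcore(doc: dict) -> MalcoreSummary:
    """Reduce a malcore alert to the fields a SIEM rule or an analyst needs."""
    ev = doc["event"]
    if ev.get("kind") != "alert" or ev.get("module") != "malcore":
        raise ValueError("not a malcore alert")
    mc = doc["malcore"]
    engines = mc.get("engine_id", {})
    infected = [e for e in engines.values() if e["scan_result"] == "INFECTED"]
    no_verdict = sorted(
        (int(k), e["scan_result"]) for k, e in engines.items() if e["scan_result"] in NO_VERDICT
    )
    return MalcoreSummary(
        event_id=ev["id"],
        sha256=doc["file"]["hash"]["sha256"],
        state=mc["state"],
        threats=tuple(sorted({e["threat_details"] for e in infected})),
        infected_engines=len(infected),
        declared_infected=int(mc["analyzed_infected"]),
        no_verdict=tuple(no_verdict),
    )


def _engine(result: str, threat: str = "") -> dict:
    return {"scan_result": result, "threat_details": threat, "id": "constructed"}


# Constructed sample, trimmed from the alert shown above; hostnames and ids are placeholders.
SAMPLE_DOC = {
    "@timestamp": "2024-09-11T09:31:00.111583612Z",
    "ecs": {"version": "8.6.0"},
    "observer": {"vendor": "gatewatcher", "product": "gcenter", "hostname": "gcenter-xxx.gatewatcher.com"},
    "event": {"id": "7c4e2a77-3481-4201-8247-889fe0718ed8", "kind": "alert", "module": "malcore",
              "severity": 1, "dataset": "alert", "category": ["network", "file"]},
    "file": {"name": "/", "size": 55351,
             "hash": {"sha256": "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6f79278b"}},
    "malcore": {
        "state": "Infected", "total_found": "3/16", "analyzers_up": 16,
        "analyzed_infected": 3, "analyzed_clean": 9, "analyzed_other": 4,
        "engine_id": {
            **{str(i): _engine("CLEAN") for i in (0, 3, 5, 6, 9, 10, 12, 13, 14)},
            "1": _engine("INFECTED", "EXP/Flash.EB.502"),
            "2": _engine("INFECTED", "SWF/Exploit"),
            "8": _engine("INFECTED", "Exploit.Flash"),
            "4": _engine("UNSUPPORTED_FILE_TYPE"), "15": _engine("UNSUPPORTED_FILE_TYPE"),
            "7": _engine("NOT_SCANNED"), "11": _engine("NOT_SCANNED", "Unavailable (permanently_failed)"),
        },
    },
}
SAMPLE_LINE = "<0>Sep 11 09:31:00 gcenter-xxx.gatewatcher.com gatewatcher[-]: " + json.dumps(SAMPLE_DOC)

if __name__ == "__main__":
    parsed = parse_export_line(SAMPLE_LINE)
    summary = summarise_malcore(parsed["doc"])
    print(summary)
    print("counters consistent:", summary.consistent)
```

The recount is the part worth keeping in a production pipeline: a rule that alerts on `malcore.analyzed_infected >= 1` trusts a counter, whereas a rule that also requires at least one `engine_id.*.scan_result == "INFECTED"` keys on the evidence behind it and will flag a message whose counters and engine results disagree.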
The counters are detailed in DGA detect log data structure.

2.3.3. Management and system status data

This data enables the following functions:


2.3.3.1. Viewing the system status

  • `Health checks` screen of the web GUI
    System status data is displayed in the web GUI.
    For more information, see the `Health checks` screen.
  • Gstats GUI
    System status data is also collected by Netdata services.
    Each GCap runs a Netdata service that sends its information to the Netdata server located on the GCenter.
    Similarly, the GCenter runs a Netdata service that sends its information to the same internal Netdata server.
    This internal Netdata server displays the data via the Gstats graphical interface.

2.3.3.2. Export system state data to remote servers

2.3.3.2.1. Export data to a Netdata server

In addition to the Netdata interface used by Gstats, the GCenter has a second Netdata export interface whose purpose is to send data to an external server.
It must be configured: for more information, see the presentation of the `Retention policy` screen.

2.3.3.2.2. Data retrieval by a Nagios server

For more information, see the presentation in the `Retention policy` screen.


2.3.3.3. System management and configuration

System management, in particular configuration, is carried out via:

In the event of a blocking problem, the solution logs must be accessed in order to resolve it.
This information is used for diagnosis in collaboration with GATEWATCHER support.
The diagnostic function enables:
  • Generating the log file archive and uploading it for analysis by GATEWATCHER support.
    The exported log archive is protected by a password known only to the GATEWATCHER administrator team.
    It contains the messages from all logs as well as all the system calls of the system.
  • Generating the "Tech support" file and uploading it for analysis by an administrator.
    The "Tech support" file provides information on the health of the GCenter server but contains no captured data.
    This file is not encrypted and can be read by the administrator.

Note

In some sensitive environments, it may not be possible to extract the full set of non-anonymized logs contained in the log file archive.
The `Tech support` file enables the administrator to provide non-sensitive, anonymized diagnostic information to support.
The graphical interface of the diagnostic function is described in the `Diagnostics` screen.

Note

It is also possible to generate a "Tech support" file from the setup menu.
For more information, see the `Diagnostics` screen.
In both cases, the administrator generally has to contact GATEWATCHER support.
These files enable the support team to identify potential malfunctions and resolve them.

2.3.4. Data retention

Data is stored on the GCenter for a limited time (the retention time) and up to a maximum size.

Tip

Increasing the retention time increases the volume of stored data, which leads to higher latencies and reduced performance and stability.

Note

Configuration is performed in two steps:

  • the first on the GCenter, in the fields described here,

  • the second on the GCap detection probe, in its configuration parameters.

These parameters are adjustable.
The graphical interface is described in the `Retention policy` screen.

2.3.5. Deleting data

Once a full or incremental save has been made by the backup functionality, old logs are automatically deleted according to the data retention time, which frees up disk space.
Information can also be deleted manually, by selecting all or part of the types and dates of the information to be removed.
This deletion period is chosen by the administrator, but it cannot exceed the total retention period already configured in the solution.
The same applies to the ICAP and Syslog services.

Important

Data not yet processed will also be deleted.

The graphical interface is described in the `Data Management` screen.