GOD'S EYE

AGENT ARCHITECTURE · THREE-COMPONENT COLLECTION LAYER · MARCH 2026

// RUST · LIBPCAP / AF_PACKET / AF_XDP
ge-sensor
Network Packet Capture & IDS/IPS
⬡ NETWORK TAPs / SPAN PORTS / INLINE
  • [01] Raw packet capture · <20MB RAM footprint
  • [02] Protocol dissection: TCP/UDP/DNS/HTTP/TLS
  • [03] OT protocols: Modbus, DNP3, BACnet, EtherNet/IP
  • [04] 14-feature flow extraction for ML pipeline
  • [05] Alert-triggered selective PCAP capture
  • [06] Inline IPS drop via AF_PACKET
  • [07] Syslog · SNMP trap · NetFlow/IPFIX/sFlow
  • [08] RocksDB DLQ — 7-day local spool on Kafka loss
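Item [04] is the bridge between raw packets and the XGBoost/AE/LSTM detectors further down the pipeline: packets are folded into bidirectional flows and each flow is summarised as a fixed-width vector. The following is an added example written for this page, not ge-sensor's code (which per the page is Rust; Go is used here so both collection components on this page share one language). Packet, FlowKey, FlowTable and SamplePackets are hypothetical names, the trace is constructed, and the page does not list the 14 features, so the slot layout is an assumption: duration_s, fwd_pkts, bwd_pkts, fwd_bytes, bwd_bytes, pkt_len_mean, pkts_per_s, bytes_per_s, iat_mean_s, fin_count, syn_count, rst_count, psh_count, fwd_byte_ratio. Only running counters are kept per flow, which is the property that lets a sensor stay inside a small fixed memory budget.

```go
package main

import "time"

// Packet is a constructed, already-dissected packet summary; the field names
// are assumptions for this example (the page does not document ge-sensor's types).
type Packet struct {
	TS               time.Time
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Proto            uint8 // 6 = TCP, 17 = UDP
	Len              int   // frame length on the wire
	TCPFlags         uint8 // FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10
}

// FlowKey is the bidirectional 5-tuple: A->B and B->A canonicalise to one key.
type FlowKey struct {
	IPa, IPb     string
	PortA, PortB uint16
	Proto        uint8
}

func keyOf(p Packet) FlowKey {
	if p.SrcIP < p.DstIP || (p.SrcIP == p.DstIP && p.SrcPort <= p.DstPort) {
		return FlowKey{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort, p.Proto}
	}
	return FlowKey{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort, p.Proto}
}

// Flow keeps only running counters (no per-packet buffers), which is what keeps
// sensor memory flat at line rate. "Forward" is the first packet's direction.
type Flow struct {
	first              Packet // first packet seen; its source is the initiator
	Last               time.Time
	FwdPkts, BwdPkts   int
	FwdBytes, BwdBytes int
	SumIAT             float64 // sum of inter-arrival gaps, seconds
	Flags              [4]int  // TCP flag counts: [0]=FIN [1]=SYN [2]=RST [3]=PSH
}

// FlowTable is the in-memory flow table keyed by canonical 5-tuple.
type FlowTable map[FlowKey]*Flow
// Add folds one packet into its flow, creating the flow on first sight.
func (t FlowTable) Add(p Packet) *Flow {
	k := keyOf(p)
	f, ok := t[k]
	if !ok {
		f = &Flow{first: p}
		t[k] = f
	} else {
		f.SumIAT += p.TS.Sub(f.Last).Seconds()
	}
	f.Last = p.TS
	if p.SrcIP == f.first.SrcIP && p.SrcPort == f.first.SrcPort {
		f.FwdPkts, f.FwdBytes = f.FwdPkts+1, f.FwdBytes+p.Len
	} else {
		f.BwdPkts, f.BwdBytes = f.BwdPkts+1, f.BwdBytes+p.Len
	}
	if p.Proto == 6 {
		for b := range f.Flags { // bit b of the flags byte feeds counter b
			f.Flags[b] += int(p.TCPFlags >> uint(b) & 1)
		}
	}
	return f
}

// Features renders the flow as the 14-slot vector (slot order is in the lead-in).
func (f *Flow) Features() [14]float64 {
	n, total := float64(f.FwdPkts+f.BwdPkts), float64(f.FwdBytes+f.BwdBytes)
	dur := f.Last.Sub(f.first.TS).Seconds()
	var iat, pps, bps, ratio float64
	if n > 1 {
		iat = f.SumIAT / (n - 1)
	}
	if dur > 0 {
		pps, bps = n/dur, total/dur
	}
	if total > 0 {
		ratio = float64(f.FwdBytes) / total
	}
	return [14]float64{
		dur, float64(f.FwdPkts), float64(f.BwdPkts), float64(f.FwdBytes),
		float64(f.BwdBytes), total / n, pps, bps, iat, float64(f.Flags[0]),
		float64(f.Flags[1]), float64(f.Flags[2]), float64(f.Flags[3]), ratio,
	}
}

// SamplePackets is a constructed trace: DNS lookup, then a TLS handshake and one
// request/response with the resolved host (RFC 5737 / RFC 1918 addresses).
func SamplePackets() []Packet {
	t0 := time.Date(2026, 3, 1, 12, 0, 0, 0, time.UTC)
	at := func(ms int) time.Time { return t0.Add(time.Duration(ms) * time.Millisecond) }
	return []Packet{
		{at(0), "10.0.0.5", "192.0.2.53", 53000, 53, 17, 80, 0},
		{at(20), "192.0.2.53", "10.0.0.5", 53, 53000, 17, 200, 0},
		{at(30), "10.0.0.5", "203.0.113.10", 40000, 443, 6, 60, 0x02},   // SYN
		{at(40), "203.0.113.10", "10.0.0.5", 443, 40000, 6, 60, 0x12},   // SYN/ACK
		{at(50), "10.0.0.5", "203.0.113.10", 40000, 443, 6, 52, 0x10},   // ACK
		{at(60), "10.0.0.5", "203.0.113.10", 40000, 443, 6, 500, 0x18},  // PSH/ACK
		{at(80), "203.0.113.10", "10.0.0.5", 443, 40000, 6, 1200, 0x18}, // PSH/ACK
		{at(90), "10.0.0.5", "203.0.113.10", 40000, 443, 6, 52, 0x11},   // FIN/ACK
	}
}
```

Keying on the canonical 5-tuple puts both directions in one record, which is what gives the forward/backward asymmetry features their meaning (an exfiltration flow and a download look alike in total bytes but not in fwd_byte_ratio). A production table also needs idle and active timeouts to evict finished flows and emit their vectors; that eviction loop is omitted here.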
// GO · GOROUTINE CONCURRENCY
ge-agent
Host Telemetry & Log Collection
⬡ SERVERS / ENDPOINTS / CLOUD VMs
  • [01] Windows Event Log · WEF · WMI · Sysmon
  • [02] File log monitoring (tail -f equivalent)
  • [03] Cloud API: AWS CloudTrail · Azure AD · GCP
  • [04] SaaS logs: Okta · GitHub · Slack · O365
  • [05] Container & Kubernetes log collection
  • [06] Database audit log tailing (PG, MySQL)
  • [07] HTTP webhook receiver (JSON/CEF)
  • [08] Disk DLQ — 7-day local spool on Kafka loss
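Item [08] in both the ge-sensor and the ge-agent lists names the same mechanism: when Kafka is unreachable, events go to a local dead-letter spool and are replayed for up to seven days. The following is an added example of such a spool, not code from ge-sensor or ge-agent; it keeps one file per event rather than the sensor's RocksDB, and the Sink, Spool, DrainStats and FakeSink names, the injectable clock and the sample events are assumptions. The topic name ge.raw.logs is the one the page's pipeline uses.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Sink is the downstream transport; in the page's design that is the Kafka
// producer for ge.raw.logs. The interface is an assumption of this example.
type Sink interface {
	Publish(topic string, msg []byte) error
}

// Spool is a disk-backed dead-letter queue: a rejected event is written to Dir as
// its own file, replayed in arrival order once the sink is healthy, and dropped
// once older than Retain. (The page's sensor keeps the same queue in RocksDB.)
type Spool struct {
	Dir, Topic string
	Retain     time.Duration
	Sink       Sink
	Now        func() time.Time // injectable clock so retention can be tested
	seq        uint64
}

func NewSpool(dir, topic string, sink Sink) *Spool {
	return &Spool{Dir: dir, Topic: topic, Retain: 7 * 24 * time.Hour, Sink: sink, Now: time.Now}
}

// Send publishes directly, falls back to disk when the sink errors, and reports
// whether the event was spooled rather than delivered.
func (s *Spool) Send(msg []byte) (spooled bool, err error) {
	if s.Sink.Publish(s.Topic, msg) == nil {
		return false, nil
	}
	s.seq++
	// Zero-padded nanosecond timestamp + sequence: lexical order == arrival order.
	name := fmt.Sprintf("%020d-%010d.evt", s.Now().UnixNano(), s.seq)
	tmp := filepath.Join(s.Dir, name+".tmp")
	if err := os.WriteFile(tmp, msg, 0o600); err != nil {
		return false, err
	}
	// Write-then-rename: a crash mid-write never leaves a truncated .evt for Drain.
	return true, os.Rename(tmp, filepath.Join(s.Dir, name))
}

// DrainStats summarises one Drain pass.
type DrainStats struct{ Replayed, Expired, Remaining int }

// Drain replays spooled events oldest first; entries past Retain are deleted
// without replay, and the first publish failure stops the pass to keep order.
func (s *Spool) Drain() (DrainStats, error) {
	var st DrainStats
	names, err := filepath.Glob(filepath.Join(s.Dir, "*.evt"))
	if err != nil {
		return st, err
	}
	sort.Strings(names)
	cutoff := s.Now().Add(-s.Retain).UnixNano()
	for i, path := range names {
		tsPart := strings.SplitN(filepath.Base(path), "-", 2)[0]
		ts, err := strconv.ParseInt(tsPart, 10, 64)
		if err != nil {
			return st, fmt.Errorf("bad spool entry %s: %w", path, err)
		}
		if ts < cutoff {
			os.Remove(path) // outside the retention window: never replay stale data
			st.Expired++
			continue
		}
		msg, err := os.ReadFile(path)
		if err != nil {
			return st, err
		}
		if s.Sink.Publish(s.Topic, msg) != nil {
			st.Remaining = len(names) - i // sink still down; retry on the next pass
			return st, nil
		}
		os.Remove(path)
		st.Replayed++
	}
	return st, nil
}

// FakeSink is a constructed stand-in for the Kafka producer; Down simulates
// losing the brokers.
type FakeSink struct {
	Down bool
	Got  [][]byte
}

func (f *FakeSink) Publish(_ string, msg []byte) error {
	if f.Down {
		return errors.New("kafka: all brokers unreachable")
	}
	f.Got = append(f.Got, msg)
	return nil
}
```

Two details carry the operational weight. Write-then-rename means a crash cannot leave a half-written entry that a later Drain would replay as a corrupt event. Expiry is decided per entry from its own timestamp at drain time, so an outage longer than the window sheds the oldest events first and the most recent telemetry still reaches Kafka.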
// TAURI (RUST) + REACT · ANALYST UI
ge-desktop
SOC Analyst Workstation App
⬡ SOC ANALYST DESKTOPS ONLY
  • [01] Pipeline health visualization & overview
  • [02] Local ge-sensor / ge-agent start/stop/restart
  • [03] GEQL quick search interface
  • [04] Config editor & validation
  • [05] Recent events & error log viewer
  • [06] System tray / menu bar integration
  • [07] Local diagnostics export
  • NOT a data collector — management UI only
// PIPELINE ge-sensor (Network) + ge-agent (Host) → Kafka ge.raw.logs → Parser + GES (Normalize) → Enrichment (GeoIP · IOC · MITRE) → Detection (XGBoost · AE · LSTM · Sigma) → Alert / SOAR (Response) → ge-desktop (Analyst View)
// WHERE ge-sensor RUNS Network TAPs, SPAN ports and inline segments at chokepoints; one instance per network segment. Headless daemon, no GUI. Linux primary (AF_XDP/AF_PACKET); other platforms via libpcap fallback.
// WHERE ge-agent RUNS Every monitored host: servers, endpoints, cloud VMs. Typically dozens to hundreds of instances. Runs as a system service / daemon. Broad OS support: Linux, Windows, macOS.
// WHERE ge-desktop RUNS Only on SOC analyst workstations, so a small number of installs. Produces no telemetry itself; it is purely a management and investigation interface talking to the API gateway.