Purview Integration: Splunk
The Purview™ Solution – Integration With Splunk
Integrating Application Management and Business Analytics With Other IT Management Systems
A Solution White Paper

Introduction

Purview Integration with Splunk

Purview is a network-powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence about applications, users, locations and devices. It is the industry's very first and only (patent pending) solution to transform the network into a strategic business asset, by enabling the mining of network-based business events and strategic information that help business leaders make faster and more effective decisions. It does all of this from a centralized command and control center that combines network management with business analytics, at unprecedented scale (100M sessions) and scope.

Enterprise mobility is more than the mobile device. Mobility and agility across the entire enterprise require access to data from any device, and this has changed the application landscape: organizations are moving away from installing and maintaining traditional applications toward private and public cloud-based delivery models such as SalesForce.com, Google Apps and many more. Millions of new applications have been developed to support new work efficiencies, with new "apps" showing up every day; some become business-critical the next day while others may have no real value. Additionally, mobile users demand immediate access to all of their social media apps. Social, mobile, cloud and big data are everywhere. To maximize the user experience, IT must make sure that applications can be seamlessly delivered from the cloud, private or public, to the users and devices that require them to perform their jobs.
Apps Everywhere – Public and Private Cloud

[Figure 1 – Loss of application visibility and control. Panels: "How users see applications" versus "How traditional switches see applications" (Port 80, Port 443).]

What is Purview?

The three main solution components that make up this unique Purview architecture are:
• OneFabric Control Center with OneFabric Connect
• Purview (Application Fingerprint) Engine
• CoreFlow2-based Data Collection Device

OneFabric Control Center provides centralized visibility and control over the entire network. Centralized visibility and control enables infrastructure and application teams to work together, eliminating costly misalignments and errors that occur through typical operational workflows. Embedded automation and orchestration features improve application delivery for dynamic and mobile environments leveraging cloud, virtualization, and server/storage consolidation. OneFabric Control Center provides unified, centralized management and control, which allows network operations to leverage the power and intelligence built into Extreme Networks networking solutions and thereby unlock the full potential of Purview. Additionally, OneFabric Control Center, as an SDN (Software Defined Network) management and control solution, integrates with external systems via OneFabric Connect, a set of APIs that increases visibility and control to new heights. The data that Purview provides can be accessed via OneFabric Connect to create new third-party integrations or augment existing integrations.
The integration options are:
• Scheduled reporting (email via PDF)
• OneFabric Connect API (XML) support for integration with other IT applications
• Real-time application detection notification (using syslog)

Purview is in fact a deep packet inspection (DPI) solution that can be deployed at scale, across the entire network infrastructure from the data center to the mobile edge, wired and wireless, to provide a superior user experience while optimizing network resource utilization. A fully integrated and unified solution can also eliminate point products, thereby reducing the operational complexity and cost associated with these existing approaches. By providing more contextual information, the solution becomes a business asset for analytics and network-driven business intelligence.

CoreFlow2 is the cornerstone of Extreme Networks' switching technology, addressing the need for application monitoring and control at scale and at high performance. CoreFlow2 is a highly programmable, custom-designed ASIC that delivers flexibility in packet classification and reframing not found in competitive offerings. The granularity of packet analysis and control is unsurpassed, and it translates into real-world benefits in the data center and the campus network. The flow-based application visibility provided by CoreFlow2 is used to provide the Purview flow mirroring to the Purview Fingerprint Engine.

[Figure – Purview architecture: OneFabric Control Center (Visibility, Control, Context); Purview Engine (Collect, Analyze, Classify); CoreFlow2 Data Collection Device (NetFlow, Purview Mirror; massive scalability, multiple Tbit/s and millions of flows). Caption as transcribed: Figure 1 – Loss of application visibility and control.]

Overview – Purview Integration with Splunk Enterprise

What is Splunk Enterprise?

IT systems and technology infrastructure (websites, applications, servers, networks, sensors, mobile devices and the like) generate massive amounts of machine data.
By monitoring and analyzing everything from customer clickstreams and transactions to network activity and call records, Splunk Enterprise turns machine data into valuable analytics. Troubleshoot problems and investigate security incidents in minutes, not hours or days. Monitor your end-to-end infrastructure to avoid service degradation or outages. Gain real-time visibility into user experience, transactions and behavior.

The integration of Splunk Enterprise with Purview allows users to take full advantage of the layer 7 application fingerprints produced by Purview within the Splunk framework. This enables the complex use cases and analytics that Splunk makes possible through its excellent user interface, powered under the covers by Purview application fingerprints derived from real-world network communications.

Purview Alerts with Splunk Enterprise

Splunk has a lightweight correlation system capable of producing custom-built Alerts. It allows the administrator to create security, policy, or behavioral Alerts tied to specific values extracted from the results of a saved search. These Alerts can be posted to the Splunk user interface, configured to launch an administrator-supplied script, or emailed to provide immediate notification. Splunk does not ship with a large number of default Alerts; instead, Splunk administrators create their own custom Alerts to match their particular needs.
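As an added example (not code from the white paper, Extreme Networks or Splunk), the following Python reproduces outside Splunk the logic this paper describes: a saved-search filter on the Application Response Time field (greater than 200 ms), aggregation by application per one-minute bucket as a time-series chart would consume it, and an alert condition tied to a value from that result. The feed line format and the field names (app, app_response_time) are constructed assumptions, since the paper does not show the real Purview feed format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample feed lines in a key=value syslog style. This format and the
# field names are assumptions; the white paper does not show Purview's real feed.
SAMPLE_EVENTS = """\
2014-01-14T10:00:05Z purview app="Salesforce" src_ip=10.1.1.10 dst_ip=203.0.113.5 app_response_time=350
2014-01-14T10:00:12Z purview app="Google Apps" src_ip=10.1.1.11 dst_ip=198.51.100.7 app_response_time=120
2014-01-14T10:00:40Z purview app="Salesforce" src_ip=10.1.1.12 dst_ip=203.0.113.5 app_response_time=410
2014-01-14T10:01:03Z purview app="Salesforce" src_ip=10.1.1.10 dst_ip=203.0.113.5 app_response_time=260
2014-01-14T10:01:30Z purview app="Google Apps" src_ip=10.1.1.13 dst_ip=198.51.100.7 app_response_time=225
2014-01-14T10:01:55Z purview app="VNC" src_ip=10.1.1.14 dst_ip=10.1.2.20 app_response_time=90
2014-01-14T10:02:00Z purview app="Dropbox" src_ip=10.1.1.15 dst_ip=192.0.2.9
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) purview (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one feed line into a dict; return None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in KV_RE.findall(m.group("kv")):
        event[key] = value.strip('"')
    return event


def slow_sessions_by_app(feed, threshold_ms=200):
    """The saved search from the paper: keep events whose Application Response
    Time exceeds threshold_ms and count them per application per one-minute
    bucket, which is the input a time-series chart would plot."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in feed.splitlines():
        event = parse_event(line)
        if event is None or "app_response_time" not in event:
            continue  # malformed line or missing field: skip, do not abort the search
        if int(event["app_response_time"]) > threshold_ms:
            bucket = event["ts"].strftime("%Y-%m-%dT%H:%M")
            counts[bucket][event["app"]] += 1
    return {bucket: dict(apps) for bucket, apps in counts.items()}


def alerts(counts, min_slow=2):
    """Alert condition tied to a value from the search result: fire for each
    application with at least min_slow slow sessions in one bucket."""
    return sorted((bucket, app, n) for bucket, apps in counts.items()
                  for app, n in apps.items() if n >= min_slow)
```

The Dropbox line lacks the response-time field and is skipped rather than breaking the search, which mirrors how a field-based Splunk search simply omits events where the field is absent.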
In the example below, a custom Splunk Alert is created via a wizard to detect virtual network computing (VNC) network reconnaissance and then post the Alert to the Splunk user interface.

Purview Visibility within Splunk

Splunk is able to provide in-depth visibility derived from the Purview event feed. Splunk provides a facility for complex queries, custom aggregations, multiple chart formatting options, real-time dashboards, and historical views through trend reports. Splunk's strength is to parse, normalize, and process all available fields within the Purview event feed without burdensome customization requirements placed upon the administrator. In the example below, the Application Response Time field provided in the Purview feed is monitored for all values greater than 200 ms, aggregated by application, and then displayed in an auto-updating time-series chart.

Additional visualizations of Purview data are shown below:
Figure 5 – Raw Purview data collected from a relatively busy network
Figure 6 – The Purview data is fully indexed and is searchable
Figure 7 – Top source IP addresses in the current data set along with an aggregate graphical view
Figure 8 – Top Apps: top applications in the current sample set, illustrating Splunk indexing of our application-specific fingerprint information

Splunk Queries of Purview Data

A strength of Splunk is the ability to issue complex queries over incoming data sources. This allows network and security administrators to gain insight into what is actually happening with the networks and systems that they are responsible for.
The addition of Purview data allows such investigations to take full application-layer fingerprinting information into account. This provides a rich enhancement to network visibility for Splunk users.

Summary

Purview provides application visibility for IT operations and business analytics at unparalleled scale and performance. Purview is also part of the OneFabric Control Center suite of network management solutions. By taking advantage of the OneFabric Connect API, Purview acts as a data broker and can feed application-layer data to other third-party applications for uses such as SIEM, Splunk for detailed compliance reporting and analytics, and much more.

©2014 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks trademarks please see http://www.extremenetworks.com/about-extreme/trademarks.aspx. Specifications and product availability are subject to change without notice. 6667-0114 WWW.EXTREMENETWORKS.COM