ScienceLogic, Splunk, and the InteropNet NOC

Michelle DeFiore

We’re embarking on our third year of providing monitoring services for InteropNet. We’re so excited to work with the Splunk ninjas again, and looking forward to the cool new things we have in store for this year’s InteropNet.

I had the opportunity to talk with our deployment engineer and InteropNet NOC engineer extraordinaire Alejandro Figueroa (not to be confused with Lady Gaga’s Alejandro) and with Splunk’s Senior Support Engineer Karandeep Bains aka Deep.

We discussed the continued and ever expanding relationship and integration between our EM7 products and Splunk.

So How Does It All Work?

ScienceLogic powers the dashboards and flashing lights that keep the NOC staff on their toes and speed up the troubleshooting process.

[Image: EM7 dashboard for InteropNet]

EM7 checks ports on Splunk’s boxes to monitor for uptime and latency. EM7 pings the boxes every 15 seconds and throws an alert if any of the servers or network devices in the NOC are down or underperforming. EM7 can monitor several critical areas of network and server performance, including CPU and memory monitoring and, most importantly, bandwidth.

Hundreds of GB of syslog will be flowing into Splunk, and EM7 makes sure the network isn’t bogged down as Splunk indexes the data. In past InteropNet integrations between ScienceLogic and Splunk, one of the most interesting visualizations was a heatmap correlating botnet and firewall exception data from McAfee with geolocation lookups in Splunk.

The map gave an overall view of where in the world botnets and hackers were attempting to infiltrate InteropNet.

[Image: threat map screenshot from the InteropNet NOC]

As the largest temporary network in the world, InteropNet is a big target for attacks. Trending over time shows threats “following the sun.” During peak hours, attacks were heavy from the U.S., but as the day progressed, threats from Italy,

Missed it last time?

Check out our dashboards in the NOC and follow the attackers as they come in during the show.

Why You Need to Tour the InteropNet NOC

This year’s NOC tour walks attendees through a real-world workflow featuring four vendor sponsors.

Enterasys (providing back-end infrastructure) is going to orchestrate a mock broadcast storm spewing lots of data onto the network. All of this data is logged in Splunk, and as the systems detect spikes and anomalies, ScienceLogic triggers an alert.

The attacks, and the alerts, unfold in real time, so people can see the process as it happens. Real-time graphs, charting, and threat detection maps allow NOC staff and visitors to view and monitor the attack as it unfolds.

We want to embed more information into the EM7 dashboard, like a real-time graph updating every 30 seconds. EM7 will be displaying some of the data, but we want to showcase even more.

Our new liquid dashboards provide a more modular and fluid window into NOC operations, and integration with the widgets and dashboards from other vendors like Splunk provides a full picture of critical happenings in the NOC.

Our RSS feed integration is provided by a link right on the events screen. This allows a user logged into EM7, upon receipt of a Splunk event, to immediately click and drill into the Splunk portal.

This allows for quick access from EM7 to Splunk. Very cool when seen in action. Both Splunk and ScienceLogic are showcasing the ability to show other vendors’ dashboards.

Leveraging RSS feeds from the NOC tours, EM7 allows us to integrate and throw events off of several different data sources. The dashboards and RSS feeds are separate integrations we are doing with Splunk.

The dashboards are just eye candy, a little sex appeal for the NOC; the RSS feeds are how Splunk and EM7 integrate their events, and they are the real workhorses and the critical components of our monitoring platforms. Not only do you get to see all of that (and maybe learn about SNMP monitoring along the way), but we hear there will be awesome giveaways.
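As an added example (not ScienceLogic’s or Splunk’s own code), here is the shape of the RSS event integration described above: a Splunk-style alert feed is turned into de-duplicated event records, each carrying the drill-down link that the events screen would expose. The feed text, the portal host name `splunk.noc.example` and the `severity=` field in the description are constructed assumptions; the host check keeps a tampered feed from planting a foreign link on the events screen.

```python
# Added example, not EM7 or Splunk code. Converts a Splunk-style RSS alert feed
# into event records with a drill-down link. Feed content, host and severity
# field are constructed for illustration.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed: one alert repeated (same guid) and one whose link
# points away from the Splunk portal.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Splunk alerts (constructed)</title>
<item><title>Firewall exceptions spike</title>
<link>https://splunk.noc.example/app/search/alert?sid=1</link>
<guid>alert-1</guid><description>severity=high count=412</description></item>
<item><title>Firewall exceptions spike</title>
<link>https://splunk.noc.example/app/search/alert?sid=1</link>
<guid>alert-1</guid><description>severity=high count=412</description></item>
<item><title>Broadcast storm</title>
<link>https://other.example/not-splunk</link>
<guid>alert-2</guid><description>severity=critical</description></item>
</channel></rss>"""

TRUSTED_HOST = "splunk.noc.example"  # assumed Splunk portal host

def parse_severity(description):
    """Pull severity=<level> out of the item description; default 'info'."""
    for token in description.split():
        if token.startswith("severity="):
            return token.split("=", 1)[1]
    return "info"

def feed_to_events(feed_xml, trusted_host=TRUSTED_HOST):
    """Return (events, rejected_guids): one event per unique guid, dropping
    items whose drill-down link is not an https URL on the trusted host."""
    root = ET.fromstring(feed_xml)
    events, seen, rejected = [], set(), []
    for item in root.iter("item"):
        guid = item.findtext("guid", "")
        link = item.findtext("link", "")
        if guid in seen:
            continue  # repeated alert: same event, do not raise it twice
        seen.add(guid)
        parsed = urlparse(link)
        if parsed.scheme != "https" or parsed.hostname != trusted_host:
            rejected.append(guid)  # untrusted link: keep it off the events screen
            continue
        events.append({"guid": guid, "title": item.findtext("title", ""),
                       "severity": parse_severity(item.findtext("description", "")),
                       "drilldown": link})
    return events, rejected
```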
