Jump to content
Welcome to our new Citrix community!
  • Export Insights from ADM to Observability tools of choice


    Karthick Srivatsan
    • Validation Status: Validated
      Summary: In this blog post, we'll explore how NetScaler ADM can integrate with 3rd party tools (such as Splunk, New Relic) to empower you to receive NetScaler’s aggregated/processed insights, directly from ADM.
      Has Video?: No

    ADM Integration to 3rd Party tools -  Light up your Splunk/New Relic visibility with SSL Certificate or WAF/BOT Violation Insights

    NetScaler ADM (Application Delivery Management),  is a control plane available as both on-prem and as a Service that manages a fleet of NetScalers across monolith and modern microservices applications.  It offers Observability around, Infrastructure and Application availability, Performance, Usage including Security insights,  to enable you to act on application performance issues. It also provides HDX and Gateway insights to identify the gateway errors and the network or application latency issues impacting the ICA HDX proxy user experience.

    In this blog post, we'll explore how NetScaler ADM can integrate with 3rd party tools (such as Splunk, New Relic) to empower you to receive NetScaler’s aggregated/processed insights, directly from ADM.

    ADM is a great choice of platform for 2 reasons:

    1. In-Product ADM Observability - NetScaler admins who use ADM as a visualization and management platform for their fleet and use analytics with aggregated/processed insights for triaging and troubleshooting
    2. ADM’s Aggregated/Processed Insights export to 3rd party tools - Personas like Splunk or SIEM admins who manage their existing enterprise observability tools can receive rich NetScaler insights via ADM integration as well.

    Insights available in ADM that can be exported to Splunk:

    ADM Integration with Splunk is available in both ADM Service and on-prem. ADM on-prem has the observability integration available from 13.1-48.x onwards. These integrations include:

    • WAF violation Security Insights (Realtime or Periodic)
    • BOT violation Security Insights (Realtime or Periodic)
    • SSL Certificate Insights (Periodic)
    • ADM On-prem system health and events (Sent every minute from ADM on-prem release 14.1-8.x onwards)
     

    Use Case

    Category

    Endpoints

    Release

    Export Type

    Available on

    WAF Violation Insights

    Security

    Splunk, New Relic, Any HTTPS Collector

    ADM on-prem (13.1-48.x) onwards

    JSON

    ADM Service & ADM on-prem

    BOT Violation Insights

    Security

    Splunk, New Relic, Any HTTPS Collector

    ADM on-prem (13.1-48.x) onwards

    JSON

    ADM Service & on-prem

    SSL Certificate Insights

    Security, Infrastructure

    Splunk, New Relic, Any HTTPS Collector

    ADM on-prem (13.1-48.x) onwards

    JSON

    ADM Service & ADM on-prem

    ADM On Prem specific system health and Events

    On Prem System

    Splunk, New Relic, Any HTTPS Collector

    ADM on-prem (14.1-8.x) onwards

    JSON

    ADM on-prem

     

    Live Demo of How to Configure ADM for Export to Splunk available below.

     

    How NetScaler Sample Dashboards help visualize at Splunk:

    SSL Certificate Insights :

    Let us look at some of the use cases you can visualize with the SSL certificate insights exported to Splunk from the ADM aggregated across your NetScalers.

    1. SSL Protocol Compliance - Quickly track if unsupported protocols are enabled in the SSL profile across a scale of Vservers of all your instances, which could be against your enterprise compliance. 
    2. Get notified before certificates expire to Proactive notification of expiring certs to avoid Application disruption - SSL certificate expiry information aggregated across NetScalers can be exported and you can get timely notifications about certificates expiring in next month or quarter so that you can renew those on time. You can now avoid unnecessary and embarrassing app downtimes

    3. Security Compliance - Easy way to assess and track which of the SSL certificates are unused (not bound to any VServer) or expired and act upon them. 
    Below is the dashboard of SSL Cert data exported from ADM aggregated across NetScalers.

    image.jpg

     

    WAF/BOT Insights :

     

    SecOps admins typically export and visualize security events in SIEM tools like Splunk. NetScaler WAF/BOT violation events can be exported from ADM in real-time and visualized at Splunk.

    Let us look at some of the use cases you can visualize with the WAF/Bot Violation events insights exported to Splunk from the ADM aggregated across your NetScalers.

    1. View  Violation trends - Quickly track WAF or Bot violation trends over a period of time to derive patterns or your application threat surface. 
    2. View Top applications with WAF/Bot Events
    3. View total applications impacted by WAF/Bot violations
    4. View today application attacks mitigated with the WAF rules configured in the NetScalers.
    5. View BOT traffic classification to identify good actors, bad actors classified as humans or bots

     

     

    image.jpg

    Benefits of ADM Integration with  3rd party endpoints:

    Enterprises that have ADM managing their NetScaler fleet can leverage it as a centralized export platform that offers several advantages:

    1. Aggregated Data: Since ADM manages all NetScalers, it can aggregate the data across NetScalers to export to 3rd party tools of choice.

    For example, whether it is an application or certificates across 10’s or 100’s of ADCs, ADM’s aggregated data can collect the total traffic/errors/certificate and usage details that is available for immediate export, alleviating the need to code or perform the aggregation yourself.

    1. Processing Capabilities: ADM can preprocess and normalize the data before and produce more meaningful insights before exporting.

     For example, Web Insights is a standout example where the Response time is broken down into Client Network Latency, Server Network Latency and Server Processing Time. This helps pinpoint the session slowness problem to the exact contributor by doing some processing at the ADM end.

    1. Centralized Control: ADM’s centralized data collection from managed NetScalers makes export easier to observability tools of choice. Typically integrations increase the ingestion at destination end (such as Splunk), but our integration helps you control and filter relevant data export at source itself (i.e the ADM itself). With this, you can control what data you want, how much you want and where you want it to be exported.
    1. Intent Centric User Interface for Data Export hosted in the ADM as a feature: Is going to simplify the experience of configuring the integrations in ADM, going forward.

    Setting Up NetScaler ADM Integration with Splunk:

    NetScaler ADM Integration with Splunk is easy with a 3-step process. Here's a high-level overview of the steps for streamlined data export and analysis:

     

    image.jpg

     

    1. Prepare Splunk
    • Install the relevant app plugins of NetScaler at Splunk (See Doc Link)
    • Configure HEC endpoint (HTTP Event Collector) in Splunk and generate the token.
    1. Prepare Data Export in the ADM
    • In the ADM interface, configure the data export under Settings -> Ecosystem Integration
    • Create a subscription specifying Splunk as the target destination with the HEC endpoint details and the token generated while preparing Splunk.
    • HEC format - https://SPLUNK_PUBLIC_IP:SPLUNK_HEC_PORT/services/collector/event .
    • Select the use-case to export data.
    1. Download Sample Dashboards and Visualize in Splunk:
    NetScaler offers sample dashboards off-the-shelf which can be easily imported into Splunk to visualize data as soon as ADM is prepared to send data. This alleviates the need to build complex logic of parsing and querying at Splunk, making visualization and customization easier for admins with a quick starting point in their journey.

    That’s it!!

    Conclusion:

    NetScaler ADM integration with Splunk provides organizations with a centralized point for data export that offers enhanced control, data processing capabilities, and aggregated insights.

    By seamlessly integrating these powerful tools, organizations can gain a comprehensive understanding of their network and application performance, enabling them to proactively address issues and enhance user experiences.

    You can DIY this right away. Here’s how.

    1. Download Splunk dashboards for ADM from https://www.citrix.com/downloads/citrix-adc/sample-dashboards/endpoints-and-dashboards.html
    2. Detailed documentation of preparation available at https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/analytics/security/splunk-integration.html

     

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...