ADM Integration to 3rd Party tools -  Light up your Splunk/New Relic visibility with SSL Certificate or WAF/BOT Violation Insights

NetScaler ADM (Application Delivery Management),  is a control plane available as both on-prem and as a Service that manages a fleet of NetScalers across monolith and modern microservices applications.  It offers Observability around, Infrastructure and Application availability, Performance, Usage including Security insights,  to enable you to act on application performance issues. It also provides HDX and Gateway insights to identify the gateway errors and the network or application latency issues impacting the ICA HDX proxy user experience.

In this blog post, we'll explore how NetScaler ADM can integrate with 3rd party tools (such as Splunk, New Relic) to empower you to receive NetScaler’s aggregated/processed insights, directly from ADM.

ADM is a great choice of platform for 2 reasons:

1. In-Product ADM Observability - NetScaler admins who use ADM as a visualization and management platform for their fleet and use analytics with aggregated/processed insights for triaging and troubleshooting
2. ADM’s Aggregated/Processed Insights export to 3rd party tools - Personas like Splunk or SIEM admins who manage their existing enterprise observability tools can receive rich NetScaler insights via ADM integration as well.

Insights available in ADM that can be exported to Splunk:

ADM Integration with Splunk is available in both ADM Service and on-prem. ADM on-prem has the observability integration available from 13.1-48.x onwards. These integrations include:

• WAF violation Security Insights (Realtime or Periodic)
• BOT violation Security Insights (Realtime or Periodic)
• SSL Certificate Insights (Periodic)
• ADM On-prem system health and events (Sent every minute from ADM on-prem release 14.1-8.x onwards)

Live Demo of How to Configure ADM for Export to Splunk available below.

How NetScaler Sample Dashboards help visualize at Splunk:

SSL Certificate Insights :

Let us look at some of the use cases you can visualize with the SSL certificate insights exported to Splunk from the ADM aggregated across your NetScalers.

1. SSL Protocol Compliance - Quickly track if unsupported protocols are enabled in the SSL profile across a scale of Vservers of all your instances, which could be against your enterprise compliance. 

2. Get notified before certificates expire to Proactive notification of expiring certs to avoid Application disruption - SSL certificate expiry information aggregated across NetScalers can be exported and you can get timely notifications about certificates expiring in next month or quarter so that you can renew those on time. You can now avoid unnecessary and embarrassing app downtimes

3. Security Compliance - Easy way to assess and track which of the SSL certificates are unused (not bound to any VServer) or expired and act upon them. 

WAF/BOT Insights :

SecOps admins typically export and visualize security events in SIEM tools like Splunk. NetScaler WAF/BOT violation events can be exported from ADM in real-time and visualized at Splunk.

Let us look at some of the use cases you can visualize with the WAF/Bot Violation events insights exported to Splunk from the ADM aggregated across your NetScalers.

1. View  Violation trends - Quickly track WAF or Bot violation trends over a period of time to derive patterns or your application threat surface. 
2. View Top applications with WAF/Bot Events
3. View total applications impacted by WAF/Bot violations
4. View today application attacks mitigated with the WAF rules configured in the NetScalers.
5. View BOT traffic classification to identify good actors, bad actors classified as humans or bots

Benefits of ADM Integration with  3rd party endpoints:

Enterprises that have ADM managing their NetScaler fleet can leverage it as a centralized export platform that offers several advantages:

1. Aggregated Data: Since ADM manages all NetScalers, it can aggregate the data across NetScalers to export to 3rd party tools of choice.

For example, whether it is an application or certificates across 10’s or 100’s of ADCs, ADM’s aggregated data can collect the total traffic/errors/certificate and usage details that is available for immediate export, alleviating the need to code or perform the aggregation yourself.

2. Processing Capabilities: ADM can preprocess and normalize the data before and produce more meaningful insights before exporting.

 For example, Web Insights is a standout example where the Response time is broken down into Client Network Latency, Server Network Latency and Server Processing Time. This helps pinpoint the session slowness problem to the exact contributor by doing some processing at the ADM end.

3. Centralized Control: ADM’s centralized data collection from managed NetScalers makes export easier to observability tools of choice. Typically integrations increase the ingestion at destination end (such as Splunk), but our integration helps you control and filter relevant data export at source itself (i.e the ADM itself). With this, you can control what data you want, how much you want and where you want it to be exported.

4. Intent Centric User Interface for Data Export hosted in the ADM as a feature: Is going to simplify the experience of configuring the integrations in ADM, going forward.

Setting Up NetScaler ADM Integration with Splunk:

NetScaler ADM Integration with Splunk is easy with a 3-step process. Here's a high-level overview of the steps for streamlined data export and analysis:

1. Prepare Splunk

• Install the relevant app plugins of NetScaler at Splunk (See Doc Link)
• Configure HEC endpoint (HTTP Event Collector) in Splunk and generate the token.

2. Prepare Data Export in the ADM

• In the ADM interface, configure the data export under Settings -> Ecosystem Integration
• Create a subscription specifying Splunk as the target destination with the HEC endpoint details and the token generated while preparing Splunk.
• HEC format - https://SPLUNK_PUBLIC_IP:SPLUNK_HEC_PORT/services/collector/event .
• Select the use-case to export data.

3. Download Sample Dashboards and Visualize in Splunk:

• Download Splunk dashboards for ADM from https://www.citrix.com/downloads/citrix-adc/sample-dashboards/endpoints-and-dashboards.html
• Extract the tgz file and copy the contents of the dashboard you want to create (It will be in JSON format)
• Go to Splunk and create a Dashboard studio.
• Click on the source code icon and paste the JSON and save the dashboard.

That’s it!!

Conclusion:

NetScaler ADM integration with Splunk provides organizations with a centralized point for data export that offers enhanced control, data processing capabilities, and aggregated insights.

By seamlessly integrating these powerful tools, organizations can gain a comprehensive understanding of their network and application performance, enabling them to proactively address issues and enhance user experiences.

You can DIY this right away. Here’s how.

2. Download Splunk dashboards for ADM from https://www.citrix.com/downloads/citrix-adc/sample-dashboards/endpoints-and-dashboards.html
3. Detailed documentation of preparation available at https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/analytics/security/splunk-integration.html