Mastering NetScaler Console: Zero to hero in 31days - Day 13 - Splunk day!

Observability Integration, exporting analytics to Splunk, NewRelic and Prometheus

Hello, my name is Andrew and I tend to get a lot of questions about NetScaler Console. The purpose of this series is to offer some pointers on what it is, what it can offer and why you should take some notice. This is the thirteenth and a bit post in a set which is designed to cover the top topics that will get you trained up.

Knowledge is power, right? 📖📖📖📖

31 days seems an arbitrary number. Today is all about NetScaler Console exporting analytics to Splunk. NewRelic and Prometheus will have their own ‘days’.

How does this normally come up?

When talking with a client, and options that they will have to integrate the various NetScaler appliances. There might be a point at which ‘Observability’ is a consideration.

Typically, this is because the client already has some of these components in place and suggesting that they need to drop them and move to a new platform (NetScaler Console) isn’t viable. What most clients need is a solution that gives some flexibility, by integrating with these observability solutions. Naturally, if they don’t have these third party solutions, NetScaler Console could provide a solution.

This piece will show you how that can be achieved with NetScaler Console and the Service based Console( on-premises or service).

Who would be interested in this?

Any Network Admin, will be facing increasing complexity of modern applications, the challenges are in:

• Monitoring and troubleshooting applications.

• Gaining visibility into the behaviour of infrastructure and applications.

Observability bridges this gap by providing these insights into the entire infrastructure. Using the Observability Integration feature in NetScaler Console

Mastering sounds 'heavy'?

Ultimately, this is substack, who would be crazy enough to write technical content on this platform? 

What can NetScaler Console offer when working with Splunk?

Great question. It is possible to integrate NetScaler Console with Splunk to view analytics for the following data points:

• WAF violations

• Bot violations

• SSL Certificate Insights

• Gateway insights

• Events and metrics

• HDX insights

This add-on enables you to:

• Combine all other external data sources.

• Provide greater visibility of analytics in a centralized place.

NetScaler Console collects Bot, WAF, SSL events, and sends to Splunk periodically. The Splunk Common Information Model (CIM) add-on converts the events to CIM compatible data. As an administrator, using the CIM compatible data, you can view the events in the Splunk dashboard.

What do I need to do to set it up?

Read this Link

What does it look like?

After you complete the configuration in NetScaler Console, see the link in the previous section. The data gets exported from NetScaler Console and the events appear in Splunk. Splunk will display the view defined natively in the Splunk interface without any additional steps.

The following is an example for the WAF and Bot dashboard:

WAF and BOT dashboard in Splunk

This looks very similar to the native NetScaler Console SSL Dashboard, however it doesn’t require the admin to step outside of the Splunk Console, which is very handy.

SSL Dashboard In Splunk.

The following dashboard is an example for the updated events and metrics dashboard.

Events and Metrics.

If it is not clear, here is a scenario.

Bob and Alice have been using NetScaler Console Service in the scenarios for the last few days. 

Alice and Bob have been using Splunk forever. When looking at NetScaler metrics, they want all the data to be aggregated in the Splunk system as that is their corporate Standard. Apart from a dashboard, they can also view data in Splunk after creating the subscription.

1. In Splunk, click Search & Reporting.

2. In the search bar:

   • Type sourcetype="metrics" and select the duration from the list to view the NetScaler Console metrics data.

   • Type sourcetype="event" and select the duration from the list to view the NetScaler Console events data.

   • Type sourcetype="bot" or sourcetype="waf" and select the duration from the list to view bot/WAF data.

   • Type sourcetype="ssl" and select the duration from the list to view the SSL certificate insights data.

   • Type sourcetype="gateway_insights" and select the duration from the list to view the Gateway insights data.

   • Type sourcetype="hdx_insights" and select the duration from the list to view the Gateway insights data.

Happy days, as this allows Bob and Alice to focus time on other tasks that are important to Acme, as the combination of Splunk, NetScaler and the NS Console has them covered.

The Call to Action

Let me know if this piece raises any questions/comments, drop them into the space below. I will endeavour to answer directly or update the post to better address the question(s).

Summary

Buckle up. The NetScaler Console is the best tool for many different jobs when working in conjunction with the NetScaler Appliance. They are the perfect tag team. 🤼. The NetScaler Console can offer a one-stop shop to see all your appliances from one place, and deploy and update them and track those applications and the level of Security in-place that your business needs.

Let me show you how to make the most of it!

Have a good one.