03. 04. 2023 Damiano Chini Log Management, Log-SIEM, NetEye

Introducing Observability in El Proxy

If you’re familiar with the NetEye SIEM module you probably also know El Proxy, the solution integrated into NetEye to ensure the integrity and inalterability of the logs produced by the SIEM module.

Since its introduction in NetEye, the only way to understand what El Proxy was doing was to inspect its logs, but as we know this is not an ideal solution for getting an overview of the behavior of any piece of software. This means that until now, El Proxy has been like a black box for most users, who may be have been wondering for example:

  • Is El Proxy signing and processing all logs correctly? Or is it perhaps encountering some error?
  • What is the workload in El Proxy? Are El Proxy and Elasticsearch keeping up with all the logs produced by the SIEM module?

To answer these types of questions we started introducing observability into El Proxy. In particular, we started with metrics, which will allow users to easily spot anomalies in the infrastructure and analyze the behavior of El Proxy over time.

The technologies involved in the process of exposing and visualizing El Proxy metrics in NetEye are:

  • OpenTelemetry: used by El Proxy to generate the metrics and expose them via an HTTP endpoint using the Prometheus format
  • Telegraf: polls the metrics from the HTTP endpoint and writes them to InfluxDB
  • InfluxDB: stores the time-series metrics
  • Grafana: visualizes the metrics via multiple dashboards installed in NetEye

To design the metrics and the visualizations, we divided the metrics into two main topics. The first one is troubleshooting. For which users may ask: Did El Proxy fail to process some logs? If so, for what reason? Did it store logs in DLQ? If so, when?

To answer these questions we created the “Troubleshooting” dashboard, based on metrics constructed from these use cases.

El Proxy Troubleshooting dashboard. In the first 2 panels, we can see that around 15:28 El Proxy had an error contacting Elasticsearch, probably due to an infrastructure incident, which led to 2 logs not being processed and sent back to Logstash. On the bottom half instead, we gain insights into the single requests performed by El Proxy to Elasticsearch. In particular, the 1st panel shows all the failed requests to Elasticsearch, while the 2nd and 3rd ones show the number of “retries”, i.e., the ones that failed and the ones that were successful, respectively.

Another topic of interest is the performance metrics of El Proxy and Elasticsearch. Hence NetEye also provides a dedicated dashboard for this:

El Proxy Performance dashboard. The 2 top-left panels give an overview of how many requests and logs El Proxy receives over time, while the third panel on the left shows how many logs are inside El Proxy at any moment, which can help you understand if El Proxy is managing to process and write logs at a faster rate than the rate of logs received as input. On the top right instead we have information on the timing of the requests to El Proxy and to Elasticsearch over time. This lets you understand for example if Elasticsearch is slowing down when it’s under heavy load, which may be a sign of a lack of resources.

Finally, a third dashboard gives an overview of the number of logs generated by each Tenant present in the infrastructure:

El Proxy Tenant Performance dashboard. In this dashboard, a panel is generated for each tenant present in your environment. Each panel displays the number of logs received from each Tenant, and also gives an insight into each of the Tenant’s blockchains if they has multiple ones.

We hope this first improvement on the observability of El Proxy will enable users to better and more easily get a grasp on the behavior of El Proxy. Any feedback is appreciated, please report it through the Wuerth Phoenix channels!

These Solutions are Engineered by Humans

Are you passionate about performance metrics or other modern IT challenges? Do you have the experience to drive solutions like the one above? Our customers often present us with problems that need customized solutions. In fact, we’re currently hiring for roles just like this as well as other roles here at Würth Phoenix.ext

Damiano Chini

Damiano Chini

Author

Damiano Chini

Latest posts by Damiano Chini

22. 10. 2024 Bug Fixes, NetEye
Bug Fixes for NetEye 4.38
03. 10. 2024 Bug Fixes, NetEye
Bug Fixes for NetEye 4.38
03. 10. 2024 Bug Fixes, NetEye
Bug Fixes for NetEye 4.37
21. 08. 2024 Bug Fixes, NetEye
Bug Fixes for NetEye 4.37
07. 08. 2024 Development
How Feature Toggles Can Improve Agile Development
See All

Related Content

Tags: , , , , ,

22. 11. 2024 Atlassian, Service Management

Managing Alerts with JSM: Focus on Incident Management – Part 1

Alerts are critical signals that demand immediate attention to minimize disruptions and maintain smooth operations. Proactively managing alerts throughout their lifecycle is key to effective event-driven workflows, incident response, and business continuity. By leveraging alerting tools within Jira Service Management Read More
06. 11. 2024 AI, Log-SIEM, Machine Learning, NetEye

The New NetEye User Guide Search: From POC to Production

Hello everyone! As you may remember, a topic I like to discuss a lot on this blog is the Proof of Concept (POC) about how we could enhance search within our online NetEye User Guide. Well, we're happy to share Read More
24. 10. 2024 Log Management, Log-SIEM

Categories of documents – create more namespaces within an agent’s environment

In the ever-evolving landscape of IT monitoring and management, the ability to efficiently handle multi-dimensional namespaces is crucial. Within NetEye, Log-SIEM (Elastic), provides a comprehensive solution for managing the single namespace dimension with the namespace of a data_stream. This blog Read More
04. 10. 2024 APM, ITOA

How to Restrict Viewing Access in Grafana Dashboards Based on Alyvix Tags

With the introduction of Alyvix Tags in NetEye 4.38, we’ve given users the ability to filter test cases and reports based on their tags, making it easier to focus on the specific test cases that matter to each department or Read More
02. 10. 2024 Log Management, Log-SIEM, Machine Learning, NetEye

Perform KNN Classification Using Elasticsearch

Hey everyone! We played around a bit last time with our radar data to build a model that we could train outside Elasticsearch, loading it through Eland and then applying it using an ingest pipeline. But since our data is Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive