Solution To Splunk for Network Transactions


#1

Had an interesting use case that others may benefit from. A large number of IP transactions connecting to a single L3 device.

How do you capture per-client metrics and cross-correlate that info for billing purposes and to ensure that these clients are only connecting to resources they are supposed to?

We wanted to be able to bill back users of these connections for usage outside of the terms of service (anything not application related) and monitor transaction anomalies.

Open Data Stream - RSYSLOG out per ClientIP/Port and ServerIP/Port w/ client/server bytes

We can cross-correlate these details with IP / end user details in Splunk and provide detailed analysis by client for usage that is considered out of normal parameters and may be billed for.

Word to the wise: use this as a starting point and tweak the amount you send to Splunk. You can uncomment the log code and watch the EH runtime log to ensure that you are sending the correct data before turning on the Remote.Syslog piece.

// ExtraHop FLOW_TICK trigger: emit one key=value record per flow tick to the
// remote syslog Open Data Stream. Every variable is declared with var
// (the original declared only the first, leaving the rest as implicit globals).
var time = getTimestamp();
var server = Flow.server.ipaddr;
var serverPort = Flow.server.port;
var client = Flow.client.ipaddr;
var clientPort = Flow.client.port;
var proto = Flow.l7proto;
var clientBytes = Flow.client.l2Bytes;
var serverBytes = Flow.server.l2Bytes;

/* Uncomment to check the record in the trigger runtime log before enabling syslog.
log("eh_event=FLOW_TICK" +
    " Time=\"" + time + "\", " +
    " ClientIP=\"" + client + "\", " +
    " ClientPort=" + clientPort + ", " +
    " ServerIP=\"" + server + "\", " +
    " ServerPort=" + serverPort + ", " +
    " Proto=\"" + proto + "\", " +
    " BytesIn=" + clientBytes + ", " +
    " BytesOut=" + serverBytes
);
*/

// Send the same record to the remote syslog target (the Open Data Stream).
Remote.Syslog.info(
    "eh_event=FLOW_TICK" +
    " Time=\"" + time + "\", " +
    " ClientIP=\"" + client + "\", " +
    " ClientPort=" + clientPort + ", " +
    " ServerIP=\"" + server + "\", " +
    " ServerPort=" + serverPort + ", " +
    " Proto=\"" + proto + "\", " +
    " BytesIn=" + clientBytes + ", " +
    " BytesOut=" + serverBytes
);
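As an added example (not the poster's trigger), the same FLOW_TICK record format as a plain function plus the Splunk-side work described above, in Node.js: parse the key=value lines back into fields, total bytes per client for bill-back, and flag flows to server:port pairs that are not on an allow-list. The flow records and allow-list are constructed sample data; `Flow`, `Remote.Syslog` and `getTimestamp` are ExtraHop trigger APIs and are not used here.

```javascript
// Added example, not the original trigger: the FLOW_TICK record format as a
// function, plus the per-client roll-up and destination check Splunk would run.
// All flow records and the server allow-list are constructed sample data.
// Build the same "eh_event=FLOW_TICK ..." key=value line the trigger sends.
function formatFlowTick(f) {
  return "eh_event=FLOW_TICK" +
    " Time=\"" + f.time + "\", " + " ClientIP=\"" + f.client + "\", " +
    " ClientPort=" + f.clientPort + ", " + " ServerIP=\"" + f.server + "\", " +
    " ServerPort=" + f.serverPort + ", " + " Proto=\"" + f.proto + "\", " +
    " BytesIn=" + f.clientBytes + ", " + " BytesOut=" + f.serverBytes;
}

// Parse a FLOW_TICK line back into fields (what Splunk key=value extraction does).
function parseFlowTick(line) {
  const fields = {};
  const re = /(\w+)=("([^"]*)"|[^,\s]+)/g;
  let m;
  while ((m = re.exec(line)) !== null) fields[m[1]] = m[3] !== undefined ? m[3] : m[2];
  return fields;
}

// Sum bytes per client for bill-back and flag flows to server:port pairs that
// are not on the allow-list (the "only the resources they are supposed to" check).
function summarize(lines, allowedServers) {
  const perClient = {}, violations = [];
  for (const line of lines) {
    const f = parseFlowTick(line);
    if (f.eh_event !== "FLOW_TICK") continue;
    const c = perClient[f.ClientIP] || (perClient[f.ClientIP] = { bytesIn: 0, bytesOut: 0, flows: 0 });
    c.bytesIn += Number(f.BytesIn);
    c.bytesOut += Number(f.BytesOut);
    c.flows += 1;
    if (!allowedServers.has(f.ServerIP + ":" + f.ServerPort)) {
      violations.push({ client: f.ClientIP, server: f.ServerIP, port: Number(f.ServerPort) });
    }
  }
  return { perClient, violations };
}

// Constructed sample flows: 10.1.1.5 makes one permitted HTTPS flow and one SSH
// flow to a server that is not on the allow-list; 10.1.1.6 is fully in policy.
const SAMPLE_FLOWS = [
  { time: 1700000000000, client: "10.1.1.5", clientPort: 51000, server: "10.9.0.10", serverPort: 443, proto: "HTTPS", clientBytes: 1200, serverBytes: 8800 },
  { time: 1700000001000, client: "10.1.1.5", clientPort: 51001, server: "10.9.0.99", serverPort: 22, proto: "SSH", clientBytes: 300, serverBytes: 500 },
  { time: 1700000002000, client: "10.1.1.6", clientPort: 40000, server: "10.9.0.10", serverPort: 443, proto: "HTTPS", clientBytes: 700, serverBytes: 3000 },
];
const ALLOWED_SERVERS = new Set(["10.9.0.10:443"]);
function runSample() { return summarize(SAMPLE_FLOWS.map(formatFlowTick), ALLOWED_SERVERS); }
console.log(JSON.stringify(runSample(), null, 2));
```

In Splunk the same roll-up is a `stats sum(BytesIn) sum(BytesOut) by ClientIP` over the extracted fields, with the allow-list supplied as a lookup.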