Arista Analytics Basic Operations

This chapter uses Arista Analytics to monitor and analyze traffic and events in the monitoring fabric and the DANZ Monitoring Fabric controller. This chapter includes the following sections:

Overview

Arista Analytics provides a non-proprietary extensible UI that integrates DMF Recorder Nodes, DMF Service Nodes, and the DANZ Monitoring Fabric controlled using an SDN Controller. The system has an extensive library of visualization components and analytics to compose new dashboards and answer further questions as they arise. The Arista Analytics node/cluster answers questions that would otherwise require specialized applications, such as Application Data Management (ADM) or Intrusion Protection Management (IPM). The Analytics node/cluster creates a document for each packet received. It adds metadata regarding the context, including the time and the receiving interface, which ElasticSearch can use to search the resulting documents quickly and efficiently.

Flows Dashboard

The following figure shows the Flows dashboard when accessing Arista Analytics.
Figure 1. Production Network > Flows Dashboard
The left panel provides the following options to access Arista Analytics features:
  • Fabric: The home page for Analytics provides a series of tabs and sub-tabs.
  • Controller: Opens the DANZ Monitoring Fabric GUI on the Controller identified using the System > DMF Controller option.
  • Discover: Use predefined indices to filter and display specific events.
  • Visualize: Customize the graphics displays provided by Arista Analytics.
  • Dashboard: Displays dashboards for DANZ Monitoring Fabric events.
  • Timelion: Displays events and other results according to time series.

The Kibana documentation documents the Analytics GUI, and most of its features and operations based on ElasticSearch are available at the following URL:

https://www.elastic.co/guide/en/kibana/7.2/index.html

Kibana 7.2 is the version used for Arista Analytics version 7.3.

Arista Analytics Fabric View

The Arista Analytics Fabric view displays in the following three tabs:
  • Production Network: View information about the production network.
  • DMF Network: View information about the monitoring network.
  • System: Manage system configuration settings.

Each page contains panels with different functions and features. The network panels provide visualizations, such as pie charts, line graphs, or other graphic displays that reflect the current dashboard contents based on the specific query. The bottom panel lists all the events that match the current query. A pop-up window provides additional details about the selection when mousing over a panel.

Using Two-ring (by Production Switch) Pie Charts

Pie charts that display information by the production switch have an inner and outer ring, as shown in the following example.
Figure 2. Two-ring Pie Chart

When a second ring appears in a pie chart, click any segment in the inner ring, and the outer ring provides a summary of information about the selected segment.

For example, in the Tracked Hosts by Production Device & IF pie chart , the outer ring shows hosts tracked on each interface, while the inner ring summarizes the tracked hosts on each switch. Clicking on a segment for a specific switch on the inner ring filters the outer ring to show the tracked hosts for the interfaces on the selected switch.

Filtering Information on a Dashboard

Filter the events displayed on a dashboard by choosing an area on the dashboard. This action limits the information displayed on the dashboard to events similar to those selected. Click any pie chart slice to limit the display to the specific activity chosen. To change the color assigned to a specific protocol or other object, click the label on the list to the right of the chart.

Selecting the Time Range

To restrict the current content to events occurring in a specific period, click the mouse and drag it to surround the area on a time visualization, such as the Flows Over Time.
Figure 3. Selecting the Time Range
To select the time range or to change the default refresh rate, click the Time Range control in the upper right corner. The system displays the following dashboard.
Figure 4. Time Range Control
This dialog provides the following options for setting the time range:
  • Quick: Simple settings, such as Today, Last 1 hour, etc.
  • Relative: Time offsets from a specific time, including the current time.
  • Absolute: Set a range based on date and time.
  • Recent: Provides a list of recently used ranges that you can reuse.
Select the range from the options provided, and the panels and displays update to reflect the new date and time range. To change the auto-refresh rate, click the Auto-refresh control. The system displays the following dashboard.
Figure 5. Change Auto Refresh Rate

Select the refresh interval from the options provided. Click Start to disable the auto-refresh function.

Using the Search Field

The search field at the top of the dashboard filters the current displays by any text or numbers you type into the field.
Figure 6. Search Field
The green bars under the Search field show the currently applied filters. When the pointer is over a green bar, it displays icons that let you control the filter.
  • Enable/Disable filter
  • Pin/Unpin filter
  • Exclude/Include matches
  • Remove filter
  • Edit filter

The Action option in the upper right corner applies these actions to all the currently applied filters.

Click a segment on a pie chart for the appropriate filter; it automatically inserts into the Search field. To undo the filter, click the Remove filter icon.

To filter the information in the displays, enter the characters to filter the display in the search field. For example, for entering the first part of an IP address, it updates the displays to show only those IP addresses that match the characters entered. The following are some of the most helpful search filters:
  • IP address
  • Host name (requires DNS services)
  • Protocol, for example, HTTP, HTTPS, ICMP, and so forth
  • DMF interface name

To define complex queries using field names, which can be seen by scrolling and clicking on an event row. For example, on the sFlow®* dashboard, the query proto : TCP AND tags : ext displays all externally bound TCP traffic. OR NOT ( ) are also permitted in the expression. For more details about the supported search syntax, refer to the following URL:https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax.

Search Performance Limitations

Refrain from executing a general query for 7 or 30 days. You should select a 7 or 30-day query with specific criteria, like querying a specific flow, filter interface, or DNS server.

To query NetFlow or sFlow for more extended periods, use the FLOW dashboard to determine the trend and then do a specific query, such as querying a specific flow or time, on the Netflow or sFlow dashboard.

For a great deal of NetFlow traffic, select one Analytics node only for NetFlow and another for other Analytics traffic.

Using Discover Mode

Select the Discover option in the left panel of the Analytics window, the system will display the following page.
Figure 7. Discover Mode

Use Discover mode to see the indices in the ElasticSearch database and identify the available data.

Managing Dashboards

Select the Dashboards option from the left panel on the Analytics window to manage dashboards. The system displays the following page.
Figure 8. Dashboard Mode
Refer to the Kibana documentation for details about creating and managing dashboards.https://www.elastic.co/guide/en/kibana/7.13/index.html
Note: Recommended Best Practices - Use the naming convention that suits your environment while creating a dashboard or saved objects. For example, select a prefix to identify the dashboard content, and then use the body of the dashboard name to determine the type of dashboard. For instance, in the above screenshots, it uses a naming pattern, prefixed with “ARISTA” and specifying type: dashboard allows a manageable set of things to appear to click or select all individually. Furthermore, exporting individual dashboards based on their type is a more appropriate option for easy tracking as modifications to a dashboard. Your dashboards should use only visualizations and searches you create for upgrades; do not depend on default objects that might change in the upgrade.

Custom Dashboards

Add or insert the custom dashboard by selecting the Dashboards option from the left panel on the Analytics window. The system displays the following page, which is the default dashboard:
Figure 9. Default Dashboard Mode
In the default dashboard, select the option to customize per your requirements.
Figure 10. Search for Dashboard
For the customization of the option on the dashboard, copy its ID as following.
Figure 11. Select the option and copy the ID
Note: Insert the ID into the dashboard in the same way as captured from the bar to work.
Figure 12. Setting custom Dashboard
Figure 13. Default Dashboard configuration
Open the menu to select the action.
Figure 14. Open the action menu
Select the Duplicate tab for the duplicate entries.
Figure 15. Duplicate the tab
Figure 16. Insert the name tag ID
Now, the dashboard shows the customization of the option selected by the user.
Figure 17. Selected option for the user

Mapping IP Address Blocks

Map an IP address or a range of addresses to a description, which searches for description text instead of the IP address. This feature identifies a specific group or organization sending or receiving traffic.

Complete the following steps to assign a single IP address or a block of IP addresses to a tool, group, or organization.

  1. Select System > Configuration and click the Edit control to the left of the IP Block section.
    Figure 18. Edit IP Blocks
  2. Copy an existing block by clicking on any square box along the left and select Duplicate from the pop-up menu.

    The duplicated block will be appended to the existing block list and assigned the next numerical sequence identifier.

  3. Scroll down to the end of the tags section to the numerical identifier assigned to the new block.
    Figure 19. Key Value Pairs
    It automatically copies the first four keys.. The purpose of each of these default keys is as follows.
    • Desc: A short descriptive text entry.
    • ASNum: Automatically populated with the BGP Autonomous Systems (AS) numbers for well-known networks.
    • VPC: Virtual Private Cloud (tenant), automatically populated with the VPCs used in an integrated Converged Cloud Fabric network.
    • Segment: Network segment within a Converged Cloud Fabric VPC.

    To identify a user, application, tool, group, or organization, use the Desc key. You can leave the other fields blank.

  4. Type a value for the Desc key in double quotation marks (“).
  5. (Optional) To define an additional key, select any key and choose Duplicate from the pop-up menu. Then, type over the existing value with the correct value for the new key.

    Existing dashboards use the default keys. The customized dashboards can use added key pairs. The fifth and sixth keys can be custom.

    These keys are added to the flow for the source and destination IPv4 address. For example, the source description would be sDesc and the destination description would be dDesc.
    Note: Remember to match values in the same order as the corresponding key positions.

Mapping DHCP to OS

DHCP signatures can map to known operating systems. These unique signatures are from fingerbank.org. As shown in the following image, several two-digit numbers are assumed signatures of each OS (derived from fingerbank.org).
Figure 20. Unique OS Signatures from fingerbank.org
Figure 21. OS Information Received through DHCP Signatures

Mapping Ports and Protocols

The Analytics Node maps typically used ports for their L4 applications and protocols. These protocols and ports can also be user-defined for custom application ports and custom protocols.
Figure 22. Edit Ports
Figure 23. Edit Protocols

SNMP Collector

SNMP collectors facilitate third-party NetFlow/IPFIX sources. The Analytics Node supports both SNMPv2 and SNMPv3.
Figure 24. SNMP Collector

Mapping OUI to Hardware

Map ARP Organizational Unique Identifiers (OUIs) for various hardware vendors.
Figure 25. OUIs of Various Hardware Vendors

Topic Indexer on Arista Analytics

Description

The Analytics Node (AN) incorporates a feature known as topic_indexer, designed to facilitate data ingestion from customer Kafka topics and its subsequent storage into Elasticsearch indices.

This process involves modifying field names and specifying the supported timestamp field during the ingestion phase. The renaming of field names enables the creation of dashboards used to visualize data across multiple streams, including DNS and Netflow.

The resulting indices can then be leveraged as searchable indices within the Kibana user interface, providing customers with enhanced search capabilities.

Implementation Details
  • Configure a stream job using topic_indexer. Access the setting via the Kibana dashboard in the analytics node.
  • Locate the topic_indexer configuration on the Fabric Dashboard: Analytics > Fabric > System > Analytics Configuration, as shown in the following screenshots.
  • Figure 26. Analytics > Fabric
  • Another view:
    Figure 27. System > Analytics Configuration
  • The design section shows the configuration for a topic
  • Figure 28. Node selection
Configuration
Kibana Configuration
  • To perform the topic_indexer configuration, select the System > Configuration > Fabric page and open the Analytics Configuration panel:
    Figure 29. System > Configuration
  • Figure 30. Topic_indexer configuration

Field Details

Each topic maps in JSON with the following fields:
  • topic: Kafka topic name; type string and is a mandatory field.
  • broker_address: Broker address(es), this is of type array; this will be of format [IPv4|hostname:Port number] and is a mandatory field.
  • consumer_group: This is an optional field; however, there is always a consumer group if not specified explicitly in the configuration. It is topic_name + index_name. Setting this field is particularly useful when ingesting multi-partitioned topics from the client's end.
  • index: A dedicated index name for the topic; type string. In Elastic Search (ES), it is created as topic_indexer_<index_name> and is a mandatory field.
  • field_group: An optional JSON field mapping to specify any column rename/format transformations. It specifies format for modifications to incoming data.
  • type: To set timestamp field as the type.
  • source_key: The source field name in the incoming data.
  • indexed_key: The name of the destination field inserted in the outgoing ES index.

    The indexed_key may be a @timestamp field of an ES index. If you do not specify a @timestamp field, topic_indexer automatically picks the time the message was received as the @timestamp of that message.

  • format: Data format for the field (ISO8601).

Standards and Requirements

Input fields naming convention:

  • Kafka allows all ASCII Alphanumeric characters, periods, underscores, and hyphens to name the topic. Intopic_indexer, legal characters include: a-z0-9\\._\\-
  • Note that the only restriction topic_indexer has is on capitalizing topic names. topic_indexer does not support case-sensitive names. By default, topic_indexer treats the name as a lowercase topic. Hence, topic names should be lowercase only.
  • All numeric names are also invalid field text.
Note: These conventions are valid for all other input types as well.

Examples of names:

Valid text:
  • my-topic-name
  • my_topic_name
  • itlabs.mytopic.name
  • topic123
  • 123topic
  • my-index-name
Invalid text:
  • myTopicName
  • ITLabs-Website-Tracker
  • 12435
  • MY-Index-name
Broker Address Format:
  • A broker address in Kafka comprises two values: IPv4 address and Port Number.
  • When entering the broker address, use the format: IPv4:PORT.

Application Scenario

Querying Across DataStream using runtime-fields

Use runtime fields when making complex changes beyond simply renaming a field, such as converting it from a string type to an IP address. After every change to a runtime field, issue a 
POST <stream-name>/_rollover
Note: These changes are not persistent. Reapply is a must after any restart of AN.
Use Case:
  • Cross-index visualization - two data streams that need cross-querying:
  • Figure 31. Cross index visualization
  • Step 1. To view the documents in these indexes, create an index pattern (e.g., topic*spend) in Kibana.
  • Step 2. View the data in the Discover dashboard.
    Figure 32. Discover dashboard
  • Step 3. Create a common field (runtime field) between the two data streams by applying an API in Dev Tools.
    Figure 33. Dev Tools
    Note: Setting rollover policy on runtime fields can also be done in Dev Tools, as shown in the following examples: 
    POST /topic-indexer-service-spend/_rollover
POST /topic-indexer-product-spend/_rollover
    Note: These changes are not persistent. Reapply is a must after any restart of AN.
  • Step 4. Finally, create a visualization using this common field, for example, Customer. The illustration below shows the Top 5 customers with the highest spending across products and services.
    Figure 34. Visualization

Syslog Messages

The topic_indexer logs are stored in /var/log/analytics/ folder and are accessed using the following commands. 
an> debug bash
admin@an$ cd /var/log/analytics/
admin@an:/var/log/analytics$
admin@an:/var/log/analytics$ ls -ls topic_indexer.log
67832 -rw-rwxr-- 1 remoteuser root 69453632 Apr 27 11:05 topic_indexer.log

Troubleshooting

Below are some of the commonly known issues and their troubleshooting scenarios:
  1. The Save button in the topic_indexer config is disabled.
    When editing the configurations of topic_indexer in the Kibana User interface, default validations appear to ensure the correctness of the values entered in the fields. Specific standards and requirements are associated when filling in the config for topic_indexer as stated in the above section linked: Topic Indexer on Arista Analytics . As illustrated below, it may encounter validation errors when entering an invalid value in the configuration field. Topic Indexer on Arista Analytics
    Figure 35. Validation errors

    In such an event, the edited configuration will not save. Therefore, before saving the configuration, validate the fields and ensure there is no visible validation error in the topic_indexer configuration editor.

  2. The index for the topic_indexer is not created.

    After entering the correct fields in the topic_indexer configuration, the topic_indexer service will start to read the Kafka topic as documented in the configuration and load its data into the ElasticSearch index entered by the index field. The name of the index is prefixed by topic_indexer_.

    There is a wait time of several minutes before the index is created and loaded with the data from the Kafka topic. In the event the index is not created, or there is no index shown with the name topic_indexer_<index_name> value, Arista Networks recommends using the following troubleshooting steps:
    1. Check the configurations entered in the topic_indexer editor once again to see whether the spellings for the topic name, broker address configuration, and index name are correct.
    2. Verify the broker address and the port for the Kafka topic are open on the firewall. Kafka has a concept of listeners and advertised.listeners . Validate if the advertised.listeners are entered correctly into the configuration. Review the following links for more details:
      1. Kafka 3.5 Documentation
      2. Kafka Listeners – Explained | Confluent
    3. If all the above steps are correct, check now for the logs in the Analytics Node for the topic_indexer.
      Steps to reach the topic_indexer.log file in AN node:
      1. Secure remote access into the AN using the command line: ssh <user>@<an-ip>
      2. Enter the password for the designated user.
      3. Enter the command debug bash to enter into debug mode.
      4. Use the sudo user role when entering the AN node: hence the sudo su command.
      5. topic_indexer logs reside in the following path: /var/log/analytics/topic_indexer.log
      6. Since this log file can be more extensive, you should use the tail command.
      7. Validate if the log file shows any visible errors related to the index not being created.
      8. Report any unknown issues.
  3. Data is not indexed as per the configuration.
  4. Data ingestion is paused.

    When experiencing issues 3 or 4 (described above), use the topic_indexer log file to validate the problem.

  5. The index pattern for the topic_indexer is missing.

    In the Kibana UI, it creates a default topic_indexer_* index pattern. If this pattern or a pattern to fetch the dedicated index for a topic is missing, create it using the Kibana UI as described in the following link:

    Create an index pattern | Kibana Guide [7.17] | Elastic

*sFlow® is a registered trademark of Inmon Corp.