This information is extremely useful, allowing traffic analytics software to combine telemetry obtained from network devices with information obtained using the Microsoft REST API in order to identifying clients, links, and devices carrying the traffic, as well as any issues, such as link errors, and congestion, that may be impacting performance.
The sFlow-RT analytics engine is programmable and includes a REST client that can be used to query the Microsoft API and combine the information with industry standard sFlow telemetry from network devices. The following script, office365.js, provides a simple example:
var api = 'https://endpoints.office.com/endpoints/worldwide'; function uuidv4() { return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) { var r = Math.random() * 16 | 0, v = c == 'x' ? r : (r & 0x3 | 0x8); return v.toString(16); }); } var reqid = uuidv4(); function updateAddressMap() { var res, i, ips, id, groups; try { res = http(api+'?clientrequestid='+reqid); } catch(e) { logWarning('request failed ' + e); } if(res == null) return; res = JSON.parse(res); groups = {}; for(i = 0; i < res.length; i++) { ips = res[i].ips; id = res[i].id; if(ips && id) groups[id] = ips; } setGroups('o365',groups); } updateAddressMap(); setIntervalHandler(function() { updateAddressMap(); },60*60*24);Note: See Writing Applications for an introduction to sFlow-RT's scripting API.
The chart at the top of this page demonstrates how the address information can be used. The screen capture shows real-time, up to the second, traffic flowing from Microsoft Office servers to local hosts. The open source Flow Trend application shown is easily launched using Docker:
docker run -v $PWD/office365.js:/sflow-rt/office365.js \ -e "RTPROP=-Dscript.file=office365.js" -p 6343:6343/udp -p 8008:8008 \ sflow/flow-trendThe application web interface is accessed on port 8008.
Type the following expression in the Keys: field to define the flow:
group:ipsource:o365,ipdestinationNote: See Defining Flows for details.
The sFlow-RT engine can be programmed to use the classified flow information in a variety of ways: pushing control actions to orchestration tools (e.g. OpenStack, Mesos, Docker Swarm, etc.) or SDN controllers (OpenDaylight, ONOS, Faucet, etc), generating metrics for DevOps tools (e.g. InfluxDB, Prometheus, etc.), and reporting policy violations to an SIEM tool (e.g. Splunk, Logstash, etc.).
No comments:
Post a Comment