Real-time Connector Metrics using SIEM providers

You can use SIEM providers like DataDog and TrafficPeak to monitor and analyze your EAA Connectors, investigate health issues and security incidents, and perform data visualization. You can send CPU, memory, and network metrics of the EAA Connectors to create dashboards for visualization.

Note: This is a limited-availability (LA) feature and can be enabled in your contract by contacting Akamai Support.

It involves these steps:

  1. Contact Akamai support to obtain the mapping between the Connector GUID and the connector name. The Connector GUID is sent to the SIEM provider.
  2. Configure the EAA Management Portal to send the metrics to a SIEM provider.
  3. Select the SIEM provider of your choice:
    • View the metrics and create graphs and dashboards in Datadog.
    • To view the metrics and create graphs and dashboards in TrafficPeak, you need to message TrafficPeak's Customer Success Engineering (CSE) team and request the deployment of the EAA integration. For metrics integration, the eaa_metrics table should be enabled. If you request all available EAA tables, the EAA metrics will also be included.

Send metrics to a SIEM provider

Prerequisite: You must have a connector version greater than 24.03.00.150.

You can send different connector metrics like CPU, memory, and network to your DataDog SIEM provider.

Follow this procedure to send these metrics:

  1. Log in to the Enterprise Center.
  2. In the Enterprise Center navigation menu, select Application Access > General Settings > Settings > Company Settings.
  3. Go to the System monitoring SIEMs section.
  4. Enable Send metrics to send connector metrics such as CPU, memory, and network to your SIEM provider so that you can monitor, investigate issues, and perform data visualization. When you disable this setting, no data is retained or sent to the SIEM provider.

The connector metrics sent to SIEM providers are:

CPU Metrics:

| Metric name | Description |
| --- | --- |
| cpu.usage_active | Percentage of time spent by CPU doing active work across all the CPU cores. |
| cpu.usage_idle | Percentage of time spent by CPU being idle. |

Memory Metrics:

| Metric name | Description |
| --- | --- |
| mem.total | Total physical RAM installed on the machine in bytes. |
| mem.available | Amount of memory available in bytes, for new processes without swapping. |
| mem.available_percent | Percentage of RAM available. Calculated as mem.available / mem.total * 100 |
| mem.used | RAM used in bytes. |
| mem.used_percent | RAM used in bytes, expressed as a percentage of total memory. Calculated as mem.used / mem.total * 100 |
| mem.dirty | Memory pages modified in RAM but not yet written to disk, expressed in bytes. |
| mem.mapped | Size of memory mapped files and devices, expressed in bytes. |

Network Metrics:

| Metric name | Description |
| --- | --- |
| net.bytes_recv | Total bytes received by the interface. |
| net.bytes_sent | Total bytes transmitted by the interface. |
| net.packets_recv | Total packets received by the interface. |
| net.packets_sent | Total packets transmitted by the interface. |
| net.err_in | Total receive errors detected on the interface. |
| net.err_out | Total transmit errors detected on the interface. |
| net.drop_in | Total received packets dropped by the interface. |
| net.drop_out | Total transmitted packets dropped by the interface. |
| net.speed | Latest reported interface speed in Mbits/sec (if unsupported, it is represented as -1). |

  5. Active SIEM. Select the name of the SIEM provider. Datadog and TrafficPeak are supported for this release. You can also click edit SIEM (pencil icon) to edit the SIEM parameters, or click remove SIEM to delete the SIEM provider and start another configuration.
  6. Provide the parameters needed to connect to the SIEM server of your choice. The parameters are different for different SIEM providers.
    • To connect to the TrafficPeak SIEM server, provide these parameters:
      SIEM type. TrafficPeak.
      Encryption Token. Provide the token to securely send the connector metrics data to the SIEM provider. You can obtain the encryption token from the Hydrolix
      Username. Specify the username you use to log in to the server.
      Password. Specify the password you use to log in to the server.
    • To connect to the DataDog SIEM provider, provide these parameters:
      SIEM type. DataDog.
      Server. Provide the server hostname of the SIEM provider.
      Encryption Token. Provide the token to securely send the connector metrics data to the SIEM provider. You can obtain the encryption token from the API Keys in DataDog. See Add an API key or Client Token in the Datadog documentation. If you have trouble connecting to the SIEM server, you can click show encryption token (eye icon) to check that you entered it correctly.
  7. Click Test and Save to test the connectivity. If EAA can communicate with the Datadog SIEM correctly, the changes are saved.

You should be able to receive the EAA Connector metrics in your SIEM provider dashboard to perform diagnosis, data visualization, and troubleshoot any security incidents.
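The following Python is an added example, not part of the Akamai documentation: it turns two consecutive samples of the metrics listed above into alertable findings, treating the net.* totals as cumulative counters and skipping the utilization check when net.speed is -1. The ts field, the thresholds, the finding names, and the sample values are assumptions constructed for illustration.

```python
# Added example: keys are the metric names listed above. "ts" (sample time in
# seconds), the thresholds and the sample values are assumptions.
COUNTERS = ("net.bytes_recv", "net.packets_recv", "net.err_in", "net.drop_in")

def evaluate(prev, cur, max_util=0.8, max_loss=0.01, min_mem_pct=10.0, max_cpu=95.0):
    """Return findings for one connector from two consecutive metric samples."""
    dt = cur["ts"] - prev["ts"]
    if dt <= 0:
        return ["bad-interval"]
    findings = []
    # net.* values are running totals, so evaluate the increase between samples.
    d = {name: cur[name] - prev[name] for name in COUNTERS}
    if any(v < 0 for v in d.values()):
        # A total went backwards (counter restarted); rates would be meaningless.
        findings.append("counter-reset")
    else:
        speed = cur["net.speed"]  # Mbits/sec; -1 means the speed is unsupported
        if speed > 0:
            util = (d["net.bytes_recv"] * 8 / dt) / (speed * 1_000_000)
            if util > max_util:
                findings.append("rx-saturation")
        lost = d["net.err_in"] + d["net.drop_in"]
        if lost / max(d["net.packets_recv"], 1) > max_loss:
            findings.append("rx-loss")
    # Same formula as mem.available_percent: mem.available / mem.total * 100
    if cur["mem.available"] / cur["mem.total"] * 100 < min_mem_pct:
        findings.append("low-memory")
    if cur["cpu.usage_active"] > max_cpu:
        findings.append("cpu-high")
    return findings

# Constructed samples taken 60 seconds apart (not real connector data).
PREV = {"ts": 0, "net.bytes_recv": 1_000_000, "net.packets_recv": 10_000,
        "net.err_in": 5, "net.drop_in": 20, "net.speed": 1000,
        "mem.available": 6 * 2**30, "mem.total": 8 * 2**30, "cpu.usage_active": 35.0}
CUR = {"ts": 60, "net.bytes_recv": 601_000_000, "net.packets_recv": 510_000,
       "net.err_in": 5, "net.drop_in": 10_020, "net.speed": 1000,
       "mem.available": 512 * 2**20, "mem.total": 8 * 2**30, "cpu.usage_active": 97.0}

if __name__ == "__main__":
    print(evaluate(PREV, CUR))
```

The same delta-based checks can be expressed as monitors or panel queries in the SIEM itself; the point is to alert on the change in the net.* totals rather than on their raw values.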


View metrics in Datadog Explorer

In Datadog Metrics Explorer, follow these steps for data visualization:

  1. Use Add Query to add the name of the metric you want to visualize in a graph.
  2. For the from option, add the agent-id: of the EAA connector. You can obtain this information from Akamai support.
  3. Select the time period.

A graph is generated for the chosen metrics.

Here’s an example of the EAA Connector’s CPU usage metrics in Datadog Metrics Explorer:

[Figure: Datadog visualization example]

For more details on data visualization, see Datadog documentation.

View metrics in TrafficPeak

You can visualize EAA connector metrics as follows:

  1. Go to https://dashboards.trafficpeak.live/
  2. Log into your Grafana account.
  3. Click the + sign at the top-right corner and select New Dashboard.
  4. Click the + Add visualization button.
  5. For Select data source, select grafana-clickhouse-datasource.
  6. For Editor Type, select SQL Editor.
  7. For Query Type, select Time Series.
  8. You can add custom variables for the table, time, and sql in the Settings of your dashboard:

table:

SELECT concat(project,'.',name) as table FROM (SELECT database as project, name FROM system.tables WHERE engine = 'TurbineStorage' AND (project != 'sample_project' AND project != 'hdx'))

time:

SELECT primary_key FROM system.tables WHERE database = splitByChar('.','${table}')[1] AND table = splitByChar('.','${table}')[2]

sql:

SELECT name FROM system.columns WHERE database = splitByChar('.','${table}')[1] AND table = splitByChar('.','${table}')[2] LIMIT 1

You can reuse these variables in your queries.

  9. Set the table name, duration, and refresh period of your dashboard.
  10. In your panel editor, time series is selected as the default visualization style.
    You can add different panels to your dashboard. Provide a Title, optional Description under Panel Options, and click Save Dashboard.

For example, here you can see a time series graph for net bytes received:

[Figure: net bytes received]

For more information, refer to the Building Dashboards and Time Series Visualization sections of the Grafana documentation.

Switching between SIEM providers

You can switch between different SIEM providers like DataDog and TrafficPeak.

Follow this procedure to switch SIEM providers:

  1. Log in to the Enterprise Center.
  2. In the Enterprise Center navigation menu, select Application Access > General Settings > Settings > Company Settings.
  3. Go to the System monitoring SIEMs section.
  4. Make sure that Send metrics is enabled.
  5. Active SIEM. Select the SIEM that you wish to change to, such as DataDog or TrafficPeak.
    In the SIEM switch confirmation dialog box, click Confirm.
  6. Provide the respective parameters to connect to the SIEM server as described in Send metrics to a SIEM provider.
  7. The SIEM provider is switched to the new one and data is streamed to it for visualization.