Appendix E Splunk Integration Support

Learn how to integrate Splunk with N2WS.

The N2WS Backup & Recovery instance now supports monitoring of backups, DR, copy to S3, alerts, and more by Splunk. The N2WS add-on features:

  • Ability to define data input from N2WS via a Technology Add-on (TA)

  • Ability to monitor resources and instances

  • An N2WS app with 2 dashboards for displaying operational insights:

    • N2WS activity monitor - Information about the data

    • N2WS Alerts

Limitations:

  • No support for Microsoft Azure

  • No support for multiple CPMs

  • Supported with Splunk Enterprise only

Integration consists of installing Splunk and configuring the TA for N2WS.

E.1 Configure N2WS Server for Splunk

To configure the N2WS Server:

  1. Edit the N2WS configuration file as follows:

>> su cpmuser
>> vi /cpmdata/conf/cpmserver.cfg
[external_monitoring]
enabled=True

  2. Restart apache:

>> sudo service apache2 restart

  3. To check the status of the Splunk integration, in N2WS, go to Help > About and verify that 'External monitoring (Datadog / Splunk) enabled' is Yes.
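
The edit in step 1 can be scripted so that it is repeatable and changes nothing else in the file. The following is an added example, not part of the N2WS documentation: the function names are hypothetical, and it assumes the file is plain INI with [section] headers, as the snippet in step 1 suggests. On the N2WS server it would be run as cpmuser against /cpmdata/conf/cpmserver.cfg, followed by the apache restart in step 2.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; only the section name and
# key (enabled=True under [external_monitoring]) come from the guide.

# Print the value of "enabled" in [external_monitoring]; print nothing if unset.
monitoring_state() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[external_monitoring\][ \t]*$/); next }
        in_sec && /^[ \t]*enabled[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Set enabled=True, touching only that section; a no-op when already enabled.
enable_monitoring() {
    cfg=$1
    [ "$(monitoring_state "$cfg")" = "True" ] && return 0
    tmp=$(mktemp) || return 1
    awk '
        # Add the key if the section is being left (or the file ends) without it.
        function emit() { if (in_sec && !done) { print "enabled=True"; done = 1 } }
        /^[ \t]*\[/ {
            emit()
            in_sec = ($0 ~ /^[ \t]*\[external_monitoring\][ \t]*$/)
            if (in_sec) seen = 1
            print; next
        }
        in_sec && /^[ \t]*enabled[ \t]*=/ { emit(); next }  # replace, drop duplicates
        { print }
        END {
            emit()
            if (!seen) { print "[external_monitoring]"; print "enabled=True" }
        }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps owner and mode of cfg
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample file (not a real cpmserver.cfg): section present, disabled.
demo=$(mktemp)
printf '[sample]\nk=v\n[external_monitoring]\nenabled=False\n' > "$demo"
enable_monitoring "$demo" && echo "state: $(monitoring_state "$demo")"
rm -f "$demo"
```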

E.2 Installation on Splunk

Splunk can work with a proxy for reaching N2WS APIs.

Verify that you have the correct app installation files:

  • N2WS_app_for_splunk.spl

  • ta_N2WS_for_splunk.spl

Both files can be downloaded from the Splunk MarketPlace.

To install:

The Manage Apps page opens.

2. In the upper right, select Install app from file.

3. For an initial installation:

   a. Browse for the N2WS_app_for_splunk.spl file. Select Upload.

   b. Browse for ta_N2WS_for_splunk.spl. Select Upload.

4. For updates, browse for the current file and select Upgrade app.

Installation of Splunk is fully documented at https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/InstallonLinux

E.3 Configuration of TA for N2WS

Two configurations are required:

  • TA of the REST API

  • Data inputs from N2WS for Alerts and Dashboard information

To configure the TA:

  1. Go to splunk > App N2WS Add-on > Configuration.

  2. If needed, select the Proxy tab, complete the settings, and select Save.

3. In the Logging tab, select the TA Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL.

4. In the Add-on Settings tab, set the API Url of the target server and the API Key. You can copy and paste the API URL and API Key, or both can be left empty for the customer to fill in.

  • The API Url is the address of your N2WS server.

  • You can generate an API Key in N2WS at User > Settings > API Access.

5. Select Save.

To configure data Inputs:

Both Dashboard and Alerts inputs should be defined.

  1. Enter the relevant data input information:

    1. Name - Unique name of the input.

    2. Interval - Time interval for fetching the data from N2WS in seconds. 300 is recommended.

    3. Index - The Splunk index (silo) to store the data in:

      • For Alerts, n2ws_alerts

      • For Dashboard information, n2ws_di

    4. Last alert ID - Leave blank.

  2. Select Update.

When finished, the Inputs should look like this:

To manage the Inputs, in the Actions column, select from the Action menu: Edit, Delete, Disable, or Clone.

To configure default data indexes:

  1. Select Settings on the upper right corner and then select Indexes.

  2. Verify that the following indexes exist under the N2WS app. If not, select New Index to add indexes for the CPM information.

  • n2ws_alerts

  • n2ws_di

  3. In the file system, copy macros.conf from the default folder to the local folder. For example:

     Source: C:\Program Files\Splunk\etc\apps\N2WS_app_for_splunk\default

     Target: C:\Program Files\Splunk\etc\apps\N2WS_app_for_splunk\local

4. Edit the macros.conf file under 'local' and change the default index to the new indexes that were created.

5. Restart the Splunkd service from Windows Services.

E.4 Viewing Dashboards

Go to Splunk Apps and find N2WS app for splunk. The N2WS app contains tabs for N2WS activity monitor and N2WS Alerts. Edit and Export options are available in the upper right corner of each dashboard.

E.4.1 N2WS activity monitor

  • Filter for Time Range (defaults to last 24 hours) and Users, including root and delegates.

  • Displays All Accounts, Policies, Protected Resources, Managed Snapshots, Backups DR, S3 Backups, Volume Usage, and other requested data.

For Protected Resources and Managed Snapshots, select the displayed number to drill down. Protected Resources opens a table of the resources and the number of items for each resource type for the selected users. Managed Snapshots opens the managed snapshots, a count of each type, and a total.

E.4.2 N2WS Alerts

The Alerts dashboard includes filters for:

  • Time range - Last 24 hours (default)

  • User - All (default) or username

  • Severity - All or Info or Warning

  • Category - All or Tag Scan, volume usage limit exceeded

The list defaults to descending sort order. Select any column to change sort order.

  • Time - Date, time, event ID

  • User

  • Severity

  • Category

  • Message
