Appendix E Splunk Integration Support

The N2WS Backup and Recovery instance now supports monitoring of backups, DR, copy to S3, alerts, and more through Splunk. The N2WS add-on features:

  • Ability to define data input from N2WS via a Technology Add-on (TA)

  • Ability to monitor resources and instances

  • An N2WS app with 2 dashboards for displaying operational insights:

    • N2WS activity monitor - Information about the data

    • N2WS Alerts

Integration consists of installing Splunk and configuring the TA for N2WS.

E.1 Installation of Splunk

Splunk can work with a proxy for reaching N2WS APIs.

Verify that you have the correct app installation file Splunk_app_for_N2WS.spl, which can be downloaded from the Splunk MarketPlace.

To install:

  1. Log on to your Splunk Web and in the Enterprise Apps screen, select Settings.

     The Manage Apps page opens.

  2. In the upper right, select Install app from file.

  3. For an initial installation, browse for the Splunk_app_for_N2WS.spl file. Select Upload.

  4. For updates, browse for the current file and select Upgrade app.

Installation of Splunk is fully documented at https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/InstallonLinux

E.2 Configuration of TA for N2WS

Two configurations are required:

  • TA of the REST API

  • Data inputs from N2WS for Alerts and Dashboard information

To configure the TA:

  1. Go to splunk > App N2WS Add-on > Configuration.

  2. If needed, select the Proxy tab, complete the settings, and select Save.

  3. In the Logging tab, select the TA Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL.

  4. In the Add-on Settings tab, set the API Url of the target server and the API Key. You can copy and paste the API URL and API Key, or both can be left empty for the customer to fill in.

    • The API Url is the address of your N2WS server.

    • You can generate an API Key in N2WS at User > Settings > API Access.

  5. Select Save.

To configure data inputs:

Both Dashboard and Alerts inputs should be defined.

  1. In the App menu, select Inputs.

  2. In the Create New Input menu, select N2WS Dashboard information or N2WS Alerts.

  3. Enter the relevant data input information:

    1. Name - Unique name of the input.

    2. Interval - Time interval for fetching the data from N2WS in seconds. 300 is recommended.

    3. Index - The Splunk index (silo) to store the data in:

      • For Alerts, n2ws_alerts

      • For Dashboard information, n2ws_di

    4. Last alert ID - Leave blank.

  4. Select Update.

To manage the Inputs, in the Actions column, select from the Action menu: Edit, Delete, Disable, or Clone.

E.3 Viewing Dashboards

Go to Splunk Apps and find N2WS app for splunk. The N2WS app contains tabs for N2WS activity monitor and N2WS Alerts. Edit and Export options are available in the upper right corner of each dashboard.

E.3.1 N2WS activity monitor

  • Filter for Time Range (defaults to last 24 hours) and Users, including root and delegates.

  • Displays All Accounts, Policies, Protected Resources, Managed Snapshots, Backups DR, S3 Backups, Volume Usage, and other requested data.

For Protected Resources and Managed Snapshots, select the displayed number to drill down. Protected Resources shows a table of the resources and the number of items for each resource type for the selected users. Managed Snapshots shows the count of each type and a total.

E.3.2 N2WS Alerts

The Alerts dashboard includes filters for:

  • Time range - Last 24 hours (default)

  • User - All (default) or username

  • Severity - All or Info or Warning

  • Category - All or Tag Scan, volume usage limit exceeded

The list defaults to descending sort order. Select any column to change sort order.

  • Time - Date, time, event ID

  • User

  • Severity

  • Category

  • Message

E.4 Configuration of N2WS for Splunk

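To configure the N2WS Server, switch to cpmuser, open /cpmdata/conf/cpmserver.cfg, and make sure it contains the external_monitoring section shown below:

>> su cpmuser
>> vi /cpmdata/conf/cpmserver.cfg

[external_monitoring]
enabled=True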

To check your CPM configuration:

  1. GET /api/system/license/

    1. Look for "external_monitoring": true.

    2. If false, check your license (activation key/server account).

  2. GET /api/system/features/

    1. Look for "external_monitoring": true.

    2. If false, check the configuration file /cpmdata/conf/cpmserver.cfg.
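The two checks above can be scripted once the response bodies are in hand. This is an added example, not N2WS code: it assumes the bodies were already fetched with an authenticated API client and that the flag may sit at any depth of the JSON, and the sample bodies are constructed.

```python
import json

FLAG = "external_monitoring"  # field name given in the steps above

# Endpoint -> remediation, in the order the steps above list them.
CHECKS = [
    ("/api/system/license/", "check your license (activation key/server account)"),
    ("/api/system/features/", "check the configuration file /cpmdata/conf/cpmserver.cfg"),
]

def find_flag(node, key=FLAG):
    """Return the first value stored under `key` anywhere in parsed JSON, else None."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_flag(child, key)
            if found is not None:
                return found
    return None

def diagnose(bodies):
    """bodies maps endpoint path -> raw JSON text; returns a list of findings."""
    findings = []
    for path, remedy in CHECKS:
        try:
            value = find_flag(json.loads(bodies[path]))
        except (KeyError, ValueError):
            findings.append(f"{path}: no usable JSON response, repeat the request")
            continue
        if value is True:
            continue  # strict: the string "true" or the number 1 does not count
        state = "missing" if value is None else repr(value)
        findings.append(f"{path}: {FLAG} is {state}, {remedy}")
    return findings

# Constructed sample bodies (assumed layout, not captured from a real server).
SAMPLE = {
    "/api/system/license/": '{"license": {"external_monitoring": true}}',
    "/api/system/features/": '{"external_monitoring": false}',
}

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)) or "external monitoring is enabled")
```

An empty result means both endpoints report the flag as true; otherwise each finding names the endpoint and the fix from the matching step.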