Scrutinizer#

The Scrutinizer web interface is accessed by pointing any supported browser to https://SCRUTINIZER_ADDRESS/ui/, after the server has been deployed and set up. To use the Classic UI, use the URL https://SCRUTINIZER_ADDRESS/oldui/ instead.

The preferred UI can also be set from within the web interface under the user menu.

UI overview#

The Scrutinizer web interface enhances NetOps and SecOps workflows through a comprehensive feature set that transforms raw flow data into fully contextualized network intelligence.

The web interface pages/views are divided into four general categories that correspond to the most essential NetOps and SecOps workflows.

Hint

  • Scrutinizer users can toggle between the persistent header tabs and the collapsible sidebar for navigation using the Slim Navigation option in the Admin > Users & Groups > User Accounts > Preferences tray.

  • Click the Help (?) button in the header of any page to access the Scrutinizer online documentation at any time.

Tab/section

Description

Monitor

- Use customizable alarm policies to receive alerts when problematic or dangerous behavior is discovered on the network
- Create custom dashboards using ready-to-use gadgets that display vital activity summaries and visualizations
- Visualize and monitor activity between connected devices with user-defined network maps

Explore

- Drill down into flow-generating devices to examine activity, resource usage, and events generated
- Inspect behavior, interactions, and events generated by individual entities
- Look up specific hosts and host pairs in the system’s host index to inspect their details, verify whether a host has been seen on the network, and investigate activity linked to it

Investigate

- Define collections of one or more alarms, events, and/or reports and assign them to analysts for investigation
- View available forecasts to identify resource usage trends and identify future needs

Reports

- Create/run custom or preconfigured network activity reports that can be saved and used to generate ML-based forecasts
- View/re-run and manage saved reports

If the local Replicator instance is enabled, an additional Replicator tab/page can also be accessed to monitor and manage flow replication parameters.

The functions and workflows under each UI tab are explained in further detail in the succeeding sections of this documentation.

Data aggregation method#

Scrutinizer’s SAF (Summary and Forensic) data aggregation method is an optimized system of storing flow data that makes use of summary tables to condense collected information without compromising transparency or accuracy.

How SAF works

With SAF, any incoming flow template with the required data elements is aggregated into a new template definition based on a tuple that includes commonPort. The resulting “summarized” template will omit all data elements that prevent aggregation (e.g., source and destination transport ports) but still contain all information required for the vast majority of reporting needs.

Hint

The aggregation logic used to create summary tables can be modified to suit different scenarios. Contact Plixer Technical Support for assistance.

The data elements retained in the summary tables include, but are not limited to:

  • intervalTime
  • commonPort
  • ingressInterface
  • egressInterface
  • sourceIpAddress
  • destinationIpAddress
  • octetDeltaCount
  • octetDeltaCount_rev
  • packetDeltaCount
  • packetDeltaCount_rev
  • flowDirection
  • applicationId
  • protocolIdentifier

Once five 1m summary tables are available, the data averages for the top 1000 (default) conversations are rolled up into 5m tables, and the system continues the rollups to create 30m, 2h, and 12h tables.

Note

  • If a collector’s disk capacity will support it, the Flow Maximum Conversations value under Admin > Settings > Data History can be increased, which may improve reporting accuracy. Since this results in larger tables and certain report types taking longer to run, the value should be increased in increments until an ideal balance is achieved.

  • When Auto History Trimming (under Data History settings) is enabled, 1m and 5m historical tables are trimmed to maintain the configured Minimum Percent Free Disk Space before Trimming value. Automatic trimming is also used to retain a similar level of historical data for all configured exporters.
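The following toy model, added here as an illustration and not part of the Scrutinizer product or its documentation, walks through the two steps described above: raw flow records for one 1m interval are collapsed onto a tuple that omits the transport ports, and five 1m summary tables are then rolled into one 5m table that keeps only the top N conversations. The rule that commonPort is the lower of the two ports, the orientation of reverse-direction traffic into the `_rev` counters, and the summing of byte and packet counters (the documentation speaks of averages) are assumptions of this example, as are all hosts, interfaces and volumes in the constructed sample records. The tuple is also shortened (flowDirection is left out). Running it shows why the Flow Maximum Conversations setting affects reporting accuracy: the low-volume DNS conversation is present in every 1m table but disappears from the 5m rollup when the cut-off is 2, and is only recoverable from the forensic data.

```python
"""Toy model of SAF-style flow summarisation and rollup (added example, not Plixer code)."""
from collections import defaultdict

# Counters carried by the summarised template. The transport ports are dropped
# on purpose: they are the elements that prevent aggregation.
SUMMARY_COUNTERS = ("octetDeltaCount", "packetDeltaCount",
                    "octetDeltaCount_rev", "packetDeltaCount_rev")

T0 = 1_700_000_000  # constructed start of the first 1m interval (epoch seconds)


def common_port(rec):
    """Assumed rule (not the product's documented logic): the lower of the two
    transport ports stands in for the service port of the conversation."""
    return min(rec["sourceTransportPort"], rec["destinationTransportPort"])


def summarize_minute(records):
    """Aggregate the raw flow records of one 1m interval into a summary table.

    Returns {key: counters}. The key is the aggregation tuple without transport
    ports; counters hold forward and reverse byte/packet totals.
    """
    table = defaultdict(lambda: dict.fromkeys(SUMMARY_COUNTERS, 0))
    for rec in records:
        port = common_port(rec)
        # Orient the key so the endpoint owning commonPort is the destination.
        # A record flowing the other way is counted in the *_rev elements.
        reverse = rec["sourceTransportPort"] == port
        src, dst = rec["sourceIpAddress"], rec["destinationIpAddress"]
        ingress, egress = rec["ingressInterface"], rec["egressInterface"]
        if reverse:
            src, dst = dst, src
            ingress, egress = egress, ingress
        key = (rec["intervalTime"], port, ingress, egress, src, dst,
               rec["applicationId"], rec["protocolIdentifier"])
        suffix = "_rev" if reverse else ""
        table[key]["octetDeltaCount" + suffix] += rec["octetDeltaCount"]
        table[key]["packetDeltaCount" + suffix] += rec["packetDeltaCount"]
    return dict(table)


def rollup(minute_tables, interval_start, max_conversations):
    """Roll several 1m summary tables into one coarser table.

    Conversations are merged across the minutes, ranked by bytes in both
    directions, and only the top `max_conversations` survive. Everything below
    the cut-off is absent from the rolled-up table and exists only in the
    forensic (raw) data.
    """
    merged = defaultdict(lambda: dict.fromkeys(SUMMARY_COUNTERS, 0))
    for table in minute_tables:
        for key, counters in table.items():
            coarse_key = (interval_start,) + key[1:]   # replace the 1m timestamp
            for name in SUMMARY_COUNTERS:
                merged[coarse_key][name] += counters[name]
    ranked = sorted(
        merged.items(),
        key=lambda kv: kv[1]["octetDeltaCount"] + kv[1]["octetDeltaCount_rev"],
        reverse=True)
    return dict(ranked[:max_conversations])


def build_sample_records(interval_time, minute_index):
    """Constructed raw flow records for one minute (sample data, not a capture)."""
    tcp = dict(intervalTime=interval_time, ingressInterface=1, egressInterface=2,
               protocolIdentifier=6, applicationId=0)
    udp = dict(tcp, protocolIdentifier=17)
    return [
        # Bulk HTTPS transfer; each direction arrives as its own record.
        dict(tcp, sourceIpAddress="10.0.0.5", destinationIpAddress="10.0.0.10",
             sourceTransportPort=51234, destinationTransportPort=443,
             octetDeltaCount=1_000_000, packetDeltaCount=900),
        dict(tcp, ingressInterface=2, egressInterface=1,
             sourceIpAddress="10.0.0.10", destinationIpAddress="10.0.0.5",
             sourceTransportPort=443, destinationTransportPort=51234,
             octetDeltaCount=50_000, packetDeltaCount=400),
        # Small periodic connection to an external host.
        dict(tcp, sourceIpAddress="10.0.0.7", destinationIpAddress="198.51.100.9",
             sourceTransportPort=55000 + minute_index, destinationTransportPort=8443,
             octetDeltaCount=120, packetDeltaCount=2),
        # DNS lookup using a fresh ephemeral source port every minute; the
        # port is dropped by the summary, so all minutes land on one key.
        dict(udp, sourceIpAddress="10.0.0.5", destinationIpAddress="10.0.0.53",
             sourceTransportPort=40000 + minute_index, destinationTransportPort=53,
             octetDeltaCount=80, packetDeltaCount=1),
    ]


def demo(max_conversations=2):
    """Summarise five constructed minutes and roll them into one 5m table."""
    minute_tables = [summarize_minute(build_sample_records(T0 + 60 * i, i))
                     for i in range(5)]
    five_minute = rollup(minute_tables, T0, max_conversations)
    return minute_tables, five_minute


if __name__ == "__main__":
    minute_tables, five_minute = demo()
    print("conversations per 1m table:", [len(t) for t in minute_tables])
    for key, counters in five_minute.items():
        print(key, counters)
```

With the default cut-off of 2 the 5m table lists the HTTPS transfer and the periodic 8443 connection only; raising `max_conversations` to 3 brings the DNS conversation back, at the cost of a larger table, which is the trade-off the note above describes.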

Benefits of SAF aggregation

Because the summary tables created under SAF aggregation are drastically smaller in size than regular full-template tables, they benefit the Scrutinizer system in the following ways:

  • Reduced disk utilization per table

  • Increased historical data capacity

  • Improved report render times

  • Faster lookups before drilling into forensic data

While only summary data is rolled up into higher interval tables, Scrutinizer still retains the original forensic data, which is used by a handful of reports that require data elements not included in the summary tables. At the same time, the system also maintains a separate totals table for in/out byte counts per interface to allow for accurate utilization reporting without relying on SNMP.

Note

Systems that have been upgraded from versions prior to 18.x may still use the legacy data aggregation method that was the default in their original installs. To check, navigate to Admin > Settings > Data History; if the Rollup Type is not set to Summary and Forensic, contact Plixer Technical Support for assistance with switching.

Notes on collecting sFlow

When collecting sFlow, packet samples and interface counters should both be forwarded to the collector. Packet samples will be saved to the raw tables, and interface counters will be saved to the totals tables at one-minute intervals.

Important

An sFlow exporter (e.g., a switch) that sends multiple templates for different flows may cause overreporting if those flows contain the same or very similar information, because the Scrutinizer frontend runs reports using data from all templates that match. To avoid this, use filters to restrict the report to a single template.