Resources#
The Admin > Resources category provides access to pages/views for monitoring and managing Scrutinizer features and elements in the environment.
Collectors#
The Admin > Resources > Collectors page is used to access management functions for Scrutinizer flow collectors and Plixer ML Engine deployments.
Managing collectors#
The Collectors tab lists the following details for each Scrutinizer collector currently deployed:
Rank: Number assigned to the collector as part of a distributed cluster
Collector: Collector’s IP address or hostname
Status: Collector’s current operational status
Exporter count: Number of exporters sending flows to the collector
First flow time: Timestamp of the first flow received by the collector
Last flow time: Timestamp of the most recent flow received by the collector
Flow rate: Average number of flows received per second
Packet rate: Average number of packets received per second
MFSNs: Average number of MFSNs/missed flows per second
To change the information displayed, click the Available Columns button and select the details to show. Full details can also be viewed in a tray by clicking the collector IP address or hostname.
Deleting collectors#
To remove one or more collectors from the environment, select them using the checkboxes, and then use the Delete option in the Bulk Actions tray.
Exporters#
The Admin > Resources > Exporters page is used to inspect and manage all flow-exporting devices in the Scrutinizer environment.
The page’s main view/table lists the following details for all exporters/interfaces:
Availability (icon):
Green: Up on all collectors
Red: Down on all collectors
Yellow: Flows not being received as expected
Grey: Exporter is disabled, unlicensed, or configured as a backup
Exporter’s configured name, IP address, or hostname
Flow format and version
Current status:
Enabled: Flows are being collected as normal
Backup: Enabled as a backup but does not count towards license limit
Unresourced Enabled: Disabled due to low resources but counts towards license; automatically set to Enabled once resources become available
Unresourced Backup: Disabled due to low resources and does not count towards license; automatically set to Backup once resources become available
Disabled: Manually disabled and does not count towards license
Unlicensed: Disabled due to license exporter limit
Average missed flow sequence numbers (MFSNs) per second
Average flow rate
Number of interfaces
Average packet rate
Timestamp of first flow received from the exporter (hidden by default)
Timestamp of most recent flow received from the exporter
IP address or hostname
Note
The default sorting order for the table/list is by flow rate (flows/s).
To change what details are displayed in the table, click the Available Columns button and select the columns to display.
Rates and other details displayed are relative to the specified collector.
The Unresourced Enabled and Unresourced Backup states are automatically applied by Scrutinizer as part of its low resource fallback functions. However, they can also be manually set to prioritize disabling specific exporters before others, when the system becomes underprovisioned.
Configuring exporter settings#
Clicking on an exporter in the table opens a settings tray containing the following actions/functions:
Add or edit a custom exporter name
View collectors receiving flows from the exporter
View available interfaces and any custom interface speeds configured
Add or edit protocol exclusions
View or edit the SNMP credentials used to poll the device
Add or view tags associated with the device
Adding protocol exclusions
To ensure that only relevant traffic data is collected from an exporter, one or more protocol exclusions can be defined as follows:
After opening the settings tray for an exporter, click the edit (pencil) icon for Protocol Exclusions.
In the secondary tray, verify that the correct exporter is selected under Device.
Use the Interface dropdown to select the interface/instance to apply the protocol exclusion to.
Use the Protocol dropdown to select the protocol to exclude from collection.
Click the Add button to save the protocol exclusion for the exporter.
Protocol exclusions are saved by exporter and will be applied, even if a device is set to send flows to a new/different collector.
Exporter management#
The exporter management/configuration functions become available via the Bulk Actions tray, when one or more exporters are selected using the checkboxes in the list/table:
Change exporter status (e.g., enabled/disabled, backup, unresourced enabled/backup)
Set SNMP credentials to use for polling
Change polling method (IP address, hostname, or disabled)
Enable/disable Ignore Flow Duration option for selected exporters
Enable/disable Ignore MFSNs option for selected exporters
Enable/disable Ignore Outage option for selected exporters
Poll selected exporters to update saved SNMP information
Delete selected exporters
Additional exporter settings
Certain exporters may not send flow data according to Scrutinizer’s expected patterns, which will be indicated by a yellow availability icon in the main list/table.
The following settings can be toggled on to allow for such irregular behavior:
Ignore Flow Duration - Should be enabled for devices that export flows less frequently than the recommended once every minute
Ignore MFSNs - Should be enabled for devices that do not send flow sequence numbers correctly, resulting in MFSNs
Ignore Outage - Should be enabled for devices when intermittency is expected
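The MFSN columns above are derived from the sequence numbers in the export headers: a jump past the expected sequence means flows left the exporter but never reached the collector, which is a visibility gap worth alerting on. The following is an added illustration, not Scrutinizer code, of how that accounting works per exporter and how an Ignore MFSNs setting suppresses it. It assumes NetFlow v5 header semantics (flow_sequence is the running count of flows exported before the packet, count is the number of records in it); the packets and addresses are constructed for the example.

```python
"""Missed flow sequence number (MFSN) accounting per exporter.

Added illustration, not Scrutinizer code. Assumes NetFlow v5 header semantics
(flow_sequence = running count of flows exported before this packet, count =
records in this packet); the packets below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FlowPacket:
    exporter: str        # exporter IP address
    ts: float            # receive time in seconds
    flow_sequence: int   # sequence number from the export header
    count: int           # number of flow records in the packet


@dataclass
class ExporterState:
    ignore_mfsns: bool = False
    next_expected: Optional[int] = None
    missed: int = 0
    first_ts: Optional[float] = None
    last_ts: Optional[float] = None


class MfsnTracker:
    """Tracks expected sequence numbers and counts the flows that never arrived."""

    def __init__(self, ignore_mfsns=()):
        self.states = {}
        self.ignore_mfsns = set(ignore_mfsns)

    def observe(self, pkt):
        st = self.states.setdefault(
            pkt.exporter, ExporterState(ignore_mfsns=pkt.exporter in self.ignore_mfsns))
        if st.first_ts is None:
            st.first_ts = pkt.ts
        st.last_ts = pkt.ts
        if st.next_expected is not None and not st.ignore_mfsns:
            gap = pkt.flow_sequence - st.next_expected
            if gap > 0:
                # Flows between the expected and observed sequence never reached us.
                st.missed += gap
            # gap < 0 means reordering or an exporter restart: resync without counting loss.
        st.next_expected = pkt.flow_sequence + pkt.count
        return st

    def mfsn_rate(self, exporter):
        """Average missed flows per second over the exporter's observed window."""
        st = self.states[exporter]
        span = st.last_ts - st.first_ts
        return st.missed / span if span > 0 else float(st.missed)

    def flagged(self, threshold):
        """Exporters whose MFSN rate exceeds the threshold (a visibility-gap signal)."""
        return sorted(e for e in self.states if self.mfsn_rate(e) > threshold)


# Constructed packets: 10.0.0.1 loses one packet of 30 flows between t=20 and t=40;
# 10.0.0.2 shows the same stream but is configured with Ignore MFSNs.
SAMPLE_PACKETS = [
    FlowPacket("10.0.0.1", 0, 0, 30), FlowPacket("10.0.0.1", 20, 30, 30),
    FlowPacket("10.0.0.1", 40, 90, 30), FlowPacket("10.0.0.1", 60, 120, 10),
    FlowPacket("10.0.0.2", 0, 0, 30), FlowPacket("10.0.0.2", 20, 30, 30),
    FlowPacket("10.0.0.2", 40, 90, 30), FlowPacket("10.0.0.2", 60, 120, 10),
]


def compute_rates(packets=SAMPLE_PACKETS, ignore_mfsns=("10.0.0.2",)):
    """Return ({exporter: mfsn_rate}, [exporters above 0.1 missed flows/s])."""
    tracker = MfsnTracker(ignore_mfsns)
    for pkt in packets:
        tracker.observe(pkt)
    return {e: tracker.mfsn_rate(e) for e in tracker.states}, tracker.flagged(0.1)


if __name__ == "__main__":
    rates, flagged = compute_rates()
    print(rates, flagged)
```

Ignore MFSNs hides the count but not the underlying loss, so it belongs only on devices known to emit sequence numbers incorrectly, not on exporters whose packets are genuinely being dropped on the way to the collector.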
FlowPro Capture Rules#
The Admin > Resources > FlowPro Capture Rules page is used to define and manage selective packet capture rules for FlowPro probes.
To learn more about selective packet capturing, see this page in the FlowPro documentation.
Adding a new rule#
To define a new rule, click the add (+) button in the main capture rules view, and then configure the following details in the tray:
Name: A name for the capture rule
Client IP: Client/destination IP address of packets to capture
Server IP: Server/source IP address of packets to capture
Well-Known Port: Well-known port to monitor for packets
Max Packets: Maximum number of packets to capture
Stops On: End date for capturing packets
Retain Until: End date for retaining captured packet data
Captures can be downloaded by clicking Download PCAP for events under the FlowPro Event Capture policy in the Alarm Monitor views.
Note
Packets will start being captured as soon as a rule is saved (if enabled). Rules with captured data will be indicated by a check in the Data column.
If the capture download link does not work, navigate to https://FLOWPRO_MGMT_IP:8080/ and clear the certificate error before trying again.
The timezones configured on the Scrutinizer server and the FlowPro probe must be the same for the Stops On rule to be correctly observed.
Capture rules can also be created and managed via API.
Rule management#
Once the maximum number of packets has been captured, or the defined end date has been reached, a rule will automatically be disabled. Inactive rules will be marked with a yellow indicator in the main view/table instead of green (enabled/active).
To continue capturing packets, click on the rule name, make the necessary changes (Max Packets or Stops On) in the configuration tray, and then re-enable the rule.
Rules that are no longer needed can instead be deleted. To do this, use the checkboxes to select one or more rules to be deleted, and then use the Delete option in the Bulk Actions menu/tray.
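The lifecycle described above (capture matching packets until Max Packets or Stops On is reached, then automatically disable, then edit and re-enable) is shown below as an added illustration in Python; it is not FlowPro or Scrutinizer code. The rule fields mirror this page, with Client IP as the destination and Server IP as the source; that the well-known port is matched on the server side, and the packets and addresses themselves, are assumptions constructed for the example.

```python
"""Capture rule evaluation with automatic disable and operator re-enable.

Added illustration, not FlowPro or Scrutinizer code. Rule fields follow the page
(Client IP = destination, Server IP = source, Well-Known Port, Max Packets,
Stops On); matching the port on the server side and all packets are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CaptureRule:
    name: str
    client_ip: str       # destination address of the packets to capture
    server_ip: str       # source address of the packets to capture
    well_known_port: int
    max_packets: int
    stops_on: datetime
    enabled: bool = True
    captured: int = 0

    def matches(self, pkt):
        return (pkt["src"] == self.server_ip and pkt["dst"] == self.client_ip
                and pkt["sport"] == self.well_known_port)

    def evaluate(self, pkt, now):
        """Return True if the packet is captured; disables the rule when exhausted or expired."""
        if not self.enabled:
            return False
        if now >= self.stops_on:
            self.enabled = False      # end date reached: rule becomes inactive
            return False
        if not self.matches(pkt):
            return False
        self.captured += 1
        if self.captured >= self.max_packets:
            self.enabled = False      # max packets reached: rule becomes inactive
        return True

    def reenable(self, max_packets=None, stops_on=None):
        """Mirror the UI flow: raise Max Packets and/or extend Stops On, then re-enable."""
        if max_packets is not None:
            self.max_packets = max_packets
        if stops_on is not None:
            self.stops_on = stops_on
        self.enabled = True


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed packets: three matching replies from the server, one from another host,
# and one that arrives after the rule's end date.
SAMPLE_PACKETS = [
    (T0 + timedelta(seconds=1), {"src": "10.1.1.10", "dst": "192.168.5.20", "sport": 443, "dport": 51000}),
    (T0 + timedelta(seconds=2), {"src": "10.1.1.10", "dst": "192.168.5.20", "sport": 443, "dport": 51001}),
    (T0 + timedelta(seconds=3), {"src": "10.1.1.99", "dst": "192.168.5.20", "sport": 443, "dport": 51002}),
    (T0 + timedelta(seconds=4), {"src": "10.1.1.10", "dst": "192.168.5.20", "sport": 443, "dport": 51003}),
    (T0 + timedelta(hours=2), {"src": "10.1.1.10", "dst": "192.168.5.20", "sport": 443, "dport": 51004}),
]


def run_rule(rule, packets=SAMPLE_PACKETS):
    """Feed packets through a rule and return (captured_count, enabled, per-packet results)."""
    log = [rule.evaluate(pkt, now) for now, pkt in packets]
    return rule.captured, rule.enabled, log


def demo():
    rule = CaptureRule("tls-from-fileserver", "192.168.5.20", "10.1.1.10", 443,
                       max_packets=2, stops_on=T0 + timedelta(hours=1))
    first = run_rule(rule)            # disabled after two matches (Max Packets)
    rule.reenable(max_packets=10)     # operator raises the limit and re-enables
    second = run_rule(rule)           # captures again until Stops On passes
    return first, second


if __name__ == "__main__":
    print(demo())
```

The second pass stops on the end date rather than the packet limit, which is why the timezone note above matters: a probe whose clock is offset from the Scrutinizer server applies the Stops On boundary at a different moment than the one configured.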
FlowPro Probes#
The Admin > Resources > FlowPro Probes page is used to add/register, configure, and manage FlowPro probes/appliances (v20.0.0+ only).
The main view of this page lists all registered probes along with the following details for each one:
Name assigned to the probe
IP address of the probe’s MGMT interface
IP address of server/collector used for the probe
License support status
APM key registered for the probe
FlowPro APM status
FlowPro Defender status
Authentication token used by the probe
Clicking on a probe name opens a configuration tray where settings for that probe can be configured.
Adding a probe#
To add/register a new probe, click the add (+) button in the main view, and then configure the following details in the tray:
Name: A name for the probe
IP Address: IP address to be assigned to the probe’s MGMT interface
Collector: Scrutinizer server or remote collector to be assigned to the probe
The Default NIDS Rules option can also be toggled on to apply NIDS rules from open-source threat feeds for network event reporting.
Important
This step must be completed before the corresponding probe appliance is deployed. After the appliance’s first boot sequence, the IP address assigned to the MGMT interface must match the IP address entered in Scrutinizer.
Note
Additional probes can be registered and deployed if supported by the current license. Check the FlowPro licensing page for details.
If default NIDS rules are disabled, the probe will only send basic IPFIX observations unless custom rules are manually added.
Probe configuration/management#
After a probe has been registered, the following settings/options can be modified via the configuration tray:
Probe/appliance name
MGMT interface IP address
Collector assigned
Registered APM key
Enabled features by interface
Important
If a probe is deleted or the IP address registered for its MGMT interface is changed, the corresponding appliance will need to be re-deployed to assign the new IP address.
To delete/deregister one or more probes, select them using the checkboxes in the main view, and then select Delete in the Bulk Actions menu.
Interfaces#
The Admin > Resources > Interfaces page is used to manage interface settings for flow-exporting devices in the Scrutinizer environment.
The page’s main view/table lists the following details for each device instance (if available or configured):
Configured name, IP address, or hostname of the device
Instance name
Custom description
ifAlias
ifName
ifDescr
ifSpeed
Custom inbound interface speed
Custom outbound interface speed
Metering directionality
The page’s Options tray also includes additional toggles to show/hide inactive interfaces and make hidden interfaces visible.
Note
Select Information in the three-dot menu to view basic details for a device. Selecting Summary of Device opens the Admin > Resources > Exporters view filtered on the device.
To change what details are displayed in the table, click the Available Columns button and select the columns to display.
Custom descriptions and interface speeds are only used by Scrutinizer (displaying utilization, threshold alerts, etc.). They are not applied to the device.
Interface Settings
Clicking on an instance name opens a settings tray where the following details can be configured for the interface:
Custom description
Custom inbound speed
Custom outbound speed
Hide/show setting
SNMP credentials
To hide an instance in the UI, select Yes in the Hidden dropdown or tick the Hide checkbox in the main view. These instances can be made visible by toggling on Show interfaces hidden in the UI in the Options tray.
Hint
The above settings can also be applied to multiple interfaces by selecting the instances in the main view and making the configuration changes in the Bulk Actions tray.
ML Engines#
The Admin > Resources > ML Engines page is used to add/register, configure, and manage Plixer ML Engine deployments.
The main view of this page lists all registered deployments along with the following details for each one:
Name assigned to the engine/deployment
Hostname or IP address
Type of deployment
Engine status/availability
Deployment status
Authentication token used
Last modified timestamp
Clicking on an engine name opens a configuration tray where settings for that engine can be configured.
Adding an ML engine#
To add/register a new ML engine, click the add (+) button in the main view, and then configure the following details in the tray:
Name: A name for the ML engine
Type: Type of ML engine that will be deployed:
Important
This step must be completed before the corresponding VM or cluster is deployed. The authentication token required for deployment can be copied from the configuration tray after an engine has been registered.
Engine configuration/management#
After an ML engine has been registered, the following settings/options can be modified via the configuration tray:
Engine/deployment name
Settings: Resource management settings
Collectors: Select/deselect Scrutinizer collectors to use as data ingestion sources
DGL IP Groups: Add IP groups to be observed for Deep Graph Learning detections (anomalous interactions between hosts)
Note
The above settings apply to individual ML engines. To learn more about global ML settings, see the following pages:
To delete/deregister one or more ML engines, select them using the checkboxes in the main view, and then select Delete in the Bulk Actions menu.
Replicators#
The Admin > Resources > Replicators page is used to manage basic Replicator settings for the local instance and any additional headless deployments registered (requires Replicator 20.0.0).
To learn more about Replicator licensing options, contact Plixer Technical Support.
The main view of this page lists the following details for all registered Replicator instances:
Name assigned to the Replicator
Hostname or IP address
Deployment type
HA Pair
License status
Authentication token used
Username that registered the Replicator
Date created timestamp
Clicking on a Replicator name opens a configuration tray where settings for that appliance can be configured.
Note
Instances that have been set as the secondary/backup in high availability configurations cannot be managed independently and will automatically be hidden from the list.
Adding headless Replicators#
Replicator 20.0.0+ supports “headless” deployments that have a smaller resource footprint and are managed from a main Replicator instance. Additional Replicator instances can be used to expand replication capabilities (e.g., multiple networks/data centers) and enable high availability configurations.
Headless deployments must first be registered from the Replicator management view before the VM/appliance is deployed. See these instructions for more details.
Managing Replicators#
After a Replicator has been added, the following settings can be modified via the configuration tray.
Ping Collectors: Enable to periodically check if Replicator collectors are up
Stop Replicator: Enable to stop Replicator when collectors are down
Stop Replication Timeout: Number of minutes the system will wait before stopping replication
Autoreplicate: Enable to automatically create and manage replication profiles for remote collectors
Clicking the View Replicator button in the same configuration tray opens the Replicator tab to view and monitor resources, set up replication profiles, and configure exporters and collectors for the Replicator.
SNMP Credentials#
The Admin > Resources > SNMP Credentials page can be used to add/manage sets of SNMP credentials for use with devices/exporters in the Scrutinizer environment.
Once defined/saved, credentials can be assigned to one or more specified exporters from the exporters management view. SNMP v1, v2, and v3 are all supported.
Defining new SNMP credentials#
To add a new set of SNMP credentials, follow these steps:
On the SNMP Credentials page, click the Add button.
Fill in the form with the following information:
A name to identify the credential(s) by
A description of the credential(s)
The SNMP credential type/version (dropdown)
The community string to send
The port to use for communication
The timeout value or number of minutes to wait for a response
The number of retries after a failed request
The backoff value or number of minutes to wait between retries
Important
If SNMPv3 is selected as the credential type, the additional fields for the username, context, and authentication details (hash function, password, and encryption) must also be filled in.
Verify that the information entered is accurate, and then click Save.
Saved credentials can also be edited at any time by clicking on their name in the main view table. To delete one or more credential sets, tick their checkboxes and click the Delete button.
System Performance#
The Admin > Resources > System Performance page can be used to monitor resource utilization and performance for individual collectors in the Scrutinizer environment.
The page is divided into a graph/timeline and a summary table listing current allotment and utilization details for each collector.
Utilization timeline#
The timeline can display the following utilization details (select from the dropdown) for all collectors for the past 24 hours:
CPU utilization (%)
Available memory (GB)
Host index size (%)
Alarm database size (%)
To highlight utilization and view general information for a specific collector, hover over its line in the graph.
Collector utilization details
Drilling down into a collector from the summary table opens a more detailed view with the following information:
Current total vs. predicted utilization based on current disk capacity
Current vs. predicted maximum disk utilization, based on current flow volume and data retention settings
Current disk utilization per roll-up interval vs. predicted maximum, based on the number of days the data is configured to be stored
The default Data Retention graph shows the number of days of historical flow data currently saved compared against the total number of days that will be retained based on the current data history settings.
The Chart dropdown can also be used to access recommended resource allocation tables as well as the Feature Resources summary/management view (see below) for the collector.
Feature Resources#
The Feature Resources view can be used to inspect and manage resource usage by feature set.
The page’s main view lists all available feature sets, alongside the following details:
Current state (green: active, grey: inactive)
Number of active alarms indicating resource issues for the feature set
Expected CPU core usage per collector
Expected RAM usage per collector
Number of FA algorithms associated with the feature set
Number of alarm policies associated with the feature set
Users are also able to toggle between graphs showing algorithms, policies, CPUs, or RAM per feature set.
Enabling/disabling feature sets
To allow teams to better adapt Scrutinizer’s functions to monitoring and resource requirements, related FA algorithms and their associated alarm policies can be disabled/deactivated by feature set instead of individually disabling them via the respective management pages.
Clicking on a feature set name opens the information tray, where it can be activated or deactivated via a toggle. All FA algorithms and alarm policies included in the feature set are also listed in this tray.
Important
Deactivating services may result in loss of functionality and/or other issues. Contact Plixer Technical Support for assistance.
Low resource fallback modes#
When the total expected resource utilization results in the current allocations falling below the recommended values for the observed exporter count and flow rate, Scrutinizer can automatically pause certain functions as low resource fallback.
There are two low resource fallback modes that can be enabled:
LRF_mode_pauseFeatureSets - Pause feature sets before pausing exporters
LRF_mode_pauseExporters - Pause only exporters
When low resource fallback becomes necessary, feature sets are paused based on their importance value (lowest first, 100 = never paused).
Features and/or exporters will automatically be resumed when the configured CPU core and RAM allocations can support additional computational load.
Hint
Regularly check the state of the server health (leftmost) virtual LED in the web interface admin views. As long as it remains green, features and/or exporters will not be paused. While in this state, Scrutinizer will also continuously attempt to resume paused feature sets.
Additional low resource fallback settings
The following settings under Admin > Settings > Collector can be modified to further customize low resource fallback behavior:
Cooldown period before pausing the next feature set or group of exporters
Number of exporters to pause or resume as a group/chunk
Flow rate multiplier/percentage for accommodating brief, recoverable spikes
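The fallback policy described in this section (feature sets paused lowest-importance first with 100 meaning never paused, exporters then paused in chunks, a cooldown between steps, and a tolerance for brief spikes) is modelled below as an added Python illustration; it is not Scrutinizer code and does not reproduce the collector's real accounting. The per-exporter cost, the way the spike tolerance widens the allocation limit, and all sample feature sets and exporters are assumptions constructed for the example.

```python
"""Low resource fallback planning by feature set importance and exporter chunks.

Added illustration, not Scrutinizer code. Models the behaviour described on the
page (pause feature sets lowest importance first, 100 = never paused, then
exporters in chunks with a cooldown between steps). Per-exporter cost, spike
tolerance handling and all sample values are assumptions for the example.
"""
from dataclasses import dataclass, replace

LRF_MODE_PAUSE_FEATURE_SETS = "LRF_mode_pauseFeatureSets"
LRF_MODE_PAUSE_EXPORTERS = "LRF_mode_pauseExporters"
NEVER_PAUSED = 100


@dataclass
class FeatureSet:
    name: str
    importance: int     # 0..100, 100 = never paused
    cores: float        # expected CPU core usage per collector
    ram_gb: float       # expected RAM usage per collector
    paused: bool = False


def expected_demand(feature_sets, active_exporters, exp_cores, exp_ram):
    """Expected cores/RAM for active feature sets plus an assumed per-exporter cost."""
    cores = active_exporters * exp_cores
    ram = active_exporters * exp_ram
    for fs in feature_sets:
        if not fs.paused:
            cores += fs.cores
            ram += fs.ram_gb
    return cores, ram


def plan_fallback(mode, feature_sets, exporters, alloc_cores, alloc_ram,
                  exp_cores=0.5, exp_ram=1.0, chunk=2, cooldown_s=300, spike_tolerance=0.0):
    """Return ordered (seconds_offset, action, target) steps until demand fits allocation."""
    feature_sets = [replace(fs) for fs in feature_sets]   # never mutate the caller's objects
    active = list(exporters)
    steps, t = [], 0
    # Assumption: the spike tolerance widens the limit so brief, recoverable bursts do not trigger pausing.
    limit_cores = alloc_cores * (1 + spike_tolerance)
    limit_ram = alloc_ram * (1 + spike_tolerance)
    while True:
        cores, ram = expected_demand(feature_sets, len(active), exp_cores, exp_ram)
        if cores <= limit_cores and ram <= limit_ram:
            break
        candidates = [fs for fs in feature_sets if not fs.paused and fs.importance < NEVER_PAUSED]
        if mode == LRF_MODE_PAUSE_FEATURE_SETS and candidates:
            victim = min(candidates, key=lambda fs: fs.importance)   # lowest importance first
            victim.paused = True
            steps.append((t, "pause_feature_set", victim.name))
        elif active:
            group, active = tuple(active[:chunk]), active[chunk:]    # one chunk per cooldown
            steps.append((t, "pause_exporters", group))
        else:
            break   # nothing left to pause: allocations must be raised
        t += cooldown_s
    return steps


# Constructed sample: 6 cores / 32 GB allocated, three feature sets, ten exporters.
SAMPLE_FEATURE_SETS = [
    FeatureSet("Security", 100, 2.0, 8.0),      # importance 100: never paused
    FeatureSet("Reporting", 50, 2.0, 8.0),
    FeatureSet("Experimental", 10, 3.0, 6.0),
]
SAMPLE_EXPORTERS = [f"exp-{i:02d}" for i in range(1, 11)]


def demo(mode=LRF_MODE_PAUSE_FEATURE_SETS):
    return plan_fallback(mode, SAMPLE_FEATURE_SETS, SAMPLE_EXPORTERS, alloc_cores=6, alloc_ram=32)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

In the sample, LRF_mode_pauseFeatureSets pauses Experimental and then Reporting before touching a single exporter, while LRF_mode_pauseExporters runs through every exporter chunk and still cannot fit within six cores, which is the situation the server health LED and the resource alarms are there to surface.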