Features and Functionality
This section includes all necessary background information as well as detailed instructions for the use of Plixer Replicator’s core replication and stream monitoring functionalities.
Profile Management
Plixer Replicator relies on user-defined Profiles to determine where a packet it receives on a particular UDP port should be replicated and/or forwarded to any network management systems.
In addition to its name, In Port, and Out Port, each Plixer Replicator Profile contains the following details:
Exporters: Networked devices, such as routers, switches, or servers, that generate log data for use by network management systems and send it to the Plixer Replicator for replication and/or forwarding
Collectors: SIEMs, Flow Collectors, SNMPTrap Receivers, or other network management systems that analyze data forwarded by the Plixer Replicator from other networked devices
Policies: Used by the Plixer Replicator to automatically determine whether an Exporter should be included or excluded from the Profile
Note
When Collectors receive packets from the Plixer Replicator, they interpret each packet’s origin as the IP address of the Exporter that sent it.
When the Plixer Replicator receives a packet, it references all currently enabled Profiles and Policies to verify that the packet’s origin is a valid Exporter.
After the first Profile has been created during the appliance’s initial setup, additional Profiles can be created or configured using Interactive Mode or via the web interface.
Managing Profiles - web interface
Managing Profiles in the Plixer Replicator web interface is an alternative to using Interactive Mode commands. In addition, the Profiles tab of the web interface gives the user visibility over the current statuses and details of all existing Profiles.
Creating a new Profile
To add a new Profile from the Profiles tab of the web interface:
Click on the + icon near the upper-left corner of the page.
In the window that opens, enter a name for the Profile, the In Port, and the Out Port.
To automatically add devices sending packets to the Plixer Replicator as Exporters, leave the checkbox ticked.
Click on Save to create the Profile.
Once created, the new Profile should be accessible from the main list of the Profiles tab.
Adding an Exporter to an existing Profile
To add an Exporter to a Profile from the Profiles tab of the web interface:
Click on the pencil icon under the Actions column for the Profile.
On the Profile Details page, click on the + icon to the left of Exporters in the lower-half of the page.
Enter the IP address of the Exporter in the window that opens.
Click on Save to add the Exporter.
The new Exporter should now be visible under the Exporters column in the lower-half of the Profile Details page.
Adding a Collector to an existing Profile
To add a Collector to a Profile from the Profiles tab of the web interface:
Click on the pencil icon under the Actions column for the Profile.
On the Profile Details page, click on the + icon to the left of Collectors in the lower-half of the page.
Enter the IP address of the Collector in the window that opens.
Click on Save to add the Collector.
The new Collector should now be visible under the Collectors column in the lower-half of the Profile Details page.
Adding a Policy to an existing Profile
To add a Policy to a Profile from the Profiles tab of the web interface:
Click on the pencil icon under the Actions column for the Profile.
On the Profile Details page, click on the + icon to the left of Policies in the lower-half of the page.
Enter the subnet/CIDR of the Exporter(s) to include or exclude from the Profile.
Select include or exclude from the drop-down menu.
Click on Save to add the Policy.
The new Policy should now be visible under the Policies column in the lower-half of the Profile Details page.
For additional information on the Profiles tab, see the section on the Plixer Replicator web interface.
Managing Profiles - Interactive Mode
After connecting to the Plixer Replicator in Interactive Mode, the user can manage Profiles and their details using a number of different commands.
Creating a new Profile
To create a new Profile, enter the following at the Interactive Mode prompt:
REPLICATOR> profile add [profile_name] [in_port] [out_port]
This will create a Profile called profile_name with the specified In Port and Out Port.
To completely remove a Profile, along with any Policies associated with it, use:
REPLICATOR> profile remove [profile_name]
Profiles can also be temporarily disabled and later re-enabled using profile disable and profile enable, respectively.
Adding an Exporter to an existing Profile
To add an Exporter to an existing Profile, enter the following at the Interactive Mode prompt:
REPLICATOR> exporter add [exporter_ip] [profile_name]
This will add the Exporter to the specified Profile. To remove an Exporter from all existing Profiles, use the Interactive Mode command:
REPLICATOR> exporter allremove [exporter_ip]
Adding a Collector to an existing Profile
To add a Collector to an existing Profile, enter the following at the Interactive Mode prompt:
REPLICATOR> collector add [collector_ip] [profile_name]
This will add the Collector to the specified Profile. To remove a Collector from all existing Profiles, use the Interactive Mode command:
REPLICATOR> collector allremove [collector_ip]
Adding a Policy to an existing Profile
To add a Policy to include all Exporters on a given subnet/CIDR in a Profile, enter the following at the Interactive Mode prompt:
REPLICATOR> policy add [subnet/CIDR] [profile_name] include
This will add a Policy to the Profile that instructs the Plixer Replicator to replicate and/or forward packets from the specified subnet/CIDR to its Collectors. exclude Policies can be used in conjunction with include Policies to exempt packets from specific Exporters from being replicated and/or forwarded. To remove a Policy from a Profile, use the Interactive Mode command:
REPLICATOR> policy remove [subnet/CIDR] [profile_name]
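A small model of how include and exclude Policies combine with explicitly added Exporters to decide whether a source address counts as a valid Exporter for a Profile. This is an added example, not Plixer code: the precedence (a matching exclude overrides everything else), the `PROFILE` data and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample Profile; the name and all addresses are illustrative.
PROFILE = {
    "name": "netflow",
    "exporters": ["192.0.2.10"],          # as added with `exporter add`
    "policies": [                         # as added with `policy add`
        ("10.20.0.0/16", "include"),
        ("10.20.30.0/24", "exclude"),
    ],
}


def is_valid_exporter(src_ip, profile):
    """Decide whether packets from src_ip would be replicated for profile.

    Assumption (not stated in the documentation): a matching exclude Policy
    overrides both include Policies and explicitly added Exporters.
    """
    addr = ipaddress.ip_address(src_ip)
    actions = {
        action
        for cidr, action in profile["policies"]
        if addr in ipaddress.ip_network(cidr, strict=False)
    }
    if "exclude" in actions:
        return False
    explicit = {ipaddress.ip_address(e) for e in profile["exporters"]}
    return addr in explicit or "include" in actions


def audit_sources(sources, profile):
    """Map each observed source address to its admit/reject decision."""
    return {ip: is_valid_exporter(ip, profile) for ip in sources}


if __name__ == "__main__":
    observed = ["10.20.1.1", "10.20.30.7", "192.0.2.10", "198.51.100.4"]
    for ip, ok in audit_sources(observed, PROFILE).items():
        print(f"{ip:15} {'replicated' if ok else 'not replicated'}")
```

Running the same check over the source addresses seen in the Streams tab shows which devices a broad include Policy admits beyond the Exporters that were added by hand.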
For more information on other commands used for Profile management, see the section on Plixer Replicator’s Interactive Mode.
Web interface
The Plixer Replicator web interface provides full transparency into the appliance’s interfaces and processes. It also allows the user to configure its features and functionality.
Dashboard tab
The Dashboard tab provides an at-a-glance overview of the Plixer Replicator’s operations through the following visualizations:
Gauge charts displaying CPU usage, packets received/sent, and inbound/outbound bits per second
Live trend line graphs showing the last 20 traffic data points
Full summary of all associated devices, Profiles, and most recent traffic totals
The time period covered by the Dashboard tab’s data is based on the live data’s refresh rate, which can be configured in the Settings tab of the web interface.
Streams tab
The Streams tab displays details about the current status of all Exporters sending packets to the Plixer Replicator. Lines highlighted in red are Exporters whose packet streams have stopped and triggered Alarms.
The table of Exporters in the Streams tab supports the following filtering options:
To view only streams that have triggered Alarms, tick the Alarms Only checkbox near the upper-left corner of the page
To filter the list based on a keyword match, use the search field near the upper-right corner of the page
To force the system to attempt to resolve the Exporter’s name, click on the corresponding globe icon under the DNS NAME column of the table.
Exporters tab
The Exporters tab displays detailed information about Exporters sending packets to the Plixer Replicator, and includes additional options for Exporter management.
If there are Exporters that have active Alarms, the number will be displayed in a notification badge in the upper-right corner of the tab label.
The table in the Exporters tab supports the following filtering options:
Alarms-only view via the checkbox near the upper-left corner of the page
View only Exporters in Profiles or Exporters Not in a Profile using the dropdown near the upper-left corner of the page
Keyword match filtering using the search field near the upper-right corner of the page
Note
When viewing only Exporters that are not in any Profiles, only previously assigned Exporters will be highlighted in red.
Collector tab
The Collectors tab displays detailed information about all currently configured Collectors and includes options for Collector management.
If there are Collectors that have active Alarms, the number will be displayed in a notification badge in the upper-right corner of the tab label.
The table in the Collectors tab supports the following filtering options:
Alarms-only view via the checkbox near the upper-left corner of the page
Keyword match filtering using the search field near the upper-right corner of the page
Hint
To set an Alarm threshold for packet volume for a Collector, click on the corresponding gauge icon under the THRESHOLD column of the table.
Profiles tab
The Profiles tab displays detailed information about all currently configured Profiles and includes options for Profile management.
If there are Profiles that include Exporters or Collectors that have active Alarms, the number will be displayed in a notification badge in the upper-right corner of the tab label.
For more information and detailed instruction, see the section on managing profiles in the web interface.
Settings tab
The Settings tab allows the user to configure the Plixer Replicator to suit different scenarios.
By modifying the options, the user can:
Enable or disable Plixer Replicator features (e.g., pinging collectors at regular intervals)
Change default values (e.g., update refresh rate)
Configure login and connection settings (e.g., LDAP settings)
The appliance OS automatically verifies all settings modifications and will output an error message if a non-working value is entered.
Hint
The Plixer Replicator’s settings can also be configured using Interactive Mode. For more information on the CLI and the different commands supported, see the section on Plixer Replicator’s Interactive Mode.
Server Health LED
The Server Health LED is a virtual notification LED that provides quick access to the status of the Plixer Replicator and all configured Profiles. It is located near the upper-right corner of the web interface, next to the Log Out icon.
Clicking on the Server Health LED will bring up a list of all currently active services. Services that have encountered issues will be marked with a yellow exclamation point (!) and have additional details about the issue as well as recommendations for its resolution.
Alarms
Plixer Replicator actively tracks the number of packets received and sent by the appliance as well as the status of all assigned Exporters and Collectors. When an Exporter stops sending packets or a Collector becomes unreachable, all Profiles associated with the device are marked with the Alarm status and a syslog alarm is sent.
How Alarms are triggered
Once every minute, the Plixer Replicator scans the netstat details of each interface in either direction (Rx and Tx). When the OS detects interface drops, it sends a syslog alarm to the server configured in the Notification section of the web interface’s Settings tab. After a preset amount of time has passed, the unresponsive Exporter or Collector is flagged as being down and an Alarm is triggered for all Profiles it has been assigned to.
Alarms are also triggered when the Plixer Replicator OS detects high CPU usage or abnormal process termination.
Note
Plixer Replicator web interface metrics are a good reference point for packet activity but not for drops.
Configuring Alarms
To change the behavior of Alarms globally, the user can use the following arguments in conjunction with the Interactive Mode command setting:
| Flag | Description |
|---|---|
|  | Sets the number of hours before an incoming stream is automatically acknowledged as being down. Default: 24 hours |
|  | Sets the number of minutes an incoming stream must stop or a Collector must be unreachable before it is considered down. Default: 70 minutes |
|  | Sets the threshold for CPU usage before an Alarm is triggered. Default: 90% |
|  | Sets the IP address and port of the server destination for Alarms and syslog notifications. Format: [server_ip] [port] |
|  | When disabled, the Plixer Replicator will continue trying to replicate and/or forward packets to unreachable Collectors. Default: enabled |
|  | When disabled, the Plixer Replicator will stop regularly pinging Collectors to confirm availability. Default: enabled |
Hint
Plixer’s Scrutinizer Incident Response System includes policies for all possible Alarms triggered in Plixer Replicator.
For more information on issuing commands, see the section on Plixer Replicator’s Interactive Mode.
Alarm reports
Exporters, Collectors, and Profiles that have triggered Alarms will all be highlighted in red in their respective tabs in the Plixer Replicator web interface. To view additional information about the Alarm, open the device’s or Profile’s details page.
As an alternative, the user may issue the following Interactive Mode command to generate a list of Exporters that have stopped sending data to or Collectors that are no longer reachable by the Plixer Replicator:
REPLICATOR> show alarms
The Interactive Mode commands show and setting can also be used to display additional metrics or generate reports based on live data. For more information on these commands and their directives, see the section on Plixer Replicator’s Interactive Mode.