IT Monitoring: How Do I Know Who is in My Network?

As WFH usage surges, an increasing number of users will be connecting from home laptops over the internet into a Citrix server that could be hosted in a data center. This will likely put strains on licensing, internet bandwidth and server performance hosting the Citrix environment. These are all key areas that Splunk can monitor with various add-ons.

Splunk Citrix Add-ons: There are several Splunk Citrix add-ons that can pull data into Splunk from Citrix. These apps are free and can provide detail into Citrix Netscaler and XenDesktop. These add-ons make it easy to consume NetScaler syslog, IPFIX, and Nitro API logs as an example. Other add-ons include a template for ZenDesktop 7 which allows visibility into alerting, ICA latency reporting, user experience investigation and logon details, performance visualization and monitoring, application usage and critical service monitoring.

Uber Agent: No, this isn’t an agent to connect and monitor your Uber driver... This is a Splunk agent for Windows end-user-computing. Whilst this is a paid add-on, it can collect data and report on everything you need to know about physical PCs, virtual desktops, Citrix XenApp/XenDesktop or VMware Horizon View without affecting your systems’ user density. It is possible to install trial versions on Windows machines to use for one off troubleshooting of End User compute.  

The uber agent has many Citrix dashboards that show login performance and allow you to troubleshoot login issues from a central location. On top of that it can show application performance on remote endpoints allowing administrators to troubleshoot from inside Splunk.

Remote Access VPN: Virtual Private Networks (VPN’s) give direct access to internal networks and allow remote users to access internal intranets, or other services inside the corporate network. With an abundance of users connecting in simultaneously this again could put strain on corporate internet, or concurrent usage. Troubleshooting dashboards that allow administrators to determine why users are not able to utilize the corporate VPN are critical for user experience.

Palo Alto Add-on: This Splunk add-on can pull data from their firewall, advanced endpoint security and threat intelligence cloud, allowing you to build operational reporting including bandwidth on key links, configurable dashboard views and adaptive response. Additionally, GlobalProtect VPN (shown below) can help customers with troubleshooting remote access.

Zscaler App: This Splunk application provides visibility and dashboards into remote access, for all Zscaler products, no matter where the users are connecting from. There are prebuilt reports for web usage, remote access usage, along with threat intelligence and DLP event and incidence reporting. 

Cisco App: This Splunk application provides similar functionality to the Palo Alto and Zscaler apps to help populate dashboards around remote access and bandwidth on key links. 

Below is an example screenshot from Palo Alto’s app that allows you to search for users having login issues, see how many people are connected and from what location.

Access Management
Access management provides cloud hosted portals that can redirect to internal services or other cloud services using single sign on (SSO) capabilities. In many cases customers will be using Okta as their SSO for both cloud hosted SaaS services and also connections to internal systems. Use the add-ons listed below can help troubleshoot issues you may be having with these services, or pinpoint user issues.

Okta Add-on: This Splunk add-on connects to the Okta Identity Cloud REST APIs to report on event log information, user information, group and group membership information and application and application assignment information.

SailPoint Add-on: This Splunk add-on provides an easy way to extract audit event data from SailPoint's IdentityNow product.

Multifactor Authentication
Multifactor authentication is often used for remote access to ensure a higher level of security, and these will become critical services as well. Being able to know who is having issues, troubleshooting Token assignment or even keeping a close eye on the number of licenses available is an important part of keeping your IT environment safe.

Splunk Add-on for RSA Multifactor Authentication: This Splunk add-on allows a Splunk software administrator to collect data from the RSA SecurID Authentication Manager (AM) server via syslog. There are prebuilt dashboard panels included to help you get moving quickly.

Duo Add-on for Multifactor Authentication: This developer add-on allows you to collect and report on Authentication Logs, Administrator Logs, Telephony Logs and Endpoint Logs. The connector comes populated with default dashboards as well to help users get up and running quickly. 

We hope this post was useful and please stay tuned for more in this blog series soon to come. Please click here to explore other best practice guides and tips.

Thanks to the contributors of this blog post, Cory Minton, Bryan Sadowski, William Von Alt, Matt Olsen, Chris Kline.

----------------------------------------------------
Thanks!
Nick Crofts