Cisco Stealthwatch Customer Success Metrics Configuration Guide 7.2

Table of Contents

Overview 3
Contacting Support 3
Configuration 4
Configuring the Network Firewall 4
Configuring the Stealthwatch Management Console 4
Configuring the Flow Collector 4
Disabling Customer Success Metrics 5
Customer Success Metrics Data 6
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 2 -
Overview

Customer Success Metrics (CSM) enables Stealthwatch system data to be sent to the cloud so that Customer Experience can access vital information regarding the deployment, health, performance, and usage of your system. The data is also available in a .csv file accessible on your appliance.

Contacting Support

If you need technical support, please do one of the following:

- Contact your local Cisco Partner
- Contact Cisco Stealthwatch Support
  - To open a case by web: http://www.cisco.com/c/en/us/support/index.html
  - To open a case by email: [email protected]
  - For phone support: 1-800-553-2447 (U.S.)
  - For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Configuration

Customer Success Metrics is automatically enabled on your Stealthwatch Management Console and Flow Collector(s). You will need to configure your network firewall to allow communication from your appliances to the cloud, using the directions provided in the Configuring the Network Firewall section. To opt out of CSM, use the directions in the Disabling Customer Success Metrics section.

- Customer Success Metrics requires all enabled appliances to have internet access.
- Each appliance generates a separate .csv file.

Configuring the Network Firewall

Configuring the Stealthwatch Management Console

Configure your network firewall to allow communication from the Stealthwatch Management Console to the following IP addresses and port 443:

AWS Elastic IPs
- 34.242.41.248
- 34.242.94.137
- 34.251.54.105

Cisco Streamline IPs
- 146.112.59.0/24
- 208.69.38.0/24

If public DNS is not allowed, you will need to configure the resolution locally on the Stealthwatch Management Console.
Configuring the Flow Collector

Configure your network firewall to allow communication from the Flow Collector(s) to the following IP addresses and port 443:

AWS Elastic IPs
- 34.242.41.248
- 34.251.210.21
- 34.242.94.137
- 34.251.54.105
- 34.255.162.33
- 54.194.49.205

Cisco Streamline IPs
- 146.112.59.0/24
- 208.69.38.0/24

If public DNS is not allowed, you will need to configure the resolution locally on the Flow Collector(s).
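As an added example that is not part of the Cisco guide, the two allowlists above turned into a small egress checker and nftables rule generator: it validates each entry, answers whether a given outbound connection from an SMC or Flow Collector is covered, and renders one accept rule per destination. The chain name `inet filter csm_egress` and the 192.0.2.x appliance addresses are assumptions.

```python
import ipaddress

# Egress allowlist copied from the guide: CSM traffic is outbound only, to TCP/443.
CSM_PORT = 443
CSM_DESTINATIONS = {
    "smc": [                                                 # Stealthwatch Management Console
        "34.242.41.248", "34.242.94.137", "34.251.54.105",   # AWS Elastic IPs
        "146.112.59.0/24", "208.69.38.0/24",                 # Cisco Streamline IPs
    ],
    "fc": [                                                  # Flow Collector(s)
        "34.242.41.248", "34.251.210.21", "34.242.94.137",   # AWS Elastic IPs
        "34.251.54.105", "34.255.162.33", "54.194.49.205",
        "146.112.59.0/24", "208.69.38.0/24",                 # Cisco Streamline IPs
    ],
}


def allowlist(role):
    """Return the guide's destinations for a role as ip_network objects.

    strict=True rejects a mistyped range such as 146.112.59.1/24, so a typo in
    the allowlist fails loudly instead of silently widening the firewall rule.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in CSM_DESTINATIONS[role]]


def is_permitted(role, dst_ip, dst_port=CSM_PORT):
    """True if an outbound connection from this appliance role is within the allowlist."""
    if dst_port != CSM_PORT:
        return False
    return any(ipaddress.ip_address(dst_ip) in net for net in allowlist(role))


def nft_rules(role, appliance_ip, chain="inet filter csm_egress"):
    """Render one nftables accept rule per destination for a given appliance.

    The table/chain name is an assumed placeholder; substitute your own. Pair these
    with a default drop on the same chain so that only CSM traffic leaves the host.
    """
    src = ipaddress.ip_address(appliance_ip)  # validates the appliance address too
    return [
        f"nft add rule {chain} ip saddr {src} ip daddr {net.with_prefixlen} "
        f"tcp dport {CSM_PORT} accept"
        for net in allowlist(role)
    ]


if __name__ == "__main__":
    # Constructed sample appliance addresses from the RFC 5737 documentation range.
    for line in nft_rules("smc", "192.0.2.10") + nft_rules("fc", "192.0.2.20"):
        print(line)
```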
Disabling Customer Success Metrics

To disable CSM on your appliance, complete the following steps:

1. Log in to Stealthwatch Management Console.
2. Click on the Global Settings icon, and then click Central Management.
3. From the context menu in the Actions column for the applicable appliance, choose Edit Appliance Configuration.
4. Click the General tab.
5. Scroll down to the External Services section and uncheck the Enable Customer Success Metrics check box.
6. Click Apply Settings.
Customer Success Metrics Data

There are three data types for Customer Success Metrics:

- Cumulative: One entry for a 24-hour period
- Interval: One entry every 5 minutes (total of 288 entries per 24-hour period)
- Snapshot: One entry for the point in time you generate the report

The following table lists the data collected by Customer Success Metrics:

| System Data | Description | Data Type |
|---|---|---|
| collector.collect.duration_s | Duration it took to collect all metrics | Snapshot, Freq: Hourly |
| devices.cache.active | Number of active MAC addresses from ISE in the devices cache | Snapshot |
| devices.cache.deleted | Number of deleted MAC addresses from ISE in the devices cache because they have timed out | Cumulative |
| devices.cache.dropped | Number of dropped MAC addresses from ISE because the devices cache is full | Cumulative |
| devices.cache.max | Maximum number of MAC addresses from ISE | Interval |
| devices.cache.new | Number of new MAC addresses from ISE added into the devices cache | Cumulative |
| events.vertica.day.{event_id}.count | Total number of each type of security event over one day (delayed by one day) | Interval, Freq: Daily |
| flow_stats | Flow statistics per minute exported to Vertica and ZMQ | Interval |
| flow_stats.fps | Outbound flows per second in the last minute | Interval |
| flows | Inbound flows processed | Interval |
| flows.cache.active | Number of active flows in the Flow Collector's flow cache | Snapshot |
| flows.cache.dropped | Number of flows dropped because the Flow Collector's flow cache is full | Cumulative |
| flows.cache.ended | Number of flows ended in the Flow Collector's flow cache | Interval |
| flows.cache.max | Maximum size of the Flow Collector's flow cache | Interval |
| flows.cache.percent | Percent of capacity of the Flow Collector's flow cache | Interval |
| flows.cache.started | Number of flows added to the Flow Collector's flow cache | Cumulative |
| flows.dropped | Inbound number of flows dropped | Interval |
| flows.fps | Inbound number of flows per second | Interval |
| flows.vertica.all.count | Total number of flows in the database | Snapshot, Freq: Daily |
| flows.vertica.all.last_time.min | Approximation of the oldest flow in the database | Snapshot, Freq: Daily |
| flows.vertica.hour.client_ip_address.distinct.catch_all.count | Total number of distinct client IPs belonging to the catch-all group (one hour of data sampled) | Interval, Freq: Hourly |
| flows.vertica.hour.client_ip_address.distinct.count | Total number of distinct client IPs (one hour of data sampled) | Interval, Freq: Hourly |
| flows.vertica.hour.count | Total number of flows in one hour (one hour of data sampled) | Interval, Freq: Hourly |
| flows.vertica.hour.distinct.count | Approximate number and ratio of unique flows (based on the flow id). Ratio in [0,1] (one hour of data sampled). | Interval, Freq: Hourly |
| flows.vertica.hour.* (inside.inside.count, inside.outside.count, outside.inside.count, outside.outside.count) | Total number of flows grouped by direction (one hour of data sampled) | Interval, Freq: Hourly |
| flows.vertica.hour.server_ip_address.distinct.catch_all.count | Total number of distinct server IPs belonging to the catch-all group (one hour of data sampled) | Interval, Freq: Hourly |
| flows.vertica.hour.server_ip_address.distinct.count | Total number of distinct server IPs (one hour of data sampled) | Interval, Freq: Hourly |
| flows.vertica.sample.client_ip_address.distinct.catch_all.ratio | Ratio of client IPs belonging to the catch-all group. Ratio in [0,1] (one hour of data sampled) | Interval, Freq: Hourly |
| flows.vertica.sample.distinct.ratio | Approximate number and ratio of unique flows (based on the flow id). Ratio in [0,1] (one hour of data sampled). | Interval, Freq: Hourly |
| flows.vertica.sample.server_ip_address.distinct.catch_all.ratio | Ratio of server IPs belonging to the catch-all group. Ratio in [0,1] (one hour of data sampled) | Interval, Freq: Hourly |
| hosts.cache.cached | Number of hosts in the host cache | Interval |
| hosts.cache.deleted | Number of hosts deleted in the host cache | Cumulative |
| hosts.cache.dropped | Number of hosts dropped because the host cache is full | Cumulative |
| hosts.cache.max | Maximum size of the host cache | Interval |
| hosts.cache.new | Number of new hosts added into the host cache | Cumulative |
| hosts.cache.percent | Percent of capacity of the host cache | Interval |
| hosts.cache.probationary.deleted | Number of probationary hosts* deleted in the hosts cache | Cumulative |
| interfaces | Outbound number of interface statistics exported to Vertica | Interval |
| interfaces.fps | Outbound number of interface statistics per second exported to Vertica | Interval |
| platform | Hardware platform (ex: Dell 13G, KVM Virtual Platform) | N/A |
| product | Stealthwatch product (ex: SMC, Flow Collector NetFlow) | N/A |
| report.complete | Name of the report and the run-time in milliseconds (SMC only) | N/A |
| report.filters | Filters used when the SMC queries the FC databases. Data exported per query: maximum number of rows; include-interface-data flag; fast-query flag; exclude-counts flag; flows direction filters; order-by column; default-columns flag; time window start date and time; time window end date and time; number of device ids criteria; number of interface ids criteria; number of IPs criteria; number of IP ranges criteria; number of hostgroups criteria; number of hosts pairs criteria; whether results are filtered by MAC addresses; whether results are filtered by TCP/UDP ports; number of usernames criteria; whether results are filtered by number of bytes/packets; whether results are filtered by total number of bytes/packets; whether results are filtered by URL; whether results are filtered by protocols; whether results are filtered by applications ids; whether results are filtered by process name; whether results are filtered by process hash; whether results are filtered by TLS version; number of ciphers in cipher suite criteria | Snapshot, Freq: Per Request |
| security_events.cache.active | Number of active security events in the security events cache | Snapshot |
| security_events.cache.dropped | Number of security events dropped because the security events cache is full | Cumulative |
| security_events.cache.ended | Number of ended security events in the security events cache | Cumulative |
| security_events.cache.inserted | Number of security events inserted into the database table | Interval |
| security_events.cache.max | Maximum size of the security events cache | Interval |
| security_events.cache.percent | Percent of capacity of the security events cache | Interval |
| security_events.cache.started | Number of started security events in the security events cache | Cumulative |
| serial | Serial number of the appliance | N/A |
| sessions.cache.active | Number of active sessions from ISE in the session cache | Snapshot |
| sessions.cache.deleted | Number of deleted sessions from ISE in the session cache | Cumulative |
| sessions.cache.dropped | Number of sessions from ISE dropped because the sessions cache is full | Cumulative |
| sessions.cache.max | Maximum size of the sessions cache | Interval |
| sessions.cache.new | Number of new sessions from ISE added into the session cache | Cumulative |
| users.cache.active | Number of active users in the users cache | Snapshot |
| users.cache.deleted | Number of deleted users in the users cache because they have timed out | Cumulative |
| users.cache.dropped | Number of users dropped because the users cache is full | Cumulative |
| users.cache.max | Maximum size of the users cache | Interval |
| users.cache.new | Number of new users in the users cache | Cumulative |
| version | Stealthwatch version number (ex: 7.1.0) | N/A |
| version.build | Build number (ex: 2018.07.16.2249-0) | N/A |
| version.patch | Patch number | N/A |
| vertica.health.node.{node_name}.disk.* (used_bytes, free_bytes, used_ratio) | Disk current status | Snapshot, Freq: Hourly |
| vertica.health.node.{node_name}.event.{event_severity} | Count of events (one hour of data) | Interval, Freq: Daily |
| vertica.health.node.{node_name}.state | Node current state | Snapshot, Freq: Hourly |
| reset.hour | Flow Collector reset hour | N/A |
| csm.version | Customer Success Metrics code version (ex: 1.0.24-SNAPSHOT) | N/A |
| power.{sensorId}.status | SMC and Flow Collector power supply statistics | Snapshot |
| integration.ad.{domainId}.count | Number of AD connections | Cumulative |
| rpe.{domainId}.count | Number of role policies configured | Cumulative |
| rp.{domainId}.count | Number of relationship policies configured | Cumulative |
| sw.app.{appId} | Stealthwatch Apps installed on the system | N/A |
| hostgroups.changes.{domainId}.count | Changes to the Host Group configuration | Cumulative |
| integration.snmp | SNMP agent usage | N/A |
| integration.cognitive | Cognitive Intelligence integration enabled | N/A |
| services.{domainId}.count | Number of services defined | Snapshot |
| applications.default.count | Number of applications defined | Snapshot |
| smc.users.count | Number of users in the Web App | Snapshot |
| login.api.count | Number of API log ins | Cumulative |
| login.ui.count | Number of Web App log ins | Cumulative |
| report.concurency | Number of reports running concurrently | Cumulative |
| vertica.stats.query.{user}.duration_sec | Query response time by user | Cumulative |
| vertica.stats.query.duration_sec.max | Maximum query response time | Cumulative |
| vertica.stats.query.duration_sec.min | Minimum query response time | Cumulative |
| vertica.stats.query.duration_sec.avg | Average query response time | Cumulative |
| exporters.fc.count | Number of exporters per Flow Collector | Interval |
| apicall.ui.count | Number of SMC API calls using the Web App | Cumulative |
| apicall.api.count | Number of SMC API calls using the API | Cumulative |
| licensing.smart.smartAccount | Smart licensing account for the SMC | N/A |
| licensing.smart.virtualAccount | Smart licensing virtual account for the SMC | N/A |
| licensing.smart.registrationStatus | Smart licensing registration status for the SMC | N/A |
| licensing.smart.productInstanceName | Smart licensing product identifier | N/A |
| ctr.ctr_enabled | CTR integration enabled | N/A |
| ctr.ats_integration_enabled | ATS integration enabled | N/A |
| ctr.alarm_sender_enabled | Stealthwatch alarms to CTR enabled | N/A |
| ctr.alarm_sender_minimal_severity | Minimal severity of alarms sent to CTR | N/A |
| ctr.enrichment_enabled | Enrichment request from CTR enabled | N/A |
| ctr.enrichment_limit | Number of top Security Events to be returned to CTR | Cumulative |
| ctr.enrichment_period | Time period for Security Events to be returned to CTR | Cumulative |
| ctr.number_of_alarms | Number of alarms sent to CTR | Cumulative |
| ctr.number_of_enrichment_requests | Number of enrichment requests received from CTR | Cumulative |
| ctr.number_of_refer_requests | Number of requests for SMC pivot link received from CTR | Cumulative |
| ctr.swe_visibility_app_metrics | Number of data requests to Visibility Assessment SecureX tile | Cumulative |
| ctr.swe_visibility_app_network_metrics | Number of data requests to Network Visibility SecureX tile | Cumulative |
| ctr.swe_alarming_hosts_by_category | Number of data requests to Alarming Hosts By Category SecureX tile | Cumulative |
| ctr.swe_top_inside_groups_by_traffic | Number of data requests to Top Inside Hosts SecureX tile | Cumulative |
| ctr.swe_top_outside_groups_by_traffic | Number of data requests to Top Outside Hosts SecureX tile | Cumulative |
| ctr.swe_top_alarming_hosts | Number of data requests to Top Alarming Hosts SecureX tile | Cumulative |
| ctr.swe_top_alarms_by_type_overall | Number of data requests to Top Alarms By Count SecureX tile | Cumulative |

*Probationary hosts are hosts that have never been the source of packets and bytes. These hosts are deleted first when clearing up space in the host cache.
Copyright Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2020 Cisco Systems, Inc. and/or its affiliates.
All rights reserved.