The quest for Network Observability…


It has been a multi-year journey to try to achieve some level of network observability that makes sense – and doesn’t require tons of hands-on attention to accomplish. The initial install – and compiling of apps from scratch – then configuring them – it just eats up so much time… And for a rank beginner, much of that time is spent figuring it all out rather than using it.

The first battle was with Snort – and it was a long one. I started plucking away at Snort IDS on Ubuntu years ago – before I even had the first clue how to use it – or Linux for that matter. Following guide after guide online – becoming a fairly proficient “copy and paste” administrator along the way – I managed to get it “kind of” functional – but it was woefully configured – and I had a long way to go to understand the physical and logical networking steps required to have it function “as designed”.

Quite simply put – I just didn’t know what I was doing. I realized this – and shelved it for several years. I think I was on Ubuntu 12 or 16 when I initially started to fiddle with it. I had a long way to go… We’re now at 24.04 and the current install I have running is Snort 3.5.2.0 on Ubuntu 20.04.6. At this stage it is running and fetching rules via PulledPork3 – and dumping log files where they belong. The next task is to automate the ingestion into Splunk.

There’s another one – Splunk SIEM – I haven’t even begun to scratch the surface with it – but it too is up and running and waiting to be learned. At least I have data to feed it.

For continuous monitoring – I would like to thank the fine people at Paessler for being so generous with their PRTG Network Monitor – which thus far is doing a fine job in the auto-discovery process – yet needs to have the VLANs and the various Cisco nodes added by hand. Still it’s a great piece of monitoring kit – and once again – something that I have yet to entirely crack open. But – it is keeping an eye on the connectivity of all of my network devices and even monitoring Redfish events from the Dell server.

The Dell is now home to all of the various VMs that I was running on my workstations. It’s nice to get that workload off of them – and onto something designed to actually run them. I have a variety of virtualized devices running that all need further exploitation and configuration. PRTG is watching them too.

The ultimate goal is to get everything automated and eventually figure out how to tie it into a better centralized visualization platform – yet that part still eludes me. Thus far – I have achieved some decent monitoring – but I am some distance from obtaining true “observability” and being able to discover anomalous activity and traffic without having to ferret it all out by hand with Wireshark or Splunk searches.
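As an added illustration of the two open items above (automating the Snort-to-Splunk hand-off, and getting a first cut at anomalous traffic without hand searches), here is a small Python script that is not part of this post or of the author's setup. It assumes Snort 3 is writing its alert_json logger output one JSON object per line to a file such as /var/log/snort/alert_json.txt, with the timestamp, proto, src_ap, dst_ap, rule, action, msg and priority fields enabled in snort.lua; the sample lines, the local-range rule IDs (1:1000001:1 and 1:1000002:1), the IP addresses and the "snort" index / "snort:alert:json" sourcetype names are all constructed for the example.

```python
"""Parse Snort 3 alert_json output, shape it for Splunk, and flag noisy sources.

Added example, not the post author's tooling. Assumes Snort 3's alert_json
logger (one JSON object per line) with the fields used below enabled in
snort.lua. Sample data, rule IDs, addresses and Splunk index/sourcetype names
are constructed for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed sample lines in alert_json shape (not real captured traffic).
# Rule IDs use the local range (SID >= 1000000); the last line is deliberately
# malformed to show that the parser skips and counts it instead of crashing.
SAMPLE_ALERTS = """\
{ "timestamp" : "06/14-17:23:41.004125", "proto" : "TCP", "src_ap" : "192.168.1.50:41234", "dst_ap" : "10.0.0.5:22", "rule" : "1:1000001:1", "action" : "allow", "msg" : "LOCAL SSH probe", "priority" : 2 }
{ "timestamp" : "06/14-17:23:41.104210", "proto" : "TCP", "src_ap" : "192.168.1.50:41235", "dst_ap" : "10.0.0.6:22", "rule" : "1:1000001:1", "action" : "allow", "msg" : "LOCAL SSH probe", "priority" : 2 }
{ "timestamp" : "06/14-17:23:41.204332", "proto" : "TCP", "src_ap" : "192.168.1.50:41236", "dst_ap" : "10.0.0.7:22", "rule" : "1:1000001:1", "action" : "allow", "msg" : "LOCAL SSH probe", "priority" : 2 }
{ "timestamp" : "06/14-17:25:02.000010", "proto" : "TCP", "src_ap" : "192.168.1.22:50112", "dst_ap" : "10.0.0.5:80", "rule" : "1:1000002:1", "action" : "allow", "msg" : "LOCAL HTTP user-agent check", "priority" : 3 }
this line is not json and should be skipped
"""


def parse_alerts(text):
    """Return (alerts, bad_line_count). Malformed or non-alert lines are skipped."""
    alerts, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(rec, dict) or "rule" not in rec:
            bad += 1
            continue
        alerts.append(rec)
    return alerts, bad


def split_ap(ap):
    """Split Snort's 'addr:port' field; rpartition keeps IPv6 literals intact."""
    host, _, port = ap.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def to_splunk_events(alerts, index="snort", sourcetype="snort:alert:json",
                     source="/var/log/snort/alert_json.txt"):
    """Wrap each alert in the envelope the Splunk HTTP Event Collector expects,
    adding split-out IP/port and gid/sid/rev fields so searches need no regex."""
    events = []
    for a in alerts:
        src_ip, src_port = split_ap(a.get("src_ap", ""))
        dst_ip, dst_port = split_ap(a.get("dst_ap", ""))
        gid, sid, rev = (a["rule"].split(":") + [None] * 3)[:3]
        events.append({
            "index": index, "sourcetype": sourcetype, "source": source,
            "event": {**a, "src_ip": src_ip, "src_port": src_port,
                      "dst_ip": dst_ip, "dst_port": dst_port,
                      "gid": gid, "sid": sid, "rev": rev},
        })
    return events


def summarise(alerts, threshold=3):
    """Count alerts per rule and per source, and flag sources that either fire
    >= threshold alerts or touch >= threshold distinct destinations (fan-out)."""
    by_rule = Counter(a["rule"] for a in alerts)
    by_src = Counter(split_ap(a.get("src_ap", ""))[0] for a in alerts)
    targets = defaultdict(set)
    for a in alerts:
        targets[split_ap(a.get("src_ap", ""))[0]].add(split_ap(a.get("dst_ap", ""))[0])
    return {
        "by_rule": dict(by_rule),
        "by_src": dict(by_src),
        "noisy_sources": sorted(ip for ip, n in by_src.items() if n >= threshold),
        "fan_out_sources": sorted(ip for ip, t in targets.items() if len(t) >= threshold),
    }


if __name__ == "__main__":
    alerts, bad = parse_alerts(SAMPLE_ALERTS)
    print(f"parsed {len(alerts)} alerts, skipped {bad} bad line(s)")
    print(json.dumps(to_splunk_events(alerts)[0], indent=2))
    print(json.dumps(summarise(alerts), indent=2))
```

In practice you would point parse_alerts at the real alert_json file (or tail it) and POST the to_splunk_events output to the HEC endpoint, or simply let a Splunk forwarder monitor the file and use these field names in a props.conf extraction; the summarise pass is the kind of fan-out check that catches a host sweeping port 22 across several targets without anyone running a search by hand.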

