Recently, I had the opportunity to evaluate a Savvius Insight appliance. Like most freelance network professionals, much of my interaction with my clients’ networks is remote. This leaves me with fewer options for network analysis and troubleshooting, so I jumped at the chance to look at something that might fill that gap.
The appliance hardware is the quad-core Intel Atom C2518 version of the Lanner FW-7525 network appliance with 8GB of RAM and 128GB of on-board flash storage. This includes a serial console, two USB 2.0 ports and six 1000BaseT interfaces: one for management, three for general use and two in a fail-to-wire bridge configuration for pass-through analysis.
The Insight is much more than an embedded system with limited functionality. It has a full-blown Ubuntu 12.04 LTS installation, with root privileges in the hands of the user, offering the ability to adjust or enhance the system as necessary. The base system boots from a squashfs image and then provides a persistent user environment via AUFS (Another Union File System); which means that that there are limits on how much playing can be done, but offers a safety net in trade by allowing the system to be easily reset to factory-default configuration.
Savvius Capture Engine for OmniPeek
The core component of the Insight is the Savvius Capture Engine for OmniPeek. This is the bit that’s constantly capturing traffic for analysis and the component that is tied directly to the hardware. This piece, when used with the bundled OmniPeek software, provides live remote packet capture, historical capture and extensive analysis capabilities for both.
The unit’s hardware features 1000BaseT interfaces and can pass nearly full bandwidth across its two bridge ports. The capture engine, on the other hand, is positioned for analysis of 100Mb traffic streams. For higher volumes, definitely consider upgrading to a dedicated Savvius Capture Engine and a full license of the OmniPeek software.
The Insight includes Splunk’s Universal Forwarder for tight integration with Splunk Enterprise, Splunk Enterprise Free or Splunk Cloud. The use of the Splunk Universal Forwarder rather than a baked-in reporter offers a lot of flexibility. In addition to its primary role of forwarding data to a Splunk server, the Universal Forwarder can be easily configured to export to non-Splunk systems, so other log aggregation platforms like ELK (Elasticsearch, Logstash and Kibana) or FEK (Fluentd, Logstash and Kibana) can be integrated as well, though not with the same ease.
Savvius Dashboards for Splunk
With the Insight appliance, Savvius has partnered with Splunk for extended monitoring and reporting. The Savvius Dashboards for Splunk allow for events and numbers from the device (or multiple devices) to be viewed either individually or collectively, drilling down to different time-frames for comparison or in-depth analysis.
The Whisper in the Wires
With the Insight, Savvius provides and affordable, open and extensible packet capture appliance. Its Splunk integration offers a high-level overview of what’s going on; its bundled OmniPeek software combined with its remote packet capture capability provides a detailed first-hand view of the network for troubleshooting current issues; and the same software allows forensic investigations into historical problems using the unit’s ongoing on-board storage of capture data.
The unit is targeted at SMBs and is attractive at its US$1,500 price, but may be equally intriguing to small IT firms supporting those SMBs. Forwarding multiple customers’ units’ data into a central OmniPeek/Splunk monitoring station has a lot of potential for these organizations.
Hosted and cloud solutions, on the other hand, are becoming more and more prevalent even in the SMB space. Adding an additional piece of hardware to these environments, were possible, incurs additional costs for power and space. With this in mind, a virtual appliance version of the Insight would offer more flexible deployment options.
Addendum: Self-contained Splunk Enterprise Free Hack
With a bit of work, coupled with an external USB drive, a minimal Splunk Enterprise Free installation can be hacked into the appliance itself. This allows for all of the benefits of the Savvius Dashboards for Splunk on a single appliance without an additional investment in hardware.
The appliance’s use of AUFS for the user file system provides good benefits for supportability, but does so at the expense of performance. The result is perfectly adequate for the core functionality of the Insight, but leaves something to be desired for user customization. Most notably, the full Splunk package does not support using this filesystem for its database, possibly due to this consideration.
That said, a self-contained Splunk Enterprise Free instance can be installed on the appliance using the following steps:
- Place a 64GB USB flash drive into a USB 2.0 port on the Insight appliance,
- Create an EXT4 filesystem on the flash drive and label it SPLUNKDB,
- Add the SPLUNKDB filesystem, mounting on “/opt/splunk/var/lib/splunk”, to “/etc/fstab”,
- Remove the existing Splunk Forwarder and nix packages from the appliance,
- Install Splunk Enterprise Free using the deb package downloadable from Splunk,
- Create a symbolic link “/opt/splunkforwarder” with “/opt/splunk” as the target for backward compatibility,
- Download and install the latest “Splunk Add-on for Savvius (nix)”,
- Add a permit entry for Splunk’s 8000/tcp web port to “/etc/iptables.rules”, and
- Reload the appliance.
Once complete, it was fairly simple to connect to the Splunk web interface on the appliance, add the Savvius for Splunk Dashboards and access the Insight’s forwarded data. The configuration performed well enough for simple testing and should be fine for anything within the performance parameters of the Insight, but don’t try this out where it really matters without some stress testing first.
Disclaimer: Savvius was kind enough to provide an Insight unit to evaluate, but did not pay for or otherwise influence the opinions expressed here.