We’re delighted to announce the release of version 4.5 of NetFlow Traffic Analyzer (NTA)!
The latest release of SolarWinds® NetFlow Traffic Analyzer is designed to help create alerts based on application flows. In past releases, we could alert on the overall utilization of an interface and provide a view of the top talkers when the configured threshold was exceeded. In this release, you can set a threshold on the volume of a specific application in order to trigger an alert. We're making use of the Orion Platform alerting framework, so that flexibility is available to you.
You’ve outlined a small set of critical problems in multiple requests, and in this release, we’re delivering on the five most popular of these.
- Application traffic exceeds a threshold – Alert triggered when we observe a specific application rate exceeds a user-defined threshold
- Application traffic falls below a threshold – Alert that can provide visibility when an application “goes off the air” and stops communicating
- Application traffic appears in the “TopN” list of applications – This alert triggers when application traffic increases suddenly relative to other applications
- Application traffic drops from the “TopN” list of applications – Likewise, alert triggers for a sudden reduction relative to other applications
- Flow data stops from a configured flow source – Alerts on the loss of flow instrumentation, and prompts to take action to help restore visibility
The approach we're using to create alerts is built to guide users into a particular context—a source of flow where we see the application traffic—and then offers a simple user experience to create the alert.
To create an alert based upon any these triggers, we must first select a source of flow data as a point of reference. We can do these one of two ways.
We can visit the NTA Summary Page, and navigate to a particular source of flow data:
If the application of interest is in the TopN, we can expand it to see where this application is visible and select that source. That will take us to a detail page, which is already filtered by both application and source of the flow data.
We can also select our source of flow data directly in the Flow Navigator. We can build our alert based upon a node that reports flow, or upon a specific interface:
Once we have a context for an alert, we can select an application. If we use the "TopN Applications" resource, we have already identified both the application and the node or interface where it's visible.
Another way to arrive at this context can make use of the Flow Navigator, where we can explicitly select the application we’re interested in:
We can select either Applications, or NBAR2 Applications, to help describe the traffic. With the context now fully described, we are able to open the "Create a Flow Alert" panel and create our first alert:
At the top of the panel, we'll see the source of the flow data that we'll evaluate, and a default alert name prefix. We can customize the alert name to help make searching simpler. The severity of the alert is configurable:
For the Trigger Condition, we'll select one of the options described above. In this case, we'll select "Application Traffic exceeds Threshold," and we'll set a threshold of 50MBps on the ingress. We'll evaluate the last five minutes of traffic; this is configurable. This threshold will trigger when our traffic rate averages greater than 50MBps over the five min. time period.
Finally, we can specify one or several protocols; if we specify more than one, we'll sum the traffic volumes for all the protocols.
To create the alert, there are two options. We can select the "Create Alert" immediately, and this will simply log the alert when it triggers. Or, we can check the box to open the alert in the Advanced Alert Editor and then select "Create Alert." Selecting this option will redirect us to the last step in the "Add New Alert" wizard, where we can modify the trigger actions, reset actions, or time of day schedule.
The trigger condition is an advanced SWQL query, pre-populated with the contextual information on the source and application.
Before submitting this new alert, we'll see a message indicating whether the alert will trigger immediately.
Practical Alert Scenarios
Use the "exceeds threshold" alert for application traffic levels that average above or below the specified threshold.
Use the operation for ">" (greater than) or "<=" (less than or equal to) to determine then you can alert above or below the threshold. For example:
- To determine when backup application traffic is running out of schedule
- To identify large file transfers in the middle of the day
- To identify DDOS attacks, or when Port 0 traffic is present at all
Use the <= “exceeds threshold” to help detect when an application server process goes offline and stops sending traffic.
- The application service may have crashed
- An intermediate connectivity problem (firewall or outage) may have reduced traffic
Use alerts related to applications appearing in—or dropping out of—the TopN can be useful for detecting sudden changes in traffic volume relative to other applications. Examples include:
- Detecting streaming or peer-to-peer file sharing applications that are transient
- Detecting changes in the mix of applications that usually traverse an interface
You can also set up an alert for each of your NetFlow sources to help take action if the configuration is modified, or firewall rules block flow traffic.
User Experience Improvements
This release of NTA also includes a number of small but significant improvements in the user interface to help enhance scalability and improve ease of use. Several long lists are now uniformly ordered, and we’ve changed how we label certain features to be clearer in the navigation.
You can see these new features in action in the webcast, “Up, Down, and Gone: A Tale of Applications and Flow.”
This is an initial introduction of the traffic alerting feature. Be sure to enter additional feature requests and expanded functionality that you'd like to see with this capability!