9.1. Overview
NetSpyGlass provides software infrastructure that enables customers to collect, process, store, analyze, and react to Syslog messages collected from monitored network devices.
Message collection happens in the NSG Agent, which can act as a Syslog server (per RFC 3164 and RFC 5424) by accepting messages over plain, unencrypted TCP/UDP connections. The processing phase is also the NSG Agent's responsibility. When the agent receives a message, it extracts the meaningful fields with a Grok parser and sends the structured data to the NetSpyGlass server running in the cloud. The NetSpyGlass server appends information about the originating device to the inbound message and submits it to ElasticSearch for indexing and storage.
Analysis of the network events that produced the syslog messages can be done with NSGQL, with Kibana, or directly through the ElasticSearch API.
The NSG Agent has to be installed within reach of the source of the Syslog messages. It can collect syslog messages directly from network devices, or receive them from a syslog forwarder such as rsyslogd.
Additional configuration is required on the monitored devices or on the Syslog forwarders to make them send messages to the agent.
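The parse and enrich steps of the pipeline described above, shown as an added example that is not NetSpyGlass's own code: Grok-style regexes extract structured fields from both syslog formats the agent accepts, and a constructed device inventory (hypothetical field names) stands in for the server's device database when the originating-device information is appended.

```python
import re

# Grok-style patterns (regexes with named captures) for the two syslog
# formats the agent accepts. Constructed for this example; not NSG's own.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed device inventory standing in for the NetSpyGlass server's
# device database; the field names here are assumptions.
DEVICES = {"core-rtr1": {"device_id": 17, "vendor": "Cisco", "role": "core"}}


def parse_syslog(line: str) -> dict:
    """Extract structured fields from an RFC 5424 or RFC 3164 message."""
    m = RFC5424.match(line)
    rfc = "5424"
    if m is None:
        m = RFC3164.match(line)
        rfc = "3164"
    if m is None:
        raise ValueError(f"unparseable syslog line: {line!r}")
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    if pri > 191:  # PRI = facility*8 + severity; the largest valid value is 23*8+7
        raise ValueError(f"PRI out of range: {pri}")
    rec["facility"], sev = divmod(pri, 8)
    rec["severity"] = SEVERITY[sev]
    rec["rfc"] = rfc
    return rec


def enrich(rec: dict, inventory: dict = DEVICES) -> dict:
    """Append originating-device info, as the server does before indexing."""
    rec["device"] = inventory.get(rec["host"], {"device_id": None})
    return rec


# Constructed sample messages, not captured from a real device.
SAMPLES = [
    "<189>Jan  5 14:02:17 core-rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    '<165>1 2024-01-05T14:02:18.123Z core-rtr1 sshd 4242 ID47 [meta seq="1"] Accepted publickey for admin',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(enrich(parse_syslog(line)))
```

A message whose host is not in the inventory is still indexed, but with `device_id` set to `None`, which is the case to watch for when a forwarder rewrites hostnames.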
