As a network infrastructure engineer responsible for a large multi-vendor, multi-domain network, I am swamped with SYSLOG messages. Making sense of the data is super hard, which limits our visibility into what is going wrong in the network. Vendors make this problem harder because they do not all follow the same format. Even if they did, the format is generally unstructured text. So what we effectively have is a bunch of regular expression “grok” parsers to extract the data into meaningful fields so that we can turn the data into actionable information. My friends are in abusive co-dependent relationships with tools like logstash and Splunk.
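To make the “grok parser” pain concrete, here is an added example (mine, not code from Augtera or the original post) that extracts fields from constructed SYSLOG lines in two vendor dialects, approximating Cisco IOS and Junos message styles, and counts what falls through. The device names, PIDs and message text are made up; every new vendor or firmware change means another hand-written pattern, and anything unmatched is exactly the blind spot the post is describing.

```python
import re

# Constructed sample lines, not real device output. Each has a standard
# <PRI>timestamp host header, but the body differs per vendor dialect.
SAMPLE_LINES = [
    "<189>Jan 10 12:01:02 core-rtr1 123: *Jan 10 12:01:01.990: "
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<30>Jan 10 12:01:03 edge-rtr2 rpd[1342]: RPD_BGP_NEIGHBOR_STATE_CHANGED: "
    "BGP peer 10.0.0.2 (External AS 65002) changed state from Established to Idle",
    "<14>Jan 10 12:01:04 mystery-sw7 something happened that nobody expected",
]

# Common RFC 3164-style header: <PRI>, timestamp, hostname, then free text.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$"
)

# One hand-maintained "grok"-style pattern per vendor dialect.
VENDOR_PATTERNS = {
    # optional sequence number, optional device-local timestamp, then %FAC-SEV-MNEMONIC
    "cisco_ios": re.compile(
        r"^(?:\d+: )?(?:\*?\w{3} +\d+ [\d:.]+: )?"
        r"%(?P<facility>[A-Z0-9_]+)-(?P<vendor_severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
    ),
    # process[pid]: MNEMONIC: text
    "junos": re.compile(
        r"^(?P<process>[a-z][\w-]*)\[(?P<pid>\d+)\]: (?P<mnemonic>[A-Z][A-Z0-9_]+): (?P<msg>.*)$"
    ),
}


def parse_syslog(line):
    """Return a dict of extracted fields; parsed=False when no vendor pattern matched."""
    rec = {"raw": line, "parsed": False, "vendor": None}
    m = HEADER.match(line)
    if not m:
        return rec
    pri = int(m.group("pri"))
    # PRI encodes facility*8 + severity; note this severity is the relay's view and
    # can differ from the number the vendor embeds in its own mnemonic.
    rec.update(facility_code=pri // 8, severity=pri % 8,
               host=m.group("host"), timestamp=m.group("ts"))
    for vendor, pat in VENDOR_PATTERNS.items():
        vm = pat.match(m.group("body"))
        if vm:
            rec.update(vm.groupdict(), vendor=vendor, parsed=True)
            break
    return rec


def unparsed_ratio(lines):
    """Fraction of lines no pattern understood: the visibility gap to track."""
    recs = [parse_syslog(l) for l in lines]
    return sum(1 for r in recs if not r["parsed"]) / len(recs)
```

Run over the samples, one of three lines falls through unparsed, and the Cisco line shows the relay-level severity (5) disagreeing with the vendor's own severity digit (3), which is why field-by-field normalization across vendors is so tedious.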
Today I saw Augtera Networks demonstrate their solution applying Natural Language Processing (NLP) and other machine learning technologies so that I never have to write a “grok parser” ever again. Never.
To be clear, Augtera provides context-aware insights into network anomalies beyond solving my SYSLOG problems. But I am going to focus on SYSLOG because the problem is so acute that talking about all their other features would make this blog far too long. I think of Network Observability as an approach, and a system, that gives our team actionable insights into our network so that we go from “Oh crap” to “All clear!” quickly and accurately. We have to examine: (1) performance metrics, (2) SYSLOG, (3) network flows, and (4) TACACS+ accounting logs (who changed what, and when). In my opinion, a perfect Network Observability system would be able to sift through all of that data and identify issues and anomalies. And then, with some degree of confidence, indicate the root cause and potentially similar areas of the network at risk. Handling *any one* of those four aspects in a multi-vendor network is exceptionally daunting. Putting together a single system that could handle all of them, correlate between them, and put my special network conditions into context seems like science fiction.
Augtera today showed they’ve already tackled three of the four: metrics, SYSLOGs, and flows. They can do this in a way that leverages a customer’s existing investments. For example, they can ingest your metrics from your existing Prometheus system, rather than ask you to send a copy of your metrics to them. So it looks like an easy win to quickly install their software on a network that securely forwards data to their SaaS system for processing. They call this software a “proxy”, which can run on any Linux server. I could then configure my devices to send SYSLOG to their proxy, which would then forward to their cloud. What really excites me about this is that I can send any SYSLOGs from any systems, network or otherwise, and they will start to apply NLP and anomaly detection to whatever I throw at them.
I can finally start to see the real application of all the hype around ML. Their CEO said many times today, “The proof is in the pudding”. The expression is an alteration of an older saying that makes the meaning a bit clearer: the proof of the pudding is in the eating. Really looking forward to “tucking in” with Augtera Networks.
Check out their presentation from Network Field Day 28 to learn more!