Splunk – the perfect Wi-Fi operations companion!
Enterprise Wi-Fi vendors go to considerable effort to provide a level of operational visibility for the systems they provide. Information is available on traffic volumes, number of clients per access point (AP), devices experiencing high retries and radio frequency (RF) coverage. Some vendors also provide application-level volumetric information, derived from deep packet inspection (DPI). However, only a small degree of customisation is usually possible in the selection of metrics made available to operators, so the vendors have to decide a priori what information will be useful. Whether an AP, controller/switch or the Cloud is selected by vendors as the principal metric repository, the overall volume of historical data is generally low – sometimes providing just a few days’ worth of statistics.
Splunk delivers better visibility than that available from vendor Wi-Fi management dashboards in relation to depth of content, customisation and the timeframes covered. How is this possible? Enterprise Wi-Fi systems write reams of data into logs, which can in turn be exported using syslog or other protocols. Further data enrichment is available by utilising Simple Network Management Protocol (SNMP) polling and by sourcing log data from application servers, authentication systems and DHCP/DNS services. Integration with tools such as HelpSystems InterMapper is a good way to facilitate SNMP polling of Wi-Fi systems, delivering an abundant range of data types for use with Splunk.
Splunk easily ingests all of the information available without the need for a schema. It then timestamps and separates the input into event data with useful fields such as client address, Service Set Identifier (SSID), number of associated clients, authentication errors and so on. This data, once indexed by Splunk, becomes immediately available for customised searches, leading to simple production of presentation dashboards and notifications.
The upshot is that managing Wi-Fi operations and security is significantly easier using Splunk. Here are a couple of examples showing how this can work for you:
- A subset of users report that they are experiencing Wi-Fi roaming problems. By using Splunk, we can table device information by vendor type and roaming history (from the Wi-Fi system logs). By correlating these within Splunk to extracted fields taken from the associated RADIUS server logs, we might quickly note that only devices from a particular vendor are experiencing problems. Now we only need to focus on issues related to these devices - perhaps a recent patch has caused problems?
- Switches are swapped out at a single campus building over the weekend. We don’t want to get lots of alarms for uncontactable Wi-Fi sensors during this period. Using a pre-built Splunk app, we can set a time-limited filter to mask such alarms from this location for the coming weekend, but continue to present those from all the other sites. Just because we know maintenance is being carried out somewhere within the organisation’s estate during the weekend, we won’t now become blasé and ignore legitimate sensor offline alarms - our approach ensures security monitoring is not compromised.
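The masking logic in the second scenario, as an added sketch that is not the pre-built Splunk app's code: a mask scoped to one site, one alarm type and one time window, so everything else is still presented and the mask expires on its own. The site names, alarm types and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def _t(stamp: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class MaintenanceWindow:
    site: str        # only alarms from this location are masked
    alarm_type: str  # only this alarm type is masked
    start: datetime  # inclusive
    end: datetime    # exclusive: the mask expires without manual cleanup

    def masks(self, alarm: dict) -> bool:
        return (alarm["site"] == self.site
                and alarm["type"] == self.alarm_type
                and self.start <= alarm["time"] < self.end)


def triage(alarms, windows):
    """Split alarms into (presented, masked). Masked alarms are kept for
    later review rather than discarded."""
    presented, masked = [], []
    for alarm in alarms:
        hit = any(w.masks(alarm) for w in windows)
        (masked if hit else presented).append(alarm)
    return presented, masked


# Constructed sample data: a weekend switch swap at one building.
WINDOW = MaintenanceWindow("building-7", "sensor_offline",
                           _t("2024-06-01T00:00"), _t("2024-06-03T06:00"))
ALARMS = [
    {"id": 1, "site": "building-7", "type": "sensor_offline", "time": _t("2024-06-01T09:15")},
    {"id": 2, "site": "building-2", "type": "sensor_offline", "time": _t("2024-06-01T09:20")},
    {"id": 3, "site": "building-7", "type": "auth_errors", "time": _t("2024-06-02T14:00")},
    {"id": 4, "site": "building-7", "type": "sensor_offline", "time": _t("2024-06-03T08:30")},
]

if __name__ == "__main__":
    shown, hidden = triage(ALARMS, [WINDOW])
    print("presented:", [a["id"] for a in shown])
    print("masked:   ", [a["id"] for a in hidden])
```

Only alarm 1 is masked; the same alarm type from another site, a different alarm type from the masked site, and a sensor still offline after the window closes are all presented.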
You can probably think of lots of examples that would help you manage your own Wi-Fi system! Managing Wi-Fi with Splunk simultaneously delivers significant time savings and greatly increases effectiveness. If you would like to know more about how you can use Splunk to help improve management of your Wi-Fi system, contact MarQuest on 01482 886161 or firstname.lastname@example.org; we will be happy to provide support and advice.