Drastic drop in concurrent connections-juniper-junos

Drastic drop in concurrent connections-juniper-junos
0

Drastic drop in concurrent connections-juniper-junos

Vendor: juniper

OS: junos

Description:
Alert when a drop was detected in the number of concurrent connections.

Remediation Steps:
Review why this may be happening.

How does this work?
This script runs the “show security flow session summary” command via ssh to retrieve the number of concurrent sessions.

Why is this important?
Concurrent-connections tell the number of connections going through the device. The administrator has to monitor the concurrent-connections to avoid traffic drops because of the high number of concurrent-connection.

Without Indeni how would you find this?
The administrator has to log on the device to retrieve the same information.

junos-show-security-flow-session-summary-cluster

name: junos-show-security-flow-session-summary-cluster
description: Retrieve security flow information for chassis cluster nodes
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: juniper
    os.name: junos
    product: firewall
    high-availability: true
comments:
    concurrent-connections-limit:
        why: "Each device has a limit for concurrent sessions or connections based\
            \ on the hardware capability. Exceeding this limit will cause traffic\
            \ drops. \n"
        how: |
            This script runs the "show security flow session summary" command via ssh to retrieve the limit for concurrent sessions.
        can-with-snmp: true
        can-with-syslog: false
    concurrent-connections:
        why: |
            Concurrent-connections tell the number of connections going through the device. The administrator has to monitor the concurrent-connections to avoid traffic drops because of the high number of concurrent-connection.
        how: |
            This script runs the "show security flow session summary" command via ssh to retrieve the number of concurrent sessions.
        can-with-snmp: true
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: show chassis hardware node local | display xml
    parse:
        type: XML
        file: show-security-flow-session-summary-cluster.parser.1.xml.yaml
-   run:
        type: SSH
        command: show security flow session summary node ${node} | display xml
    parse:
        type: XML
        file: show-security-flow-session-summary-cluster.parser.2.xml.yaml

concurrent_connections_drastic_change_down

package com.indeni.server.rules.library
/*

  * Rule is cancelled at the moment since we rewrote Change detection algorithm
  * Rule should be re written with the new algorithm


import com.indeni.apidata.data.conditions.True
import com.indeni.ruleengine._
import com.indeni.ruleengine.expressions.conditions.ResultsFound
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.scope.ScopableExpression
import com.indeni.ruleengine.expressions.Expression
import com.indeni.ruleengine.expressions.tools.changePointAnalysis.DropDetectionExpression
import com.indeni.server.params._
import com.indeni.server.rules._
import com.indeni.server.rules.library.ConcurrentConnectionsDrasticChangeDownRule._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.apidata.time.TimeSpan
*/
/**
  * Rule is cancelled at the moment since we rewrote Change detection algorithm
  * Rule should be re written with the new algorithm

case class ConcurrentConnectionsDrasticChangeDownRule() extends PerDeviceRule with RuleHelper {

  private val reviewedTimeframeParameter = new ParameterDefinition(REVIEWED_TIMEFRAME_PARAMETER_NAME,
    "",
    "Reviewed Timeframe",
    "The window of time we review to detect changes.",
    ParameterDefinition.UIType.TIMESPAN,
    TimeSpan.fromMinutes(120))


  override val metadata: RuleMetadata = RuleMetadata.builder(NAME, "All Devices: Drastic drop in concurrent connections", "Alert when a drop was detected in the number of concurrent connections.", AlertSeverity.ERROR).configParameter(reviewedTimeframeParameter).build()

  override def expressionTree: StatusTreeExpression = {
    val numOfConnectionsTimeSeries = TimeSeriesExpression[Double]("concurrent-connections")
    val actualValue = numOfConnectionsTimeSeries.last
    val lastChange = DropDetectionExpression(numOfConnectionsTimeSeries).withLazy

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("concurrent-connections"), historyLength = getParameterTimeSpanForRule(reviewedTimeframeParameter)),

          // The condition which, if true, we have an issue. Checked against the time-series we've collected
          ResultsFound(lastChange)

          // The Alert Item to add for this specific item
      ).withRootInfo(
            getHeadline(),
            scopableStringFormatExpression("A drop has been detected in the number of concurrent connections. %s.", new ScopableExpression[Any] {

              override protected def evalWithScope(time: Long, scope: Scope): String = s"Changed from ${lastChange.eval(time).head.before} to ${lastChange.eval(time).head.after}"
              override def args: Set[Expression[_]] = Set(lastChange)
            }),
            ConstantExpression("Review why this may be happening.")
        ).asCondition()
    ).withoutInfo()
  }
}

object ConcurrentConnectionsDrasticChangeDownRule {

  /* --- Constants --- */

  private[library] val NAME = "concurrent_connections_drastic_change_down"

  private[library] val REVIEWED_TIMEFRAME_PARAMETER_NAME: String = "reviewed_timeframe"
}
  */