Can I get some fields from Splunk App for Stream capturing HTTPS?

Contributor

Hi.

I have deployed Splunk_TA_stream to all the workstations, and was wondering if it is at all possible to get certain fields when the transport is HTTPS. Logically I think it should be possible, as the only fields I'm interested in are as follows:

dest_ip
dest_port
endtime
site
status
sum(bytes_in)
sum(bytes_out)
sum(time_taken)
timestamp
uri_path

The only one I can see might give some trouble is status; the rest is routing information or calculated fields, but I might be mistaken.

Any help is much appreciated.

Kind regards
Lars


Splunk Employee

Yep, absolutely. Here is an example of the tcp stream I configured in my lab capturing SSL traffic to Apple:

{
    "app": "apple",
    "client_rtt": 5489,
    "client_rtt_packets": 8,
    "connection": "17.178.104.14:443",
    "count": 1,
    "data_packets_in": 8,
    "data_packets_out": 6,
    "dest_ip": "17.178.104.14",
    "dest_mac": "xxxxxxxxxxx",
    "dest_port": 443,
    "endtime": "2017-06-06T14:16:13.119283Z",
    "network_interface": "enp2s0f0",
    "packets_in": 27,
    "packets_out": 22,
    "protocol_stack": "ip:tcp:ssl:apple",
    "refused": 0,
    "request_time": 0,
    "response_time": 0,
    "server_rtt": 83024,
    "server_rtt_packets": 6,
    "src_ip": "10.10.242.2",
    "src_mac": "xxxxxxxxxxxxxxxx",
    "src_port": 27090,
    "sum(bytes)": 12102,
    "time_taken": 31431955,
    "timestamp": "2017-06-06T14:16:13.119283Z"
}

Contributor

Hi.

Thanks for the info.
Your example is on the TCP protocol, and I'm unsure if it is possible to match an HTTP request/response to the count and time_taken in the TCP protocol, or whether there might be multiple TCP requests.

My ultimate goal is to capture the user experience as closely as possible; that's why I have deployed the UF on the workstations where the users are working. If at all possible I would rather have a log from the browser that told me how long it took to build the page, but I haven't found that yet. I can directly use the HTTP stream when SSL is not employed.

Kind regards
Lars


Splunk Employee

Do you own/operate the server that you are trying to monitor the experience of?

Have you looked at boomerang.js or some of the browser plugins that report on web performance?


Contributor

Hi mmodestino.

I do the monitoring on workstations, and do not have access to the servers.

Kind regards
Lars


Splunk Employee

OK, so a couple of things:

  1. I'll do some testing on being able to infer some semblance of experience from the HTTPS traffic... I believe that despite the traffic being encrypted I may still be able to see what I might need to get an idea of an issue based on deviation from "normal", obviously at less granularity. You can't report on URIs and what not, but you can report on general accessibility. https://docs.splunk.com/Documentation/StreamApp/7.1.0/User/StreamFieldDetails#Latency_information

  2. Depending on the config of the web server, there is an option for SSL decryption with RSA keys: https://docs.splunk.com/Documentation/StreamApp/7.1.0/DeployStreamApp/EnableSSLforStreamForwarder

  3. There are web browser plugins that can do client side web performance tracking. What browser do your users use?


Contributor

Hi mmodestino.

Our primary browser is IE 11. I have tried looking for plugins, but have so far been unsuccessful, so any hint in that direction would be great.

Kind regards

Lars


Splunk Employee

yuck, IE.

Anyway, I played with capturing the tcp traffic hitting my Splunk server, which is SSL, and I still get rtt and time_taken, so you may be able to get at least some indication of an issue if responses on the tcp ssl stream spiked... I'll have to keep digging to see if this would be worth trying...

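As an added illustration of the "deviation from normal" idea raised in the two Splunk Employee replies above (example code added here, not from the thread or from Splunk): this script reads Stream tcp events as newline-delimited JSON and flags per-destination spikes in server_rtt or time_taken, using only fields that remain visible when the payload is TLS. The sample events, their addresses and values are constructed.

```python
import json
import statistics
from collections import defaultdict

# Constructed newline-delimited JSON events, shaped like the tcp stream event
# posted earlier in the thread (only the fields used here; values invented).
SAMPLE_NDJSON = """\
{"dest_ip":"203.0.113.10","dest_port":443,"protocol_stack":"ip:tcp:ssl","server_rtt":80000,"time_taken":31000000}
{"dest_ip":"203.0.113.10","dest_port":443,"protocol_stack":"ip:tcp:ssl","server_rtt":83000,"time_taken":30500000}
{"dest_ip":"203.0.113.10","dest_port":443,"protocol_stack":"ip:tcp:ssl","server_rtt":81000,"time_taken":32000000}
{"dest_ip":"203.0.113.10","dest_port":443,"protocol_stack":"ip:tcp:ssl","server_rtt":79000,"time_taken":31500000}
{"dest_ip":"203.0.113.10","dest_port":443,"protocol_stack":"ip:tcp:ssl","server_rtt":650000,"time_taken":240000000}
{"dest_ip":"203.0.113.10","dest_port":80,"protocol_stack":"ip:tcp:http","server_rtt":900000,"time_taken":1000}
{"dest_ip":"198.51.100.7","dest_port":443,"protocol_stack":"ip:tcp:ssl","server_rtt":20000,"time_taken":5000000}
"""


def parse_tls_events(ndjson):
    """Parse NDJSON and keep only events whose protocol_stack includes ssl."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if "ssl" in ev.get("protocol_stack", "").split(":"):
            events.append(ev)
    return events


def find_spikes(events, field="server_rtt", k=3.0, min_samples=4):
    """Return (dest, value, baseline_median) for events whose `field` lies more
    than k median-absolute-deviations above that destination's median.
    MAD is used instead of stdev so a single spike does not inflate the baseline."""
    by_dest = defaultdict(list)
    for ev in events:
        by_dest[(ev["dest_ip"], ev["dest_port"])].append(ev)
    spikes = []
    for dest, evs in by_dest.items():
        vals = [ev[field] for ev in evs]
        if len(vals) < min_samples:
            continue  # too little history to call anything "normal"
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals) or 1.0  # guard zero MAD
        for ev in evs:
            if (ev[field] - med) / mad > k:
                spikes.append((dest, ev[field], med))
    return spikes
```

Against the constructed sample only the fifth 443 event is flagged; the cleartext port-80 event is ignored and the single-sample destination has no baseline yet.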