
Administration

Users

In contrast to large and complex platforms such as Hortonworks, a punch platform is focused on simplicity: two files describe the whole system, pipelines are designed through configuration only, and so on.

End user

Punch helps customers start using their data by giving them a full search capability, so they can discover behaviours and patterns in their data and create dashboards to explain them. At punch, that is what we call an end user.

In concrete terms, punch provides a secured kibana.

The interface allows the end user to:

  • use the intuitive UI, with fast Lucene-backed responses, to discover data (for instance: outbound traffic, or total sales for the last month)
  • extract the result of a search in CSV or JSON
  • assemble visualisations in a dashboard to show behaviours or patterns to management.

Use an online dashboard to show the results of an investigation rather than a static image

Expert user

Usually, data is scattered everywhere, in miscellaneous formats. To make it easy to search, punch provides a declarative language to parse the data and fill the data model.

Use case: the system collects 2 types of logs (string data):

type 1: key-value format - a malware is detected

date=2018-11-02T10:41.00 ip=10.10.10.1 message=malware detected

type 2: JSON format - the firewall sees a connection from the corrupted device, probably to the internet.

{"timestamp":"1541151767","source":"10.10.10.1","deviceType":"firewall","event":"traffic allowed"}

Analysis:

From the raw data, it is easy for a human to understand and correlate these two events: the system has a security breach.

But in a big data context, it is impossible to navigate all the data by hand. Expert users often use queries to select events or discard noise, and on raw data it is extremely complex to write an efficient query. That's why we use punch:

type 1: parsed and normalized:

{
    "alarm": {
        "name": "malware detected"
    },
    "init":{
        "host":{
            "ip": "10.10.10.1"
        }
    },
    "obs":{
        "ts":"2018.11.02T10.41.00.000Z"
    },
    "type": "nids"
}

type 2: parsed and normalized

{
    "alarm": {
        "name": "traffic allowed"
    },
    "init":{
        "host":{
            "ip": "10.10.10.1"
        }
    },
    "obs":{
        "ts":"2018.11.02T10.41.01.000Z"
    },
    "type": "fw"
}

Now, it's simple to ask: "give me all events from init.host.ip 10.10.10.1 on 2018.11.02". Then we can see the malware infection, followed by the propagation of the virus.
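As an added illustration (plain Python, not punch's own declarative parsing language), the block below normalizes the two raw lines of the use case into the data model shown above and then runs the host/day question. The field mapping (message or event to alarm.name, ip or source to init.host.ip) is an assumption, and the epoch timestamp is converted to UTC.

```python
import json
from datetime import datetime, timezone

# Constructed sample inputs: the two raw log lines from the use case above.
RAW_KV = "date=2018-11-02T10:41.00 ip=10.10.10.1 message=malware detected"
RAW_JSON = '{"timestamp":"1541151767","source":"10.10.10.1","deviceType":"firewall","event":"traffic allowed"}'

TS_FMT = "%Y.%m.%dT%H.%M.%S.000Z"  # obs.ts format of the normalized model


def parse_kv(line):
    """Parse 'k=v k=v ...'; a value runs until the next 'key=' token, so spaces inside values survive."""
    fields, key = {}, None
    for tok in line.split(" "):
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif key is not None:
            fields[key] += " " + tok  # continuation of a value containing spaces
    return fields


def normalize(raw):
    """Map either raw format onto the common model: alarm.name, init.host.ip, obs.ts, type.
    The mapping of source fields is an assumption made for this illustration."""
    if raw.lstrip().startswith("{"):
        f = json.loads(raw)
        ts = datetime.fromtimestamp(int(f["timestamp"]), tz=timezone.utc)
        name, ip, kind = f["event"], f["source"], "fw"
    else:
        f = parse_kv(raw)
        ts = datetime.strptime(f["date"], "%Y-%m-%dT%H:%M.%S").replace(tzinfo=timezone.utc)
        name, ip, kind = f["message"], f["ip"], "nids"
    return {"alarm": {"name": name}, "init": {"host": {"ip": ip}},
            "obs": {"ts": ts.strftime(TS_FMT)}, "type": kind}


def events_for_host(events, ip, day):
    """The question from the text: all events from init.host.ip on a given day, in time order."""
    hits = [e for e in events
            if e["init"]["host"]["ip"] == ip and e["obs"]["ts"].startswith(day)]
    return sorted(hits, key=lambda e: e["obs"]["ts"])


if __name__ == "__main__":
    events = [normalize(RAW_KV), normalize(RAW_JSON)]
    for e in events_for_host(events, "10.10.10.1", "2018.11.02"):
        print(e["obs"]["ts"], e["type"], e["alarm"]["name"])
```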

To conclude:

This short tutorial shows the role of the expert user. He has to adapt existing configurations and build new ones to improve data navigability.

Administrator user

The administrator is responsible for:

  • keeping the system up.
  • doing the capacity planning.
  • performing patching and non-critical migrations.
  • raising tickets to the punch help desk.

Actions

The following lists present the different actions, by role, that can be executed on the punch platform:

End user actions

  • connect to kibana from external network
  • make a query through kibana
  • create visualisations
  • assemble a dashboard

Expert user actions

  • connect to advanced kibana from the external or internal network
  • access through ssh to operator environment from internal network
  • start or stop a processing pipeline (channel)
  • start or stop an administration task (service)
  • design and run a batch processing job (pml job)
  • update a processing function (punchlet)
  • update configuration for a given tenant

Administrator user actions

  • connect to operator environment from internal network
  • connect to all devices with sudoers account from internal network

Software architecture

On punch there are two main ways to access the platform:

  • HTTP/HTTPS to kibana (normal or advanced)
  • SSH (operator environment or all devices)

End user access

[Diagram: End user]

Expert user access

[Diagram: Expert user]

We can also provide an expert user without ssh access, for a Log Management as a Service approach.

Administrator user access

[Diagram: Administrator user]

Features

Multi tenant by design

To share costs and leverage the search capabilities, punch is designed to be multi-tenant:

  • the centralized configuration store keeps all configuration in a per-tenant directory.
  • punch uses a multi-tenant application stack, so tenants are logically separated (a kafka topic per tenant, an elasticsearch index per tenant, storm topologies per tenant).

For consultation:

  • punch dedicates a kibana instance to each tenant
  • punch has developed an applicative firewall (WAF) to isolate each tenant's kibana access to elasticsearch from the other tenants. More details in the Data protection section.

Quick patching

The security level of a platform depends on the ability to patch vulnerabilities quickly.

Punch provides an efficient way to manage vulnerabilities by patching the platform. Here are the helpful how-to procedures: