Gigamon’s vast array of security products helps thousands of customers secure and manage their hybrid cloud infrastructure. By delivering network-derived intelligence and insights directly into cloud, observability, and security platforms, Gigamon empowers organizations to gain enhanced visibility and optimize their security operations to stay ahead of cyber threats.
Gigamon’s Application Metadata Intelligence (AMI) product is one such example. It strengthens network security by extracting metadata attributes across all running applications and services to help teams rapidly identify and remediate performance bottlenecks, network security risks, quality issues, and much more.
To efficiently distribute AMI data into cloud platforms like Datadog, Splunk, and Edge Delta, Gigamon’s Application Metadata Exporter (AMX) automatically converts the CEF-formatted AMI output metadata into JSON. The reformatted data is then shipped over HTTPS directly to the desired destinations.
Edge Delta’s Gigamon Pipeline Pack is a specialized collection of processors pre-built specifically for automatically enhancing Gigamon AMI data into structured logs to fuel analysis without hassle. Our packs easily slot into your Edge Delta Telemetry Pipelines — all you need to do is export the JSON-formatted data to the associated HTTPS endpoint, route the data into the Gigamon Pack, and let it begin processing.
Edge Delta Telemetry Pipelines offer end-to-end control and visibility for all your log, metric, trace, and event data. By shifting processing left, you can strengthen insights, reduce MTTR, identify and remediate anomalies, and much more, all at a far lower cost.
In this blog post we’ll talk about how the Gigamon Pack works, the benefits you’ll get once it’s up and running, and instructions on how to get it set up within your Edge Delta environment.
How does the Gigamon Pipeline Pack Work?
The Gigamon Pack’s pre-built collection of processors is specifically designed for Gigamon data exported via AMX. The pack automatically parses and enriches the data, after which it can be easily filtered, aggregated, and analyzed within the downstream platforms of your choosing. The pack consists of a few different processing steps, each of which plays a vital role in allowing teams to use Gigamon data to ensure their networks are protected and operating smoothly.
Here’s a quick breakdown of the pack’s internals:
JSON Extraction
The pack begins by using an Edge Delta Extract JSON Field node to extract all root elements from each JSON-formatted log and properly structure the new log item being created. All logs that fail this extraction step are segmented from the rest, and are then routed through a separate pack output.
- name: split_json_array
  type: extract_json_field
  field_path: "[*]"
Data Transformation
After extraction, the pack uses an OTTL Transform Node to parse and structure attributes from within the JSON-formatted logs by:
- Decoding the log’s body field and saving it in a temporary cache
- Setting the log’s attributes to values extracted from within the cache
- name: transform
  type: ottl_transform
  statements: |-
    // Decode body
    set(cache["parsed_body"], Decode(body, "utf-8"))
    // Parse body as JSON
    set(attributes["fields"], ParseJSON(cache["parsed_body"]))
Pack Outputs
In total, there are two outputs from the Gigamon Pack:
- parsed_logs – all logs that successfully passed through extraction and transformation
- other_logs – logs that failed either extraction or transformation
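The flow described above (extraction, transformation, two outputs), modelled in Python as an added example; it is not Edge Delta's implementation. It assumes the exported payload is a JSON array of records and that an element whose body does not parse to a JSON object counts as a transformation failure; the sample field names are constructed.

```python
import json

def run_pack(raw: bytes):
    """Return (parsed_logs, other_logs) for one exported payload."""
    parsed_logs, other_logs = [], []

    # Step 1 (extract_json_field, field_path "[*]"): one log item per root element.
    try:
        root = json.loads(raw.decode("utf-8"))
        if not isinstance(root, list):
            raise ValueError("root is not a JSON array")
    except ValueError as err:  # also covers UnicodeDecodeError and JSONDecodeError
        other_logs.append({"body": raw, "stage": "extraction", "error": str(err)})
        return parsed_logs, other_logs

    for element in root:
        # Assumption: a string element becomes the body as-is; anything else is re-serialized.
        text = element if isinstance(element, str) else json.dumps(element)
        item = {"body": text.encode("utf-8"), "attributes": {}}

        # Step 2 (ottl_transform): Decode(body, "utf-8") into cache, ParseJSON into attributes.
        cache = {}
        try:
            cache["parsed_body"] = item["body"].decode("utf-8")
            fields = json.loads(cache["parsed_body"])
            if not isinstance(fields, dict):
                raise ValueError("body is not a JSON object")
        except ValueError as err:
            other_logs.append({**item, "stage": "transformation", "error": str(err)})
            continue
        item["attributes"]["fields"] = fields
        parsed_logs.append(item)
    return parsed_logs, other_logs

# Constructed sample payload; field names are illustrative, not Gigamon's AMI schema.
SAMPLE = (b'[{"app_name": "dns", "src_ip": "10.0.0.5", "dst_port": 53},'
          b' {"app_name": "ssl", "src_ip": "10.0.0.9", "dst_port": 443},'
          b' "truncated {record"]')

if __name__ == "__main__":
    parsed, other = run_pack(SAMPLE)
    print(len(parsed), "parsed,", len(other), "other")
```

Records that land in other_logs carry no attributes["fields"], so field-based searches and detections downstream will not match them; routing that output somewhere it is counted and reviewed keeps malformed or truncated exports from going unnoticed.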
Gigamon Pack in Practice
You can locate the Gigamon Pack by navigating to our list of packs, which are organized alphabetically. Once you’ve found it, select “Add to pipeline” and choose the pipeline you’d like to add it to. If you don’t already have a pipeline set up, you’ll need to create one first. Once you’ve added the Gigamon Pack to your pipeline, you can process the outbound data streams further in a variety of ways, and route them to any combination of downstream destinations. For instance, you can route all logs from the parsed_logs output into Splunk for further analysis, and send patterns derived from both the parsed_logs and other_logs outputs into Edge Delta to power our anomaly detection capabilities.
Getting Started
Ready to see it in action? Visit our pipeline sandbox to try it out for free. If you’re already a customer, simply add the Gigamon Pack to any running pipeline.