9.5. Analytics Data Lake Description

In this section, we will examine the data fields contained within different index-patterns. The available index-patterns for analysis are as follows:

• “bro-*”: Shows all the events captured by the ON Sensor.

• “identities”: When anonymization is activated in Logstash, the relation between the hash and the value is found in this index.

• “opennac-*”: Shows all the events for the user devices that can be enriched with OpenNAC Enterprise. That means that we have the MAC.

• “opennac_captive-*”: Shows all the events on the Captive Portal.

• “opennac_macport-*”: Shows all the macport events.

• “opennac_nd”: Shows the last event for the network devices.

• “opennac_nd-*”: Shows all the events for the network devices.

• “opennac_ud”: Shows the last event for the user devices that can be enriched with OpenNAC Enterprise, that means that we have the MAC.

• “radius-*”: Shows all the RADIUS events.

• “misc-*”: Shows all the logs that don’t match with the other index. This index should not have many logs. If it is not like that, contact your administrator.

• “external_syslog-*”: Shows the network events sended by the network devices.

• “third_party_vpn”: Shows all the events related to the Third Party VPN use case.

• “vpngw-*”: Shows all the events related with VPNGW module.

• 9.5.1. bro-*
• 9.5.2. identities
• 9.5.3. opennac-*
• 9.5.4. opennac_captive-*
• 9.5.5. opennac_macport-*
• 9.5.6. opennac_nd
• 9.5.7. opennac_nd-*
• 9.5.8. opennac_ud
• 9.5.9. radius-*
• 9.5.10. misc-*
• 9.5.11. external_syslog-*
• 9.5.12. third_party_vpn-*
• 9.5.13. vpngw-*