What You Need to Know About Hyperconvergence Monitoring
Every systems administrator knows that Security Information and Event Management (SIEM) is the cornerstone of IT. Without monitoring, alerting and analytics, even modest IT deployments can quickly get out of hand. Hyperconverged infrastructure (HCI) is something of a black box, and this can create complications.
While there are many SIEM solutions available, all follow a basic pattern. Log files are captured, warehoused centrally, and analysis is then performed on them. Alerts, reports, pretty charts, and/or Network Operations Center (NOC) dashboards are created from the analyses.
The Black Box Problem
HCI solutions collapse storage, compute and sometimes networking into a single solution. While some HCI solutions offer verbose logs and are quite transparent about what’s going on under the hood, this isn’t a common approach.
Some HCI solutions are highly automated infrastructure black boxes where the vendors in question have put a significant amount of effort into creating self-healing solutions. Here, one could expect to find HCI solutions that are internally highly instrumented, with highly sophisticated internal monitoring and automation intelligence.
Some HCI vendors have solutions that monitor and analyze hundreds or even thousands of parameters to ensure that everything is working as intended, but make almost none of this information available to the administrator directly. Administrators can expect to receive an e-mail if a disk needs replacing, or if a network link drops, but the level of insight most SIEM solutions expect may not be available.
Most HCI solutions are somewhere between the two extremes of infrastructure visibility. Frequently offered is the ability to send logs to a syslog sink. This gives SIEM solutions the ability to collect at least some log information, even if full access to the host logs isn’t made available by that HCI solution.
HCI solutions should all expose enough information that a SIEM solution will be able to generate an alert if a disk needs replacing, a host in a cluster has gone down, or there’s something wrong with an HCI node’s networking. If nothing else, the HCI solution’s native alerting features can be set up to send e-mail alerts to a mailbox monitored by the organization’s preferred SIEM solution.
Instrumentation visibility is one place that HCI vendors can truly set themselves apart in what has become a crowded and competitive market.
Much of the value that SIEM solutions bring to the table, however, is their ability to correlate log information and assist with root cause analysis. SIEM solutions will look at logs from the applications that make up a workload, Operating System Environments (OSEs), and various pieces of the underlying infrastructure.
When a web server starts to show performance issues, the ability to point to, for example, a storage array as the root cause saves a lot of trouble. But with many HCI solutions, the deeper analytics of SIEM solutions won’t be much help. The SIEM solutions just won’t have enough visibility into the nuts and bolts of various performance indicators to help determine what’s causing problems.
Unique Selling Point
Instrumentation visibility is one place that HCI vendors can truly set themselves apart in what has become a crowded and competitive market. Organizations considering HCI should at a minimum look for the ability to send logs to a syslog sink. Ideally, logging and diagnostic information should be made available via a REST API for more nuanced consumption.
The key differentiator between HCI vendors regarding instrumentation is the availability of performance data. Many HCI vendors have built their own monitoring and analytics solutions into their HCI offering. Integrating these capabilities makes up a significant portion of their market differentiation.
If an organization has a small number of clusters, or plans to observe and manage their infrastructure entirely from within the HCI solution’s interface, integrated reporting and analytics are fantastic. Many organizations don’t have robust SIEM solutions in place, and having this built in to one’s HCI provides a basic SIEM offering that is absolutely better than nothing.
On a larger scale, however, this approach is problematic. Organizations implement SIEM solutions to gain visibility into all of their IT, not just HCI. From switches to OSEs, from applications to hypervisors, administrators need to see what’s working and what’s not at a glance. This is where NOC dashboards usually come into play.
As always, having a long conversation with proposed HCI vendors is a good idea before deciding on which HCI solution to choose. Access to both state and performance data should be a key question, especially for organizations planning to do HCI at scale.