High level overview

Introduction

This document provides comprehensive information about the introduction and concepts around the Nexthink Event Connector, its high-level architecture and use cases.

The information contained herein is subject to change without notice and is not warranted to be error-free.

If you find any errors, please report them to us via the Nexthink support portal. This document is intended for readers with a detailed understanding of Nexthink technology.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Nexthink Event Connector

Concepts and Architecture

The purpose of the Nexthink Event Connector is to transform Nexthink data into meaningful events that will then be populated and utilized in a third-party application like ServiceNow, Splunk or Azure Data Lake Storage Gen2.

Integration with Splunk

Splunk allows digestion of high-frequency events with a high level of granularity, giving it the ability to populate many events in a short amount of time. The data is then visualized and correlated with other sources via dashboards.

Below is an example of a dashboard in Splunk that has been populated with events from Nexthink Data.

Integration with ServiceNow

The integration with ServiceNow is intended to send only those meaningful events that will require an action from the Service Desk, usually via the automatic creation of an Alert that will be transformed into an Incident or to a Problem, based on certain ServiceNow rules.

Below is an example of events received by ServiceNow from Nexthink.

Integration with Azure Data Lake Storage Gen2

The integration with Azure Data Lake Storage Gen2 is intended to export the configured Event Connector events to the Azure Data Lake as CSV files that can be consumed from external sources (for example, Microsoft Power BI).

Below is an example of events received by Azure Data Lake from Nexthink.

Concepts

  • Event: A predefined and meaningful occurrence or change of state in a device or user which is configured in the Event Connector to be reported in a third-party application with a certain frequency. Events are recorded by the Nexthink Engines and exported by the Event Connector using Web API queries. These events are then mapped and exported to the third-party APIs.

  • Event Management: The process responsible for managing events throughout their lifecycle. Event management is one of the main activities of IT operations. It is a way to consolidate all events/alerts from disparate monitoring systems in one place to give you more information while reducing noise for your teams. Not all events should become an alert and not all alerts should become incidents.

  • Incident: An unplanned interruption to an IT service or reduction in the quality of an IT service. Failure of a configuration item that has not yet affected service is also an incident.

  • Mapping: This is a configuration section in the Event Connector where the name of the fields in the NQXL data model is translated into the names in the third party API, either Splunk HTTP Event Collector or ServiceNow Event Management API.

  • Frequency: The frequency is the time window in which the times of an event will be checked. It always falls behind the Connector’s execution time. The Engine takes several minutes to update its data, which is the reason behind the delay type of time. The frequency will always fall behind the delay so that the next Connector’s execution can grab an event time that would otherwise be missed.

General architecture

The Event Connector is an extra component of the Nexthink core product with the goal of adding Nexthink intelligence into ServiceNow or Splunk instances.

Please note that running the Event Coordinator in a separate appliance rather than in the Nexthink Portal or Engines is recommended.

Event modes

  1. Punctual: This is a one-time event, for example, an Outlook crash.

  2. Listing: This type of event is intended to list any type of object (devices, connections, events, etc.). Its main purpose is reporting/inventory– it is the most common event used in Splunk.

  3. Listing advanced: This is very similar to the Listing event, but intended to list all events. As there are several updates for the given event, more processing is required.

Long-lasting (Splunk only): this is a durable event, one that lasts through a given period of time. The connector will report a start event and subsequent updates, for example, a situation in which a device is experimenting with high memory consumption. Multiple updates for a given event may slow down performance.

Event types

Device Errors

These are errors that directly impact the device’s hardware or OS which requires quick IT attention. Often critical, these errors prevent the user from working properly.

Examples:

  • System Crash (BSOD, Blue Screen of the Death)

  • Hard reset

  • SMART disk failure

  • Long Log-on times

  • Device boot

Execution Errors

These are errors where application and productivity tools crash or are non-responsive. They tend to create significant employee frustrations and can be business-critical.

  • Frozen applications, such as Office 365 being non-responsive

  • Crashes, such as an Outlook crash

  • Long-lasting executions

Device Warnings

These are warnings about the state of the device and activities that can lead to future issues. They are early symptoms of issues that will soon impact employees.

  • High CPU usage

  • High memory usage

  • High IO usage

  • High number of page faults

Software metering

This is Real-time monitoring of either all or selected applications running on the computers.

  • Software installation

  • Software uninstallation

Connections monitoring

  • Failed connections such as Teams not connecting

  • Established connections

  • Failed web requests, such as a web browser not loading

  • Established web requests

  • Port scan

Use cases

  1. Business Services real-time status: One place for all the information needed to proactively monitor your business services.

  2. Compliance: Ensures your endpoints respect IT standards and best practices are followed to minimize risk to your infrastructure.

  3. Event Management and Incident Management: Events get reported, and rule configuration in ServiceNow enables the creation of incidents and problems.

  4. Change management: Offers a more accurate impact analysis utilizing actual service usage information which will allow you to plan better and follow up on changes.

Limitations

The Event Connector can be installed to populate ServiceNow, Splunk services or Azure Data Lake Storage Gen2, although not all simultaneously. Three installations are required if all are desired.

Support

Nexthink provides support for the application following the terms and conditions of the Support and Maintenance Agreement applicable between the customer and Nexthink. If you have any questions, please contact us via the Nexthink support portal.

Last updated