About Kentik
This article provides a basic introduction to Kentik, with answers to the following questions:
What is Kentik?
Kentik is an open, scalable platform for collecting, analyzing, and visualizing data about the health and performance of your organization's networks. Kentik covers both on-prem infrastructure (e.g. data centers) and cloud resources, correlates data from both actual traffic and synthetic testing, and provides instant answers based on both real-time and historical data.
Kentik's purpose-built data platform sets up in minutes and provides fast, simple tools that help isolate, identify, and explain unusual activity or behavior, alerting you in real time to performance issues and attacks. The Kentik portal is a Web-based user interface that allows you to run sophisticated analytics on traffic data, monitor availability with synthetic testing, and protect your network with alerts and mitigation. The Kentik platform also integrates with your own tools and systems using Kentik REST APIs.
What traffic data is collected?
Kentik utilizes two main sources of traffic data:
- Flow data: A flow is a collection of packets that traverses a physical device, such as a router, switch, or host, or a virtual device such as a VPN in a cloud resource (see Supported Device Types). The packets in a flow share certain properties including protocol and source and destination IP address (see About Flow). Flow collection varies depending on the setting:
- Data center: If a physical device is configured to enable it, flow data — in the flow protocols sFlow, IPFIX, or NetFlow (version 5 or 9) — can be collected in a cache and sent to Kentik at a specified interval.
- Cloud provider: If a virtual device (cloud resource) is configured to enable it, flow logs are published to a "bucket" in the cloud, from which they can be read by Kentik. - Metrics: Our Network Monitoring System (NMS) enables data collection from nearly any network entity that supports SNMP and/or Streaming Telemetry. Kentik NMS normalizes the collected data for consistency across dashboards, queries, and alerts regardless of the source. Our NMS implementation supports traditional use cases like detecting if a device goes down, graphing interface statistics, sending alerts, and creating dashboards, but we're also able to leverage the various other types of data we collect to perform analytics that go far deeper than generic network monitoring.
The traffic data collected by Kentik is enriched with a variety of additional data that is correlated and stored in time series flow records within the Kentik Data Engine, Kentik’s distributed back end. These data types include the following:
- SNMP (non-NMS): Used to determine interface names/descriptions and to validate flow levels (see SNMP OID Polling).
- GeoIP: Used to determine country, region, and city of flow source and destination.
- BGP: Correlated with flow data to extract source and destination AS Path and community information on a per-flow basis (see BGP Overview), enabling features such as Discover Peers.
- Host traffic data: Correlated with flow data to provide information from hosts, including URLs, DNS queries, and performance information (retransmits, fragments, etc.). See Host Traffic Dimensions and Host Traffic Metrics.
- Classification data: Information, useful for business intelligence, about the role of the interfaces through which your traffic enters and leaves the network (see Interface Classification).
- Threat feeds: Obtained daily from Spamhaus and correlated with flow data to identify source and destination hosts and IPs that have been identified as a security threat (see Threat Feed Columns).
For a more detailed look at the kinds of data we store in KDE, see Dimension Categories and Dimensions Reference.
What synthetic testing is supported?
Kentik's Synthetics workflows are easy to set up and cost effective to run. Testing is enabled by Kentik's ksynth software agent (see About Synthetics Agents), which is deployed in two contexts:
- Public agents: Accessible to all Kentik customers, the public agents that make up our Kentik Global Agent Network are located in all major Internet hubs and cloud regions (AWS, GCP, Azure, OCI, etc.).
- Private agents: Accessible only to your organization, private agents are deployed in your physical infrastructure or your cloud resources.
Ping and traceroute tests performed continuously with public and/or private agents generate key metrics (latency, jitter, and loss) that are evaluated for network health and performance. Kentik is also unique in its ability to intelligently guide synthetic testing based on patterns in your actual traffic, enabling you to focus testing resources where they can have the greatest impact. For further information see Synthetics Overview.
How is flow data collected?
Kentik can receive flow data from physical sources — routers and switches as well as hosts/servers — and resources in supported cloud providers (e.g. AWS, Azure, GCP, and OCI). Host monitoring provides enhanced debugging of performance issues because data from the host agent enables display and analysis of TCP retransmits per flow.
Flow data may come to Kentik from any of the following sources:
- Direct: From routers or switches directly to Kentik servers (see About Devices).
- Host agent: From hosts that are monitored using kprobe, Kentik’s software host agent (see Host Configuration).
- Proxy agent: From routers or switches via a locally hosted instance of kproxy, Kentik's NetFlow Proxy Agent, which can be configured to collect, munge, encrypt, and redirect both flow and SNMP.
- Cloud providers: Resources in Kentik-supported providers can be configured to generate flow logs and publish them to a bucket in a provider account, from which Kentik can access the logs via an API (see Cloud Overview).
How do I access my data?
Kentik provides three ways to access and view your stored traffic data (flow records, BGP, etc.):
- Portal: Access via the views available in the Kentik portal (UI), including the Data Explorer, Dashboards, and the Query Editor.
- APIs: Access via one of the Kentik APIs; see About Kentik APIs.
- Firehose: Supported by our ktranslate agent, Kentik Firehose enables you to integrate Kentik-enriched flow records into other (non-Kentik) analytics systems, either directly or through a data lake; see Using Kentik Firehose.
Anything else I should know?
The following resources should help you get up to speed with Kentik:
- Check the rest of this Knowledge Base for helpful information on the setup and use of Kentik. A good place to start is the Portal Overview, which covers the key features of Kentik's v4 portal.
- To get the most out of this KB:
- Take a minute to check the KB Tips, which open from the question mark icon in the KB's main navbar.
- To get around in the KB, use the main menu, which opens from the hamburger icon at the left of the main navbar, or the sidebar at left, where the selector at the top of the Contents tab shows you the articles in each of the KB's three main sections: Platform, v4 Portal, and v3 Portal (deprecated).
- At the top of the sidebar's Search tab, click on Search Tips for a quick explanation that will help you speed your searches by searching within results.
- The How-Tos library, accessed from the Contents tab, enables you to browse or search for step-by-step procedures to accomplish specific tasks. - We’re happy to answer any questions you may have about setting up and using Kentik. Learn how to contact us at Customer Support.