Agentic Analysis for NMS


This article covers how to configure and use Kentik’s AI Advisor agent to correlate NMS device configurations with real-time network performance.

AI Advisor performing an NMS device configuration analysis, highlighting changes and their impacts.


IMPORTANT: Early Access Feature

  • Status: This feature is in open Early Access. Functionality may change.

  • Requirement: Requires an active NMS device license (see Licenses).

  • Security: AI Advisor is read-only. It cannot push changes or execute write memory/commit commands (see SSH Access & Security Policy).

Overview

Unlike traditional Network Monitoring System (NMS) tools that store configurations in siloed databases, Kentik feeds device configurations directly into the Kentik portal’s AI Advisor tool. This allows the system to analyze configuration changes alongside flow data, metrics, and network topology.

The primary advantage of this agentic analysis is the ability to move beyond simple "diffs" and ask intent-based questions in natural language:

"Show me why my network performance dropped after last night's edge router change."

Key Capabilities

  • Config Monitoring and Network Intelligence: Provide visibility into how configurations impact network behavior.

  • Config Backup: Automatically scrape and store configurations from critical network devices.

  • Change Tracking: View "config diffs" over time to identify exactly what changed and when.

  • Config Search: Perform text searches across configuration history to locate specific code snippets.

Prerequisites

Before configuring AI Advisor for network device analysis, ensure your environment meets the following requirements:

  • Licensing: An active NMS Device License is required for each device you intend to monitor (see Licenses).

  • Kentik Universal Agent: You must have the latest version of the Universal Agent deployed within your infrastructure with network reachability to the target devices.

  • Connectivity: Port TCP/22 (SSH) must be open between the Universal Agent and the device management IP.

    Note: The Universal Agent must have a direct route to the device's Management IP; it does not scrape configuration data via the data plane.

  • Supported Platforms: Ensure your device OS is supported for configuration scraping:

    | Platform      | Support Level | Recommended Role     |
    |---------------|---------------|----------------------|
    | Juniper Junos | Full          | read-only class      |
    | Cisco NX-OS   | Full          | network-operator     |
    | Arista EOS    | Full          | network-operator     |
    | Cisco IOS-XE  | Full          | Parser View (Custom) |

  • Credentials: A read-only SSH user account must be configured on the device (see Configuration Examples for platform-specific templates).

SSH Access & Security Policy

Kentik brings context to your observability data by securely pulling state data via SSH.

  • Read-Only: Kentik does not request, nor want, write access to your infrastructure.

  • Zero Configuration Changes: Kentik’s features are designed to scrape config diffs and execute ad-hoc troubleshooting commands. Kentik will never execute configure terminal or commit changes.

  • Audit Trail: All activity is initiated via your local Collection Agent, ensuring every command is logged in your local AAA (TACACS+/RADIUS) systems.
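
One way to use that audit trail to confirm the read-only guarantee on your side, shown as an added example (not Kentik's code): the script scans AAA accounting records for the service account and flags any command outside a read-only allowlist or issued from a host other than the Collection Agent. The log layout, the agent address, the allowlist and the sample records are assumptions constructed for illustration.

```python
import re

SERVICE_ACCOUNT = "kentik_ro"       # account name from this page's templates
AGENT_SOURCES = {"198.51.100.5"}    # hypothetical Universal Agent address
# Assumed allowlist of what a read-only scraper needs; tune per platform.
READ_ONLY = re.compile(r"^(show|terminal (length|width))\b", re.IGNORECASE)

# Constructed accounting records, tab-separated in a tac_plus-like layout:
# time, device, user, port, source, record type, then attribute=value pairs.
SAMPLE_LOG = (
    "Dec 23 19:30:02\t192.0.2.11\tkentik_ro\ttty1\t198.51.100.5\tstop\t"
    "task_id=411\tservice=shell\tpriv-lvl=1\tcmd=show running-config <cr>\n"
    "Dec 23 19:30:09\t192.0.2.11\tkentik_ro\ttty1\t198.51.100.5\tstop\t"
    "task_id=412\tservice=shell\tpriv-lvl=1\tcmd=show ip bgp summary <cr>\n"
    "Dec 23 19:31:40\t192.0.2.12\tkentik_ro\ttty2\t198.51.100.5\tstop\t"
    "task_id=87\tservice=shell\tpriv-lvl=1\tcmd=configure terminal <cr>\n"
    "Dec 23 19:33:15\t192.0.2.11\tkentik_ro\ttty3\t203.0.113.44\tstop\t"
    "task_id=413\tservice=shell\tpriv-lvl=1\tcmd=show version <cr>\n"
    "Dec 23 19:34:01\t192.0.2.12\tnetops\ttty4\t203.0.113.44\tstop\t"
    "task_id=88\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
)

def parse(line):
    """Split one accounting record into a dict; None if it is malformed."""
    fields = line.split("\t")
    if len(fields) < 7:
        return None
    rec = {"device": fields[1], "user": fields[2], "source": fields[4]}
    rec.update(kv.split("=", 1) for kv in fields[6:] if "=" in kv)
    rec["cmd"] = rec.get("cmd", "").replace("<cr>", "").strip()
    return rec

def audit(log_text):
    """Return (reason, device, command) for each suspicious service-account record."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["user"] != SERVICE_ACCOUNT or not rec["cmd"]:
            continue
        if rec["source"] not in AGENT_SOURCES:
            findings.append(("unexpected-source", rec["device"], rec["cmd"]))
        elif not READ_ONLY.match(rec["cmd"]):
            findings.append(("non-read-only-command", rec["device"], rec["cmd"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A finding of either kind means the account's credentials or its device-side role need review, since the templates on this page should make both impossible.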

Configure SSH for Agentic Analysis

To enable AI Advisor to "see" your device’s state, navigate to the SSH tab in the Device Settings.

Configuration settings for SSH access and device diagnostics.

SSH Command Access

This section establishes the secure tunnel required for Kentik to interact with the device CLI.

  • Enable SSH command access: Toggle this ON. This is the master switch for configuration fetching and AI diagnostics.

  • Credential: Select your pre-configured SSH key or password.

  • Collection Agent: Select the Universal Agent (e.g., nomad-0) that has network reachability to the device.

  • Device Platform: Recommended setting is Autodetect. This ensures AI Advisor uses the correct syntax for the specific OS (e.g., Junos, EOS, IOS-XE).

  • SSH Hostname (or IP): The Fully Qualified Domain Name (FQDN) or IP address the agent will use to connect.

TIP: If the connection fails initially, verify that the Universal Agent has accepted the device's SSH host key or that your firewall isn't blocking the initial handshake on TCP/22.

Configuration Sync & Backup

These settings govern Change Tracking and Config Diffs, allowing you to see how your network evolves.

  • Enable device configuration sync and backup: When enabled, Kentik periodically scrapes the running config to track historical changes.

  • Fetch Interval: Determines frequency of scraping. A 5-minute interval is recommended for high-visibility environments to catch "flapping" configurations or unauthorized changes made between maintenance windows.

Device Diagnostics Commands

These settings give AI Advisor a "live" view of the device.

  • Enable Read-Only Diagnostic Commands: This empowers AI Advisor to securely run "show" commands (e.g., show ip bgp summary) to provide immediate context during troubleshooting.

    Note: These results are used for immediate context and are not shared between users.

Configuration Examples

Use these configuration snippets to create a restricted, read-only service account for Kentik.

Juniper Junos

Junos offers a native "read-only" class that is perfect for this use case. It allows the user to view configuration and interface statistics but prevents any system changes.

configure
set system login user kentik_ro class read-only
set system login user kentik_ro authentication plain-text-password
# Enter password when prompted
commit

Cisco NX-OS (Nexus)

On Nexus devices, use the built-in network-operator role. This allows full visibility into show commands but denies configuration changes.

username kentik_ro password <PASSWORD> role network-operator

Arista EOS

Similar to NX-OS, Arista provides a standard network-operator role for read-only access.

username kentik_ro secret <PASSWORD> role network-operator

Cisco IOS / IOS-XE

On classic IOS, show running-config is often a privileged command. To provide read-only access without granting full "superuser" rights, we recommend using a Parser View:

! Prerequisite: parser views require 'aaa new-model' to already be enabled
enable view
configure terminal
! 1. Create a view that allows all 'show' commands
parser view kentik-view
 secret <VIEW_PASSWORD>
 commands exec include all show
 ! specifically ensure show run is allowed
 commands exec include show running-config
 exit
! 2. Create the user and assign them to this view
username kentik_ro view kentik-view secret <USER_PASSWORD>
end

TIPS:

  • Creating a Parser View requires privilege level 15 or enable access initially to set up, even though the resulting account is read-only.

  • Alternative for environments with a central AAA server (ISE/TACACS+): create a standard user and restrict its authorization policies to deny configure terminal.

Example Results from AI Advisor

Recent configuration changes for tor301.our1.kentik.com (Device ID: 483375) have been retrieved:

Configuration Revision Summary

| Revision    | Timestamp               | Size         | Status     |
|-------------|-------------------------|--------------|------------|
| 11 (Latest) | 2025-12-23 19:34:32 UTC | 42,780 bytes | ✅ Success |
| 10          | 2025-12-15 12:40:51 UTC | 42,408 bytes | ✅ Success |
| 9           | 2025-12-15 12:35:51 UTC | 42,780 bytes | ✅ Success |
| 8           | 2025-12-14 15:55:51 UTC | 42,408 bytes | ✅ Success |
| 7           | 2025-12-14 15:50:51 UTC | 42,780 bytes | ✅ Success |

Recent Activity Analysis

The most recent change (Revision 11) occurred just moments ago:

  • When: 2025-12-23 19:34:32 UTC

  • Size Change: Increased from 42,408 to 42,780 bytes (+372 bytes)

  • Last Commit: 2025-11-18 23:47:11 UTC by user "alistair"

A pattern in the configuration sizes suggests that there may be configuration changes being applied and then reverted, or periodic updates occurring approximately every 5 minutes during certain time windows.

Key Configuration Details (from latest revision)

Device Information:

  • Model: Juniper QFX5100-48S-6Q

  • Location: iad1-dc3-5310 (Equinix DC3)

  • Junos Version: 14.1X53-D46.7

  • Serial Number: TA3718040593

  • Autonomous System: AS4200000301

Active Protocols include:

  • BGP (IPv4 and IPv6) with multiple peer groups

  • OSPF and OSPFv3

  • sFlow monitoring

  • LLDP/LLDP-MED

  • BFD for link monitoring
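
The apply-and-revert pattern noted under Recent Activity Analysis can be checked mechanically. The following added example (not Kentik's code or AI Advisor output) runs over the five revisions listed in the Configuration Revision Summary and reports revisions captured one fetch interval apart and revisions whose size returns to an earlier value. It assumes a revision is stored only when the scraped config differs, and uses size as a stand-in for content.

```python
from datetime import datetime, timedelta

# Revision number, timestamp (UTC) and size in bytes, copied from the
# Configuration Revision Summary on this page.
REVISIONS = [
    (7,  "2025-12-14 15:50:51", 42780),
    (8,  "2025-12-14 15:55:51", 42408),
    (9,  "2025-12-15 12:35:51", 42780),
    (10, "2025-12-15 12:40:51", 42408),
    (11, "2025-12-23 19:34:32", 42780),
]

def analyze(revisions, fetch_interval=timedelta(minutes=5)):
    """Flag back-to-back changes and returns to an earlier config size.

    Size equality is only a proxy for "same content" (an assumption of this
    sketch); with access to the stored configs, compare a content hash.
    """
    revs = sorted((num, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), size)
                  for num, ts, size in revisions)
    rapid, reverted = [], []
    first_seen = {}                 # size -> earliest revision with that size
    for i, (num, when, size) in enumerate(revs):
        if i > 0:
            prev_num, prev_when, prev_size = revs[i - 1]
            # Changed again by the very next scrape: candidate flap.
            if when - prev_when <= fetch_interval:
                rapid.append((prev_num, num, size - prev_size))
        if size in first_seen:
            reverted.append((num, first_seen[size]))
        first_seen.setdefault(size, num)
    return {"rapid": rapid, "reverted": reverted}

if __name__ == "__main__":
    report = analyze(REVISIONS)
    for older, newer, delta in report["rapid"]:
        print(f"rev {older} -> rev {newer}: {delta:+d} bytes within one fetch")
    for num, earlier in report["reverted"]:
        print(f"rev {num} matches the size first seen at rev {earlier}")
```

On this data every change is exactly 372 bytes in one direction or the other, which is what points to a single stanza being added and removed rather than unrelated edits.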

Example Prompts for AI Advisor

Below are categorized example prompts that demonstrate how to effectively interact with AI Advisor for network management tasks.

Collect & Store (Backups)

These prompts test if the system is successfully capturing and cataloging automated backups.

  • "When was the last successful backup for [Device Name], and were there any errors during the process?"

  • "Show me a list of all devices that haven't had a successful configuration backup in the last 24 hours."

  • "Verify the integrity of the most recent backup for the core switch in the [Location] data center."

View & Read Configs

Use these to test the chatbot's ability to parse and present specific configuration data.

  • "Show me the current running configuration for [Device Name]."

  • "Find all interfaces on [Device Name] that are currently configured with a description containing the word 'Uplink'."

  • "Extract the BGP neighbor configuration from [Device Name] and list the remote AS numbers."

Compare & Diff (Visualization)

These prompts evaluate the tool's ability to identify and explain changes between different points in time.

  • "Compare the current configuration of [Device Name] with the version from last Tuesday. What changed?"

  • "Identify any changes made to the Access Control Lists (ACLs) on [Device Name] over the last 48 hours."

  • "Summarize the impact of the configuration changes made to [Device Name] during last night's maintenance window."

AI-Powered Search & Advisor

Test the "intelligence" of the advisor by asking for analysis rather than just text matching.

  • "Search all device configurations for SSH version 1 and flag them as security violations."

  • "Based on the current configs, are there any inconsistent MTU settings across the trunk links between [Switch A] and [Switch B]?"

  • "Review the configuration for [Device Name] and suggest three hardening improvements based on NIST standards."

Find Config Snippets (Historical Search)

These test the tool's "grep-like" capabilities across your entire network history.

  • "Find all instances where the IP address 10.0.5.5 was used in a static route across the entire network history."

  • "Search for all configuration snippets related to SNMP community strings and show me which devices are still using 'public' or 'private'."

  • "Locate the last known working configuration snippet for the VLAN 100 interface on any device in the branch office."

Troubleshooting

The following topics help you troubleshoot the use of AI Advisor with NMS devices.

Why Configuration History May Be Unavailable

Configuration collection in Kentik typically requires several key components:

  • Device Configuration Backup Feature: This must be enabled in your Kentik plan to allow for configuration history tracking.

  • Proper Device Credentials: Ensure that read-only SSH/API credentials or NETCONF access is correctly configured.

  • Universal Agent Configuration: Agents need the necessary permissions to collect configurations from the devices.

  • Supported Device Types: Not all device types support configuration collection, which may limit the ability to track changes.

Alternative Ways to Track Device Changes

When configuration history isn't available via AI Advisor, you can monitor device changes through:

  • Configs Tab in Device Details: View config versions and diffs directly from the Device Details page.

  • Syslog Monitoring: Filter by device name to see configuration-related events. Look for messages such as "config commit" or "configuration changed".

  • SNMP Traps: Many devices send traps on configuration changes. Check for coldStart, warmStart, or config change traps.

  • NMS Metrics: Monitor device uptime, track component changes in hardware inventory, and watch for routing protocol changes (e.g., BGP, OSPF state changes).