...
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as ddi.infoblox. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Infoblox solutions | ddi.infoblox.audit.httpd, ddi.infoblox.dns.dtc, ddi.infoblox.audit.serial_console, ddi.infoblox.dns.config, ddi.infoblox.dns.resolver, ddi.infoblox.dns.database, ddi.infoblox.dns.queries, ddi.infoblox.dns.infoblox-responses, ddi.infoblox.dns.query-errors, ddi.infoblox.unknown.unknown | ddi.infoblox |
Infoblox solutions | | ddi.infoblox.audit |
Infoblox solutions | ddi.infoblox.audit.httpd | ddi.infoblox.audit.httpd |
Infoblox solutions | ddi.infoblox.audit.serial_console | ddi.infoblox.audit.serial_console |
Infoblox solutions | ddi.infoblox.audit.sshd | ddi.infoblox.audit.sshd |
Infoblox solutions | ddi.infoblox.dhcp.validate_dhcpd | ddi.infoblox.dhcp |
Infoblox solutions | ddi.infoblox.dhcp.dhcpd | ddi.infoblox.dhcp.dhcpd |
Infoblox solutions | ddi.infoblox.dhcp.validate_dhcpd | ddi.infoblox.dhcp.validate_dhcpd |
Infoblox solutions | ddi.infoblox.dns.dtc, ddi.infoblox.dns.config, ddi.infoblox.dns.database, ddi.infoblox.dns.resolver, ddi.infoblox.dns.query-errors, ddi.infoblox.dns.queries, ddi.infoblox.dns.infoblox-responses | ddi.infoblox.dns |
Infoblox solutions | ddi.infoblox.dns.client | ddi.infoblox.dns.client |
Infoblox solutions | ddi.infoblox.dns.config | ddi.infoblox.dns.config |
Infoblox solutions | ddi.infoblox.dns.database | ddi.infoblox.dns.database |
Infoblox solutions | ddi.infoblox.dns.dtc | ddi.infoblox.dns.dtc |
Infoblox solutions | ddi.infoblox.dns.general | ddi.infoblox.dns.general |
Infoblox solutions | ddi.infoblox.dns.infoblox-responses | ddi.infoblox.dns.infobloxResponses |
Infoblox solutions | ddi.infoblox.dns.lame-servers | ddi.infoblox.dns.lameServers |
Infoblox solutions | ddi.infoblox.dns.network | ddi.infoblox.dns.network |
Infoblox solutions | ddi.infoblox.dns.notify | ddi.infoblox.dns.notify |
Infoblox solutions | ddi.infoblox.dns.queries | ddi.infoblox.dns.queries |
Infoblox solutions | ddi.infoblox.dns.queries_responses | ddi.infoblox.dns.queries_responses (union table, see the note below) |
Infoblox solutions | ddi.infoblox.dns.queryErrors | ddi.infoblox.dns.queryErrors |
Infoblox solutions | ddi.infoblox.dns.rate-limit | ddi.infoblox.dns.rateLimit |
Infoblox solutions | ddi.infoblox.dns.resolver | ddi.infoblox.dns.resolver |
Infoblox solutions | ddi.infoblox.dns.rpz | ddi.infoblox.dns.rpz |
Infoblox solutions | ddi.infoblox.dns.security | ddi.infoblox.dns.security |
Infoblox solutions | ddi.infoblox.dns.unknown | ddi.infoblox.dns.unknown |
Infoblox solutions | ddi.infoblox.dns.update | ddi.infoblox.dns.update |
Infoblox solutions | ddi.infoblox.dns.update-security | ddi.infoblox.dns.updateSecurity |
Infoblox solutions | ddi.infoblox.dns.xfer-in | ddi.infoblox.dns.xferIn |
Infoblox solutions | ddi.infoblox.dns.xfer-out | ddi.infoblox.dns.xferOut |
Infoblox solutions | monitor | ddi.infoblox.nios |
Infoblox solutions | ddi.infoblox.nios.monitor | ddi.infoblox.nios.monitor |
Infoblox solutions | ddi.infoblox.nios.ntpd | ddi.infoblox.nios.ntpd |
Infoblox solutions | ddi.infoblox.nios.ntpdate | ddi.infoblox.nios.ntpdate |
Infoblox solutions | ddi.infoblox.nios.rabbitmq_control | ddi.infoblox.nios.rabbitmq_control |
Infoblox solutions | ddi.infoblox.nios.syslog-ng | ddi.infoblox.nios.syslogNg |
Infoblox solutions | ddi.infoblox.unknown.unknown | ddi.infoblox.unknown.unknown |

Note |
---|
Union table: ddi.infoblox.dns.queries_responses is a union table that collects events from a set of tables for easy access and analysis. Learn more about this union table in this article. |
How is the data sent to Devo?
Set up the Devo relay rules
...
Relay rule names for each Infoblox DNS logging category:

Infoblox DNS Logging Categories | DDI Infoblox - DNS Categories | DDI Infoblox - DNS Category DTC 1 | DDI Infoblox - DNS Category DTC 2 | DDI Infoblox - unknown DNS Categories |
---|---|---|---|---|
general | ✓ | | | |
client | ✓ | | | |
config | ✓ | | | |
database | ✓ | | | |
dnssec | | | | ✓ |
lame servers | ✓ | | | |
network | ✓ | | | |
notify | ✓ | | | |
queries | ✓ | | | |
rate-limit | ✓ | | | |
resolver | ✓ | | | |
responses | ✓ | | | |
rpz | ✓ | | | |
security | ✓ | | | |
transfer-in | ✓ | | | |
transfer-out | ✓ | | | |
update | ✓ | | | |
update-security | ✓ | | | |
DTC load balancing | | | ✓ | |
DTC health monitors | | ✓ | | |
Rules:

Rule | Source Port | Source data | Target Tag | Sent without syslog tag | Is Prefix | Stop processing |
---|---|---|---|---|---|---|
DDI Infoblox - DNS Categories | Customer source port, for example 13004 | ^.*named\[\d*\]:\s+([\S]+): | ddi.infoblox.dns.\\d1 | True | False (by default) | True |
DDI Infoblox - DNS Category DTC 2 | Customer source port, for example 13004 | ^named\[\d*\]:\s+request\s | ddi.infoblox.dns.dtc | True | False (by default) | True |
DDI Infoblox - unknown DNS Categories | Customer source port, for example 13004 | ^(?:import_)?named\[\d*\] | ddi.infoblox.dns.unknown | True | False (by default) | True |
DDI Infoblox - DNS Category DTC 1 | Customer source port, for example 13004 | ^idns_health | ddi.infoblox.dns.dtc | True | False (by default) | True |
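The four DNS relay rules above, replayed in Python over constructed sample messages to show which target tag each line receives and which lines fall through to ddi.infoblox.dns.unknown. This is an added example, not Devo's relay code; it assumes the rules are tried in the order listed, that the first match wins because Stop processing is True, and that `\\d1` inserts the first capture group of Source data.

```python
import re
from collections import Counter

# The four relay rules from this page, kept in the order the page lists them.
# Assumptions: rules are tried in this order, the first match wins because
# "Stop processing" is True, and "{1}" stands in for the \\d1 reference to the
# first capture group of "Source data".
RULES = [
    ("DDI Infoblox - DNS Categories",
     r"^.*named\[\d*\]:\s+([\S]+):", "ddi.infoblox.dns.{1}"),
    ("DDI Infoblox - DNS Category DTC 2",
     r"^named\[\d*\]:\s+request\s", "ddi.infoblox.dns.dtc"),
    ("DDI Infoblox - unknown DNS Categories",
     r"^(?:import_)?named\[\d*\]", "ddi.infoblox.dns.unknown"),
    ("DDI Infoblox - DNS Category DTC 1",
     r"^idns_health", "ddi.infoblox.dns.dtc"),
]
COMPILED = [(name, re.compile(rx), tag) for name, rx, tag in RULES]


def route(line):
    """Return (rule name, target tag) for the first rule that matches, or None."""
    for name, rx, tag in COMPILED:
        m = rx.search(line)
        if m:
            if "{1}" in tag:
                tag = tag.replace("{1}", m.group(1))  # category becomes level 4
            return name, tag
    return None  # none of the DNS rules on this page matches the line


def summarize(lines):
    """Count events per target tag so a growing dns.unknown share is visible."""
    hits = (route(line) for line in lines)
    return Counter(hit[1] if hit else "unrouted" for hit in hits)


# Constructed sample messages (syslog header already stripped), not real logs.
SAMPLE = [
    "named[2101]: queries: info: client 10.0.0.5#53124: query: example.com IN A",
    "named[2101]: update-security: error: client 10.0.0.9#40211: update denied",
    "named[2101]: request www.example.com from 10.0.0.7 answered by pool p1",
    "named[2101]: client 10.0.0.5#53124 (example.com): query: example.com IN A",
    "import_named[77]: loading zone data",
    "idns_healthd[912]: health check for server s1 failed",
    "dhcpd[300]: DHCPACK on 10.0.0.20 to 00:11:22:33:44:55 via eth1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(route(line), "<-", line)
    print(summarize(SAMPLE))
```

The fourth sample line has no `category:` token directly after `named[pid]:`, so the first rule cannot capture a subtype and the event is tagged ddi.infoblox.dns.unknown.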
...
Select Data Management tab
Select the DNS tab
Click Grid DNS Properties from the Toolbar
Enable the Advanced Mode by clicking “Toggle Expert Mode” if the editor is in basic mode.
Select the Logging tab
Select the Logging Categories you would like to send to Devo.
Save & Close
Note |
---|
Enabling some logging categories can increase disk space usage and adversely affect DNS services and performance. Check with Infoblox whether it is recommended that you log some of these categories. |
...
After saving the changes, you may be prompted to restart the DNS service for the changes to take effect.
...
ddi.infoblox
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | timestamp | | |
type | str | vtype | |
subtype | str | vsubtype | |
hostname | str | | |
server | str | | |
pid | int4 | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | ✓ |

ddi.infoblox.audit
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | timestamp | | |
hostname | str | | |
subtype | str | vsubtype | |
server | str | | |
pid | int4 | | |
serverdate | timestamp | | |
admin_user | str | | |
action | str | | |
object_type | str | | |
object_name | str | | |
message | str | | |
srcIp | ip4 | | |
to | str | | |
auth | str | | |
admin_group | str | | |
apparently_via | str | | |
info | str | | |
trigger_event | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | ✓ |

ddi.infoblox.audit.httpd
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
serverdate | timestamp | |
admin_user | str | |
action | str | |
object_type | str | |
object_name | str | |
message | str | |
srcIp | ip4 | |
to | str | |
auth | str | |
admin_group | str | |
apparently_via | str | |
info | str | |
trigger_event | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.audit.serial_console
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
serverdate | timestamp | |
admin_user | str | |
action | str | |
object_type | str | |
object_name | str | |
message | str | |
srcIp | ip4 | |
to | str | |
auth | str | |
admin_group | str | |
apparently_via | str | |
info | str | |
trigger_event | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.audit.sshd
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dhcp
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | timestamp | | |
hostname | str | | |
subtype | str | vsubtype | |
server | str | | |
pid | int4 | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | ✓ |

ddi.infoblox.dhcp.dhcpd
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | timestamp | | | |
hostname | str | | | |
server | str | | | |
pid | int4 | | | |
message_type | str | | | |
toAddress | str | | | |
toDeviceId | str | | | |
fromAddress | str | | | |
fromDeviceId | str | | | |
ofAddress | str | | | |
ofDeviceId | str | | | |
onAddress | str | | | |
onDeviceId | str | | | |
forAddress | str | | | |
forDeviceId | str | | | |
via | str | | | |
viaDeviceId | str | | | |
TransID | str | | | |
network | str | | | |
uid | str | | | |
message | str | | | |
leaseIpAddress | str | ifthenelse(message_type in set(["DHCPACK", "DHCPOFFER", "BOOTREPLY", "DHCPEXPIRE", "RELEASE"]), ifthenelse(isnull(onAddress), toAddress, onAddress), null) | onAddress, toAddress, message_type | |
leaseHardwareAddress | str | ifthenelse(message_type in set(["DHCPACK", "DHCPOFFER", "BOOTREPLY", "DHCPEXPIRE", "RELEASE"]), ifthenelse(isnull(onAddress), toDeviceId, toAddress), null) | toDeviceId, onAddress, toAddress, message_type | |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
rawMessage | str | | | ✓ |

ddi.infoblox.dhcp.validate_dhcpd
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | timestamp | | |
subtype | str | vsubtype | |
hostname | str | | |
server | str | | |
pid | int4 | | |
ib_category | str | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | ✓ |

ddi.infoblox.dns.client
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
action | str | |
name_blacklist | str | |
query_name | str | |
client_ip | ip4 | |
client_object | str | |
port | int4 | |
dns_client_signer | str | |
dns_view | str | |
info | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.config
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.database
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.dtc
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.general
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
quota_used | int8 | |
quota_max | int8 | |
quota_soft_limits | int8 | |
quota_s_over | int8 | |
quota_hard_limit | int8 | |
quota_h_over | int8 | |
quota_low_pri | int8 | |
dns_view | str | |
dns_view_size | int8 | |
dns_view_hits | int8 | |
dns_view_misses | int8 | |
zone_name | str | |
zone_message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.infobloxResponses
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
serverdate | timestamp | |
client_ip | str | |
port | int4 | |
dns_client_signer | str | |
query_name | str | |
dns_view | str | |
protocol | str | |
class | str | |
type | str | |
response_info | str | |
rcode | str | |
flags | str | |
recursion | bool | |
authoritative_answer | bool | |
truncated_response | bool | |
edns_opt_record | bool | |
dnssec | bool | |
dnssec_records_validated | bool | |
dtc_synthetic_record | bool | |
rr_text | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.lameServers
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
action | str | |
query_name | str | |
type | str | |
class | str | |
client_ip | ip4 | |
port | int4 | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.network
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
client_ip | ip4 | |
port | int4 | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.notify
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
zone | str | |
class | str | |
info | str | |
serial | int8 | |
client_object | str | |
client_ip | ip4 | |
port | int4 | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.queries
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
client_object | str | |
client_ip | str | |
port | int4 | |
dns_client_signer | str | |
query_name | str | |
dns_view | str | |
query | str | |
class | str | |
type | str | |
flags | str | |
recursion_desired | bool | |
query_signed | bool | |
edns | bool | |
edns_version | int4 | |
tcp | bool | |
dnssec | bool | |
checking_disabled | bool | |
valid_dns_server_cookie_rcv | bool | |
dns_cookie_without_valid_server_cookie | bool | |
dnsServer | ip4 | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.queryErrors
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
client_object | str | |
client_ip | str | |
port | int4 | |
dns_client_signer | str | |
query_name | str | |
dns_view | str | |
info_error | str | |
error | str | |
action | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.rateLimit
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
client_object | str | |
client_ip | ip4 | |
port | int4 | |
dns_client_signer | str | |
query_name | str | |
dns_view | str | |
info | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.resolver
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.rpz
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
action | str | |
zone | str | |
qname_entries | int4 | |
nsdname_entries | int4 | |
ip_entries | int4 | |
nsip_entries | int4 | |
clientip_entries | int4 | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.security
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
client_object | str | |
client_ip | str | |
port | int4 | |
dns_client_signer | str | |
query_name | str | |
dns_view | str | |
security_info | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.unknown
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.update
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
client_object | str | |
client_ip | str | |
port | int4 | |
dns_client_signer | str | |
zone | str | |
dns_view | str | |
action | str | |
update_info | str | |
rr_action | str | |
record | str | |
type | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.updateSecurity
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
client_object | str | |
client_ip | str | |
port | int4 | |
dns_client_signer | str | |
zone | str | |
dns_view | str | |
update_info | str | |
action | str | |
class | str | |
permission | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.xferIn
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
zone | str | |
class | str | |
client_ip | str | |
port | int4 | |
transfer_info | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.dns.xferOut
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
ib_category | str | |
message | str | |
client_object | str | |
client_ip | str | |
port | int4 | |
dns_client_signer | str | |
dns_view | str | |
action | str | |
zone | str | |
class | str | |
transfer_info | str | |
type | str | |
transfer_status | str | |
since_serial | int8 | |
serial | int8 | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.nios
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | timestamp | | |
hostname | str | | |
subtype | str | vsubtype | |
server | str | | |
pid | int4 | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | ✓ |

ddi.infoblox.nios.monitor
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.nios.ntpd
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.nios.ntpdate
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.nios.rabbitmq_control
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.nios.syslogNg
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |

ddi.infoblox.unknown.unknown
Field | Type | Extra fields |
---|---|---|
eventdate | timestamp | |
hostname | str | |
server | str | |
pid | int4 | |
message | str | |
hostchain | str | ✓ |
tag | str | ✓ |
rawMessage | str | ✓ |