Page Comparison

Introduction

The tags beginning with ddi.infoblox identify events generated by Infoblox.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed asddi.infoblox. The third level identifies the type of events sent, and the fourth level indicates the event subtype. 

...

Technology

...

Brand

...

Type

...

Subtype

...

ddi

...

infoblox

• audit

...

• serialconsole

• sshd

• httpd

...

• dhcp

...

• dhcpd

• validate_dhcpd

...

• dns

...

• general

• client

• config

• dtc

• lameServers

• network

• notify

• queries

• rateLimit

• resolver

• infobloxResponses

• rpz

• security

• xferIn

• xferOut

• unknown

• update

• updateSecurity

...

• nios

...

• ntp

• ntpdate

• monitor

• syslogNg

• rabbitmq_control

These are the valid tags and corresponding data tables that will receive the parsers' data:

...

Tag

...

Data table

...

ddi.infoblox.audit.serialconsole

...

ddi.infoblox.audit.serialconsole

...

ddi.infoblox.audit.sshd

...

These are the valid tags and corresponding data tables that will receive the parsers' data:

Infoblox DNS Logging Categories

Relay rule names

DDI Infoblox - DNS Categories

DDI Infoblox - DNS Category DTC 1

DDI Infoblox - DNS Category DTC 2

DDI Infoblox - unknown DNS Categories

general

✓

client

✓

config

✓

database

✓

dnssec

✓

lame servers

✓

network

✓

notify

✓

queries

✓

rate-limit

✓

resolver

✓

responses

✓

rpz

✓

security

✓

transfer-in

✓

transfer-out

✓

update

✓

update-security

✓

DTC load balancing

✓

DTC health monitors

✓

Rules

Relay screenshot

DDI Infoblox - DNS Categories

• Source Port → Customer source port, for example 13004

• Source data → ^.named[\d]:\s+([\S]+):

• Target Tag → ddi.infoblox.dns.\\d1

• Sent without syslog tag → True

• Is Prefix → False (by default)

• Stop processing → True

Image Removed

Product / Service	Tags	Data tables
Infoblox solutions	ddi.infoblox.audit.httpd ddi.infoblox.dns.dtc ddi.infoblox.audit.serial_console ddi.infoblox.dns.config ddi.infoblox.dns.resolver ddi.infoblox.dns.database ddi.infoblox.dns.queries ddi.infoblox.dns.infoblox-responses ddi.infoblox.dns.query-errors ddi.infoblox.unknown.unknown	ddi.infoblox
	ddi.infoblox.audit.httpd ddi.infoblox.audit. httpd serial_console ddi.infoblox. dhcp audit. dhcpd sshd	ddi.infoblox.dhcp.dhcpdaudit
	ddi.infoblox.dhcpaudit.validate_dhcpdhttpd	ddi.infoblox.dhcpaudit.validate_dhcpdhttpd
	ddi.infoblox.dnsaudit.generalserial_console	ddi.infoblox.dnsaudit.generalserial_console
	ddi.infoblox.dnsaudit.clientsshd	ddi.infoblox.dnsaudit.clientsshd
	ddi.infoblox.dnsdhcp.configvalidate_dhcpd	ddi.infoblox.dns.configdhcp
	ddi.infoblox.dnsdhcp.databasedhcpd	ddi.infoblox.dnsdhcp.databasedhcpd
	ddi.infoblox.dnsdhcp.dtcvalidate_dhcpd	ddi.infoblox.dnsdhcp.dtcvalidate_dhcpd
	ddi.infoblox.dns. lame-servers dtc ddi.infoblox.dns. lameServers config ddi.infoblox.dns. network database ddi.infoblox.dns. network resolver ddi.infoblox.dns. notify query-errors ddi.infoblox.dns. notify queries ddi.infoblox.dns. queries infoblox-responses	ddi.infoblox.dns.queries
	ddi.infoblox.dns.rate-limitclient	ddi.infoblox.dns.rateLimitclient
	ddi.infoblox.dns.resolverconfig	ddi.infoblox.dns.resolverconfig
	ddi.infoblox.dns.infoblox-responsesdatabase	ddi.infoblox.dns.infobloxResponsesdatabase
	ddi.infoblox.dns.rpzdtc	ddi.infoblox.dns.rpzdtc
	ddi.infoblox.dns.securitygeneral	ddi.infoblox.dns.securitygeneral
	ddi.infoblox.dns.xferinfoblox-inresponses	ddi.infoblox.dns.xferIninfobloxResponses
	ddi.infoblox.dns.xferlame-outservers	ddi.infoblox.dns.xferOutlameServers
	ddi.infoblox.dns.unknownnetwork	ddi.infoblox.dns.unknownnetwork
	ddi.infoblox.dns.updatenotify	ddi.infoblox.dns.updatenotify
	ddi.infoblox.dns.update-securityqueries	ddi.infoblox.dns.updateSecurityqueries
	ddi.infoblox.niosdns.ntpdqueries_responses	ddi.infoblox.nios.ntpd.dns.queries_responses Note Union table This is a union table that collects events from a set of tables for easy access and analysis. Learn more about this union table in this article.
	ddi.infoblox.niosdns.ntpdatequeryErrors	ddi.infoblox.niosdns.ntpdatequeryErrors
	ddi.infoblox.nios.monitordns.rate-limit	ddi.infoblox.dns.rateLimit
	ddi.infoblox.dns.resolver	ddi.infoblox.niosdns.monitorresolver
	ddi.infoblox.niosdns.syslog-ngrpz	ddi.infoblox.niosdns.syslogNgrpz
	ddi.infoblox.niosdns.rabbitmq_controlsecurity	ddi.infoblox.niosdns.rabbitmq_controlsecurity
	ddi.infoblox.unknowndns.unknown	ddi.infoblox.unknowndns.unknown

How is the data sent to Devo?

Set up the Devo relay rules

You will need to set up a rule on the relay to correctly process and forward the events received from Infoblox. In the example below, you should use any port that you can dedicate to these events.

...

Infoblox - DNS Categories

Infoblox classifies the DNS logs in different categories. You can know more about this in their documentation: Setting DNS Logging Categories. The table below depicts which Devo Relay rule would process each DNS Logging Category.

How is the data sent to Devo?

Set up the Devo relay rules

You will need to set up a rule on the relay to correctly process and forward the events received from Infoblox. In the example below, you should use any port that you can dedicate to these events.

...

Infoblox - DNS Categories

Infoblox classifies the DNS logs in different categories. You can know more about this in their documentation: Setting DNS Logging Categories. The table below depicts which Devo Relay rule would process each DNS Logging Category.

Infoblox DNS Logging Categories	Relay rule names
	DDI Infoblox - DNS Categories	DDI Infoblox - DNS Category DTC 1	DDI Infoblox - DNS Category DTC 2

• Source Port → Customer source port, for example 13004

• Source data → ^named\[\d*\]:\s+request\s

• Target Tag → ddi.infoblox.dns.dtc

• Sent without syslog tag → True

• Is Prefix →False (by default)

• Stop processing → True

Image Removed

DDI Infoblox - unknown DNS Categories

• Source Port → Customer source port, for example 13004

• Source data → ^(?:import_)?named\[\d*\]

• Target Tag → ddi.infoblox.dns.unknown

• Sent without syslog tag → True

• Is Prefix → False (by default)

• Stop processing → True

Image Removed

DDI Infoblox - DNS Category DTC 1

• Source Port → Customer source port, for example 13004

• Source data → ^idns_health

• Target Tag → ddi.infoblox.dns.dtc

• Sent without syslog tag → True

• Is Prefix → False (by default)

• Stop processing → True

Image Removed

...

Rules
DDI Infoblox - DNS Categories Source Port → Customer source port, for example 13004 Source

data → ^.*(validate_dhcpd|dhcpd)

data → ^.*named\[\d*\]:\s+([\S]+): Target Tag → ddi.infoblox.

dhcp

dns.\\d1 Sent without syslog tag → True Is Prefix → False

 

(by default) Stop processing → True

Image Removed

...

Rules

Relay screenshot

DDI Infoblox -

NIOS

DNS Category DTC 2 Source Port → Customer source port, for example 13004 Source data →

^(ntpdate|monitor|ntpd|rabbitmq_control|syslog-ng)

^named\[\d*\]:\s+request\s Target Tag → ddi.infoblox.

nios

dns.

\\d1

dtc Sent without syslog tag → True Is Prefix →False (by default) Stop processing → True

Image Removed

...

Rules

Relay screenshot

DDI Infoblox -

AUDIT

unknown DNS Categories Source Port → Customer source port, for example 13004 Source data → ^

.*

(

serial_console|httpd|sshd)

?:import_)?named\[\d*\] Target Tag → ddi.infoblox.

audit

dns.

\\d1

unknown Sent without syslog tag → True Is Prefix → False (by default) Stop processing → True

Image Removed

Infoblox - unknown

Rules

Relay screenshot

DDI Infoblox -

unknown

DNS Category DTC 1 Source Port → Customer source port, for example 13004

Target

Source data → ^idns_health Target Tag → ddi.infoblox.

unknown

dns.

unknown

dtc Sent without syslog tag → True Is Prefix → False (by default) Stop processing → True

Image Removed

Configure Infoblox NIOS to send logs to the Relay

Before starting the configuration, please read the Infoblox documentation.

Setting DNS Logging Categories

Infoblox DNS logs have different categories. You can select which categories you would like to send into Devo by following these steps:

1. Select Data Management tab

2. Select the DNS tab

3. Click Grid DNS Properties from the Toolbar

4. Enable de Advanced Mode by clicking on “Toggle Expert Mode” if the editor is in the basic mode.

5. Select the Logging tab

6. Select the Logging Categories you would like to send to Devo.

7. Save & Close

...

After saving the changes, you may be prompted to restart the DNS service for the changes to take effect.

Specifying Syslog Servers

Follow the next steps to configure your Infoblox to send messages to the Devo Relay:

...

Select the Grid tab

...

Select the Grid Manager tab

...

Select the Members tab

...

Click Grid Properties from the Toolbar.

...

Select “Log to External Syslog Servers” to enable the Infoblox appliance to send messages to a specified Syslog server.

...

Select also the “Copy Audit Log Message to Syslog” so you will be able to send audit logs to Devo.

...

To define a new Devo Relay, click the Add icon and complete the following fields:

• Address: Devo Relay IP address

• Transport: Secure TCP, TCP or UDP. If selecting Secure TCP, you will need to configure Stunnel in front of the Devo Relay so Stunnel will decrypt the logs and send them decrypted to the Devo Relay. Here you can read more about integrating Stunnel with the Devo Relay.

  Image Removed

• Interface: at your convenience.

• Node ID: at your convenience.

• Source: at your convenience.

• Severity: at your convenience.

• Port: Devo Relay port or Stunnel port listening for logs. If using the Infoblox option Transport TCP or UDP you must use the Source port of the relay rules you configured previously. If you selected Secure TCP, then you must enter the Stunnel listening port.

• Logging category: you must select the option “Send selected categories” and then move to the “Selected” space all the categories you want to send to Devo. The reason for selecting the option “Send selected categories” instead of the option “Send all” is that logs will be prefixed and the Devo parsing will only work for prefixed logs of Infoblox. Read more about Infoblox log prefixes here.

• Then click on the Add button and you will see the configured Devo Relay as part of the list of Syslog Servers.

  Image Removed

• Save & Close

...

Infoblox - DHCP

Infoblox - NIOS

Infoblox - Audit

Infoblox - unknown

Configure Infoblox NIOS to send logs to the Relay

Before starting the configuration, please read the Infoblox documentation.

Setting DNS Logging Categories

Infoblox DNS logs have different categories. You can select which categories you would like to send into Devo by following these steps:

1. Select Data Management tab

2. Select the DNS tab

3. Click Grid DNS Properties from the Toolbar

4. Enable de Advanced Mode by clicking on “Toggle Expert Mode” if the editor is in the basic mode.

5. Select the Logging tab

6. Select the Logging Categories you would like to send to Devo.

7. Save & Close

...

After saving the changes, you may be prompted to restart the DNS service for the changes to take effect.

Specifying Syslog Servers

Follow the next steps to configure your Infoblox to send messages to the Devo Relay:

1. Select the Grid tab

2. Select the Grid Manager tab

3. Select the Members tab

4. Click Grid Properties from the Toolbar.

5. In the Grid Properties editor, select the Monitoring tab. You will see a window like this below.
   
   Image Added

6. Select “Log to External Syslog Servers” to enable the Infoblox appliance to send messages to a specified Syslog server.

7. Select also the “Copy Audit Log Message to Syslog” so you will be able to send audit logs to Devo.

8. To define a new Devo Relay, click the Add icon and complete the following fields:

   • Address: Devo Relay IP address

   • Transport: Secure TCP, TCP or UDP. If selecting Secure TCP, you will need to configure Stunnel in front of the Devo Relay so Stunnel will decrypt the logs and send them decrypted to the Devo Relay. Here you can read more about integrating Stunnel with the Devo Relay.

     Image Added

   • Interface: at your convenience.

   • Node ID: at your convenience.

   • Source: at your convenience.

   • Severity: at your convenience.

   • Port: Devo Relay port or Stunnel port listening for logs. If using the Infoblox option Transport TCP or UDP you must use the Source port of the relay rules you configured previously. If you selected Secure TCP, then you must enter the Stunnel listening port.

   • Logging category: you must select the option “Send selected categories” and then move to the “Selected” space all the categories you want to send to Devo. The reason for selecting the option “Send selected categories” instead of the option “Send all” is that logs will be prefixed and the Devo parsing will only work for prefixed logs of Infoblox. Read more about Infoblox log prefixes here.

   • Then click on the Add button and you will see the configured Devo Relay as part of the list of Syslog Servers.

     Image Added

   • Save & Close

After saving the changes, you may be required to do a service restart for the changes to take effect. Your Infoblox appliance will start to send Syslog to your Devo Relay.

Table structure

These are the fields displayed in these tables:

ifthenelse(message_type in set(["DHCPACK", "DHCPOFFER", "BOOTREPLY", "DHCPEXPIRE", "RELEASE"]), ifthenelse(isnull(onAddress), toAddress, onAddress), null)

ifthenelse(message_type in set(["DHCPACK", "DHCPOFFER", "BOOTREPLY", "DHCPEXPIRE", "RELEASE"]), ifthenelse(isnull(onAddress), toDeviceId, toAddress), null)