
ddi.infoblox

Introduction

The tags beginning with ddi.infoblox identify events generated by Infoblox.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as ddi.infoblox. The third level identifies the type of events sent, and the fourth level indicates the event subtype. 

Technology: ddi

Brand: infoblox

Type → Subtypes

  • audit → serialconsole, sshd, httpd

  • dhcp → dhcpd, validate_dhcpd

  • dns → general, client, config, dtc, lameServers, network, notify, queries, rateLimit, resolver, infobloxResponses, rpz, security, xferIn, xferOut, unknown, update, updateSecurity

  • nios → ntp, ntpdate, monitor, syslogNg, rabbitmq_control

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag → Data table

  • ddi.infoblox.audit.serialconsole → ddi.infoblox.audit.serialconsole

  • ddi.infoblox.audit.sshd → ddi.infoblox.audit.sshd

  • ddi.infoblox.audit.httpd → ddi.infoblox.audit.httpd

  • ddi.infoblox.dhcp.dhcpd → ddi.infoblox.dhcp.dhcpd

  • ddi.infoblox.dhcp.validate_dhcpd → ddi.infoblox.dhcp.validate_dhcpd

  • ddi.infoblox.dns.general → ddi.infoblox.dns.general

  • ddi.infoblox.dns.client → ddi.infoblox.dns.client

  • ddi.infoblox.dns.config → ddi.infoblox.dns.config

  • ddi.infoblox.dns.database → ddi.infoblox.dns.database

  • ddi.infoblox.dns.dtc → ddi.infoblox.dns.dtc

  • ddi.infoblox.dns.lame-servers → ddi.infoblox.dns.lameServers

  • ddi.infoblox.dns.network → ddi.infoblox.dns.network

  • ddi.infoblox.dns.notify → ddi.infoblox.dns.notify

  • ddi.infoblox.dns.queries → ddi.infoblox.dns.queries

  • ddi.infoblox.dns.rate-limit → ddi.infoblox.dns.rateLimit

  • ddi.infoblox.dns.resolver → ddi.infoblox.dns.resolver

  • ddi.infoblox.dns.infoblox-responses → ddi.infoblox.dns.infobloxResponses

  • ddi.infoblox.dns.rpz → ddi.infoblox.dns.rpz

  • ddi.infoblox.dns.security → ddi.infoblox.dns.security

  • ddi.infoblox.dns.xfer-in → ddi.infoblox.dns.xferIn

  • ddi.infoblox.dns.xfer-out → ddi.infoblox.dns.xferOut

  • ddi.infoblox.dns.unknown → ddi.infoblox.dns.unknown

  • ddi.infoblox.dns.update → ddi.infoblox.dns.update

  • ddi.infoblox.dns.update-security → ddi.infoblox.dns.updateSecurity

  • ddi.infoblox.nios.ntpd → ddi.infoblox.nios.ntpd

  • ddi.infoblox.nios.ntpdate → ddi.infoblox.nios.ntpdate

  • ddi.infoblox.nios.monitor → ddi.infoblox.nios.monitor

  • ddi.infoblox.nios.syslog-ng → ddi.infoblox.nios.syslogNg

  • ddi.infoblox.nios.rabbitmq_control → ddi.infoblox.nios.rabbitmq_control

  • ddi.infoblox.unknown.unknown → ddi.infoblox.unknown.unknown

How is the data sent to Devo?

Set up the Devo relay rules

You will need to set up a rule on the relay to correctly process and forward the events received from Infoblox. In the example below, you should use any port that you can dedicate to these events.

Infoblox - DNS Categories

Infoblox classifies its DNS logs into categories. You can learn more about this in their documentation: Setting DNS Logging Categories. The table below shows which Devo Relay rule processes each DNS logging category.

Infoblox DNS Logging Categories (one row per category): general, client, config, database, dnssec, lame servers, network, notify, queries, rate-limit, resolver, responses, rpz, security, transfer-in, transfer-out, update, update-security, DTC load balancing, DTC health monitors

Relay rule names (one column per rule): DDI Infoblox - DNS Categories, DDI Infoblox - DNS Category DTC 1, DDI Infoblox - DNS Category DTC 2, DDI Infoblox - unknown DNS Categories

Rules

DDI Infoblox - DNS Categories

  • Source Port → Customer source port, for example 13004

  • Source data → ^named\[\d*\]:\s+([\S]+):

  • Target Tag → ddi.infoblox.dns.\\d1

  • Sent without syslog tag → True

  • Is Prefix → False (by default)

  • Stop processing → True

DDI Infoblox - DNS Category DTC 2

  • Source Port → Customer source port, for example 13004

  • Source data → ^named\[\d*\]:\s+request\s

  • Target Tag → ddi.infoblox.dns.dtc

  • Sent without syslog tag → True

  • Is Prefix → False (by default)

  • Stop processing → True

DDI Infoblox - unknown DNS Categories

  • Source Port → Customer source port, for example 13004

  • Source data → ^(?:import_)?named\[\d*\]

  • Target Tag → ddi.infoblox.dns.unknown

  • Sent without syslog tag → True

  • Is Prefix → False (by default)

  • Stop processing → True

DDI Infoblox - DNS Category DTC 1

  • Source Port → Customer source port, for example 13004

  • Source data → ^idns_health

  • Target Tag → ddi.infoblox.dns.dtc

  • Sent without syslog tag → True

  • Is Prefix → False (by default)

  • Stop processing → True


Infoblox - DHCP

Rules

DDI Infoblox - DHCP

  • Source Port → Customer source port, for example 13004

  • Source data → ^(validate_dhcpd|dhcpd)

  • Target Tag → ddi.infoblox.dhcp.\\d1

  • Sent without syslog tag → True

  • Is Prefix → False (by default)

  • Stop processing → True

Infoblox - NIOS

Rules

DDI Infoblox - NIOS

  • Source Port → Customer source port, for example 13004

  • Source data → ^(ntpdate|monitor|ntpd|rabbitmq_control|syslog-ng)

  • Target Tag → ddi.infoblox.nios.\\d1

  • Sent without syslog tag → True

  • Is Prefix → False (by default)

  • Stop processing → True

Infoblox - Audit

Rules

DDI Infoblox - AUDIT

  • Source Port → Customer source port, for example 13004

  • Source data → ^-?(serial_console|httpd|sshd)

  • Target Tag → ddi.infoblox.audit.\\d1

  • Sent without syslog tag → True

  • Is Prefix → False (by default)

  • Stop processing → True

 

Infoblox - unknown

Rules

DDI Infoblox - unknown

  • Source Port → Customer source port, for example 13004

  • Target Tag → ddi.infoblox.unknown.unknown

  • Sent without syslog tag → True

  • Is Prefix → False (by default)

  • Stop processing → True
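To check how the rules above route a given message, here is an added Python example (it is not Devo relay code) that applies the Source data regexes in the order the page lists them and substitutes the first capture group for the \\d1 placeholder of the Target Tag. It assumes that the relay tries the rules top to bottom against the message body that follows the syslog header (the "Sent without syslog tag" setting), that the first match wins ("Stop processing"), and that the rule without Source data is the catch-all; the sample bodies are constructed from the log samples further down this page.

```python
import re

# Relay rules transcribed from this page, in the order the page lists them.
# Assumptions (not stated on the page): rules are tried top to bottom against the
# message body that follows the syslog header, the first match wins, and the
# placeholder the page writes as \\d1 in a Target Tag is replaced by the first
# capture group of the Source data regex.
RELAY_RULES = [
    ("DDI Infoblox - DNS Categories", r"^named\[\d*\]:\s+([\S]+):", "ddi.infoblox.dns.\\d1"),
    ("DDI Infoblox - DNS Category DTC 2", r"^named\[\d*\]:\s+request\s", "ddi.infoblox.dns.dtc"),
    ("DDI Infoblox - unknown DNS Categories", r"^(?:import_)?named\[\d*\]", "ddi.infoblox.dns.unknown"),
    ("DDI Infoblox - DNS Category DTC 1", r"^idns_health", "ddi.infoblox.dns.dtc"),
    ("DDI Infoblox - DHCP", r"^(validate_dhcpd|dhcpd)", "ddi.infoblox.dhcp.\\d1"),
    ("DDI Infoblox - NIOS", r"^(ntpdate|monitor|ntpd|rabbitmq_control|syslog-ng)", "ddi.infoblox.nios.\\d1"),
    ("DDI Infoblox - AUDIT", r"^-?(serial_console|httpd|sshd)", "ddi.infoblox.audit.\\d1"),
    ("DDI Infoblox - unknown", None, "ddi.infoblox.unknown.unknown"),  # catch-all: no Source data
]

# Tags whose data table name differs from the tag (from the tag / data table list above).
TABLE_ALIASES = {
    "ddi.infoblox.dns.lame-servers": "ddi.infoblox.dns.lameServers",
    "ddi.infoblox.dns.rate-limit": "ddi.infoblox.dns.rateLimit",
    "ddi.infoblox.dns.infoblox-responses": "ddi.infoblox.dns.infobloxResponses",
    "ddi.infoblox.dns.xfer-in": "ddi.infoblox.dns.xferIn",
    "ddi.infoblox.dns.xfer-out": "ddi.infoblox.dns.xferOut",
    "ddi.infoblox.dns.update-security": "ddi.infoblox.dns.updateSecurity",
    "ddi.infoblox.nios.syslog-ng": "ddi.infoblox.nios.syslogNg",
}


def route(message):
    """Return (rule name, target tag) for one message body with the syslog header removed."""
    for name, pattern, target in RELAY_RULES:
        if pattern is None:
            return name, target
        match = re.match(pattern, message)
        if match:
            tag = target.replace("\\d1", match.group(1)) if "\\d1" in target else target
            return name, tag
    raise RuntimeError("unreachable: the last rule has no Source data and matches everything")


def data_table(tag):
    """Map a relay target tag to the data table that stores it."""
    return TABLE_ALIASES.get(tag, tag)


# Constructed message bodies modelled on the samples further down this page.
SAMPLES = [
    "named[123]: general: all zones loaded",
    "named[123]: rate-limit: limit responses to 192.0.2.0/24",          # constructed
    "named[123]: request example.com (constructed DTC load-balancing line)",
    "idns_health: monitor http for lb.example.com is up",                # constructed
    "named[123]: starting BIND",                                         # no category prefix
    "dhcpd[123]: DHCPACK to 192.168.123.123 (ab:c1:d2:e3:fg:hi) via eth2",
    "syslog-ng[456]: Configuration reload request received",            # constructed
    "httpd[]: 2021-11-19 13:47:37.743Z [admin]: Login_Allowed - - to=AdminConnector",
    "kernel: something the rules do not recognise",                     # constructed
]

if __name__ == "__main__":
    for body in SAMPLES:
        rule, tag = route(body)
        print(f"{tag:40} {data_table(tag):40} <- {rule}")
```

Two things worth checking when onboarding with this routing: a "named" line without a "category:" prefix lands in ddi.infoblox.dns.unknown, and anything the prefix-based rules do not recognise lands in ddi.infoblox.unknown.unknown, so a growing volume in either table usually means categories are arriving unprefixed (for example because "Send all" was chosen instead of "Send selected categories" in the syslog server configuration described further down).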

Configure Infoblox NIOS to send logs to the Relay

Before starting the configuration, please read the Infoblox documentation.

Setting DNS Logging Categories

Infoblox DNS logs have different categories. You can select which categories you would like to send into Devo by following these steps:

  1. Select Data Management tab

  2. Select the DNS tab

  3. Click Grid DNS Properties from the Toolbar

  4. Enable Advanced Mode by clicking “Toggle Expert Mode” if the editor is in basic mode.

  5. Select the Logging tab

  6. Select the Logging Categories you would like to send to Devo.

  7. Save & Close

Enabling some logging categories can increase disk space usage and adversely affect DNS services and performance. Check with Infoblox whether logging these categories is recommended for your deployment.

After saving the changes, you may be prompted to restart the DNS service for the changes to take effect.

Specifying Syslog Servers

Follow the next steps to configure your Infoblox to send messages to the Devo Relay:

  1. Select the Grid tab

  2. Select the Grid Manager tab

  3. Select the Members tab

  4. Click Grid Properties from the Toolbar.

  5. In the Grid Properties editor, select the Monitoring tab. You will see a window like this below.

  6. Select “Log to External Syslog Servers” to enable the Infoblox appliance to send messages to a specified Syslog server.

  7. Also select “Copy Audit Log Message to Syslog” so that audit logs are sent to Devo as well.

  8. To define a new Devo Relay, click the Add icon and complete the following fields:

    • Address: Devo Relay IP address

    • Transport: Secure TCP, TCP or UDP. If selecting Secure TCP, you will need to configure Stunnel in front of the Devo Relay so Stunnel will decrypt the logs and send them decrypted to the Devo Relay. Here you can read more about integrating Stunnel with the Devo Relay.

    • Interface: at your convenience.

    • Node ID: at your convenience.

    • Source: at your convenience.

    • Severity: at your convenience.

    • Port: Devo Relay port or Stunnel port listening for logs. If you selected TCP or UDP as the Transport, enter the Source port of the relay rules you configured previously. If you selected Secure TCP, enter the Stunnel listening port.

    • Logging category: select the option “Send selected categories” and then move all the categories you want to send to Devo to the “Selected” space. Select “Send selected categories” rather than “Send all” because only then are the logs prefixed with their category, and the Devo parsers (and the relay rules above, which match on that prefix) only work for prefixed Infoblox logs. Read more about Infoblox log prefixes here.

    • Then click on the Add button and you will see the configured Devo Relay as part of the list of Syslog Servers.

    • Save & Close

After saving the changes, you may need to restart the service for them to take effect. Your Infoblox appliance will then start sending syslog to your Devo Relay.

Log samples

The following are sample logs sent to each of the ddi.infoblox data tables. Under each sample log you can also see how the information is parsed into your data table.

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

ddi.infoblox.audit.httpd

2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd[]: 2021-11-19 13:47:37.743Z [admin]: Login_Allowed - - to=AdminConnector ip=192.168.189.211 auth=LOCAL group=admin-group apparently_via=GUI
2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd[]: 2021-11-19 13:47:37.743Z [admin]: Called - GetMemberData message=downloaded\\040named.conf: Args message="downloaded named.conf"
2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd[]: 2021-11-19 13:47:37.743Z [admin]: Created NetworkView internal: Set extensible_attributes=[],comment="internal DNS view",name="internal"
2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd: 2022-02-10 13:03:52.091Z [admin]: shutdown node 192.168.1.17
2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd: 2022-02-10 13:03:52.091Z [admin]: Deleted IdnsServer myserver2

And this is how the first log line would be parsed:

Field → Value (Type)

  • eventdate → 2022-02-25 11:01:21.41 (timestamp)

  • hostname → localhost (str)

  • server → httpd[] (str)

  • serverdate → 2021-11-19 13:47:37.743 (timestamp)

  • admin_user → admin (str)

  • action → Login_Allowed (str)

  • object_type → - (str)

  • object_name → - (str)

  • message → to=AdminConnector ip=192.168.189.211 auth=LOCAL group=admin-group apparently_via=GUI (str)

  • srcIp → 192.168.189.211 (ip4)

  • to → AdminConnector (str)

  • auth → LOCAL (str)

  • admin_group → admin-group (str)

  • apparently_via → GUI (str)

  • info → null (str)

  • trigger_event → null (str)

  • hostchain → localhost=127.0.0.1 (str)

  • tag → ddi.infoblox.audit.httpd (str)

  • rawMessage → httpd[]: 2021-11-19 13:47:37.743Z [admin]: Login_Allowed - - to=AdminConnector ip=192.168.189.211 auth=LOCAL group=admin-group apparently_via=GUI (str)
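The audit lines above all share one shape: server, timestamp, [admin_user], action, then an object type and name, then free text holding key=value pairs. The added Python example below (this is not Devo's parser) reads that shape into the field names of the table above and then summarises Login_Allowed events per user, source IP and auth type, which is the first thing to review after a suspected credential misuse on the appliance. The regex, the key-to-field renames (ip to srcIp, group to admin_group) and the reading of "shutdown node 192.168.1.17" as action/object_type/object_name are this example's own assumptions.

```python
import re

# Assumed structure of an Infoblox audit message body once the relay has removed
# the syslog header: "<server>: <date>Z [<admin_user>]: <action> <object_type> <object_name> <message>".
# Field names follow the parsed table above; the regex is this example's own.
AUDIT_RE = re.compile(
    r"^(?P<server>httpd(?:\[\d*\])?): "
    r"(?P<serverdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)Z "
    r"\[(?P<admin_user>[^\]]*)\]: "
    r"(?P<action>\S+)"
    r"(?: (?P<object_type>\S+))?"
    r"(?: (?P<object_name>\S+?):?)?"   # a trailing ':' (e.g. "internal:") is not part of the name
    r"(?: (?P<message>.*))?$"
)

# key=value pairs inside the message, renamed the way the parsed table above shows them (assumed).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KV_FIELDS = {"ip": "srcIp", "to": "to", "auth": "auth", "group": "admin_group", "apparently_via": "apparently_via"}


def parse_audit(line):
    """Parse one ddi.infoblox.audit.httpd message body into the page's field names, or return None."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for name in KV_FIELDS.values():
        fields[name] = None
    for key, value in KV_RE.findall(fields["message"] or ""):
        if key in KV_FIELDS:
            fields[KV_FIELDS[key]] = value.strip('"')
    return fields


def login_sources(lines):
    """Count Login_Allowed events per (admin_user, srcIp, auth): who logged in, from where, with what."""
    counts = {}
    for line in lines:
        f = parse_audit(line)
        if f and f["action"] == "Login_Allowed":
            key = (f["admin_user"], f["srcIp"], f["auth"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Message bodies taken from the sample log above (the relay has already stripped the syslog header).
SAMPLES = [
    "httpd[]: 2021-11-19 13:47:37.743Z [admin]: Login_Allowed - - to=AdminConnector ip=192.168.189.211 auth=LOCAL group=admin-group apparently_via=GUI",
    r'httpd[]: 2021-11-19 13:47:37.743Z [admin]: Called - GetMemberData message=downloaded\040named.conf: Args message="downloaded named.conf"',
    'httpd[]: 2021-11-19 13:47:37.743Z [admin]: Created NetworkView internal: Set extensible_attributes=[],comment="internal DNS view",name="internal"',
    "httpd: 2022-02-10 13:03:52.091Z [admin]: shutdown node 192.168.1.17",
    "httpd: 2022-02-10 13:03:52.091Z [admin]: Deleted IdnsServer myserver2",
]

if __name__ == "__main__":
    for line in SAMPLES:
        f = parse_audit(line)
        print(f["action"], f["object_type"], f["object_name"], f["srcIp"])
    print(login_sources(SAMPLES))
```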

ddi.infoblox.dhcp.dhcpd

2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: DHCPACK to 192.168.123.123 (ab:c1:d2:e3:fg:hi) via eth2
2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: DHCPINFORM from 192.168.123.123 via 192.168.123.123
2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: DHCPDISCOVER from ab:c1:d2:e3:fg:hi via 192.168.123.123 TransID 2006c4c6: network 192.168.123.123/23: no permitted ranges with available leases
2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: DHCPRELEASE of 192.168.123.123 from ab:c1:d2:e3:fg:hi (WA605526N-BRL) via 192.168.123.123 (found) TransID 24da1881 uid ab:c1:d2:e3:fg:hi:ab:c1:d2:e3:fg:hi:ab:c1:d2:e3:fg:hi:30:38
2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: BOOTREQUEST from ab:c1:d2:e3:fg:hi via 192.168.123.123: BOOTP from dynamic client and no dynamic leases

And this is how the first log line would be parsed:

Field → Value (Type); where a field is derived, its field transformation and source field names follow

  • eventdate → 2022-02-10 09:06:32.152 (timestamp)

  • hostname → localhost (str)

  • server → dhcpd (str)

  • pid → 123 (int4)

  • message_type → DHCPACK (str)

  • toAddress → 192.168.123.123 (str)

  • toDeviceId → ab:c1:d2:e3:fg:hi (str)

  • fromAddress → null (str)

  • fromDeviceId → null (str)

  • ofAddress → null (str)

  • ofDeviceId → null (str)

  • onAddress → null (str)

  • onDeviceId → null (str)

  • forAddress → null (str)

  • forDeviceId → null (str)

  • via → (empty) (str)

  • viaDeviceId → null (str)

  • TransID → null (str)

  • network → null (str)

  • uid → (empty) (str)

  • message → DHCPACK to 192.168.123.123 (ab:c1:d2:e3:fg:hi) via eth2 (str)

  • leaseIpAddress → 192.168.123.123 (str); field transformation: ifthenelse(message_type in set(["DHCPACK", "DHCPOFFER", "BOOTREPLY", "DHCPEXPIRE", "RELEASE"]), ifthenelse(isnull(onAddress), toAddress, onAddress), null); source fields: onAddress, message_type, toAddress

  • leaseHardwareAddress → ab:c1:d2:e3:fg:hi (str); field transformation: ifthenelse(message_type in set(["DHCPACK", "DHCPOFFER", "BOOTREPLY", "DHCPEXPIRE", "RELEASE"]), ifthenelse(isnull(onAddress), toDeviceId, toAddress), null); source fields: toDeviceId, onAddress, message_type, toAddress

  • hostchain → localhost=127.0.0.1 (str)

  • tag → ddi.infoblox.dhcp.dhcpd (str)

  • rawMessage → dhcpd[123]: DHCPACK to 192.168.123.123 (ab:c1:d2:e3:fg:hi) via eth2 (str)
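The dhcpd field model above is positional: each "to", "from", "of", "on", "for" or "via" in the message becomes an Address or a DeviceId field depending on whether the value is a MAC, and the two lease fields are then derived from those. The added Python example below (not Devo's parser) reads the five sample messages into those field names and applies the two Field transformations exactly as the table writes them, then groups acked leases by hardware address, which is how an incident responder ties an IP seen in other logs back to a device. The regexes, the rule that the structured part of a message ends at the first ": ", and the handling of the "IP (MAC)" form are this example's own assumptions.

```python
import re

# Field names follow the ddi.infoblox.dhcp.dhcpd table above. The regexes, the
# "first ': ' ends the structured part" rule and the DeviceId/Address split are
# this example's own reading of the sample messages, not Devo's parser.
LEASE_TYPES = {"DHCPACK", "DHCPOFFER", "BOOTREPLY", "DHCPEXPIRE", "RELEASE"}
FIELDS = ["message_type", "toAddress", "toDeviceId", "fromAddress", "fromDeviceId",
          "ofAddress", "ofDeviceId", "onAddress", "onDeviceId", "forAddress",
          "forDeviceId", "via", "viaDeviceId", "TransID", "network", "uid"]

HEADER_RE = re.compile(r"^(?P<server>validate_dhcpd|dhcpd)\[(?P<pid>\d+)\]: (?P<message>.*)$")
MAC = r"[0-9A-Za-z]{2}(?::[0-9A-Za-z]{2}){5}"   # the page's sample MACs are redacted ("fg:hi"), so not hex-only
PREP_RE = re.compile(r"\b(to|from|of|on|for|via) (" + MAC + r"|[^\s:,()]+)(?: \((" + MAC + r")\))?")
TRANSID_RE = re.compile(r"\bTransID ([0-9A-Fa-f]+)")
NETWORK_RE = re.compile(r"\bnetwork ([^\s:]+)")
UID_RE = re.compile(r"\buid (\S+)")


def _keys(prep):
    """(address field, device-id field) for a preposition, named as in the table above."""
    return ("via", "viaDeviceId") if prep == "via" else (prep + "Address", prep + "DeviceId")


def lease_fields(f):
    """The two Field transformations from the table above, transcribed as the page writes them."""
    if f["message_type"] not in LEASE_TYPES:
        return None, None
    lease_ip = f["toAddress"] if f["onAddress"] is None else f["onAddress"]
    lease_hw = f["toDeviceId"] if f["onAddress"] is None else f["toAddress"]
    return lease_ip, lease_hw


def parse_dhcpd(line):
    """Parse one dhcpd message body into the page's field names, or return None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    message = m["message"]
    fields = {name: None for name in FIELDS}
    fields.update(server=m["server"], pid=int(m["pid"]), message=message)
    fields["message_type"] = message.split(" ", 1)[0]
    # Structured "<prep> <value>" pairs sit before the first ": "; the free text
    # after it (e.g. "BOOTP from dynamic client ...") must not overwrite them.
    head = message.split(": ", 1)[0]
    for prep, value, paren_mac in PREP_RE.findall(head):
        addr_key, dev_key = _keys(prep)
        key = dev_key if re.fullmatch(MAC, value) else addr_key
        if fields[key] is None:                     # first occurrence wins
            fields[key] = value
        if paren_mac and fields[dev_key] is None:   # "to <IP> (<MAC>)" form
            fields[dev_key] = paren_mac
    for key, rx in (("TransID", TRANSID_RE), ("network", NETWORK_RE), ("uid", UID_RE)):
        found = rx.search(message)
        if found:
            fields[key] = found.group(1)
    fields["leaseIpAddress"], fields["leaseHardwareAddress"] = lease_fields(fields)
    return fields


def leases_by_hardware(lines):
    """Map each leaseHardwareAddress to the set of leaseIpAddress values acked for it."""
    seen = {}
    for line in lines:
        f = parse_dhcpd(line)
        if f and f["leaseHardwareAddress"] and f["leaseIpAddress"]:
            seen.setdefault(f["leaseHardwareAddress"], set()).add(f["leaseIpAddress"])
    return seen


# Message bodies taken from the sample log above (MACs redacted as on the page).
SAMPLES = [
    "dhcpd[123]: DHCPACK to 192.168.123.123 (ab:c1:d2:e3:fg:hi) via eth2",
    "dhcpd[123]: DHCPINFORM from 192.168.123.123 via 192.168.123.123",
    "dhcpd[123]: DHCPDISCOVER from ab:c1:d2:e3:fg:hi via 192.168.123.123 TransID 2006c4c6: "
    "network 192.168.123.123/23: no permitted ranges with available leases",
    "dhcpd[123]: DHCPRELEASE of 192.168.123.123 from ab:c1:d2:e3:fg:hi (WA605526N-BRL) via 192.168.123.123 "
    "(found) TransID 24da1881 uid ab:c1:d2:e3:fg:hi:ab:c1:d2:e3:fg:hi:ab:c1:d2:e3:fg:hi:30:38",
    "dhcpd[123]: BOOTREQUEST from ab:c1:d2:e3:fg:hi via 192.168.123.123: BOOTP from dynamic client and no dynamic leases",
]

if __name__ == "__main__":
    for line in SAMPLES:
        f = parse_dhcpd(line)
        print(f["message_type"], {k: v for k, v in f.items() if v and k not in ("message", "server", "pid")})
    print(leases_by_hardware(SAMPLES))
```

Note that DHCPRELEASE is not in the set the transformation checks (the table lists "RELEASE"), so a release line yields null lease fields here just as the table's expression would; if you need releases in a lease timeline, pivot on ofAddress and fromDeviceId instead.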

 

ddi.infoblox.dns.general

2022-02-25 11:01:54.076 localhost=127.0.0.1 ddi.infoblox.dns.general: named[123]: general: Recursion client quota: used/max/soft-limit/s-over/hard-limit/h-over/low-pri = 0/0/900/0/1000/0/0
2022-02-25 11:01:54.076 localhost=127.0.0.1 ddi.infoblox.dns.general: named[123]: general: Recursion cache view "_default": size = 56928, hits = 4, misses = 3
2022-02-25 11:01:54.076 localhost=127.0.0.1 ddi.infoblox.dns.general: named[123]: general: all zones loaded
2022-02-25 11:01:54.076 localhost=127.0.0.1 ddi.infoblox.dns.general: named[123]: general: zone 0.0.127.in-addr.arpa/IN: autogenerated flag seen for unloaded zone, prioritizing its loading

And this is how the first log line would be parsed:

Field → Value (Type)

  • eventdate → 2022-02-25 11:01:54.076 (timestamp)

  • hostname → localhost (str)

  • server → named (str)

  • pid → 123 (int4)

  • ib_category → general (str)

  • message → Recursion client quota: used/max/soft-limit/s-over/hard-limit/h-over/low-pri = 0/0/900/0/1000/0/0 (str)

  • quota_used → 0 (int8)

  • quota_max → 0 (int8)

  • quota_soft_limits → 900 (int8)

  • quota_s_over → 0 (int8)

  • quota_hard_limit → 1000 (int8)

  • quota_h_over → 0 (int8)

  • quota_low_pri → 0 (int8)

  • dns_view → null (str)

  • dns_view_size → null (int8)

  • dns_view_hits → null (int8)

  • dns_view_misses → null (int8)

  • zone_name → null (str)

  • zone_message → null (str)

  • hostchain → localhost=127.0.0.1 (str)

  • tag → ddi.infoblox.dns.general (str)

  • rawMessage → named[123]: general: Recursion client quota: used/max/soft-limit/s-over/hard-limit/h-over/low-pri = 0/0/900/0/1000/0/0 (str)

ddi.infoblox.dns.client

And this is how the log would be parsed:

Field → Value (Type)

  • eventdate → 2022-02-25 11:02:05.2 (timestamp)

  • hostname → localhost (str)

  • server → named (str)

  • pid → 123 (int4)

  • ib_category → client (str)

  • message → Intercept (blacklist rule): 'example1.com.' matched ruleset-pattern (refusal): 'test_Blacklist' -- 'example1.com' (123.123.123.123) (str)

  • action → refusal (str)

  • name_blacklist → test_Blacklist (str)

  • query_name → example1.com (str)

  • client_ip → 123.123.123.123 (ip4)

  • client_object → null (str)

  • port → null (int4)

  • dns_client_signer → null (str)

  • dns_view → null (str)

  • info → null (str)

  • hostchain → localhost=127.0.0.1 (str)

  • tag → ddi.infoblox.dns.client (str)

  • rawMessage → named[123]: client: Intercept (blacklist rule): 'example1.com.' matched ruleset-pattern (refusal): 'test_Blacklist' -- 'example1.com' (123.123.123.123) (str)

ddi.infoblox.dns.infobloxResponses

And this is how the log would be parsed:

Field → Value (Type)

  • eventdate → 2022-02-25 11:03:35.594 (timestamp)

  • hostname → localhost (str)

  • server → named (str)

  • pid → 123 (int4)

  • ib_category → infoblox-responses (str)

  • message → 02-Dec-2021 13:04:41.065 client 2001::2#52739: UDP: query: example1.com IN A response: REFUSED - (str)

  • serverdate → 2021-12-02 13:04:41.065 (timestamp)

  • client_ip → 2001::2 (str)

  • port → 52739 (int4)

  • dns_client_signer → null (str)

  • query_name → example1.com (str)

  • dns_view → null (str)

  • protocol → UDP (str)

  • class → IN (str)

  • type → A (str)

  • response_info → REFUSED - (str)

  • rcode → REFUSED (str)

  • flags → - (str)

  • recursion → false (bool)

  • authoritative_answer → false (bool)

  • truncated_response → false (bool)

  • edns_opt_record → false (bool)

  • dnssec → false (bool)

  • dnssec_records_validated → false (bool)

  • dtc_synthetic_record → false (bool)

  • rr_text → null (str)

  • hostchain → localhost=127.0.0.1 (str)

  • tag → ddi.infoblox.dns.infoblox-responses (str)

  • rawMessage → named[123]: infoblox-responses: 02-Dec-2021 13:04:41.065 client 2001::2#52739: UDP: query: example1.com IN A response: REFUSED - (str)
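The responses table above is the one most detections are built on, since it carries the client, the question and the rcode on a single row. The added Python example below (not Devo's parser) reads the rawMessage shape into the field names of the table, converts the BIND-style serverdate the way the serverdate field shows it, and then lists clients with repeated REFUSED answers: a burst of those from one client is typically a misconfigured resolver client or a host asking for zones or views it is not allowed to see, and client_ip plus query_name are the fields to pivot on. The regex and the constructed sample lines (the first is the page's own) are this example's assumptions; the flag letters are kept as a string because the page does not spell out their mapping to the boolean fields.

```python
import re
from datetime import datetime

# Field names follow the ddi.infoblox.dns.infobloxResponses table above; the
# regex is this example's own reading of the sample line, not Devo's parser.
RESP_RE = re.compile(
    r"^(?P<server>named)\[(?P<pid>\d*)\]: (?P<ib_category>infoblox-responses): "
    r"(?P<serverdate>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client_ip>[^#\s]+)#(?P<port>\d+): (?P<protocol>\w+): query: "
    r"(?P<query_name>\S+) (?P<class>\S+) (?P<type>\S+) response: "
    r"(?P<response_info>(?P<rcode>\S+) (?P<flags>\S+)(?: (?P<rr_text>.*))?)$"
)


def parse_response(line):
    """Parse one infoblox-responses message body into the page's field names, or return None."""
    m = RESP_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["pid"] = int(f["pid"]) if f["pid"] else None
    f["port"] = int(f["port"])
    # "02-Dec-2021 13:04:41.065" -> "2021-12-02 13:04:41.065", as the serverdate field shows it
    stamp = datetime.strptime(f["serverdate"], "%d-%b-%Y %H:%M:%S.%f")
    f["serverdate"] = stamp.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    return f


def refused_by_client(lines, threshold=2):
    """Clients with at least `threshold` REFUSED responses, highest count first."""
    counts = {}
    for line in lines:
        f = parse_response(line)
        if f and f["rcode"] == "REFUSED":
            counts[f["client_ip"]] = counts.get(f["client_ip"], 0) + 1
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold), key=lambda item: -item[1])


# Constructed message bodies: the first is the page's sample, the rest are modelled on it.
SAMPLES = [
    "named[123]: infoblox-responses: 02-Dec-2021 13:04:41.065 client 2001::2#52739: UDP: query: example1.com IN A response: REFUSED -",
    "named[123]: infoblox-responses: 02-Dec-2021 13:04:41.201 client 2001::2#52740: UDP: query: example2.com IN MX response: REFUSED -",
    "named[123]: infoblox-responses: 02-Dec-2021 13:04:41.377 client 2001::2#52741: TCP: query: example3.com IN TXT response: REFUSED -",
    "named[123]: infoblox-responses: 02-Dec-2021 13:04:42.010 client 192.0.2.10#41000: UDP: query: www.example.com IN A response: NOERROR + www.example.com. 300 IN A 192.0.2.50",
    "named[123]: infoblox-responses: 02-Dec-2021 13:04:42.512 client 192.0.2.10#41001: UDP: query: example1.com IN A response: REFUSED -",
]

if __name__ == "__main__":
    for line in SAMPLES:
        f = parse_response(line)
        print(f["serverdate"], f["client_ip"], f["query_name"], f["type"], f["rcode"], f["rr_text"])
    print(refused_by_client(SAMPLES))
```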

ddi.infoblox.dns.queryErrors

And this is how the log would be parsed:

Field → Value (Type)

  • eventdate → 2022-02-25 11:03:24.485 (timestamp)

  • hostname → localhost (str)

  • server → named (str)

  • pid → 123 (int4)

  • ib_category → query-errors (str)

  • message → client @0x7f31780cc570 192.168.203.166#56164 (example1.com): query failed (REFUSED) for example1.com/IN/A at query.c:10267 (str)

  • client_object → @0x7f31780cc570 (str)

  • client_ip → 192.168.203.166 (str)

  • port → 56164 (int4)

  • dns_client_signer → null (str)

  • query_name → example1.com (str)

  • dns_view → null (str)

  • info_error → query failed (REFUSED) for example1.com/IN/A at query.c:10267 (str)

  • error → failed (str)

  • action → REFUSED (str)

  • hostchain → localhost=127.0.0.1 (str)

  • tag → ddi.infoblox.dns.query-errors (str)

  • rawMessage → named[123]: query-errors: client @0x7f31780cc570 192.168.203.166#56164 (example1.com): query failed (REFUSED) for example1.com/IN/A at query.c:10267 (str)

ddi.infoblox.nios.ntpd

And this is how the log would be parsed:

Field → Value (Type)

  • eventdate → 2022-02-25 11:06:12.894 (timestamp)

  • hostname → localhost (str)

  • server → ntpd (str)

  • pid → 10962 (int4)

  • message → Command line: /usr/bin/ntpd -x -a -c /tmpfs/ntp.conf -f /storage/etc/ntp.drift (str)

  • hostchain → localhost=127.0.0.1 (str)

  • tag → ddi.infoblox.nios.ntpd (str)

  • rawMessage → ntpd[10962]: Command line: /usr/bin/ntpd -x -a -c /tmpfs/ntp.conf -f /storage/etc/ntp.drift (str)

ddi.infoblox.nios.monitor

And this is how the log would be parsed:

Field → Value (Type)

  • eventdate → 2022-02-25 11:06:02.231 (timestamp)

  • hostname → localhost (str)

  • server → monitor (str)

  • pid → 123 (int4)

  • message → Type: httpd, State: Red, Event: An Apache software failure has occurred. (str)

  • hostchain → localhost=127.0.0.1 (str)

  • tag → ddi.infoblox.nios.monitor (str)

  • rawMessage → monitor[123]: Type: httpd, State: Red, Event: An Apache software failure has occurred. (str)