ddi.infoblox
Introduction
The tags beginning with ddi.infoblox identify events generated by Infoblox.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as ddi.infoblox. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Technology | Brand | Type | Subtype |
---|---|---|---|
ddi | infoblox | audit | serialconsole, sshd, httpd |
ddi | infoblox | dhcp | dhcpd, validate_dhcpd |
ddi | infoblox | dns | general, client, config, database, dtc, lame-servers, network, notify, queries, rate-limit, resolver, infoblox-responses, rpz, security, xfer-in, xfer-out, unknown, update, update-security |
ddi | infoblox | nios | ntpd, ntpdate, monitor, syslog-ng, rabbitmq_control |
ddi | infoblox | unknown | unknown |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
ddi.infoblox.audit.serialconsole | ddi.infoblox.audit.serialconsole |
ddi.infoblox.audit.sshd | ddi.infoblox.audit.sshd |
ddi.infoblox.audit.httpd | ddi.infoblox.audit.httpd |
ddi.infoblox.dhcp.dhcpd | ddi.infoblox.dhcp.dhcpd |
ddi.infoblox.dhcp.validate_dhcpd | ddi.infoblox.dhcp.validate_dhcpd |
ddi.infoblox.dns.general | ddi.infoblox.dns.general |
ddi.infoblox.dns.client | ddi.infoblox.dns.client |
ddi.infoblox.dns.config | ddi.infoblox.dns.config |
ddi.infoblox.dns.database | ddi.infoblox.dns.database |
ddi.infoblox.dns.dtc | ddi.infoblox.dns.dtc |
ddi.infoblox.dns.lame-servers | ddi.infoblox.dns.lameServers |
ddi.infoblox.dns.network | ddi.infoblox.dns.network |
ddi.infoblox.dns.notify | ddi.infoblox.dns.notify |
ddi.infoblox.dns.queries | ddi.infoblox.dns.queries |
ddi.infoblox.dns.rate-limit | ddi.infoblox.dns.rateLimit |
ddi.infoblox.dns.resolver | ddi.infoblox.dns.resolver |
ddi.infoblox.dns.infoblox-responses | ddi.infoblox.dns.infobloxResponses |
ddi.infoblox.dns.rpz | ddi.infoblox.dns.rpz |
ddi.infoblox.dns.security | ddi.infoblox.dns.security |
ddi.infoblox.dns.xfer-in | ddi.infoblox.dns.xferIn |
ddi.infoblox.dns.xfer-out | ddi.infoblox.dns.xferOut |
ddi.infoblox.dns.unknown | ddi.infoblox.dns.unknown |
ddi.infoblox.dns.update | ddi.infoblox.dns.update |
ddi.infoblox.dns.update-security | ddi.infoblox.dns.updateSecurity |
ddi.infoblox.nios.ntpd | ddi.infoblox.nios.ntpd |
ddi.infoblox.nios.ntpdate | ddi.infoblox.nios.ntpdate |
ddi.infoblox.nios.monitor | ddi.infoblox.nios.monitor |
ddi.infoblox.nios.syslog-ng | ddi.infoblox.nios.syslogNg |
ddi.infoblox.nios.rabbitmq_control | ddi.infoblox.nios.rabbitmq_control |
ddi.infoblox.unknown.unknown | ddi.infoblox.unknown.unknown |
How is the data sent to Devo?
Set up the Devo relay rules
You need to set up rules on the Devo Relay to correctly process and forward the events received from Infoblox. The rule examples below reference a source port; use any port that you can dedicate to these events, and make sure it matches the port configured on the Infoblox syslog server entry.
Infoblox - DNS Categories
Infoblox classifies DNS logs into categories; see the Infoblox documentation, Setting DNS Logging Categories. The table below shows which Devo Relay rule processes each DNS logging category.
Infoblox DNS Logging Category | Relay rule name |
---|---|
general | DDI Infoblox - DNS Categories |
client | DDI Infoblox - DNS Categories |
config | DDI Infoblox - DNS Categories |
database | DDI Infoblox - DNS Categories |
dnssec | DDI Infoblox - unknown DNS Categories |
lame servers | DDI Infoblox - DNS Categories |
network | DDI Infoblox - DNS Categories |
notify | DDI Infoblox - DNS Categories |
queries | DDI Infoblox - DNS Categories |
rate-limit | DDI Infoblox - DNS Categories |
resolver | DDI Infoblox - DNS Categories |
responses | DDI Infoblox - DNS Categories |
rpz | DDI Infoblox - DNS Categories |
security | DDI Infoblox - DNS Categories |
transfer-in | DDI Infoblox - DNS Categories |
transfer-out | DDI Infoblox - DNS Categories |
update | DDI Infoblox - DNS Categories |
update-security | DDI Infoblox - DNS Categories |
DTC load balancing | DDI Infoblox - DNS Category DTC 2 |
DTC health monitors | DDI Infoblox - DNS Category DTC 1 |
Rules | Relay screenshot |
---|---|
DDI Infoblox - DNS Categories | (screenshot not reproduced here) |
DDI Infoblox - DNS Category DTC 2 | (screenshot not reproduced here) |
DDI Infoblox - unknown DNS Categories | (screenshot not reproduced here) |
DDI Infoblox - DNS Category DTC 1 | (screenshot not reproduced here) |
Infoblox - DHCP
Rules | Relay screenshot |
---|---|
DDI Infoblox - DHCP | (screenshot not reproduced here) |
Infoblox - NIOS
Rules | Relay screenshot |
---|---|
DDI Infoblox - NIOS | (screenshot not reproduced here) |
Infoblox - Audit
Rules | Relay screenshot |
---|---|
DDI Infoblox - AUDIT | (screenshot not reproduced here) |
Infoblox - unknown
Rules | Relay screenshot |
---|---|
DDI Infoblox - unknown | (screenshot not reproduced here) |
Configure Infoblox NIOS to send logs to the Relay
Before starting the configuration, please read the Infoblox documentation.
Setting DNS Logging Categories
Infoblox DNS logs have different categories. You can select which categories you would like to send into Devo by following these steps:
1. Select the Data Management tab.
2. Select the DNS tab.
3. Click Grid DNS Properties in the Toolbar.
4. If the editor is in basic mode, click "Toggle Expert Mode" to enable expert (advanced) mode.
5. Select the Logging tab.
6. Select the logging categories you want to send to Devo.
7. Save & Close.

Enabling some logging categories (queries and responses in particular, since they log every request) can increase disk space usage and adversely affect DNS service performance. Check with Infoblox whether logging these categories is recommended for your deployment.
After saving the changes, you may be prompted to restart the DNS service for the changes to take effect.
Specifying Syslog Servers
Follow these steps to configure Infoblox to send messages to the Devo Relay:

1. Select the Grid tab.
2. Select the Grid Manager tab.
3. Select the Members tab.
4. Click Grid Properties in the Toolbar.
5. In the Grid Properties editor, select the Monitoring tab (the original page shows a screenshot of this window here).
6. Select "Log to External Syslog Servers" to enable the Infoblox appliance to send messages to a specified syslog server.
7. Also select "Copy Audit Log Message to Syslog"; this is required for the ddi.infoblox.audit tables to receive data.
8. To define a new Devo Relay, click the Add icon and complete the following fields:
   - Address: the Devo Relay IP address.
   - Transport: Secure TCP, TCP or UDP. TCP and UDP carry the logs in clear text, and the audit stream contains administrator user names and source addresses, so prefer Secure TCP wherever the path to the relay crosses a network you do not control. If you select Secure TCP, you must configure Stunnel in front of the Devo Relay so that Stunnel terminates TLS and passes the decrypted logs to the relay. See the Devo documentation on integrating Stunnel with the Devo Relay.
   - Interface: at your convenience.
   - Node ID: at your convenience.
   - Source: at your convenience.
   - Severity: at your convenience.
   - Port: the Devo Relay port or the Stunnel listening port. With Transport TCP or UDP, use the Source port of the relay rules you configured previously; with Secure TCP, enter the Stunnel listening port.
   - Logging category: select "Send selected categories" and move every category you want to send to Devo into the "Selected" list. "Send selected categories" prefixes each log line with its category name, and the Devo parsers only work on prefixed Infoblox logs, which is why "Send all" is not used. Read more about Infoblox log prefixes in the Infoblox documentation.
9. Click Add; the Devo Relay now appears in the list of syslog servers.
10. Save & Close.
After saving the changes, you may be required to do a service restart for the changes to take effect. Your Infoblox appliance will start to send Syslog to your Devo Relay.
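The relay rules described above key on two things in each syslog line: the program name in the header (httpd, dhcpd, named, ntpd, ...) and, for named, the category prefix that "Send selected categories" adds. The following Python is an added example, not Devo relay or Infoblox code. It assigns the ddi.infoblox tag a line would be routed under, using a program-to-type mapping derived from the tag table on this page (an assumption about how the rules are keyed), and shows why an unprefixed named line can only land in ddi.infoblox.dns.unknown. The syslog lines are constructed, with message bodies modelled on the samples further down this page.

```python
import re

# Constructed syslog lines as an Infoblox member would send them to the relay
# (BSD syslog header, then program[pid]: message). The header shape is an
# assumption; message bodies are modelled on the samples on this page.
SAMPLE_LINES = [
    "<30>Feb 25 11:01:54 ib-grid-1 named[123]: general: all zones loaded",
    # "Send all" leaves named lines unprefixed; this one has no category.
    "<30>Feb 25 11:01:54 ib-grid-1 named[123]: client 192.168.1.20#53412: query: www.example.com IN A + (192.168.1.10)",
    "<86>Feb 25 11:01:21 ib-grid-1 httpd[]: 2021-11-19 13:47:37.743Z [admin]: Login_Allowed - - to=AdminConnector ip=192.168.189.211 auth=LOCAL group=admin-group apparently_via=GUI",
    "<30>Feb 10 09:06:32 ib-grid-1 dhcpd[123]: DHCPACK to 192.168.123.123 (ab:c1:d2:e3:fg:hi) via eth2",
    "<30>Feb 10 09:06:32 ib-grid-1 syslog-ng[77]: Configuration reload request received, reloading configuration;",
    "<30>Feb 10 09:06:32 ib-grid-1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Third tag level by program name, derived from the tag table on this page
# (assumption: the relay rules are keyed on the program name this way).
PROGRAM_TO_TYPE = {
    "serialconsole": "audit", "sshd": "audit", "httpd": "audit",
    "dhcpd": "dhcp", "validate_dhcpd": "dhcp",
    "ntpd": "nios", "ntpdate": "nios", "monitor": "nios",
    "syslog-ng": "nios", "rabbitmq_control": "nios",
}

# Category prefixes that map to a ddi.infoblox.dns.<subtype> tag.
DNS_CATEGORIES = {
    "general", "client", "config", "database", "dtc", "lame-servers", "network",
    "notify", "queries", "rate-limit", "resolver", "infoblox-responses", "rpz",
    "security", "xfer-in", "xfer-out", "update", "update-security",
}

HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                          # optional syslog PRI
    r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d "   # BSD timestamp
    r"\S+ "                                     # hostname
    r"(?P<prog>[\w.-]+)(?:\[\d*\])?: "          # program[pid]:
    r"(?P<msg>.*)$"
)


def devo_tag(line):
    """Return the ddi.infoblox.<type>.<subtype> tag a relay rule would assign."""
    m = HEADER_RE.match(line)
    if not m:
        return "ddi.infoblox.unknown.unknown"
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "named":
        # The category is only present when the syslog server is configured
        # with "Send selected categories"; without it the subtype is unknown.
        category, sep, _ = msg.partition(": ")
        if sep and category in DNS_CATEGORIES:
            return f"ddi.infoblox.dns.{category}"
        return "ddi.infoblox.dns.unknown"
    event_type = PROGRAM_TO_TYPE.get(prog)
    if event_type is None:
        return "ddi.infoblox.unknown.unknown"
    return f"ddi.infoblox.{event_type}.{prog}"


def route(lines):
    """Group lines by the tag they would be forwarded under."""
    routed = {}
    for line in lines:
        routed.setdefault(devo_tag(line), []).append(line)
    return routed


if __name__ == "__main__":
    for tag, lines in route(SAMPLE_LINES).items():
        print(f"{tag}: {len(lines)} line(s)")
```

Lines that do not match the header at all, and programs the page has no tag for (the constructed cron line), fall through to ddi.infoblox.unknown.unknown, which is the same catch-all the "DDI Infoblox - unknown" rule provides.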
Log samples
The following are sample logs sent to each of the ddi.infoblox data tables. Under each sample log you can also see how the information is parsed in the data table.

Fields marked as Extra in the tables below are not shown by default in data tables and need to be explicitly requested in the query. They are marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
ddi.infoblox.audit.httpd

Sample logs:

2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd[]: 2021-11-19 13:47:37.743Z [admin]: Login_Allowed - - to=AdminConnector ip=192.168.189.211 auth=LOCAL group=admin-group apparently_via=GUI
2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd[]: 2021-11-19 13:47:37.743Z [admin]: Called - GetMemberData message=downloaded\\040named.conf: Args message="downloaded named.conf"
2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd[]: 2021-11-19 13:47:37.743Z [admin]: Created NetworkView internal: Set extensible_attributes=[],comment="internal DNS view",name="internal"
2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd: 2022-02-10 13:03:52.091Z [admin]: shutdown node 192.168.1.17
2022-02-25 11:01:21.410 localhost=127.0.0.1 ddi.infoblox.audit.httpd: httpd: 2022-02-10 13:03:52.091Z [admin]: Deleted IdnsServer myserver2

And this is how the log would be parsed:

Field | Extra field |
---|---|
eventdate | |
hostname | |
server | |
serverdate | |
admin_user | |
action | |
object_type | |
object_name | |
message | |
srcIp | |
to | |
auth | |
admin_group | |
apparently_via | |
info | |
trigger_event | |
hostchain | ✓ |
tag | ✓ |
rawMessage | ✓ |
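The audit stream above is the one a defender cares about most, because it records every administrator login and every configuration change on the grid. The following Python is an added example, not Devo's parser or Infoblox code: it splits the audit body into the field names this page lists (admin_user, action, object_type, object_name, to, srcIp, auth, admin_group, apparently_via, info) and then runs two simple detections over the sample lines, a login from outside an assumed management network and destructive actions (Deleted, shutdown). The body layout the regex assumes is my reading of the samples, not an Infoblox specification; the management network 192.168.189.0/24 and the last sample line are constructed.

```python
import ipaddress
import re

# Audit bodies from the samples above (after the "httpd[]: " prefix). The
# last line is constructed to show a login from outside the management net.
AUDIT_SAMPLES = [
    "2021-11-19 13:47:37.743Z [admin]: Login_Allowed - - to=AdminConnector ip=192.168.189.211 auth=LOCAL group=admin-group apparently_via=GUI",
    '2021-11-19 13:47:37.743Z [admin]: Called - GetMemberData message=downloaded\\040named.conf: Args message="downloaded named.conf"',
    '2021-11-19 13:47:37.743Z [admin]: Created NetworkView internal: Set extensible_attributes=[],comment="internal DNS view",name="internal"',
    "2022-02-10 13:03:52.091Z [admin]: shutdown node 192.168.1.17",
    "2022-02-10 13:03:52.091Z [admin]: Deleted IdnsServer myserver2",
    "2022-03-01 08:00:00.000Z [admin]: Login_Allowed - - to=AdminConnector ip=203.0.113.7 auth=LOCAL group=admin-group apparently_via=GUI",  # constructed
]

# Assumed body layout (my reading of the samples):
#   <serverdate> [<admin_user>]: <action> [<object_type> [<object_name>]] [key=value ...][: <info>]
AUDIT_RE = re.compile(
    r"^(?P<serverdate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+Z) "
    r"\[(?P<admin_user>[^\]]+)\]: (?P<action>\S+)(?: (?P<rest>.*))?$"
)
# key=value names renamed to the field names this page uses.
KEY_TO_FIELD = {"ip": "srcIp", "group": "admin_group"}


def parse_audit_httpd(body):
    """Return a dict of parsed audit fields, or None if the body does not match."""
    m = AUDIT_RE.match(body)
    if not m:
        return None
    rec = {
        "serverdate": m.group("serverdate"),
        "admin_user": m.group("admin_user"),
        "action": m.group("action"),
        "object_type": None,
        "object_name": None,
        "info": None,
    }
    # Everything after the first ": " is free-form detail (the info field).
    head, sep, info = (m.group("rest") or "").partition(": ")
    if sep:
        rec["info"] = info
    positional = []
    for token in head.split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[KEY_TO_FIELD.get(key, key)] = value
        else:
            positional.append(None if token == "-" else token)  # "-" means absent
    if positional:
        rec["object_type"] = positional[0]
    if len(positional) > 1:
        rec["object_name"] = positional[1]
    return rec


MANAGEMENT_NET = ipaddress.ip_network("192.168.189.0/24")  # assumed admin network
DESTRUCTIVE_ACTIONS = {"Deleted", "shutdown"}


def audit_findings(bodies):
    """Flag admin logins from outside the management net and destructive changes."""
    findings = []
    for body in bodies:
        rec = parse_audit_httpd(body)
        if rec is None:
            findings.append(("unparsed", body))
            continue
        if rec["action"].startswith("Login_") and rec.get("srcIp"):
            try:
                outside = ipaddress.ip_address(rec["srcIp"]) not in MANAGEMENT_NET
            except ValueError:  # not an IP literal: treat as suspicious
                outside = True
            if outside:
                findings.append(("login_outside_management_net", rec["admin_user"], rec["srcIp"]))
        if rec["action"] in DESTRUCTIVE_ACTIONS:
            findings.append(("destructive_change", rec["admin_user"], rec["action"],
                             rec["object_type"], rec["object_name"]))
    return findings


if __name__ == "__main__":
    for finding in audit_findings(AUDIT_SAMPLES):
        print(finding)
```

Unparsed bodies are reported rather than dropped, so a format change on the appliance shows up as a spike of "unparsed" findings instead of a silent gap in coverage.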
ddi.infoblox.dhcp.dhcpd

Sample logs:

2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: DHCPACK to 192.168.123.123 (ab:c1:d2:e3:fg:hi) via eth2
2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: DHCPINFORM from 192.168.123.123 via 192.168.123.123
2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: DHCPDISCOVER from ab:c1:d2:e3:fg:hi via 192.168.123.123 TransID 2006c4c6: network 192.168.123.123/23: no permitted ranges with available leases
2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: DHCPRELEASE of 192.168.123.123 from ab:c1:d2:e3:fg:hi (WA605526N-BRL) via 192.168.123.123 (found) TransID 24da1881 uid ab:c1:d2:e3:fg:hi:ab:c1:d2:e3:fg:hi:ab:c1:d2:e3:fg:hi:30:38
2022-02-10 09:06:32.152 localhost=127.0.0.1 ddi.infoblox.dhcp.dhcpd: dhcpd[123]: BOOTREQUEST from ab:c1:d2:e3:fg:hi via 192.168.123.123: BOOTP from dynamic client and no dynamic leases

And this is how the log would be parsed:

Field | Source field name | Extra field |
---|---|---|
eventdate | | |
hostname | | |
server | | |
pid | | |
message_type | | |
toAddress | | |
toDeviceId | | |
fromAddress | | |
fromDeviceId | | |
ofAddress | | |
ofDeviceId | | |
onAddress | | |
onDeviceId | | |
forAddress | | |
forDeviceId | | |
via | | |
viaDeviceId | | |
TransID | | |
network | | |
uid | | |
message | | |
leaseIpAddress | onAddress, message_type, toAddress | |
leaseHardwareAddress | toDeviceId, onAddress, message_type, toAddress | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
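The dhcpd table derives leaseIpAddress and leaseHardwareAddress from different source fields depending on the message type, which is the part of this format that is easy to get wrong. The following Python is an added example, not Devo's parser or Infoblox code: it parses the "preposition address (device)" phrases of the sample bodies into the field names on this page, derives the two lease fields under my reading of the source-field lists (a DHCPACK names the leased IP after "to" and the MAC in parentheses; a DHCPOFFER names the IP after "on" and the MAC after "to"), and counts DHCPDISCOVERs that found no free lease per network, which is the signal for pool exhaustion, whether from misconfiguration or a DHCP starvation attack. The DHCPOFFER line and the second DHCPDISCOVER are constructed.

```python
import re
from collections import Counter

# DHCP bodies from the samples above (after "dhcpd[123]: "), plus two
# constructed lines: a DHCPOFFER in the ISC dhcpd format Infoblox uses, and a
# second exhausted DHCPDISCOVER from another client.
DHCP_SAMPLES = [
    "DHCPACK to 192.168.123.123 (ab:c1:d2:e3:fg:hi) via eth2",
    "DHCPINFORM from 192.168.123.123 via 192.168.123.123",
    "DHCPDISCOVER from ab:c1:d2:e3:fg:hi via 192.168.123.123 TransID 2006c4c6: network 192.168.123.123/23: no permitted ranges with available leases",
    "DHCPRELEASE of 192.168.123.123 from ab:c1:d2:e3:fg:hi (WA605526N-BRL) via 192.168.123.123 (found) TransID 24da1881 uid ab:c1:d2:e3:fg:hi:ab:c1:d2:e3:fg:hi:ab:c1:d2:e3:fg:hi:30:38",
    "BOOTREQUEST from ab:c1:d2:e3:fg:hi via 192.168.123.123: BOOTP from dynamic client and no dynamic leases",
    "DHCPOFFER on 192.168.123.50 to 00:11:22:33:44:55 (host-1) via eth2",  # constructed
    "DHCPDISCOVER from 00:11:22:33:44:55 via 192.168.123.123 TransID 1a2b3c4d: network 192.168.123.123/23: no permitted ranges with available leases",  # constructed
]

# "<prep> <address> [(<device id>)]" phrases; field names follow this page.
PHRASE_RE = re.compile(r"\b(?P<prep>to|from|of|on|for|via) (?P<addr>\S+)(?: \((?P<dev>[^)]+)\))?")
TRANSID_RE = re.compile(r"\bTransID (\S+)")
UID_RE = re.compile(r"\buid (\S+)")
NO_LEASE_MSG = "no permitted ranges with available leases"


def parse_dhcpd(body):
    """Parse one dhcpd message body into the fields listed on this page."""
    # ": " separates the address phrases from the network and free-text parts.
    # MAC addresses contain ":" but never ": ", so the split is safe.
    head, *tail = body.split(": ")
    rec = {"message_type": head.split(" ", 1)[0]}
    for m in PHRASE_RE.finditer(head):
        prep = m.group("prep")
        rec["via" if prep == "via" else prep + "Address"] = m.group("addr")
        if m.group("dev"):
            rec[prep + "DeviceId"] = m.group("dev")
    for regex, field in ((TRANSID_RE, "TransID"), (UID_RE, "uid")):
        m = regex.search(head)
        if m:
            rec[field] = m.group(1)
    for segment in tail:
        if segment.startswith("network "):
            rec["network"] = segment[len("network "):]
        else:
            rec["message"] = segment
    # Lease fields (assumption: my reading of the page's source-field lists).
    if rec["message_type"] == "DHCPACK":
        rec["leaseIpAddress"] = rec.get("toAddress")
        rec["leaseHardwareAddress"] = rec.get("toDeviceId")
    elif "onAddress" in rec:
        rec["leaseIpAddress"] = rec["onAddress"]
        rec["leaseHardwareAddress"] = rec.get("toAddress")
    return rec


def exhausted_networks(bodies):
    """Count DHCPDISCOVERs that found no free lease, per network."""
    counts = Counter()
    for body in bodies:
        rec = parse_dhcpd(body)
        if rec["message_type"] == "DHCPDISCOVER" and rec.get("message") == NO_LEASE_MSG:
            counts[rec.get("network", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    for body in DHCP_SAMPLES:
        print(parse_dhcpd(body))
    print(exhausted_networks(DHCP_SAMPLES))
```

A burst of these no-lease DHCPDISCOVERs from many distinct source MACs on one network is the classic starvation pattern; the same per-network count keyed additionally on fromAddress separates a single misbehaving client from a flood of spoofed ones.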
ddi.infoblox.dns.general

Sample logs:

2022-02-25 11:01:54.076 localhost=127.0.0.1 ddi.infoblox.dns.general: named[123]: general: Recursion client quota: used/max/soft-limit/s-over/hard-limit/h-over/low-pri = 0/0/900/0/1000/0/0
2022-02-25 11:01:54.076 localhost=127.0.0.1 ddi.infoblox.dns.general: named[123]: general: Recursion cache view "_default": size = 56928, hits = 4, misses = 3
2022-02-25 11:01:54.076 localhost=127.0.0.1 ddi.infoblox.dns.general: named[123]: general: all zones loaded
2022-02-25 11:01:54.076 localhost=127.0.0.1 ddi.infoblox.dns.general: named[123]: general: zone 0.0.127.in-addr.arpa/IN: autogenerated flag seen for unloaded zone, prioritizing its loading

And this is how the log would be parsed:

Field | Extra field |
---|---|
eventdate | |
hostname | |
server | |
pid | |
ib_category | |
message | |
quota_used | |
quota_max | |
quota_soft_limits | |
quota_s_over | |
quota_hard_limit | |
quota_h_over | |
quota_low_pri | |
dns_view | |
dns_view_size | |
dns_view_hits | |
dns_view_misses | |
zone_name | |
zone_message | |
hostchain | ✓ |
tag | ✓ |
rawMessage | ✓ |
ddi.infoblox.dns.client

And this is how the log would be parsed:

Field | Extra field |
---|---|
eventdate | |
hostname | |
server | |
pid | |
ib_category | |
message | |
action | |
name_blacklist | |
query_name | |
client_ip | |
client_object | |
port | |
dns_client_signer | |
dns_view | |
info | |
hostchain | ✓ |
tag | ✓ |
rawMessage | ✓ |
ddi.infoblox.dns.infobloxResponses

And this is how the log would be parsed:

Field | Extra field |
---|---|
eventdate | |
hostname | |
server | |
pid | |
ib_category | |
message | |
serverdate | |
client_ip | |
port | |
dns_client_signer | |
query_name | |
dns_view | |
protocol | |
class | |
type | |
response_info | |
rcode | |
flags | |
recursion | |
authoritative_answer | |
truncated_response | |
edns_opt_record | |
dnssec | |
dnssec_records_validated | |
dtc_synthetic_record | |
rr_text | |
hostchain | ✓ |
tag | ✓ |
rawMessage | ✓ |
ddi.infoblox.dns.queryErrors

And this is how the log would be parsed:

Field | Extra field |
---|---|
eventdate | |
hostname | |
server | |
pid | |
ib_category | |
message | |
client_object | |
client_ip | |
port | |
dns_client_signer | |
query_name | |
dns_view | |
info_error | |
error | |
action | |
hostchain | ✓ |
tag | ✓ |
rawMessage | ✓ |
ddi.infoblox.nios.ntpd

And this is how the log would be parsed:

Field | Extra field |
---|---|
eventdate | |
hostname | |
server | |
pid | |
message | |
hostchain | ✓ |
tag | ✓ |
rawMessage | ✓ |

ddi.infoblox.nios.monitor

And this is how the log would be parsed:

Field | Extra field |
---|---|
eventdate | |
hostname | |
server | |
pid | |
message | |
hostchain | ✓ |
tag | ✓ |
rawMessage | ✓ |