EfficientIP DDI¶
About¶
DDI is a collective reference term that covers domain name system (DNS), dynamic host configuration protocol (DHCP), and IP address management (IPAM). DDI in networking is short for DNS-DHCP-IPAM. DNS assures the association of hostnames and IP addresses. It enables access routing to almost all applications and services to keep HTTP web traffic and network traffic flowing. DHCP provides dynamic IP address assignment for nodes logging into the network, together with configuration capability automatically inherited from the address plan tree. IPAM supports these critical technologies by enabling efficient management of IP addresses across the network. Together they make up DDI.
Product Details¶
Vendor URL: EfficientIP DDI
Product Type: DDI
Product Tier: Tier I
Integration Method: Syslog
Integration URL: N/A
Log Guide: N/A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: near 99%
Data Label: EFFICIENTIP_DDI
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| mechanism | extensions.auth.mechanism |
| "MACHINE" | extensions.auth.type |
| additional.dest.dvchost, device, dvc, inter_host, relayHostnam | intermediary.hostname |
| additional.dest.dvc_ip, dvc, inter_host, relayIp | intermediary.ip |
| data, description, type | metadata.description |
| See "Product Event Types" section | metadata.event_type |
| eventType | metadata.product_event_type |
| "DDI" | metadata.product_name |
| "EfficientIP" | metadata.vendor_name |
| application_protocol, "DHCP", "SSH" | network.application_protocol |
| "1" | network.dns.questions.class |
| query | network.dns.questions.name |
| query_type | network.dns.questions.type |
| flags | network.dns.recursion_desired |
| resp_code | network.dns.response_code |
| targetEmail | network.email.to |
| "UDP", "TCP", protocol | network.ip_protocol |
| received_bytes | network.received_bytes |
| sent_bytes | network.sent_bytes |
| sessionId | network.session_id |
| application | principal.application |
| srcHostname, dvc | principal.asset.hostname |
| client_id | principal.group.product_object_id |
| device, t_host | principal.hostname |
| ciaddr, src_ip | principal.ip |
| chaddr | principal.mac |
| "LINUX" | principal.platform |
| src_port | principal.port |
| command, comm | principal.process.command_line |
| additional.PWD, name | principal.process.file.full_path |
| pid | principal.process.pid |
| pid | principal.process.file.full_path |
| userId, "root", username, principalUser, acct | principal.user.userid |
| exe | security_result.about.process.file.full_path |
| uid | security_result.about.user.userid |
| "ALLOW", "BLOCK", action, outcome | security_result.action |
| desc, action, reason | security_result.description |
| log_level | security_result.severity |
| outcome, desc, action, hashing_algo, proto | security_result.summary |
| src_host | src.hostname |
| process, | target.application |
| json_data.resource.labels.zone | target.asset.attribute.cloud.availability_zone |
| "GOOGLE_CLOUD_PLATFORM" | target.asset.attribute.cloud.environment |
| json_data.resource.labels.project_id | target.asset.attribute.cloud.project.id |
| filepath, pwd | target.file.full_path |
| t_host, targetHostname, dvc, node | target.hostname |
| response_ip, ciaddr, targetIp, dvc, dstIp, | target.ip |
| response_port, targetPort, dstPort, | target.port |
| additional.COMMAND, command, process, | target.process.command_line |
| additional.TTY, additional.file_name, dev | target.process.file.full_path |
| additional.dest_process_id, pid, | target.process.pid |
| _ResourceId, instance_id, json_data.resource.labels.instance_id | target.resource.id |
| json_data.labels.compute.googleapis.com/resource_name | target.resource.name |
| "VIRTUAL_MACHINE" | target.resource.resource_type |
| additional.duser, username, | target.user.userid |
Product Event Types¶
| Description | metadata.event_type |
|---|---|
| Default and failover if missing DHCP/DNS fields | GENERIC_EVENT |
| If log is DHCP event | NETWORK_DHCP |
| If log doesn't match known filters | NETWORK_UNCATEGORIZED |
Log Sample¶
<30>Jan 31 01:23:45 intermediary1 dhcpd[62794]: DHCPREQUEST for 10.31.12.100 from a1:b2:c3:d4:e5:f6 via 10.31.12.1
Sample Parsing¶
metadata.event_timestamp.seconds = 1643592225
metadata.event_type = NETWORK_DHCP
metadata.product_name = "Linux DHCP"
principal.process.pid = "62794"
principal.ip = "10.31.12.100"
principal.application = "dhcpd"
intermediary.hostname = "intermediary1"
network.direction = INBOUND
network.ip_protocol = UDP
network.application_protocol = DHCP
network.dhcp.ciaddr = "10.31.12.100"
network.dhcp.giaddr = "10.31.12.1"
network.dhcp.chaddr = "a1:b2:c3:d4:e5:f6"
network.dhcp.type = REQUEST
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon