Infoblox¶
About¶
Infoblox is a privately held IT automation and security company based in California's Silicon Valley. The company focuses on managing and identifying devices connected to networks, specifically for the Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP address management (IPAM).
Infoblox NIOS is the company's on-premises platform for automating DNS, DHCP and IPAM (together, DDI) and for simplifying complex, dynamic network services for any size.
Product Details¶
Vendor URL: Infoblox | Cloud-First Security & Networking
Product Type: DNS, DHCP
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Configuring Syslog Forwarding - Infoblox Documentation Portal
Log Guide: Infoblox Log Guide
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 75%
Data Label: INFOBLOX
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
_q | network.dns.questions |
act | metadata.product_event_type |
app | metadata.product_event_type |
cat | metadata.description |
dhost | target.hostname |
dhost | target.ip |
dipaddress | target.ip |
dpt | target.port |
dvc | src.ip |
dvchost | src.hostname |
ipaddress | principal.ip |
msg | metadata.description |
msg_json_log.additional.0.value | principal.hostname |
msg_json_log.metadata.description | metadata.description |
msg_json_log.metadata.product_name | metadata.product_name |
msg_json_log.metadata.product_version | metadata.product_version |
msg_json_log.metadata.vendor_name | metadata.vendor_name |
prod_version | metadata.product_version |
product | metadata.product_name |
rule_name | security_result.summary |
ruleID | security_result.rule_id |
shost | principal.hostname |
shost | principal.ip |
spt | principal.port |
vendor | metadata.vendor_name |
Product Event Types¶
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
Default | | GENERIC_EVENT | |
Login_success | | USER_LOGIN | |
Log Sample¶
<28>Dec 1 15:23:47 OBSERVER.DOMAIN.COM hostservice: 410 Login_success, Username: john.doe, Src: hostname1.SUBDOMAIN.US.DOMAIN.COM, Src IP: 10.11.11.49, Dst IFace: default, Dst IP: 10.12.12.129, Src Port: 65384, Dst Port: 22, Ver: SSH-2.0-OpenSSH_5.2 Secure_Shell-v6, Session-Id: 1234
Sample Parsing¶
metadata.event_timestamp = "2021-12-01T15:23:47Z"
metadata.event_type = "USER_LOGIN"
metadata.product_event_type = "Login_success"
metadata.description = "SSH-2.0-OpenSSH_5.2 Secure_Shell-v6"
metadata.ingested_timestamp = "2021-12-01T19:23:49.914177Z"
additional.Dst IFace = "default"
additional.Session-Id = "1234"
principal.hostname = "hostname1"
principal.user.userid = "john.doe"
principal.ip = "10.11.11.49"
principal.port = 65384
principal.administrative_domain = "SUBDOMAIN.US.DOMAIN.COM"
principal.application = "SSH-2.0-OpenSSH_5.2"
principal.namespace = "DOMAIN"
principal.asset.ip = "10.11.11.49"
target.ip = "10.12.12.129"
target.port = 22
target.namespace = "DOMAIN"
target.asset.ip = "10.12.12.129"
observer.hostname = "OBSERVER.DOMAIN.COM"
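The sample parsing above is the output of the vendor-side parser; the script below is an added example, not Infoblox's or the parser's own code, that reproduces the same field mapping in Python so the behaviour can be checked offline. It splits the BSD-syslog header (PRI, timestamp, observer host, process) from the `Key: value` body, derives hostname and administrative_domain from the `Src` FQDN exactly as the sample shows, and adds two checks the page does not spell out: the syslog year is supplied by the caller because the BSD timestamp has none (the page's sample takes 2021 from the ingestion time), and an address field that does not hold a valid IP is placed in `.hostname` rather than `.ip`, mirroring the dual `dhost`/`shost` mappings in the UDM table. The `principal.namespace`/`target.namespace` value is not derived here because the page does not state where "DOMAIN" comes from. The log line is the page's own sample embedded as a constructed constant; the event-type table is the page's (Login_success to USER_LOGIN, anything else to GENERIC_EVENT).

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed input: the page's log sample, embedded so the script runs offline.
SAMPLE = (
    "<28>Dec 1 15:23:47 OBSERVER.DOMAIN.COM hostservice: 410 Login_success, "
    "Username: john.doe, Src: hostname1.SUBDOMAIN.US.DOMAIN.COM, Src IP: 10.11.11.49, "
    "Dst IFace: default, Dst IP: 10.12.12.129, Src Port: 65384, Dst Port: 22, "
    "Ver: SSH-2.0-OpenSSH_5.2 Secure_Shell-v6, Session-Id: 1234"
)

# Product event types taken from the page's table; unknown types fall back to GENERIC_EVENT.
EVENT_TYPES = {"Login_success": "USER_LOGIN"}

# BSD-syslog header: <PRI>Mmm dd HH:MM:SS host process: body
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^:\s]+): "
    r"(?P<body>.*)$"
)


def syslog_pri(pri):
    """Decode the <PRI> value into (facility, severity); <28> is daemon(3)/warning(4)."""
    return divmod(int(pri), 8)


def parse_body(body):
    """Split '410 Login_success, Username: john.doe, ...' into (code, event, {field: value})."""
    parts = [p.strip() for p in body.split(", ")]
    code, _, event = parts[0].partition(" ")
    fields = {}
    for part in parts[1:]:
        key, sep, value = part.partition(": ")  # first ': ' only; values may contain spaces
        if sep:
            fields[key] = value
    return code, event, fields


def put_address(udm, prefix, value):
    """Place a value in <prefix>.ip/.asset.ip only if it is a valid IP, else in <prefix>.hostname."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        udm[prefix + ".hostname"] = value
        return
    udm[prefix + ".ip"] = value
    udm[prefix + ".asset.ip"] = value


def to_udm(line, year=2021):
    """Map one Infoblox syslog line to the flat UDM keys shown in the page's sample parsing.

    `year` is an assumption: BSD syslog timestamps carry none, so the caller must supply it
    (the page's sample uses the ingestion year, 2021).
    """
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line: %r" % line)
    # Collapse the double space of single-digit days ("Dec  1") and parse with the supplied
    # year up front, so a Feb 29 line is not rejected against strptime's default year 1900.
    ts_text = re.sub(r" +", " ", m["ts"])
    ts = datetime.strptime("%d %s" % (year, ts_text), "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    _code, event, f = parse_body(m["body"])

    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": EVENT_TYPES.get(event, "GENERIC_EVENT"),
        "metadata.product_event_type": event,
        "observer.hostname": m["host"],
    }
    if "Username" in f:
        udm["principal.user.userid"] = f["Username"]
    if "Src" in f:
        # 'hostname1.SUBDOMAIN.US.DOMAIN.COM' -> hostname1 / SUBDOMAIN.US.DOMAIN.COM
        host, _, domain = f["Src"].partition(".")
        udm["principal.hostname"] = host
        if domain:
            udm["principal.administrative_domain"] = domain
    if "Src IP" in f:
        put_address(udm, "principal", f["Src IP"])
    if "Dst IP" in f:
        put_address(udm, "target", f["Dst IP"])
    if "Src Port" in f:
        udm["principal.port"] = int(f["Src Port"])
    if "Dst Port" in f:
        udm["target.port"] = int(f["Dst Port"])
    if "Ver" in f:
        udm["metadata.description"] = f["Ver"]
        udm["principal.application"] = f["Ver"].split(" ")[0]  # first token, as in the sample
    for key in ("Dst IFace", "Session-Id"):
        if key in f:
            udm["additional." + key] = f[key]
    return udm


if __name__ == "__main__":
    for k, v in sorted(to_udm(SAMPLE).items()):
        print("%s = %r" % (k, v))
```

A quick way to use this against a real feed is to replace `SAMPLE` with lines read from the syslog collector and compare the keys produced with the page's expected mapping; any `Login_success` line whose `Src IP` is not a literal address will surface as `principal.hostname` rather than silently producing an empty `principal.ip`.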
Parser Alerting¶
This product currently does not have any parser-based alerting.
Rules¶
Coming Soon