All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add-on for Infoblox and extractions for src_ip when DNS client is IPV6

wryanthomas
Contributor
‎08-01-2019 07:02 AM

We're seeing DNS events (sourcetype=infoblox:dns) where "client" has IPV6 address not getting extracted. For example, the following does not get extracted correctly -- while events with IPV4 addresses are getting extracted correctly:

2019-07-31T16:00:15+00:00 dns1.illinois.edu named[23473]: client 2001:558:fe04:a:69:252:244:142#53661 (xxxx.ad.uillinois.edu): query 'xxxx.ad.uillinois.edu/A/IN' denied

I see some add-ons have specifically addressed IPV6:
https://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Extractions

Does Infoblox add-on need this done too?

Reply
1 Solution
Solved! Jump to solution
Solution

djl
Explorer
‎08-14-2019 03:24 AM

For our purposes with ipv6 I had to create a new transform and append it to the field extraction that came with the Infoblox app. After some digging I found the primary culprit to be the infoblox_dns_extract_field_16 extraction.

Since we are on Splunk Cloud this is all done in the GUI, but you can probably imagine the local/props.conf & local/transforms.conf settings that was needed behind the scenes.

#Transforms.conf
[illinois-urbana-infoblox_dns_extract_field_16]
REGEX = client\s((?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))#(\d{1,5})\:?\s[\S]+\s(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied
SOURCE_KEY = named_message
FORMAT = src_ip::$1 src_port::$2 cache_query::$3

#Props.conf
[infoblox:dns]
REPORT-dns_fields_2  = infoblox_dns_extract_field_11,infoblox_dns_extract_field_12,infoblox_dns_extract_field_13,infoblox_dns_extract_field_14,infoblox_dns_extract_field_15,infoblox_dns_extract_field_16,infoblox_dns_extract_field_17,illinois-urbana-infoblox_dns_extract_field_16

View solution in original post

Reply
Solved! Jump to solution
Solution

djl
Explorer
‎08-14-2019 03:24 AM

For our purposes with ipv6 I had to create a new transform and append it to the field extraction that came with the Infoblox app. After some digging I found the primary culprit to be the infoblox_dns_extract_field_16 extraction.

Since we are on Splunk Cloud this is all done in the GUI, but you can probably imagine the local/props.conf & local/transforms.conf settings that was needed behind the scenes.

#Transforms.conf
[illinois-urbana-infoblox_dns_extract_field_16]
REGEX = client\s((?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))#(\d{1,5})\:?\s[\S]+\s(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied
SOURCE_KEY = named_message
FORMAT = src_ip::$1 src_port::$2 cache_query::$3

#Props.conf
[infoblox:dns]
REPORT-dns_fields_2  = infoblox_dns_extract_field_11,infoblox_dns_extract_field_12,infoblox_dns_extract_field_13,infoblox_dns_extract_field_14,infoblox_dns_extract_field_15,infoblox_dns_extract_field_16,infoblox_dns_extract_field_17,illinois-urbana-infoblox_dns_extract_field_16
Reply
Solved! Jump to solution

chaispaquichui
Explorer
‎08-02-2019 02:04 AM

The regex used by the add-on is currently limited to extract IPv4 addresses...

[dns_request]
 REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

And the regex doesn't work at all if you use NIOS 8.4.x

https://answers.splunk.com/answers/752080/splunk-add-on-for-infoblox-v110-field-extractions.html

If you have the possibility to open a case with splunk to fix the add-on, please do it

If you can provide more samples of logs with IPv6 addresses, I can try to fix the regex

0 Karma
Reply
Solved! Jump to solution

wryanthomas
Contributor
‎08-02-2019 06:14 AM

Also -- it looks like we're still on 8.2.x (not 8.4.x).

0 Karma
Reply
Solved! Jump to solution

wryanthomas
Contributor
‎08-02-2019 05:08 AM

Thanks. I did submit a support request and referenced this post.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...