We're seeing DNS events (sourcetype=infoblox:dns) where "client" has IPV6 address not getting extracted. For example, the following does not get extracted correctly -- while events with IPV4 addresses are getting extracted correctly:
2019-07-31T16:00:15+00:00 dns1.illinois.edu named[23473]: client 2001:558:fe04:a:69:252:244:142#53661 (xxxx.ad.uillinois.edu): query 'xxxx.ad.uillinois.edu/A/IN' denied
I see some add-ons have specifically addressed IPV6:
https://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Extractions
Does Infoblox add-on need this done too?
For our purposes with ipv6 I had to create a new transform and append it to the field extraction that came with the Infoblox app. After some digging I found the primary culprit to be the infoblox_dns_extract_field_16 extraction.
Since we are on Splunk Cloud this is all done in the GUI, but you can probably imagine the local/props.conf & local/transforms.conf settings that were needed behind the scenes.
#Transforms.conf
[illinois-urbana-infoblox_dns_extract_field_16]
REGEX = client\s((?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))#(\d{1,5})\:?\s[\S]+\s(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied
SOURCE_KEY = named_message
FORMAT = src_ip::$1 src_port::$2 cache_query::$3
#Props.conf
[infoblox:dns]
REPORT-dns_fields_2 = infoblox_dns_extract_field_11,infoblox_dns_extract_field_12,infoblox_dns_extract_field_13,infoblox_dns_extract_field_14,infoblox_dns_extract_field_15,infoblox_dns_extract_field_16,infoblox_dns_extract_field_17,illinois-urbana-infoblox_dns_extract_field_16
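To check the transform above against the event from the question before deploying it, here is an added Python harness (not part of the answer or of the Infoblox add-on) that runs the same REGEX over the named_message text and mirrors the FORMAT mapping. It assumes named_message is everything after "named[pid]: "; the IPv4 and "(cache)" sample lines are constructed, the IPv6 line is the one quoted in the question.

```python
import re

# REGEX from the transforms.conf stanza above, copied verbatim. Splunk evaluates it
# with PCRE; this pattern uses nothing that behaves differently under Python's re.
TRANSFORM_REGEX = re.compile(
    r"client\s((?:(?:\d{1,3}\.){3}(?:\d{1,3}))"
    r"|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)"
    r"|(?:::[\dA-Fa-f\.]{1,15})|(?:::))"
    r"#(\d{1,5})\:?\s[\S]+\s(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied"
)


def named_message(raw_event: str) -> str:
    """Assumption: the add-on's named_message field is the text after 'named[pid]: '."""
    return raw_event.split("]: ", 1)[1]


def extract_fields(msg: str):
    """Apply the transform (FORMAT = src_ip::$1 src_port::$2 cache_query::$3).

    Returns the three fields as a dict, or None when the event would not be
    extracted (which is exactly the symptom reported for IPv6 clients).
    """
    m = TRANSFORM_REGEX.search(msg)
    if not m:
        return None
    return {"src_ip": m.group(1), "src_port": m.group(2), "cache_query": m.group(3)}


# Sample 0 is the event quoted in the question; samples 1 and 2 are constructed
# to cover an IPv4 client and the optional "(cache)" marker the regex allows.
SAMPLES = [
    "2019-07-31T16:00:15+00:00 dns1.illinois.edu named[23473]: client "
    "2001:558:fe04:a:69:252:244:142#53661 (xxxx.ad.uillinois.edu): "
    "query 'xxxx.ad.uillinois.edu/A/IN' denied",
    "2019-07-31T16:00:16+00:00 dns1.illinois.edu named[23473]: client "
    "10.0.0.25#4242 (host.example.com): query 'host.example.com/A/IN' denied",
    "2019-07-31T16:00:17+00:00 dns1.illinois.edu named[23473]: client "
    "fe80::1#5353 (host.example.com): query (cache) 'host.example.com/AAAA/IN' denied",
]


def run_samples():
    """Extract every sample; a None entry means the transform missed that event."""
    return [extract_fields(named_message(ev)) for ev in SAMPLES]


if __name__ == "__main__":
    for ev, fields in zip(SAMPLES, run_samples()):
        print(named_message(ev).split("#")[0], "->", fields)
```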
The regex used by the add-on is currently limited to extract IPv4 addresses...
[dns_request]
REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)
And the regex doesn't work at all if you use NIOS 8.4.x
https://answers.splunk.com/answers/752080/splunk-add-on-for-infoblox-v110-field-extractions.html
If you have the possibility to open a case with Splunk to fix the add-on, please do it.
If you can provide more samples of logs with IPv6 addresses, I can try to fix the regex
Also -- it looks like we're still on 8.2.x (not 8.4.x).
Thanks. I did submit a support request and referenced this post.