Splunk recently developed a TA for infoblox.
The TA is here: https://splunkbase.splunk.com/app/2934/#/overview
(The TA includes some panels for DNS and one for DHCP.)
Documentation is here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/About
Hi Mike, thank you for the reply; I agree on the forwarding of DNS data possibly being a bit much for an appliance.
Assuming I just want to keep my data, in this case just DHCP data, on my Splunk indexer, wouldn't that work? Far less traffic than DNS + DHCP.
Wouldn't it be possible to forward just the DHCP logs to another syslog server? How would something like this look on the Infoblox gridmaster?
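The idea of sending only the DHCP messages onward (and seeing how much smaller that stream is than DNS + DHCP) can be checked before touching the grid master. The script below is an added example for this thread, not Infoblox or Splunk code: it parses RFC 3164-style syslog lines, keeps only those whose process tag is in an allow-list, and counts messages per process so the DHCP share of the total can be measured. It assumes the DHCP daemon logs under the tag `dhcpd` and DNS under `named`; the sample lines are constructed for the example.

```python
import re
from collections import Counter

# RFC 3164-style line: optional <PRI>, timestamp, host, TAG[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Assumption: DHCP messages are tagged "dhcpd"; adjust if the appliance tags differently.
DHCP_TAGS = {"dhcpd"}


def parse_syslog(line):
    """Return a dict of syslog fields, or None if the line does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"]) if rec["pri"] is not None else None
    rec["pid"] = int(rec["pid"]) if rec["pid"] is not None else None
    return rec


def filter_dhcp(lines):
    """Keep only DHCP lines; also count every line by process tag (unparsed lines are counted too)."""
    kept, counts = [], Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[rec["proc"]] += 1
        if rec["proc"] in DHCP_TAGS:
            kept.append(line)
    return kept, counts


def dhcp_fraction(counts):
    """Share of parsed messages that came from DHCP: a rough estimate of forwarded volume."""
    parsed = sum(n for proc, n in counts.items() if proc != "unparsed")
    dhcp = sum(counts[t] for t in DHCP_TAGS)
    return dhcp / parsed if parsed else 0.0


# Constructed sample input (not real appliance output).
SAMPLE = [
    "<30>Mar  3 10:15:01 gm.example.net dhcpd[2210]: DHCPDISCOVER from 00:11:22:33:44:55 via eth1",
    "<30>Mar  3 10:15:01 gm.example.net named[1890]: client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)",
    "<30>Mar  3 10:15:01 gm.example.net dhcpd[2210]: DHCPOFFER on 10.0.0.5 to 00:11:22:33:44:55 via eth1",
    "<30>Mar  3 10:15:02 gm.example.net named[1890]: client 10.0.0.6#40001: query: mail.example.com IN MX + (10.0.0.1)",
    "<30>Mar  3 10:15:02 gm.example.net named[1890]: client 10.0.0.7#40002: query: example.com IN AAAA + (10.0.0.1)",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    kept, counts = filter_dhcp(SAMPLE)
    print(f"kept {len(kept)} DHCP lines; per-process counts: {dict(counts)}")
    print(f"DHCP share of parsed messages: {dhcp_fraction(counts):.0%}")
```

Run it against a capture of the appliance's syslog output to see what fraction of the stream a DHCP-only forward would carry; the `unparsed` counter flags lines the pattern does not recognise so they are not silently dropped.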
Please be sure that when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. I already converted your answer to a comment, so just something to keep in mind from here on out. Thanks and happy Splunking!
Infoblox does support SYSLOG. However, since this is a fairly heavyweight protocol, it does not scale well for logging of every single DNS query, which could mean multiple hundreds of thousands of messages per second.
Therefore, Infoblox came up with a new mechanism that scales better by using a highly optimized data collection mechanism in the Infoblox Reporting Forwarder. The forwarder sends that data to an Infoblox appliance, acting in an indexer role, that knows how to interpret the data and run predetermined reports.
The reporting solution can interact with the rest of the Infoblox Grid and access information found in DHCP to display in the DNS Firewall report, or access information found through network discovery in the Infoblox Network Insight appliance. You can also run searches on reporting data and export the results in CSV. And the reporting solution allows forwarding of DNS query/response data to an external destination using FTP/SCP, for example, to correlate the DNS query (or response) with other data for analytics.
Hope that helps.
-- Mike Langberg, Infoblox
Doesn't Infoblox just forward logs to a syslog/rlog server running on the gridmaster?
If this is indeed true, then how difficult would it be to simply resend to a splunk instance?
If this is doable, and I believe it is, then wouldn't it be in Infoblox's best interest to support a Splunk app?
Finally, does your statement hold true for DHCP data as well?
Thank you in advance.