All Apps and Add-ons

Has anybody gotten the Splunk for DNS app to work with Infoblox?

muebel
SplunkTrust
0 Karma

TonyLeeVT
Builder

Splunk recently developed a TA for infoblox.

The TA is here: https://splunkbase.splunk.com/app/2934/#/overview
(The TA includes some panels for DNS and one for DHCP.)

Documentation is here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/About

mikelangberg
Engager

Infoblox has not created an integration between our products and Splunk for DNS, and we're not aware of anyone else having done this. Best regards. -- Mike Langberg, Infoblox

nychawk
Communicator

Hi Mike, thank you for the reply; I agree on the forwarding of DNS data possibly being a bit much for an appliance.

Assuming I just want to keep my data, in this case just DHCP data, on my Splunk indexer, wouldn't that work? Far less traffic than DNS + DHCP.

Wouldn't it be possible to forward just the DHCP logs to another syslog server? How would something like this look on the Infoblox gridmaster?

Thanks again.

0 Karma

ppablo
Retired

Hi @nychawk

Please be sure that when responding to someone's answer, you click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. I already converted your answer to a comment, so just something to keep in mind from here on out. Thanks and happy Splunking!

mikelangberg
Engager

Infoblox does support SYSLOG. However, since this is a fairly heavyweight protocol, it does not scale well for logging of every single DNS query, which could mean multiple hundreds of thousands of messages per second.

Therefore, Infoblox came up with a new mechanism that scales better by using a highly optimized data collection mechanism in the Infoblox Reporting Forwarder. The forwarder sends that data to an Infoblox appliance, acting in an indexer role, that knows how to interpret the data and run predetermined reports.

The reporting solution can interact with the rest of the Infoblox Grid and access information found in DHCP to display in the DNS Firewall report, or access information found through network discovery in the Infoblox Network Insight appliance. You can also run searches on reporting data and export the results in CSV. And the reporting solution allows forwarding of DNS query/response data to an external destination using FTP/SCP, for example, to correlate the DNS query (or response) with other data for analytics.

Hope that helps.

-- Mike Langberg, Infoblox

0 Karma

nychawk
Communicator

Mike,

Doesn't Infoblox just forward logs to a syslog/rlog server running on the gridmaster?

If this is indeed true, then how difficult would it be to simply resend to a Splunk instance?
If this is doable, and I believe it is, then wouldn't it be in Infoblox's best interest to support a Splunk app?

Finally, does your statement hold true for DHCP data as well?

Thank you in advance.

0 Karma