Had Infoblox syslog onboarded via syslog-ng, which prepended the date and hostname to each syslog event.
On the search head cluster I have the correct Splunk_TA_infoblox ver 1.1.0, and the props.conf/transforms.conf has a number of fields that should extract at search time, but nothing extracts: dns_request, dns_request_src, dns_request_record_type.
Example props.conf:
[infoblox:dns]
#Reports
REPORT-dns_extract = dns_request, dns_request_src, dns_request_record_type
REPORT-dns_extract_2 = dns_response,dns_incepted,dns_records_extract, dns_response_src,dns_response_dest, dns_response_record_type
REPORT-dns_rpz_extract = dns_rpz_cef_0
REPORT-dns_fields_1 = infoblox_dns_extract_field_0, infoblox_dns_extract_field_1, infoblox_dns_extract_field_2, infoblox_dns_extract_field_3, infoblox_dns_extract_field_4, infoblox_dns_extract_field_5,infoblox_dns_extract_field_6, infoblox_dns_extract_field_8, infoblox_dns_extract_field_9, infoblox_dns_extract_field_10
REPORT-dns_fields_2 = infoblox_dns_extract_field_11, infoblox_dns_extract_field_12, infoblox_dns_extract_field_13, infoblox_dns_extract_field_14, infoblox_dns_extract_field_15, infoblox_dns_extract_field_16, infoblox_dns_extract_field_17
REPORT-dns_rpz_fields_1 = infoblox_dns_rpz_qname_fields
Example transforms.conf:
[dns_request]
REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)
[dns_response]
REGEX = \S+\s+(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\snamed\[(?\d+)\]\:\s(?:infoblox-responses:\s)?(?\S+)\s(?\S+)\sclient\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+)?[\D]*\s(?\w+):\squery:\s(?\S+)\s(?\w+)\s(?\w+)\s(?response):\s(?\w+)\s(?\S+)\s?(?[\S+\s+]*)?
[dns_records_extract]
REGEX = (?\S+)\s(?\d+)\s(?\S+)\s(?\S+)\s(?\S+)
SOURCE_KEY = dns_record
MV_ADD = true
[dns_incepted]
REGEX = (?[^;]+)
SOURCE_KEY = dns_response_RR_in_TEXT
MV_ADD = true
[dns_request_src]
REGEX = (?.+)
SOURCE_KEY = dns_request_name_serverIP
[dns_response_src]
REGEX = (?.+)
SOURCE_KEY = dns_response_client_ip
[dns_response_dest]
REGEX = (?.+)
SOURCE_KEY = server_ip
[dns_request_record_type]
REGEX = (?.+)
SOURCE_KEY = dns_request_type_name
[dns_response_record_type]
REGEX = (?.+)
SOURCE_KEY = dns_response_type_name
Example event:
Nov 19 16:18:20 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:20.992 client X.X.X.X#58840: view 2: UDP: query: client.cldomain.net IN A response: NOERROR + client.cldomain.net. 60 IN A Y.Y.Y.Y
Does anyone have any experience with this TA, and do I need to do custom extractions instead of using the TA?
I assume you are ingesting the syslog-ng delivered logs via a UF on the system? In your monitor stanza in inputs.conf you will want to set the sourcetype to:
sourcetype=infoblox:file
(https://docs.splunk.com/Documentation/AddOns/released/Infoblox/Configureinputs)
This should correct your parsing issue.
thanks,
-pat.
I cleaned up the formatting to make this more readable.
Have you opened a support case? They are likely more able to walk you through debugging with a screen sharing session.
To clarify, you mentioned you provided example props and transforms... but those appear to be not examples, but the actual props and transforms that ship with the add-on. Can you validate this assertion?
Lastly, in the example event you provided, what portions of that string should be the fields you are missing? This information will help Splunk experts who are not Infoblox/syslog experts support your Splunk parsing challenge.
Thanks, yes, the examples are from the current props and transforms directly from the Splunk Infoblox TA.
That is why I find it odd that search-time extractions don't extract.
I've read the docs multiple times, and the TA is working correctly through the indexer tier; just the search-time extractions don't work.
Since this is a TA supported by Splunk, I'm going to go the route of a support case and real-time screen share troubleshooting.
For example, dns_response: shouldn't this look for the word "response" and then return what is found after the word?
I peeked at your support case and it appears to be moving along. It looks like the [dns_request] and [dns_response] REGEX is a bit too specific about the full string and therefore not matching all items.
For posterity of the post, let us know how this gets resolved.
Good luck!
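To see concretely why the posted event misses the [dns_response] pattern, here is an added Python check; it is not part of the thread and not code from Splunk_TA_infoblox. It rebuilds the shape of the [dns_response] REGEX quoted above (the post lost the group names, so every name used here, and the relaxed variant, are assumptions) and runs both against a constructed copy of the example event with RFC 5737 documentation addresses in place of X.X.X.X and Y.Y.Y.Y. It goes slightly beyond the thread by also splitting the answer section into records, the way [dns_incepted] and [dns_records_extract] chain off dns_response_RR_in_TEXT.

```python
import re

# Constructed sample event modeled on the one posted in the thread. The masked
# X.X.X.X / Y.Y.Y.Y addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_EVENT = (
    "Nov 19 16:18:20 INFOBLOXHOST named[18123]: 19-Nov-2019 16:18:20.992 "
    "client 192.0.2.10#58840: view 2: UDP: query: client.cldomain.net IN A "
    "response: NOERROR + client.cldomain.net. 60 IN A 198.51.100.7"
)

# Same event shaped the way the TA-style pattern below expects it: an IP in the
# syslog host position and no "view N:" segment (also constructed).
PLAIN_EVENT = (
    "Nov 19 16:18:20 203.0.113.5 named[18123]: 19-Nov-2019 16:18:20.992 "
    "client 192.0.2.10#58840: UDP: query: client.cldomain.net IN A "
    "response: NOERROR + client.cldomain.net. 60 IN A 198.51.100.7"
)

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
IPV6 = r"(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4}"
IP = f"(?:{IPV4}|{IPV6})"

# Reconstruction of the [dns_response] REGEX shape quoted in the thread. The
# group names are assumed (the post lost them); Splunk's PCRE writes them as
# (?<name>...) where Python needs (?P<name>...).
TA_STYLE_RESPONSE = re.compile(
    r"\S+\s+(?P<server_ip>" + IPV4 + r")\snamed\[(?P<pid>\d+)\]:\s"
    r"(?:infoblox-responses:\s)?(?P<date>\S+)\s(?P<time>\S+)\sclient\s"
    r"(?P<dns_response_client_ip>" + IP + r")#(?P<client_port>\d+)?[\D]*\s"
    r"(?P<protocol>\w+):\squery:\s(?P<query>\S+)\s(?P<query_class>\w+)\s"
    r"(?P<dns_response_type_name>\w+)\s(?P<keyword>response):\s"
    r"(?P<reply_code>\w+)\s(?P<flags>\S+)\s?(?P<dns_response_RR_in_TEXT>[\S+\s+]*)?"
)

# Relaxed variant (assumed): accepts any syslog host token, since syslog-ng
# writes the hostname rather than an IP, and an optional "view N:" segment
# between the client port and the protocol.
RELAXED_RESPONSE = re.compile(
    r"(?P<syslog_host>\S+)\snamed\[(?P<pid>\d+)\]:\s"
    r"(?:infoblox-responses:\s)?(?P<date>\S+)\s(?P<time>\S+)\sclient\s"
    r"(?P<dns_response_client_ip>" + IP + r")#(?P<client_port>\d+):\s"
    r"(?:view\s(?P<view>[^:\s]+):\s)?"
    r"(?P<protocol>\w+):\squery:\s(?P<query>\S+)\s(?P<query_class>\w+)\s"
    r"(?P<dns_response_type_name>\w+)\sresponse:\s(?P<reply_code>\w+)\s"
    r"(?P<flags>\S+)(?:\s(?P<dns_response_RR_in_TEXT>.*))?$"
)

# Per-record split, mirroring [dns_incepted] (split on ';') and
# [dns_records_extract] (name ttl class type data). RDATA is captured with .+
# rather than \S+ so multi-token records (MX, SOA, TXT) are not truncated.
RECORD = re.compile(
    r"(?P<name>\S+)\s(?P<ttl>\d+)\s(?P<class>\S+)\s(?P<type>\S+)\s(?P<data>.+)"
)


def check_patterns(event):
    """Report which pattern shape matches the event."""
    return {
        "ta_style": TA_STYLE_RESPONSE.search(event) is not None,
        "relaxed": RELAXED_RESPONSE.search(event) is not None,
    }


def extract_response(event):
    """Return the response fields as a dict, or None when nothing matches."""
    m = RELAXED_RESPONSE.search(event)
    return m.groupdict() if m else None


def extract_records(rr_text):
    """Split the answer section into one dict per resource record."""
    records = []
    for chunk in (rr_text or "").split(";"):
        m = RECORD.match(chunk.strip())
        if m:
            records.append(m.groupdict())
    return records


if __name__ == "__main__":
    for label, event in (("thread event", SAMPLE_EVENT), ("plain event", PLAIN_EVENT)):
        print(label, check_patterns(event))
    fields = extract_response(SAMPLE_EVENT)
    for key in ("syslog_host", "dns_response_client_ip", "view", "protocol",
                "query", "dns_response_type_name", "reply_code"):
        print(f"{key} = {fields[key]}")
    print(extract_records(fields["dns_response_RR_in_TEXT"]))
```

Two details of the posted event defeat the TA-shaped pattern: it requires an IPv4 address in the syslog host position, while the syslog-ng header carries a hostname, and it has no slot for the "view 2:" segment between the client port and the protocol. If the relaxed form is carried into a local transforms.conf, rewrite each (?P<name>...) as Splunk's (?<name>...).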
Is there a solution in place for this issue? I am facing the same issue.
Hi @PavithraSarvin,
I’m a Community Moderator in the Splunk Community.
This question was posted 5 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
Thank you!