Best thing you can do is transform the sourcetype to subtypes. I have the logs coming in as sourcetype=ipam and then split up by the log type. I have also created a dashboard to show if a record has been changed, created, or deleted and by whom. This is displayed in our NOC, so if there is an issue they can bring up this page to help troubleshoot.
Here is what I have recently created that will help get you started.
Props.conf
[ipam]
TRANSFORMS-sourcetype = ipam_named, ipam_dhcpd, ipam_python, ipam_sshd, ipam_scheduled_ftp_backups, ipam_check_scheduled_backups, ipam_monitor, ipam_httpd, ipam_validate_dhcpd
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 20
pulldown_type = true
[ipam_httpd]
EXTRACT-DeletedRecord = (?i)Deleted\s+\S+\s+(?P<DeletedRecord>[^ ]+)
EXTRACT-DeletedType = (?i) Deleted (?P<DeletedType>[^ ]+)
EXTRACT-User = (?i)\[(?P<User>\S+)(?=\])
EXTRACT-CreatedType = (?i)Created\s+(?P<CreatedType>[^\s]+)
EXTRACT-CreatedRecord = (?i)Created\s+\S+\s+(?P<CreatedRecord>[^\s]+)
EXTRACT-ModifiedType = (?i)Modified\s+(?P<ModifiedType>[^\s]+)
EXTRACT-ModifiedRecord = (?i)Modified\s+\S+\s+(?P<ModifiedRecord>[^\s]+)
Transforms.conf
[ipam_named]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+named\[)
FORMAT = sourcetype::ipam_named
[ipam_dhcpd]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+dhcpd\[)
FORMAT = sourcetype::ipam_dhcpd
[ipam_python]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+python:)
FORMAT = sourcetype::ipam_python
[ipam_sshd]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+sshd\[)
FORMAT = sourcetype::ipam_sshd
[ipam_scheduled_ftp_backups]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+scheduled_ftp_backups\[)
FORMAT = sourcetype::ipam_scheduled_ftp_backups
[ipam_check_scheduled_backups]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+check_scheduled_backups\[)
FORMAT = sourcetype::ipam_check_scheduled_backups
[ipam_monitor]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+monitor\[)
FORMAT = sourcetype::ipam_monitor
[ipam_httpd]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+httpd:)
FORMAT = sourcetype::ipam_httpd
[ipam_validate_dhcpd]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+validate_dhcpd\[)
FORMAT = sourcetype::ipam_validate_dhcpd
savedsearches.conf
[IPAM - Deleted Records Table]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
auto_summarize.timespan = 1m
dispatch.earliest_time = -24h
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = sourcetype=ipam_httpd DeletedType="*" DeletedRecord="*" | stats list(DeletedRecord) as DeletedRecord list(DeletedType) as DeletedType list(DnsView) as "Dns View" by User
I'm working on setting up an alert so when a user tries to log in that is not on the defined admin list, a ticket will be generated.
Hope this helps,
Kyle
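As an added illustration (not Kyle's code, and not how Splunk executes these stanzas internally), the following Python applies three of the transforms.conf routing regexes and the [ipam_httpd] EXTRACT-* regexes from the post above to constructed sample lines, then builds the per-user deleted-records table that the saved search produces. The dhcpd/named sample lines follow the syslog shape posted later in this thread; the httpd audit line layout is an assumption.

```python
import re
# Three of Kyle's transforms.conf stanzas as (sourcetype, REGEX); in Splunk a match sets
# MetaData:Sourcetype. The patterns are mutually exclusive, so first-match routing is enough.
TRANSFORMS = [
    ("ipam_named", r"\.\d+\s+named\["),
    ("ipam_dhcpd", r"\.\d+\s+dhcpd\["),
    ("ipam_httpd", r"\.\d+\s+httpd:"),
]

# EXTRACT-* regexes from the [ipam_httpd] props.conf stanza, copied verbatim.
HTTPD_EXTRACTS = [
    r"(?i)\[(?P<User>\S+)(?=\])",
    r"(?i) Deleted (?P<DeletedType>[^ ]+)",
    r"(?i)Deleted\s+\S+\s+(?P<DeletedRecord>[^ ]+)",
    r"(?i)Modified\s+(?P<ModifiedType>[^\s]+)",
    r"(?i)Modified\s+\S+\s+(?P<ModifiedRecord>[^\s]+)",
]

# Constructed sample events. The dhcpd/named lines follow the syslog shape posted later in
# this thread; the httpd audit lines are an assumed layout, not captured NIOS output.
SAMPLE_EVENTS = [
    "<30>Aug 21 08:03:58 192.168.1.5 dhcpd[1234]: DHCPINFORM from 192.168.1.238 via 192.168.1.1",
    "<30>Aug 21 08:05:12 192.168.1.5 named[5678]: client 192.168.1.15#16804: received notify",
    "<30>Aug 21 08:06:00 192.168.1.5 httpd: [admin]: Deleted ARecord host1.example.com",
    "<30>Aug 21 08:07:00 192.168.1.5 httpd: [jdoe]: Deleted PtrRecord 238.1.168.192.in-addr.arpa",
    "<30>Aug 21 08:07:30 192.168.1.5 httpd: [jdoe]: Modified HostRecord host2.example.com",
]

def route_sourcetype(event, default="ipam"):
    # Mirror TRANSFORMS-sourcetype: the first stanza whose REGEX matches supplies the sourcetype.
    for sourcetype, pattern in TRANSFORMS:
        if re.search(pattern, event):
            return sourcetype
    return default  # no daemon matched: the event keeps the inbound sourcetype

def extract_httpd_fields(event):
    # Apply each EXTRACT-* regex independently; a regex that does not match yields no field.
    fields = {}
    for pattern in HTTPD_EXTRACTS:
        m = re.search(pattern, event)
        if m:
            fields.update(m.groupdict())
    return fields

def deleted_records_by_user(events):
    # Same grouping as the saved search: stats list(DeletedRecord) list(DeletedType) by User
    table = {}
    for f in (extract_httpd_fields(e) for e in events if route_sourcetype(e) == "ipam_httpd"):
        if "DeletedRecord" in f:
            table.setdefault(f["User"], []).append((f["DeletedRecord"], f["DeletedType"]))
    return table
```

Run on the dhcpd line, the User regex picks up the pid inside the brackets, which is why these EXTRACT-* rules belong on the ipam_httpd sourcetype rather than on the inbound ipam one.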
There appears to be an official TA from Splunk now:
TA: https://splunkbase.splunk.com/app/2934/#/overview
Documentation: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/About

This add-on is very old and supports Infoblox NIOS 6.10, which is not in use anymore.

You could take the app for POSIX dhcpd http://apps.splunk.com/app/392/ and modify the regex slightly. Infoblox is just regular dhcpd and named plus a web GUI, so it works almost out of the box; just the log lines are a little bit different. The app is a good starting point. Also consider adding kphillipson's enhancements.
The difference is that the log entries for dhcpd etc. are of the form "dhcpd[12345]:", so you could use something like
"
[set-dhcpd-sourcetype]
REGEX=\sdhcpd[.+]:\s
DEST_KEY=MetaData:Sourcetype
FORMAT=sourcetype::dhcpd
"
and use the app.
Hope this helps

Kyle,
Did you modify the props.conf and transforms.conf files before you added the Infoblox data, or did you add the Infoblox data first and then modify the props.conf and transforms.conf files to split up by log type?
Thx
Sorry for just seeing this. I had this in before I started sending the data to Splunk. As the data comes from syslog-ng it is labeled as sourcetype=ipam. It then gets converted to the different sourcetypes depending on the daemon (i.e. dhcp, dns). I do this on a heavyweight forwarder, but you can do this on the indexer.
/Kyle
I did as you recommended, although the only difference between what came shipped and the change recommended above was:
REGEX=sdhcpd[.+]:s
I enabled syslog on my Infoblox to forward to my Splunk server on port 514 (tcp) (I am installing a syslog-ng server on another host later).
My data appears as "sourcetype = syslog", and "process = dhcpd"; nothing else unusual.
I am, however, only able to see data for "DHCP Events"; no results found for DHCP Operations, or anything reporting MAC addresses.
Examples of my logs:
<30>Aug 21 08:03:58 192.168.1.5 dhcpd[1234]: DHCPINFORM from 192.168.1.238 via 192.168.1.1 : unknown subnet for client address 192.168.1.238
<30>Aug 21 08:05:12 192.168.1.5 named[5678]: client 192.168.1.15#16804: received notify for zone '192.in-addr.arpa'
<30>Aug 21 08:05:18 192.168.1.5 dhcpd[1234]: DHCPINFORM from 192.168.1.206 via 192.168.1.1 : unknown subnet for client address 192.168.1.206
I am also getting these error messages:
The lookup table 'dhcpd_cef-lookup' does not exist. It is referenced by configuration 'dhcpd'.
The lookup table 'dhcpd_cef-lookup' does not exist. It is referenced by configuration 'syslog'.
The lookup table 'dhcpd_mac-vendorname' does not exist. It is referenced by configuration 'dhcpd'.
The lookup table 'dhcpd_mac-vendorname' does not exist. It is referenced by configuration 'syslog'.
By the way, any help on getting DNS data from Infoblox also working would be greatly appreciated.
Thank you!
I was just about to post the same thing, funny thing to have for a site that depends heavily on regex strings to be precise 🙂
Even when quoted, backslashes are removed.
Just fixed, still good for DHCP leases only.
Will modify app in ~local, and modify to send to port other than 514 in next few days.
I will report results, thank you very much.
Looks like the message board removes some of the regex strings. What is removed is the backslash before the s and the brackets [ ].
I believe the regex above, that you used, contains a typo.
Should have a \ in front of the s so....
REGEX=\sdhcpd[.+]:\s
In true regex form you would escape the "[]" as well so...
REGEX=\sdhcpd\[.+\]:\s
For DNS logs, make sure you have those options turned on in the Infoblox GUI. Also send it out a different port, say 5144, and have Splunk listen on that port so it sends it to a different index. You can also classify the sourcetype as ipam; then my props/transforms will work. I say this so if you send other syslog type data to Splunk you won't get stuff in the wrong index.
Kyle
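A quick check, added here and not part of any post in the thread, of how the dhcpd REGEX variants that appear above behave against a dhcpd line of the shape posted earlier: the board-mangled form, the form with only the `\s` escapes restored, and the fully escaped form. The digits-only variant is an added assumption, not something the thread proposes.

```python
import re

# Constructed dhcpd line in the syslog shape posted earlier in this thread.
SAMPLE_DHCPD = "<30>Aug 21 08:03:58 192.168.1.5 dhcpd[1234]: DHCPINFORM from 192.168.1.238 via 192.168.1.1"

# The dhcpd REGEX as it appears at different points in the thread, plus one assumed variant.
VARIANTS = {
    "board_mangled": r"sdhcpd[.+]:s",       # backslashes stripped by the message board
    "escaped_s_only": r"\sdhcpd[.+]:\s",    # [.+] is a character class, not a literal "["
    "fully_escaped": r"\sdhcpd\[.+\]:\s",   # matches "dhcpd[<pid>]:" as intended
    "pid_digits_only": r"\sdhcpd\[\d+\]:\s",  # assumed stricter form: only digits inside []
}

def matching_variants(event):
    # Names of the REGEX variants that would route this event to the dhcpd sourcetype.
    return [name for name, pattern in VARIANTS.items() if re.search(pattern, event)]
```

Only the two variants with escaped brackets match the sample line: restoring the backslash before the s alone still leaves `[.+]` as a character class that never matches the literal bracket after dhcpd.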
I know infoblox has an appliance that does their logging that is just a rebranding of Splunk. If you get into the CLI of the appliance you will see a Splunk tar file. I'd be interested in knowing how to simulate this. But as of now we are just doing the syslog feature.

Yes. I've written some field extractions for the Infoblox DNS server.
What exactly are you looking for?
