Collect Infoblox logs

Supported in:

Google secops SIEM

This document describes how you can collect Infoblox logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the INFOBLOX_DNS ingestion label.

Configure Infoblox

Sign in to the Infoblox web UI.
In the Infoblox web UI, select System > System properties editor > Monitoring.
Select the Log to external syslog servers checkbox.
In the External syslog servers section, click the plus (+) sign to add a new syslog server for the Google Security Operations forwarder.
In the Address field, enter the Google Security Operations forwarder server IP address.
In the Transport list, select either TCP or UDP.
In the Port field, enter the port number.
In the Node ID list, select LAN to include the Infoblox IP in the syslog header.
From the Available list, select the following and move them to the Selected list:
- DNS queries
- DNS responses
- DHCP process

The Infoblox server forwards the query and response logs using syslog to the Google Security Operations forwarder.

Configure Google Security Operations forwarder and syslog to ingest Infoblox logs

Select SIEM Settings > Forwarders.
Click Add new forwarder.
Enter a unique name in the Forwarder name field.
Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
In the Collector name field, enter a unique name for the collector.
Select Infoblox as the Log type.
Select Syslog as the Collector type.
Configure the following input parameters:
- Protocol: specify the connection protocol the collector will use to listen for syslog data.
- Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts Infoblox DNS logs in either SYSLOG or CEF format, normalizing them into UDM. It handles various log formats using grok patterns, extracts key fields like source or destination IP, DNS query details, and security information, and maps them to the appropriate UDM fields.

UDM mapping table

Log Field	UDM Mapping	Logic
`agent.hostname`	`principal.hostname`	For CEF formatted logs, if `agent.hostname` exists, it's mapped to `principal.hostname`.
`client_ip`	`principal.ip`	For CEF formatted logs, if `client_ip` exists, it's mapped to `principal.ip`.
`client_port`	`principal.port`	For CEF formatted logs, if `client_port` exists, it's mapped to `principal.port`.
`data`	`answers.data`	Extracted from the `data` field of the `answers` section in the raw log. Multiple occurrences are mapped as separate `answers` objects.
`description`	`metadata.description`	Mapped directly from the raw log's `description` field or extracted using grok patterns from other fields like `message` and `msg2`.
`dest_ip1`	`target.ip`	Extracted from the raw log and mapped to `target.ip`.
`destinationDnsDomain`	`dns_question.name`	For CEF formatted logs, if `destinationDnsDomain` exists, it's mapped to `dns_question.name`.
`dns_class`	`dns_question.class`	Mapped using the `dns_query_class_mapping.include` lookup table.
`dns_domain`	`dns_question.name`	Extracted from the raw log's `message` field using grok patterns and mapped to `dns_question.name`.
`dns_name`	`dns_question.name`	Extracted from the `dns_domain` field using grok patterns and mapped to `dns_question.name`.
`dns_records`	`answers.data`	For CEF formatted logs, if `dns_records` exists, it's mapped to `answers.data`. Multiple occurrences are mapped as separate `answers` objects.
`dst_ip`	`target.ip` or `target.hostname`	Extracted from the raw log's `message` field using grok patterns. If it's a valid IP address, it's mapped to `target.ip`; otherwise, it's mapped to `target.hostname`.
`dst_ip1`	`target.ip` or `target.hostname`	Extracted from the raw log's `message` or `msg2` field using grok patterns. If it's a valid IP address, it's mapped to `target.ip`; otherwise, it's mapped to `target.hostname`. Only mapped if different from `dst_ip`.
`evt_type`	`metadata.product_event_type`	Mapped directly from the raw log's `evt_type` field, which is extracted from the `message` field using grok patterns.
`InfobloxB1OPHIPAddress`	`principal.ip`	For CEF formatted logs, if `InfobloxB1OPHIPAddress` exists, it's mapped to `principal.ip`.
`InfobloxB1Region`	`principal.location.country_or_region`	For CEF formatted logs, if `InfobloxB1Region` exists, it's mapped to `principal.location.country_or_region`.
`InfobloxDNSQType`	`dns_question.type`	For CEF formatted logs, if `InfobloxDNSQType` exists, it's mapped to `dns_question.type`.
`intermediary`	`intermediary.ip` or `intermediary.hostname`	Extracted from the raw log's `message` field using grok patterns. If it's a valid IP address, it's mapped to `intermediary.ip`; otherwise, it's mapped to `intermediary.hostname`.
`msg2`	`metadata.description`, `dns.response_code`, `dns_question.name`, `target.ip`, `target.hostname`, `answers.name`, `answers.ttl`, `answers.data`, `answers.class`, `answers.type`, `security_result.severity`	Extracted from the raw log's `message` field using grok patterns. Used for extracting various fields but not directly mapped to UDM.
`name1`	`answers.name`	Extracted from the raw log's `msg2` field using grok patterns and mapped to `answers.name`.
`name2`	`answers.name`	Extracted from the raw log's `msg2` field using grok patterns and mapped to `answers.name`.
`protocol`	`network.ip_protocol`	Mapped directly from the raw log's `protocol` field if it matches known protocols.
`qclass`	`dns_question.class`	Intermediate field used for mapping `dns_class` to UDM.
`qclass1`	`answers.class`	Intermediate field used for mapping `dns_class1` to UDM.
`qclass2`	`answers.class`	Intermediate field used for mapping `dns_class2` to UDM.
`query_type`	`dns_question.type`	Mapped using the `dns_record_type.include` lookup table.
`query_type1`	`answers.type`	Mapped using the `dns_record_type.include` lookup table.
`query_type2`	`answers.type`	Mapped using the `dns_record_type.include` lookup table.
`recursion_flag`	`network.dns.recursion_desired`	If the `recursion_flag` contains a "+", it's mapped to `network.dns.recursion_desired` as true.
`record_type`	`dns_question.type`	Intermediate field used for mapping `query_type` to UDM.
`record_type1`	`answers.type`	Intermediate field used for mapping `query_type1` to UDM.
`record_type2`	`answers.type`	Intermediate field used for mapping `query_type2` to UDM.
`res_code`	`network.dns.response_code`	Mapped using the `dns_response_code.include` lookup table.
`response_code`	`network.dns.response_code`	For CEF formatted logs, if `response_code` exists, it's mapped to `network.dns.response_code` using the `dns_response_code.include` lookup table.
`security_action`	`security_result.action`	Derived from the `status` field. If `status` is "denied", `security_action` is set to "BLOCK"; otherwise, it's set to "ALLOW".
`severity`	`security_result.severity`	For CEF formatted logs, if `severity` exists and is "informational", it's mapped to `security_result.severity` as "INFORMATIONAL".
`src_host`	`principal.hostname`	Extracted from the raw log's `description` or `message` field using grok patterns and mapped to `principal.hostname`.
`src_ip`	`principal.ip` or `principal.hostname`	Extracted from the raw log's `message` field using grok patterns. If it's a valid IP address, it's mapped to `principal.ip`; otherwise, it's mapped to `principal.hostname`.
`src_port`	`principal.port`	Extracted from the raw log's `message` field using grok patterns and mapped to `principal.port`.
`ttl1`	`answers.ttl`	Extracted from the raw log's `msg2` field using grok patterns and mapped to `answers.ttl`.
`ttl2`	`answers.ttl`	Extracted from the raw log's `msg2` field using grok patterns and mapped to `answers.ttl`.
`metadata.event_type`	`metadata.event_type`	Derived from various fields and parser logic. Defaults to `GENERIC_EVENT` if no other event type is identified. Possible values include `NETWORK_DNS`, `NETWORK_CONNECTION`, and `STATUS_UPDATE`.
`metadata.log_type`	`metadata.log_type`	Set to "INFOBLOX_DNS" by the parser.
`metadata.product_name`	`metadata.product_name`	Set to "Infoblox DNS" by the parser.
`metadata.vendor_name`	`metadata.vendor_name`	Set to "INFOBLOX" by the parser.
`metadata.product_version`	`metadata.product_version`	Extracted from CEF messages.
`metadata.event_timestamp`	`metadata.event_timestamp`	Copied from the `timestamp` field.
`network.application_protocol`	`network.application_protocol`	Set to "DNS" if the `event_type` is not "GENERIC_EVENT" or "STATUS_UPDATE".

Need more help? Get answers from Community members and Google SecOps professionals.