Infoblox Trinzic appliances are hardware devices that form the foundation of an organization’s network services and reporting solutions. You can configure this event source to send both DHCP and DNS logs.
Configure DHCP Logs
Before you can configure the InsightIDR event source, you must configure the NIOS appliance to forward its syslog messages to the InsightIDR Collector, which acts as the external syslog server.
- From the "Grid" tab, select the Grid Manager > Members tab, and then click Grid Properties > Edit from the Toolbar.
- In the Grid Properties editor, select the Monitoring tab.
- In the "Syslog" section, specify the maximum size for a syslog file. Enter a value between 10 and 300. The default is 300.
- Check the Log to External Syslog Servers checkbox.
- Click the + button to add a new server.
- In the “Address” field, enter the IP address of the InsightIDR collector.
- In the “Transport” field, select whether to send logs over TCP or UDP. UDP syslog is neither reliable nor encrypted, so prefer TCP if you intend to encrypt the stream to the Collector.
- From the “Interface” dropdown, select the appliance interface from which the syslog messages are sent.
- From the “Source” dropdown, select which syslog messages the appliance forwards to the Collector.
- In the “Port” field, enter the port the Collector will listen on for these logs. It must match the port you configure for the InsightIDR event source later.
- From the “Severity” dropdown, select the severity filter you want in your logs. The filter options are the following:
- emerg - Panic or emergency conditions. The system may be unusable.
- alert - Alerts, such as NTP service failures, that require immediate actions.
- crit - Critical conditions, such as hardware failures.
- err - Error messages, such as client update failures and duplicate leases.
- warning - Warning messages, such as missing keepalive options in a server configuration.
- notice - Informational messages regarding routine system events, such as “starting BIND”.
- info - Informational messages, such as DHCPACK messages and discovery status.
- debug - Messages that contain information for debugging purposes, such as changes in latency.
- Check the Copy Audit Log Messages to Syslog checkbox to include audit log messages in what the appliance sends to the syslog server.
- Select an option from the Syslog Facility dropdown. The facility value tags the forwarded messages with the process or daemon category they are attributed to, so the receiver can route them.
- Click the Save & Close button to save the configuration and click the Restart button if it appears at the top of the screen.
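To see what the settings above actually control on the wire, the following added example (not part of the InsightIDR or Infoblox documentation) parses syslog lines the way a receiver such as the Collector would: it splits the `<PRI>` prefix into the facility and severity the NIOS dropdowns select, applies a standard syslog severity threshold, and extracts the fields from ISC dhcpd DHCPACK lines and BIND query-log lines, which is what NIOS emits for DHCP and DNS. The sample lines are constructed for this example and modelled on those formats; real lines will differ in host names and details, and the assumption that the NIOS severity filter forwards the selected level and everything more severe is the standard syslog semantics, not something this page states.

```python
"""Parse syslog lines as a NIOS appliance would forward them to a Collector.

Added example, not code from the InsightIDR or Infoblox documentation. The
SAMPLE_LINES below are constructed, modelled on ISC dhcpd and BIND formats.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Syslog severity numbers 0..7, in the same order as the NIOS "Severity" dropdown.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility numbers: local0..local7 are 16..23; a few common system facilities too.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
FACILITIES.update({0: "kern", 1: "user", 3: "daemon"})

PRI_RE = re.compile(r"^<(\d{1,3})>")
DHCPACK_RE = re.compile(
    r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))? via (\S+)"
)
DNS_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\S+)#(\d+)(?: \([^)]*\))?: query: (\S+) (\S+) (\S+)"
)

# Constructed sample input: facility local0 (16), severities info/info/err/debug.
SAMPLE_LINES = [
    "<134>Mar 3 10:15:22 nios-member dhcpd[2210]: DHCPACK on 10.20.30.41 to "
    "00:50:56:ab:cd:ef (ws-finance-07) via eth1",
    "<134>Mar 3 10:15:23 nios-member named[1875]: client 10.20.30.41#53211 "
    "(login.example.com): query: login.example.com IN A + (10.20.30.1)",
    "<131>Mar 3 10:15:24 nios-member dhcpd[2210]: Duplicate lease for 10.20.30.41",
    "<135>Mar 3 10:15:25 nios-member named[1875]: debug: latency 12ms",
]


@dataclass
class Event:
    facility: str
    severity: str
    kind: str      # "dhcp", "dns" or "other"
    fields: dict


def parse_pri(line: str) -> tuple[int, int]:
    """Split the <PRI> prefix into (facility, severity); PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def parse_event(line: str) -> Event:
    """Classify one forwarded line as a DHCP lease, a DNS query, or other."""
    fac, sev = parse_pri(line)
    body = line[line.index(">") + 1:]
    if m := DHCPACK_RE.search(body):
        kind, fields = "dhcp", {"ip": m.group(1), "mac": m.group(2),
                                "hostname": m.group(3), "iface": m.group(4)}
    elif m := DNS_QUERY_RE.search(body):
        kind, fields = "dns", {"client": m.group(1), "port": int(m.group(2)),
                               "qname": m.group(3), "qclass": m.group(4),
                               "qtype": m.group(5)}
    else:
        kind, fields = "other", {}
    return Event(FACILITIES.get(fac, str(fac)), SEVERITIES[sev], kind, fields)


def passes_filter(event: Event, threshold: str) -> bool:
    """Standard syslog threshold (assumed to match the NIOS dropdown): keep the
    selected severity and anything more severe, drop anything less severe."""
    return SEVERITIES.index(event.severity) <= SEVERITIES.index(threshold)


def summarize(lines: list[str], threshold: str = "info") -> dict[str, int]:
    """Count what survives the severity filter, by event kind."""
    counts = {"dhcp": 0, "dns": 0, "other": 0, "filtered": 0}
    for line in lines:
        ev = parse_event(line)
        if not passes_filter(ev, threshold):
            counts["filtered"] += 1
            continue
        counts[ev.kind] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_event(line))
    print(summarize(SAMPLE_LINES, "info"))
```

With the threshold set to "info", the debug line is dropped and the other three are kept, which is the effect of choosing "info" in the Severity dropdown: you still receive DHCPACK and query events, but not the debug chatter. Selecting "debug" instead would forward everything, at the cost of volume on the Collector.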
With this configuration, InsightIDR parses the Infoblox Trinzic event source as both DHCP and DNS.
If you ONLY want to send DNS logs, configure this event source as a DNS event source, following the instructions below.
However, if you configure Infoblox Trinzic as a DHCP event source (which already parses DNS) and also configure a separate DNS event source, your DNS events will be duplicated.
Configure DNS Logs
Infoblox Trinzic also supports DNS logs on their own. For a DNS-only integration, however, you must send the DNS logs through the Infoblox Data Connector, using these instructions: https://docs.infoblox.com/display/BloxOneThreatDefense/Data+Connector
Follow the instructions to:
- Install the Infoblox Data Connector
- Deploy the Infoblox Data Connector
You do not need to follow the instructions for the SIEM Integration.
When deploying the Data Connector, configure the external server as your InsightIDR Collector.
For further details, see their deployment guide for Implementing Infoblox Data Connector 2.0 here: https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-implementing-infoblox-data-connector-2.pdf.
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the DHCP icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Configure any Advanced Event Source Settings.
- Set the inactivity timeout threshold, in minutes.
- Select a collection method.
- If you chose TCP, optionally encrypt the event source by downloading the Rapid7 certificate. Use the same transport and port you configured on the NIOS appliance.
- Click Save.