**Which operating system (including its version) are you using for hosting SC4S?** RHEL
**Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S?** Docker
**Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?** Yes, support case 3472406
**Is the issue related to the environment of the customer or a software-related issue?** Software related
**Is it related to data loss? Please explain.** Yes, data loss (events cannot be seen in Splunk)
**Protocol? Hardware specs?** The Infoblox appliance is sending syslog events over port 514 via the UDP protocol
**Last chance index/Fallback index?** sc4s
**Is the issue related to local customization?** No
**Do we have all the default indexes created?** No
**Describe the bug**
Following the reference below from the SC4S page to onboard Infoblox data, we are unable to see infoblox:threatprotect events in Splunk, whereas other events like dns/dhcp/audit can be seen with the custom index (infoblox) defined in the splunk_metadata file (see the attached sc4s_support.tar.gz).
dns/dhcp/audit events are getting mapped correctly, but there are no events for threatprotect.
**Next Steps**
Logged case #3472406 with Splunk; per their recommendation we have replaced "infoblox_nios_threat,sourcetype,infoblox:threatprotect" with "Infoblox_NIOS Threat,index,infoblox" in the splunk_metadata file.
**Observations**
threatprotect events can be seen in Splunk Dev with the index and sourcetype defined in the metadata file.
Incorrect host assignment: the host name is expected to be "048e-blox-int-ns1-lan.lmig.com" as defined in the host.csv file, but the host value is "adp".
The "adp" keyword is missing from the events as seen in Splunk.
**Raw event**
```
<26>May 3 08:53:25 10.126.2.12 threat-protect-log[37832]: adp: CEF:0|Infoblox|NIOS Threat|8.6.3-51135-1241097029df|110100900|EARLY DROP UDP query multiple questions or non query operation code|8|src=10.208.32.5 spt=44875 dst=10.126.2.16 dpt=53 act="DROP" cat="DNS Protocol Anomalies" nat=0 nfpt=0 nlpt=0 fqdn=NA hit_count=1
```
**Was the issue replicated by support?** Yes
**What is the sc4s version?** 3.19.0
SC4S Doc: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/InfoBlox/
**To Reproduce**
Following the documentation at https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/InfoBlox/, we have added the following:
splunk_metadata.csv
```csv
infoblox_nios_dns,index,infoblox
infoblox_nios_dns,sourcetype,infoblox:dns
infoblox_nios_dhcp,index,infoblox
infoblox_nios_dhcp,sourcetype,infoblox:dhcp
infoblox_nios_threat,index,infoblox
infoblox_nios_threat,sourcetype,infoblox:threatprotect
infoblox_nios_audit,index,infoblox
infoblox_nios_audit,sourcetype,infoblox:audit
infoblox_nios_fallback,index,infoblox
infoblox_nios_fallback,sourcetype,infoblox:port
```
app-vps-infoblox_nios.conf
```
# /opt/sc4s/local/config/app-parsers/app-vps-infoblox_nios.conf
# The file name provided is a suggestion; it must be globally unique
application app-vps-test-infoblox_nios[sc4s-vps] {
    filter {
        # syslog-ng glob patterns match the whole host string, so wildcards are
        # needed on both sides to match a host such as 048e-blox-int-ns1-lan.lmig.com.
        # (The pattern as originally posted was "-blox-", which only matches a host
        # named exactly "-blox-".)
        host("*-blox-*" type(glob) flags(ignore-case))
        or host("085a-ips-p*" type(glob) flags(ignore-case))
    };
    parser {
        # Tag events from the matched hosts as vendor infoblox / product nios so that
        # SC4S applies its Infoblox NIOS parsing regardless of program name detection
        p_set_netsource_fields(
            vendor('infoblox')
            product('nios')
        );
    };
};
```
host.csv
```csv
10.126.2.12,HOST,048e-blox-int-ns1-lan.lmig.com
```
**Result:**
dns/dhcp/audit events are getting mapped correctly, but there are no events for threatprotect.
**Events in Splunk**
```
threat-protect-log[37832]: CEF:0|Infoblox|NIOS Threat|8.6.3-51135-1241097029df|130506000|DNS HTTPS record TCP|4|src=10.123.3.119 spt=56021 dst=10.126.2.16 dpt=53 act="DROP" cat="DNS Message Types" nat=0 nfpt=0 nlpt=0 fqdn=substrate.office.com hit_count=1
```
Attachments: sc4s_support.tar.gz, infoblox_pcap.zip
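As an added check (example code, not part of this issue and not SC4S's or Infoblox's own parser): a stand-alone Python script that splits the threat-protect-log line quoted above into its syslog header, the "adp: " prefix, the CEF header and the CEF extensions, resolves the sending IP through a host.csv-style map, and emulates the syslog-ng `host(... type(glob) flags(ignore-case))` filter from the app-vps file. It makes the two observations in the report reproducible on the raw line: the syslog host is 10.126.2.12 (mapped to 048e-blox-int-ns1-lan.lmig.com by host.csv), and "adp" is a prefix token in front of the CEF record, not a host. The sample lines and the host.csv row are constructed copies of the ones quoted in this issue; the function names are hypothetical, and the filter emulation assumes whole-string glob matching, which is how syslog-ng's `type(glob)` behaves.

```python
import csv
import fnmatch
import io
import re

# Constructed sample input: the two threat-protect lines quoted in this issue,
# the first as sent by the appliance (with the "adp: " prefix) and the second
# as the event appeared in Splunk (prefix gone). Not a real capture.
SAMPLE_EVENTS = [
    '<26>May 3 08:53:25 10.126.2.12 threat-protect-log[37832]: adp: CEF:0|Infoblox|NIOS Threat|'
    '8.6.3-51135-1241097029df|110100900|EARLY DROP UDP query multiple questions or non query '
    'operation code|8|src=10.208.32.5 spt=44875 dst=10.126.2.16 dpt=53 act="DROP" '
    'cat="DNS Protocol Anomalies" nat=0 nfpt=0 nlpt=0 fqdn=NA hit_count=1',
    '<26>May 3 08:53:25 10.126.2.12 threat-protect-log[37832]: CEF:0|Infoblox|NIOS Threat|'
    '8.6.3-51135-1241097029df|130506000|DNS HTTPS record TCP|4|src=10.123.3.119 spt=56021 '
    'dst=10.126.2.16 dpt=53 act="DROP" cat="DNS Message Types" nat=0 nfpt=0 nlpt=0 '
    'fqdn=substrate.office.com hit_count=1',
]

# Constructed copy of the host.csv row from this issue (ip,HOST,name).
HOST_CSV = "10.126.2.12,HOST,048e-blox-int-ns1-lan.lmig.com\n"

# BSD-style header the appliance emits: <PRI>Mon d HH:MM:SS host program[pid]: message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Optional "adp: " style token that Infoblox puts in front of the CEF record.
PREFIX_RE = re.compile(r"^(?:(?P<prefix>[^\s|:]+):\s+)?(?P<cef>CEF:\d+\|.*)$")
CEF_HEADER = ("vendor", "product", "device_version", "signature_id", "name", "cef_severity")
# Infoblox quotes extension values that contain spaces (act="DROP", cat="DNS ...").
EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_threat_event(line):
    """Split one threat-protect-log syslog line into header, prefix, CEF header and extensions."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:60])
    pri = int(m.group("pri"))
    pm = PREFIX_RE.match(m.group("msg"))
    if not pm:
        raise ValueError("message does not carry a CEF record")
    parts = re.split(r"(?<!\\)\|", pm.group("cef"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header (expected 7 pipe-separated fields)")
    event = {
        "facility": pri >> 3,          # 26 -> 3 (daemon)
        "syslog_severity": pri & 7,    # 26 -> 2 (critical)
        "timestamp": m.group("ts"),
        "host": m.group("host"),       # the real sender; must not be replaced by the prefix
        "program": m.group("program"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "prefix": pm.group("prefix"),  # "adp" on the raw line, None once it has been dropped
        "cef_version": parts[0].split(":", 1)[1],
    }
    event.update(zip(CEF_HEADER, parts[1:7]))
    event["cef_severity"] = int(event["cef_severity"])
    event["extensions"] = {k: v.strip('"') for k, v in EXT_RE.findall(parts[7])}
    return event


def load_host_map(csv_text):
    """host.csv rows of the form ip,HOST,name -> {ip: name}."""
    rows = csv.reader(io.StringIO(csv_text))
    return {r[0].strip(): r[2].strip() for r in rows if len(r) >= 3 and r[1].strip().upper() == "HOST"}


def resolve_host(event, host_map):
    """Host value Splunk should receive: the host.csv name for the sending IP, else the IP itself."""
    return host_map.get(event["host"], event["host"])


def host_filter_matches(host, patterns):
    """Emulates syslog-ng host(... type(glob) flags(ignore-case)): whole-string, case-insensitive glob."""
    h = host.lower()
    return any(fnmatch.fnmatchcase(h, p.lower()) for p in patterns)


def summarize(line, host_map):
    """The fields a Splunk search over the threat-protection events would key on."""
    ev = parse_threat_event(line)
    ext = ev["extensions"]
    return {
        "host": resolve_host(ev, host_map),
        "prefix_preserved": ev["prefix"] is not None,
        "signature_id": ev["signature_id"],
        "name": ev["name"],
        "severity": ev["cef_severity"],
        "action": ext.get("act"),
        "category": ext.get("cat"),
        "src": ext.get("src"),
        "dst": ext.get("dst"),
        "fqdn": ext.get("fqdn"),
    }


if __name__ == "__main__":
    hosts = load_host_map(HOST_CSV)
    for raw in SAMPLE_EVENTS:
        print(summarize(raw, hosts))
    # Filter check: the host pattern as posted in the app-vps file vs. one with wildcards on both sides
    for pat in ("-blox-", "*-blox-*"):
        print(pat, host_filter_matches("048e-blox-int-ns1-lan.lmig.com", [pat]))
```

Running it against a full capture (one line per event from the pcap) gives a quick count of how many threat-protect events carry the prefix and which host each would resolve to, which is the comparison to make against what lands in the infoblox index. The filter check is the reason to look twice at the vps file: a bare `-blox-` glob only matches a host named exactly that, so the `048e-blox-...` host is reached by the SC4S Infoblox parser on its own rather than through this filter.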