
Missing infoblox:threatprotect events in Splunk #2459

Open
bx00365 opened this issue May 13, 2024 · 0 comments
bx00365 commented May 13, 2024

Was the issue replicated by support? Yes

**What is the sc4s version?** 3.19.0

Which operating system (including its version) are you using for hosting SC4S? RHEL

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? Docker

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? Yes, support case 3472406

**Is the issue related to the environment of the customer or Software related issue?** Software Related

Is it related to Data loss, please explain? Yes, data loss (events cannot be seen in Splunk)

Protocol? Hardware specs? Infoblox Appliance is sending syslog events over port 514 via the UDP protocol

**Last chance index/Fallback index?** sc4s

Is the issue related to local customization? No

**Do we have all the default indexes created?** No

Describe the bug

Following the reference below from the SC4S page to onboard Infoblox data, we are unable to see infoblox:threatprotect events in Splunk, whereas other events like dns/dhcp/audit can be seen with the custom index (infoblox) defined in the splunk_metadata file.
sc4s_support.tar.gz

SC4S Doc: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/InfoBlox/

To Reproduce
Following the documentation at https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/InfoBlox/ we have added the following:

splunk_metadata.csv

infoblox_nios_dns,index,infoblox
infoblox_nios_dns,sourcetype,infoblox:dns
infoblox_nios_dhcp,index,infoblox
infoblox_nios_dhcp,sourcetype,infoblox:dhcp
infoblox_nios_threat,index,infoblox
infoblox_nios_threat,sourcetype,infoblox:threatprotect
infoblox_nios_audit,index,infoblox
infoblox_nios_audit,sourcetype,infoblox:audit
infoblox_nios_fallback,index,infoblox
infoblox_nios_fallback,sourcetype,infoblox:port

app-vps-infoblox_nios.conf

#/opt/sc4s/local/config/app-parsers/app-vps-infoblox_nios.conf
#File name provided is a suggestion it must be globally unique

application app-vps-test-infoblox_nios[sc4s-vps] {
    filter {
        host("-blox-" type(glob) flags(ignore-case))
        or host("085a-ips-p*" type(glob) flags(ignore-case))
    };
    parser {
        p_set_netsource_fields(
            vendor('infoblox')
            product('nios')
        );
    };
};

host.csv
10.126.2.12,HOST,048e-blox-int-ns1-lan.lmig.com

Result:

dns/dhcp/audit events are mapped correctly, but there are no events for threatprotect.

Next Steps

Logged case #3472406 with Splunk; per their recommendation we have replaced "infoblox_nios_threat,sourcetype,infoblox:threatprotect" with "Infoblox_NIOS Threat,index,infoblox" in the splunk_metadata file.

Observations

  1. threatprotect events can be seen in Splunk Dev with the index and sourcetype defined in the metadata file.
  2. Incorrect host assignment: the host name is expected to be "048e-blox-int-ns1-lan.lmig.com" as defined in the host.csv file, but the host value is "adp".
  3. The "adp" keyword is missing from the events as seen in Splunk.

Raw event
<26>May 3 08:53:25 10.126.2.12 threat-protect-log[37832]: adp: CEF:0|Infoblox|NIOS Threat|8.6.3-51135-1241097029df|110100900|EARLY DROP UDP query multiple questions or non query operation code|8|src=10.208.32.5 spt=44875 dst=10.126.2.16 dpt=53 act="DROP" cat="DNS Protocol Anomalies" nat=0 nfpt=0 nlpt=0 fqdn=NA hit_count=1

_Events in Splunk_

threat-protect-log[37832]: CEF:0|Infoblox|NIOS Threat|8.6.3-51135-1241097029df|130506000|DNS HTTPS record TCP|4|src=10.123.3.119 spt=56021 dst=10.126.2.16 dpt=53 act="DROP" cat="DNS Message Types" nat=0 nfpt=0 nlpt=0 fqdn=substrate.office.com hit_count=1


infoblox_pcap.zip
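As an added example (not SC4S code and not the reporter's), the parser below takes the raw threat-protect line quoted above, splits the RFC 3164 header, records whether the `adp:` prefix was present, decodes the CEF header and extensions, and applies the host.csv mapping from the report; the sample line and mapping are copied from this issue.

```python
import re
from typing import Any, Dict

# Sample input constructed from the raw event quoted in the issue.
RAW_EVENT = (
    '<26>May 3 08:53:25 10.126.2.12 threat-protect-log[37832]: adp: CEF:0|Infoblox|NIOS Threat|'
    '8.6.3-51135-1241097029df|110100900|EARLY DROP UDP query multiple questions or non query '
    'operation code|8|src=10.208.32.5 spt=44875 dst=10.126.2.16 dpt=53 act="DROP" '
    'cat="DNS Protocol Anomalies" nat=0 nfpt=0 nlpt=0 fqdn=NA hit_count=1'
)
# host.csv row from the issue: source IP -> expected host value
HOST_CSV = {"10.126.2.12": "048e-blox-int-ns1-lan.lmig.com"}

# RFC 3164-style header as the appliance emits it: <PRI>Mon D HH:MM:SS host program[pid]: message
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
CEF_HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# CEF extension: key=value, value either double-quoted (may contain spaces) or a bare token
EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_threat_protect(line: str) -> Dict[str, Any]:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    ev: Dict[str, Any] = m.groupdict()
    pri = int(ev.pop("pri"))
    ev["facility"], ev["syslog_severity"] = divmod(pri, 8)
    # Resolve the host the way host.csv intends; the original header host is kept for audit.
    ev["source_host"] = ev["host"]
    ev["host"] = HOST_CSV.get(ev["host"], ev["host"])
    msg = ev.pop("msg")
    # The appliance prefixes threat-protect payloads with "adp: "; keep a flag so a pipeline
    # that drops the prefix (as the issue observes in Splunk) can be spotted downstream.
    ev["adp_prefix"] = msg.startswith("adp: ")
    if ev["adp_prefix"]:
        msg = msg[len("adp: "):]
    if not msg.startswith("CEF:"):
        raise ValueError("payload is not CEF")
    # Seven pipe-delimited header fields; everything after the seventh pipe is the extension.
    parts = msg[len("CEF:"):].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER, parts[:7]))
    header["version"] = int(header["version"])
    header["severity"] = int(header["severity"])
    ev["cef"] = header
    ev["ext"] = {k: v.strip('"') for k, v in EXT_RE.findall(parts[7])}
    return ev
```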

cwadhwani-splunk self-assigned this May 28, 2024