
Missing infoblox:threatprotect events in Splunk

Open bx00365 opened this issue 1 year ago • 0 comments

Was the issue replicated by support? Yes

**What is the sc4s version?** 3.19.0

Which operating system (including its version) are you using for hosting SC4S? RHEL

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? Docker

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? Yes, support case 3472406

**Is the issue related to the environment of the customer or Software related issue?** Software related

Is it related to data loss? Please explain: Yes, data loss (events cannot be seen in Splunk)

Protocol? Hardware specs? The Infoblox appliance is sending syslog events to port 514 via the UDP protocol

**Last chance index/Fallback index?** sc4s

Is the issue related to local customization? No

**Do we have all the default indexes created?** No

Describe the bug

Following the reference below from the SC4S page to onboard Infoblox data, we are unable to see infoblox:threatprotect events in Splunk, whereas other events like dns/dhcp/audit can be seen with the custom index (infoblox) defined in the splunk_metadata file. Attachment: sc4s_support.tar.gz

SC4S Doc: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/InfoBlox/

To Reproduce

Following the documentation https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/InfoBlox/ we have added the following:

splunk_metadata.csv

```csv
infoblox_nios_dns,index,infoblox
infoblox_nios_dns,sourcetype,infoblox:dns
infoblox_nios_dhcp,index,infoblox
infoblox_nios_dhcp,sourcetype,infoblox:dhcp
infoblox_nios_threat,index,infoblox
infoblox_nios_threat,sourcetype,infoblox:threatprotect
infoblox_nios_audit,index,infoblox
infoblox_nios_audit,sourcetype,infoblox:audit
infoblox_nios_fallback,index,infoblox
infoblox_nios_fallback,sourcetype,infoblox:port
```

app-vps-infoblox_nios.conf

```conf
# /opt/sc4s/local/config/app-parsers/app-vps-infoblox_nios.conf
# File name provided is a suggestion; it must be globally unique
application app-vps-test-infoblox_nios[sc4s-vps] {
    filter {
        host("-blox-" type(glob) flags(ignore-case))
        or host("085a-ips-p*" type(glob) flags(ignore-case))
    };
    parser {
        p_set_netsource_fields(
            vendor('infoblox')
            product('nios')
        );
    };
};
```

host.csv

```csv
10.126.2.12,HOST,048e-blox-int-ns1-lan.lmig.com
```

Result:

dns/dhcp/audit events are getting mapped correctly but no events for threatprotect.

Next Steps

Logged case #3472406 with Splunk; per their recommendation we have replaced "infoblox_nios_threat,sourcetype,infoblox:threatprotect" with "Infoblox_NIOS Threat,index,infoblox" in the splunk_metadata file.

Observations

  1. threatprotect events can be seen in Splunk Dev with the index and sourcetype defined in the metadata file.
  2. Incorrect host assignment: the host name is expected to be "048e-blox-int-ns1-lan.lmig.com" as defined in the host.csv file, but the host value is "adp".
  3. The "adp" keyword is missing from the events as seen in Splunk.

Raw event:

```text
<26>May 3 08:53:25 10.126.2.12 threat-protect-log[37832]: adp: CEF:0|Infoblox|NIOS Threat|8.6.3-51135-1241097029df|110100900|EARLY DROP UDP query multiple questions or non query operation code|8|src=10.208.32.5 spt=44875 dst=10.126.2.16 dpt=53 act="DROP" cat="DNS Protocol Anomalies" nat=0 nfpt=0 nlpt=0 fqdn=NA hit_count=1
```

_Events in Splunk_

```text
threat-protect-log[37832]: CEF:0|Infoblox|NIOS Threat|8.6.3-51135-1241097029df|130506000|DNS HTTPS record TCP|4|src=10.123.3.119 spt=56021 dst=10.126.2.16 dpt=53 act="DROP" cat="DNS Message Types" nat=0 nfpt=0 nlpt=0 fqdn=substrate.office.com hit_count=1
```


infoblox_pcap.zip

bx00365, May 13 '24 07:05
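The raw threat-protect event quoted in the issue, parsed by an added example that is not part of the issue or of SC4S: it separates the syslog header, the `adp:` prefix and the CEF header/extension, resolves the sending IP through the host.csv mapping, and looks up index and sourcetype by a `vendor_product` key. The key derivation (lowercased CEF vendor and product joined with underscores) and both lookup tables are assumptions built from the issue text, not SC4S's own logic.

```python
import re

# Constructed from the issue's host.csv and splunk_metadata.csv (assumed lookup tables).
HOST_CSV = {"10.126.2.12": "048e-blox-int-ns1-lan.lmig.com"}
SPLUNK_METADATA = {
    "infoblox_nios_threat": {"index": "infoblox", "sourcetype": "infoblox:threatprotect"},
    "infoblox_nios_fallback": {"index": "infoblox", "sourcetype": "infoblox:port"},
}
# BSD syslog header: <pri>Mon dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<src>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
CEF_HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
EXT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # extension key=value, quoted or bare


def parse_cef(msg):
    """Split 'adp: CEF:0|...|k=v ...' into (prefix before CEF, header dict, extension dict)."""
    prefix, cef = msg.split("CEF:", 1)
    parts = cef.split("|", 7)  # seven header fields, then the whole extension blob
    header = dict(zip(CEF_HEADER, parts[:7]))
    blob = parts[7] if len(parts) > 7 else ""
    ext = {m.group(1): m.group(2).strip('"') for m in EXT_RE.finditer(blob)}
    return prefix.strip(), header, ext


def parse_event(line):
    """Return the fields to check when an event lands in the wrong index, sourcetype or host."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prefix, header, ext = parse_cef(m.group("msg"))
    # Assumption of this example: key = lowercased "<vendor>_<product>" with spaces as underscores.
    key = (header["vendor"] + "_" + header["product"]).lower().replace(" ", "_")
    meta = SPLUNK_METADATA.get(key, SPLUNK_METADATA["infoblox_nios_fallback"])
    return {
        "host": HOST_CSV.get(m.group("src"), m.group("src")),  # host.csv overrides the raw IP
        "program": m.group("program"), "pid": m.group("pid"),
        "prefix": prefix,  # the "adp:" token that precedes CEF in the raw event
        "vendor_product": key, "index": meta["index"], "sourcetype": meta["sourcetype"],
        "signature_id": header["signature_id"], "name": header["name"],
        "severity": int(header["severity"]), "ext": ext,
    }


# Constructed copy of the raw event quoted in the issue.
RAW_EVENT = ('<26>May 3 08:53:25 10.126.2.12 threat-protect-log[37832]: adp: CEF:0|Infoblox|NIOS Threat|'
             '8.6.3-51135-1241097029df|110100900|EARLY DROP UDP query multiple questions or non query '
             'operation code|8|src=10.208.32.5 spt=44875 dst=10.126.2.16 dpt=53 act="DROP" '
             'cat="DNS Protocol Anomalies" nat=0 nfpt=0 nlpt=0 fqdn=NA hit_count=1')

if __name__ == "__main__":
    print(parse_event(RAW_EVENT))
```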