About the Splunk Add-on for Infoblox¶
| Attribute | Value |
|---|---|
| Version | 2.2.0 |
| Vendor Products | Infoblox NIOS 8.4.4, 8.5.2, 8.6.2 |
| Add-on has a web UI | No. This add-on does not contain any views. |
Release notes¶
For a summary of new features, fixed issues, and known issues, and for more information on release history, see Release notes for the Splunk Add-on for Infoblox.
Compatibility¶
The Splunk Add-on for Infoblox allows a Splunk software administrator to collect DNS, DHCP, Threat Protection, and Audit logs in syslog format from Infoblox NIOS. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.
For detailed information about compatibility with other software, CIM versions, and platforms, see Release notes for the Splunk Add-on for Infoblox.
Source types and lookups¶
For more information about the source types for Splunk Add-on for Infoblox, see Source types.
Download the add-on¶
Download the Splunk Add-on for Infoblox from Splunkbase.
Install and configure the add-on¶
For information about installing and configuring the Splunk Add-on for Infoblox, see Installation and configuration overview for the Splunk Add-on for Infoblox.
Hardware and software requirements¶
For more information, see Hardware and software requirements.
Additional resources¶
See the Splunk Community page for questions related to this add-on.
See Troubleshooting guidelines specific for this add-on.
Hardware and software requirements for the Splunk Add-on for Infoblox¶
Infoblox setup requirements¶
You must have access to the Grid Manager web interface so that you can configure your NIOS appliances and management stations to send data to the Splunk platform over syslog.
Splunk platform requirements¶
Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.
- For Splunk Enterprise system requirements: see System Requirements in the Splunk Enterprise Installation Manual.
- If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.
Release notes for the Splunk Add-on for Infoblox¶
Version 2.2.0 of the Splunk Add-on for Infoblox was released on October 6, 2022.
Compatibility¶
Version 2.2.0 of the Splunk Add-on for Infoblox is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
| CIM | 5.0.1 |
| Platforms | Platform independent |
| Vendor Products | NIOS 8.4.x, 8.5.2, 8.6.2 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.2.0 of the Splunk Add-on for Infoblox contains the following new features:
- Support for Infoblox NIOS v8.6.2
- CIM compatibility with version 5.0.1
- New Infoblox object types for Audit events that are now mapped to the Change:Network_Changes DM, such as:
  - ResponsePolicyAaaaRecord
  - ResponsePolicyARecord
  - DelegatedZone
  - AtpRule
  - ResponsePolicyIPAddress
  - SharedARecord
  - SharedRecordGroup
  - SRGZone
  - CnameRecord
  - AaaaRecord
  - DhcpRange
  - PtrRecord
  - NetworkTemplate
  - FixedAddressTemplate
  - DhcpRangeTemplate
  - FixedAddress
  - ReservedRange
  - IPv6OptionFilter
- Added these object types for DNS events that are mapped to the Network Resolution (DNS) DM:
  - infoblox_dns_query_denied
  - infoblox_dns_query_failed
  - infoblox_dns_query_error
Field changes¶
The following sections contain information on fields and data models that have been added, modified, or removed in this release.
Fields added and removed¶
| Sourcetype | object_type | action | Fields added | Fields removed |
|---|---|---|---|---|
| infoblox:audit | AtpProfile, ARecord, DnsView, ResponsePolicyZone, Network, AuthZone, ResponsePolicyCnameRecord, NsGroup, AdminGroup | created | infoblox_action | |
| infoblox:audit | ARecord, DnsView, ResponsePolicyZone, Network, AuthZone, ResponsePolicyCnameRecord, NsGroup | deleted | infoblox_action | |
| infoblox:audit | ARecord, DnsView, ResponsePolicyZone, Network, MemberAtp, AuthZone, ResponsePolicyCnameRecord, AdminGroupstarted | modified | infoblox_action | |
| infoblox:audit | AaaaRecord | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | AccessRight | created | infoblox_action, user_name | |
| infoblox:audit | AccessRight | deleted | infoblox_action, user_name | |
| infoblox:audit | AccessRight | modified | infoblox_action, user_name | |
| infoblox:audit | AdminMember | created | src_user_type, infoblox_action, src_user_name | |
| infoblox:audit | AdminMember | deleted | src_user_type, infoblox_action, src_user_name | |
| infoblox:audit | AtpRule | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | CnameRecord | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | DashboardConfiguration | created | infoblox_action, user_name | |
| infoblox:audit | DelegatedZone | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | DelegatedZone | deleted | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | DhcpRange | created | infoblox_action, user_name | |
| infoblox:audit | DhcpRange | modified | infoblox_action, user_name | |
| infoblox:audit | DhcpRangeTemplate | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | ReservedRange, FixedAddress, ResponsePolicyIPAddress | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | IPv6OptionFilter, FixedAddressTemplate | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | Grid | modified | infoblox_action, user_name | |
| infoblox:audit | GridAtp | modified | infoblox_action, user_name | |
| infoblox:audit | GridDhcp | modified | infoblox_action, user_name | |
| infoblox:audit | GridDns | modified | infoblox_action, user_name | |
| infoblox:audit | Member | modified | infoblox_action, user_name | |
| infoblox:audit | MemberDns | modified | infoblox_action, user_name | |
| infoblox:audit | MyPersonalSmartFolder | created | infoblox_action, user_name | |
| infoblox:audit | NetworkTemplate | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | NetworkView | modified | infoblox_action, user_name | |
| infoblox:audit | system | restarted | infoblox_action | |
| infoblox:audit | PtrRecord | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | PtrRecord | modified | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | ReservedRange | modified | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | ResponsePolicyARecord | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | SharedRecordGroup, SRGZone | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | SharedARecord | created | infoblox_action, user_name, status, command, change_type | |
| infoblox:audit | WebuiGroupByConfig | created | infoblox_action, user_name | |
| infoblox:audit | account | unlocked | src_user_type, infoblox_action | |
| infoblox:audit | admingroup | logoff | infoblox_action, user_name, src_user | |
| infoblox:audit | MemberDhcp | modified | infoblox_action, user_name | |
| infoblox:audit | MemberDhcp | started | infoblox_action, user_name | |
| infoblox:audit | testgroup | logoff | infoblox_action, user_name, src_user | |
Fields modified¶
| Sourcetype | object_type | action | CIM Field | Sample value before | Sample value after |
|---|---|---|---|---|---|
| infoblox:audit | DhcpRangeTemplate | created | object_category | DhcpRangeTemplate | dhcp |
| infoblox:audit | ResponsePolicyARecord | created | object_category | ResponsePolicyARecord | dns |

| Sourcetype | CIM Field | Sample value before | Sample value after |
|---|---|---|---|
| infoblox:dns | message_type | query, response | Query, Response |
CIM changes¶
| Sourcetype | object_type | action | Previous CIM model | New CIM model |
|---|---|---|---|---|
| infoblox:audit | ResponsePolicyAaaaRecord | Created | Change:Network_Changes | |
| infoblox:audit | ResponsePolicyARecord | Created | Change:Network_Changes | |
| infoblox:audit | DelegatedZone | Created | Change:Network_Changes | |
| infoblox:audit | DelegatedZone | Deleted | Change:Network_Changes | |
| infoblox:audit | AtpRule | Created | Change:Network_Changes | |
| infoblox:audit | DhcpRange | Modified | Change:Network_Changes | |
| infoblox:audit | ResponsePolicyIPAddress | Created | Change:Network_Changes | |
| infoblox:audit | SharedARecord | Created | Change:Network_Changes | |
| infoblox:audit | SharedRecordGroup | Created | Change:Network_Changes | |
| infoblox:audit | SRGZone | Created | Change:Network_Changes | |
| infoblox:audit | CnameRecord | Created | Change:Network_Changes | |
| infoblox:audit | AaaaRecord | Created | Change:Network_Changes | |
| infoblox:audit | PtrRecord | Created | Change:Network_Changes | |
| infoblox:audit | PtrRecord | Modified | Change:Network_Changes | |
| infoblox:audit | NetworkTemplate | Created | Change:Network_Changes | |
| infoblox:audit | FixedAddressTemplate | Created | Change:Network_Changes | |
| infoblox:audit | DhcpRangeTemplate | Created | Change:Network_Changes | |
| infoblox:audit | FixedAddress | Created | Change:Network_Changes | |
| infoblox:audit | ReservedRange | Created | Change:Network_Changes | |
| infoblox:audit | IPv6OptionFilter | Created | Change:Network_Changes | |
Fixed issues¶
Version 2.2.0 of the Splunk Add-on for Infoblox fixes the following issues:
Known issues¶
Version 2.2.0 of the Splunk Add-on for Infoblox has the following known issues. If no issues appear on this page, no issues have yet been reported:
Release history for the Splunk Add-on for Infoblox¶
The latest version of the Splunk Add-on for Infoblox is version 2.2.0. See Release notes for the Splunk Add-on for Infoblox for the release notes of this latest version.
Version 2.1.0¶
Version 2.1.0 of the Splunk Add-on for Infoblox was released on November 10, 2021.
Compatibility¶
Version 2.1.0 of the Splunk Add-on for Infoblox is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 8.1.x, 8.2.x |
| CIM | 4.20.2 |
| Platforms | Platform independent |
| Vendor Products | NIOS 8.4.x, 8.5.2 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, see the Splunk Enterprise Release Notes.
New features¶
Version 2.1.0 of the Splunk Add-on for Infoblox contains the following new features:
- Added support for Infoblox NIOS v8.5.2 CIM mapping and enhancements
- The add-on now extracts the `dns_view` field for DNS response logs under the `infoblox:dns` sourcetype
- Audit logs written when a user account is unlocked in Infoblox are now mapped to the Change.Account_Management data model
- Log events written when network entities such as DnsView, AtpProfile, NSGroup, ARecord, and ResponsePolicyZone are created or modified are now mapped to the Change:Network_Changes DM
- Extracted the new CIM field `user_name` for events mapped to the Change data model
- Added support for CIM 4.20.2
- Removed support for Splunk 7.x and 8.0.
Fixed issues¶
Version 2.1.0 of the Splunk Add-on for Infoblox fixes the following issues:
Known issues¶
Version 2.1.0 of the Splunk Add-on for Infoblox has the following known issues. If no issues appear on this page, no issues have yet been reported:
Version 2.0.1¶
Version 2.0.1 of the Splunk Add-on for Infoblox was released on April 19, 2021.
Compatibility¶
Version 2.0.1 of the Splunk Add-on for Infoblox is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 7.2.x, 7.3.x, 8.0.x, 8.1.x |
| CIM | 4.17 |
| Platforms | Platform independent |
| Vendor Products | NIOS 8.4.x |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, see the Splunk Enterprise Release Notes.
New features¶
Version 2.0.1 of the Splunk Add-on for Infoblox contains the following new features:
- Added the `dhcp` CIM tag for the `DHCPACK` and `DHCPRELEASE` events
Fixed issues¶
Version 2.0.1 of the Splunk Add-on for Infoblox fixes the following issues:
Known issues¶
Version 2.0.1 of the Splunk Add-on for Infoblox has the following known issues. If no issues appear on this page, no issues have yet been reported:
Version 2.0.0¶
Version 2.0.0 of the Splunk Add-on for Infoblox was released on October 20, 2020.
Compatibility¶
Version 2.0.0 of the Splunk Add-on for Infoblox is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.17 |
| Platforms | Platform independent |
| Vendor Products | NIOS 8.4.x |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, see the Splunk Enterprise Release Notes.
New features¶
Version 2.0.0 of the Splunk Add-on for Infoblox contains the following new features:
- Support for Infoblox NIOS v8.4.4.
- Support for Splunk Connect for Syslog.
- Audit logs support for Infoblox NIOS version 8.4.4
- The following Common Information Model (CIM) compatibility enhancements:
- Improved event type definition to map events to the CIM data models.
- Removed the `dest_category` and `src_category` field extraction from the DHCP events, since these fields are automatically provided by the asset and identity correlation features of applications like Splunk Enterprise Security.
- Replaced the `src`, `src_ip`, `src_mac`, and `src_nt_host` fields with the `dest`, `dest_ip`, `dest_mac`, and `dest_nt_host` fields respectively for the DHCP events. `src*` fields are not applicable to DHCP events.
- Updated action field extraction for the following DHCP events:

| DHCP Event | Action value | Description |
|---|---|---|
| DHCPACK | added | The DHCPACK event notifies that the client is added to the network. |
| DHCPRELEASE | blocked | A client to server message. Indicates that the client gives up use of the network address and cancels the remaining time on the lease. |
| DHCPNAK | blocked | A server to client negative acknowledgment. Indicates that the client's understanding of the network address is incorrect (for example, if the client has moved to a new subnet), or a client's lease has expired. |
Fixed issues¶
Version 2.0.0 of the Splunk Add-on for Infoblox fixes the following issues:
Known issues¶
Version 2.0.0 of the Splunk Add-on for Infoblox has the following known issues. If no issues appear on this page, no issues have yet been reported:
Version 1.1.0¶
Version 1.1.0 of the Splunk Add-on for Infoblox was released on November 2, 2018.
Compatibility¶
Version 1.1.0 of the Splunk Add-on for Infoblox is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2, 8.0 |
| CIM | 4.11 |
| Platforms | Platform independent |
| Vendor Products | NIOS 6.10, NIOS 8.x |
New features¶
- Support for the NIOS 8.x log format
- The new sourcetype `infoblox:threatprotect` supports the threat-protect event log of NIOS 8.x
- The existing sourcetype `infoblox:dns` now supports RPZ QNAME messages
Fixed issues¶
Version 1.1.0 of the Splunk Add-on for Infoblox fixes the following issues:
Known issues¶
Version 1.1.0 of the Splunk Add-on for Infoblox has the following known issues. If no issues appear on this page, no issues have yet been reported:
Version 1.0.2¶
| Component | Description |
|---|---|
| Splunk platform versions | 6.3 or later |
| CIM | 4.3 or later |
| Platforms | Platform independent |
| Vendor Products | Infoblox NIOS 6.10 |
Fixed issues¶
Version 1.0.2 of the Splunk Add-on for Infoblox fixes the following issues.
Known issues¶
Version 1.0.2 of the Splunk Add-on for Infoblox contains no known issues.
Version 1.0.1¶
Version 1.0.1 of the Splunk Add-on for Infoblox has the same compatibility specifications as version 1.0.2.
Fixed issues¶
Version 1.0.1 of the Splunk Add-on for Infoblox fixes the following issues:
Known issues¶
Version 1.0.1 of the Splunk Add-on for Infoblox contains no known issues.
Version 1.0.0¶
Version 1.0.0 of the Splunk Add-on for Infoblox has the same compatibility specifications as version 1.0.1.
New features¶
Version 1.0.0 of the Splunk Add-on for Infoblox had the following new features.
- Create a new add-on for Infoblox NIOS.
Known issues¶
Version 1.0.0 of the Splunk Add-on for Infoblox contains no known issues.
Third-party software attribution¶
No version of the Splunk Add-on for Infoblox incorporates any third-party software or libraries.
Installation overview for the Splunk Add-on for Infoblox¶
Complete the following steps to install and configure this add-on on your supported platform.
Install the Splunk Add-on for Infoblox¶
Use the tables on this page to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough section at the bottom of the page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Distributed installation of this add-on¶
This table provides a quick reference for installing this add-on to a distributed deployment of Splunk Enterprise.
| Splunk instance type | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | Install this add-on to all search heads where Infoblox knowledge management is required. |
| Indexers | Yes | Conditional | Not required if you use heavy forwarders to monitor Infoblox syslog output. Required if you use universal forwarders to monitor Infoblox syslog output. |
| Heavy Forwarders | Yes | See comments | This add-on supports forwarders of any type for data collection. |
| Universal Forwarders | Yes | | |
Distributed deployment compatibility¶
This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Comments |
|---|---|---|
| Search Head Clusters | Yes | You can install this add-on on a search head cluster for all search-time functionality, but only configure inputs on a forwarder to avoid duplicate data collection. |
| Indexer Clusters | Yes | None |
| Deployment Server | Yes | Supported for deploying the configured add-on. |
Installation walkthrough¶
See Installing add-ons in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:
Upgrade the Splunk Add-on for Infoblox¶
To upgrade to the latest version of the Splunk Add-on for Infoblox, see the Install the Splunk Add-on for Infoblox topic in this manual. No additional steps are needed.
Configure Infoblox to send data to the Splunk Add-on for Infoblox¶
To enable the Splunk Add-on for Infoblox to collect data from Infoblox NIOS, use the Grid Manager web interface to configure your NIOS appliances and management stations to produce syslog output and push it to the data collection node of your Splunk platform installation. You can configure Infoblox to send data to Splunk over TCP or UDP, or you can export the syslog data into a dump file and configure the add-on to monitor that file. Sending syslog directly is the best practice for collecting log data from your Infoblox deployment.
For instructions on how to configure syslog or how to download the syslog file to a directory, see the Infoblox NIOS Administrator Guide.
Next, configure your data collection node to receive data from Infoblox NIOS as described in Configure inputs for the Splunk Add-on for Infoblox.
Configure inputs for the Splunk Add-on for Infoblox¶
The Splunk Add-on for Infoblox handles inputs through TCP or UDP. There are two ways to capture this data.
- Create a TCP/UDP input to capture the data sent on the port you have configured in Infoblox NIOS.
- If you are using a syslog aggregator, create a monitor input to monitor the file or files generated by the aggregator.
TCP/UDP input¶
On the Splunk platform node handling data collection, configure the TCP/UDP input to match your configuration in Infoblox NIOS and set the source type to `infoblox:port`. The CIM mapping and dashboard panels depend on this source type.
Perform the following steps to collect data through syslog using a TCP/UDP connection:
- Open Infoblox Grid Manager.
- From the Grid tab, go to the Grid Manager tab, then the Members tab, and then select Grid Properties -> Edit from the Toolbar.
- In the Grid Properties editor, select the Monitoring tab. Here you can configure global syslog servers under the EXTERNAL SYSLOG SERVERS section. You can also configure syslog servers for each Grid Member. For more information, see the Infoblox documentation for Using Syslog Servers at https://docs.infoblox.com/space/NAG8/22252249/Using+a+Syslog+Server.
- Use the protocol and port of the syslog server you configured to create the matching input in Splunk. For information on how to configure a Splunk forwarder or single instance to receive a syslog input, see Get data from TCP and UDP ports in the Getting Data In manual.
Monitor input¶
If you are using a syslog aggregator, on the Splunk platform node handling data collection, set up a monitor input to monitor the file or files that the aggregator generates and set the source type to `infoblox:file`. The CIM mapping and dashboard panels depend on this source type.
See Monitor files and directories in the Getting Data In manual for information about setting up a monitor input.
Validate data collection¶
Once you have configured the input, run this search to check that you are ingesting the data that you expect. The add-on converts the `infoblox:port` and `infoblox:file` source types to `infoblox:dhcp` and `infoblox:dns` according to the content of the events.
Search:
```
sourcetype=infoblox*
```
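The following inputs.conf is an added example for the data collection node; it is not the add-on's own configuration or anything taken from the Splunk or Infoblox documentation. It covers both capture methods described above (a direct TCP/UDP syslog listener and a monitor input for aggregator files). The port 10514, the file path /var/log/infoblox/*.log and the use of a non-default index name are assumptions chosen for illustration; replace them with the port you set under EXTERNAL SYSLOG SERVERS in Grid Manager and the path your aggregator writes to.

```ini
# Added example inputs.conf (not from the add-on). Assumed values: port 10514,
# aggregator file path /var/log/infoblox/*.log. Deploy to
# $SPLUNK_HOME/etc/apps/<your_inputs_app>/local/inputs.conf on the forwarder
# or single instance that receives Infoblox syslog.

# Direct syslog over TCP. The source type has to be infoblox:port: the add-on
# keys its CIM mapping off this value and rewrites it to infoblox:dns or
# infoblox:dhcp per event based on the event content. A generic "syslog"
# source type here is the most common reason the add-on produces no
# infoblox:dns / infoblox:dhcp events.
[tcp://10514]
sourcetype = infoblox:port
index = main
connection_host = ip
disabled = 0

# Same listener for UDP, if you chose UDP for the syslog server in Grid Manager.
# Use a port that no other Splunk input already listens on with this protocol.
[udp://10514]
sourcetype = infoblox:port
index = main
connection_host = ip
disabled = 0

# Files written by a syslog aggregator: the source type is infoblox:file here,
# not infoblox:port, so the add-on still recognises and reroutes the events.
[monitor:///var/log/infoblox/*.log]
sourcetype = infoblox:file
index = main
disabled = 0
```

After the forwarder picks up the file, run the validation search above broken out by source type, for example `sourcetype=infoblox* | stats count by sourcetype`. A healthy deployment shows counts under `infoblox:dns` and `infoblox:dhcp` (and `infoblox:audit` or `infoblox:threatprotect` where those logs are enabled); events that remain under `infoblox:port` or `infoblox:file` were not recognised as DHCP or DNS by the add-on's content rules and are worth inspecting. If the search returns nothing at all, check the index you are searching, since the inputs above write to `main`.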
Troubleshoot the Splunk Add-on for Infoblox¶
General troubleshooting¶
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Data ingestion problems¶
Verify that you have configured the input correctly by confirming that:
- you have configured the correct IP address of the Splunk platform node responsible for data collection in your Infoblox NIOS configuration.
- the port that you configured in your Infoblox NIOS configuration matches the port you configured in your syslog input configuration.
- the port that you are using for this input does not conflict with any other inputs.
- if monitored through TCP or UDP, the input is configured to set the source type to `infoblox:port`, and if monitored through file monitoring, the input is configured to set the source type to `infoblox:file`.
- you are searching the correct index. By default, this add-on uses the `main` index.
Lookups for the Splunk Add-on for Infoblox¶
The Splunk Add-on for Infoblox has 3 lookups. The lookup files map fields from Infoblox systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_infoblox/lookups.
| Filename | Description |
|---|---|
| infoblox_dns_query_type.csv | Maps the query_type, such as A and SRV, to the expected values required by the DNS model. |
| infoblox_dns_reply_code_id.csv | Maps reply_code_id to reply_code. |
| infoblox_severity_lookup | Maps severity_id to the expected values required by the Intrusion Detection and Alert models. |
Sourcetypes for the Splunk Add-on for Infoblox¶
The Splunk Add-on for Infoblox includes the following source types and event types which map the data to the Splunk Common Information Model (CIM).
| Sourcetype | Description | CIM data models |
|---|---|---|
| infoblox:audit | Infoblox Audit logs | Authentication, Change |
| infoblox:dhcp | Infoblox DHCP logs | Network Sessions |
| infoblox:dns | Infoblox DNS logs | Network Resolution (DNS) |
| infoblox:threatprotect | Infoblox Threat Protection logs | Intrusion Detection |