Forum Discussion
Infoblox and Parsing Questions
Hey Jason,
I have about 2 dozen (or so) Infoblox sub-parsers attached to a primary parser. "Infoblox" is the primary one, and unions the other ones together.
Here's one of the subparsers:
I would also double check your Watchlists defined in Sentinel. There should be a Watchlist called "Sources_by_SourceType". In it you need a SourceType called "InfobloxNIOS" with one or more keys assigned to it.
I set both of mine to the Hostname and the FQDN of the reporting log sources. (Some information scrubbed...)
Double check that those are set up correctly. If they are, attach a couple error messages from Sentinel so I can review it. We did eventually get NIOS logs working - though without support from Microsoft.
So I did try the watchlist solution before with support: I made the source type "infobloxNIOS", like the data connector seems to want, and the source our Infoblox servers. Unfortunately it didn't seem to change anything. The data connector still hasn't changed to green indicating a connection.
As far as errors go, there are none; that's the odd thing. I am technically getting the data, it's just not parsing correctly. Can you share that sub-parser code though? I have not tried that yet.
- mredbourne2405 (Feb 16, 2023, Copper Contributor)
JasonS1990 Attached is a "CSV". It's a regular text file - Microsoft wouldn't let me upload a *.txt. That should be all of them. Have you looked at the Content Hub? They have these parsers (n=22) in there. Just make sure you completely remove the NIOS stuff before attempting to install it. Otherwise it'll attempt to create multiple objects with the same name, which causes problems.
- JasonS1990 (Feb 20, 2023, Copper Contributor)
mredbourne2405 thanks for your help so far! I tried what you mentioned and got the parsers installed, but unfortunately they come back empty and the Infoblox data connector still shows as grey and not connected on the connector page. I have attached some screenshots; let me know if this looks right to you. Also, which Linux distro were you using? The only other thing I can think of is that we're using AlmaLinux, a bit-for-bit remake of CentOS, but it may be the culprit.
- mredbourne2405 (Feb 20, 2023, Copper Contributor)
For the time being we're on CentOS 7 Linux (rsyslog configuration) with plans to migrate to RHEL 9.1 or a derivative of RHEL 9. However, our systems are not a good baseline to use as they're heavily modified to support large EPS ingestion (~30k EPS across 3 nodes being our heaviest; we have nearly 50 collectors deployed in total).
Run this on the server where your rsyslog/syslog-ng collector is and post your output.
Command >> netstat -tunlp | egrep "25226|25224"
What protocol is 25224 and 25226 listening on? 25226 should come back TCP, 25224 should come back UDP (if default). If that's true, you need to modify your rsyslog configuration for the NIOS logs and use the line "if $rawmsg contains "vnios" [...] then @127.0.0.1:25224". @ means UDP, @@ means TCP.
The default configuration for the Syslog (used by NIOS) connector on any appliance is UDP transport (@127.0.0.1:25224). You can use TCP for Syslog as well, but that requires modifying fluentd configurations and disabling some 'helper' processes on the OMS Agent. (It's also worth noting that such changes will put you out of scope for assistance from most Microsoft technicians for troubleshooting and isn't something I'd recommend doing unless you have deep knowledge of the software.)
As an aside to the rsyslog configuration, you're missing the "& stop" line after your CEF checks. That will hamper your performance.
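The check and the rsyslog rule described in the post above, as an added example that is not part of the thread: the two netstat samples are constructed (placeholder PID and process name), `listener_proto` and `check_collector` are helper names chosen here, and `rsyslog_rule` emits the "vnios" forwarding line followed by the "& stop" the post says is missing.

```shell
#!/bin/sh
# Added example (not from the thread): verify the OMS agent listeners the way the
# post describes (25226 TCP for CEF, 25224 UDP for Syslog) and print the rsyslog
# forwarding rule for NIOS messages with the trailing "& stop".

# Constructed sample of what `netstat -tunlp | egrep "25226|25224"` prints on a
# collector with the default listeners (PID/process name are placeholders).
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:25226         0.0.0.0:*               LISTEN      1234/ruby
udp        0      0 127.0.0.1:25224         0.0.0.0:*                           1234/ruby'

# Constructed sample where 25224 has been switched to TCP, which breaks the
# default (UDP) Syslog path the post relies on.
SAMPLE_NETSTAT_TCP_ONLY='tcp        0      0 127.0.0.1:25226         0.0.0.0:*               LISTEN      1234/ruby
tcp        0      0 127.0.0.1:25224         0.0.0.0:*               LISTEN      1234/ruby'

# listener_proto PORT: reads netstat-style lines on stdin and prints the protocol
# (tcp/udp) of the socket bound to PORT, or "none" if nothing is bound there.
listener_proto() {
    proto=$(awk -v p=":$1\$" '$4 ~ p { print $1; exit }')
    if [ -n "$proto" ]; then printf '%s\n' "$proto"; else printf 'none\n'; fi
}

# check_collector: reads netstat-style lines on stdin and prints "ok" when 25226
# is TCP and 25224 is UDP, otherwise a "mismatch" line showing what was found.
check_collector() {
    input=$(cat)
    cef=$(printf '%s\n' "$input" | listener_proto 25226)
    syslog=$(printf '%s\n' "$input" | listener_proto 25224)
    if [ "$cef" = "tcp" ] && [ "$syslog" = "udp" ]; then
        printf 'ok\n'
    else
        printf 'mismatch: 25226=%s 25224=%s\n' "$cef" "$syslog"
    fi
}

# rsyslog_rule: prints the forwarding rule for NIOS messages. A single "@" means
# UDP ("@@" would be TCP); "& stop" ends processing for the matched messages so
# they are not re-evaluated by the rules that follow (for example the CEF ones).
rsyslog_rule() {
    cat <<'EOF'
if $rawmsg contains "vnios" then @127.0.0.1:25224
& stop
EOF
}

# Usage on a real collector: replace the sample with the live command, e.g.
#   netstat -tunlp | egrep "25226|25224" | check_collector
printf '%s\n' "$SAMPLE_NETSTAT" | check_collector
```

Running it against the first sample prints "ok"; against the second it reports which port came back with the wrong protocol, which is the case where the "@" versus "@@" choice in the rsyslog rule has to change.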