Forum Discussion
Infoblox and Parsing Questions
JasonS1990 Attached is a "CSV". It's a regular text file; Microsoft wouldn't let me upload a *.txt. That should be all of them. Have you looked at the Content Hub? They have these parsers (n=22) in there. Just make sure you completely remove the NIOS stuff before attempting to install it. Otherwise it'll attempt to create multiple objects with the same name, which causes problems.
mredbourne2405 Thanks for your help so far! I tried what you mentioned and got the parsers installed, but unfortunately they come back empty and the Infoblox data connector still shows as grey and not connected on the connector page. I have attached some screenshots; let me know if this looks right to you. Also, which Linux distro were you using? The only other thing I can think of is that we're using AlmaLinux, a bit-for-bit remake of CentOS, which may be the culprit.
- mredbourne2405, Feb 21, 2023, Copper Contributor
A moment of candid honesty (I am NOT a Microsoft employee, and this is one of my only complaints): the installers (both for CEF and for the generic OMS Agent) are terrible. The performance on them leaves a lot to be desired. The installer doesn't really account for any other scenarios (e.g. ingesting Meraki logs, NIOS, etc.). There's a whole other level of complexity in this that most people aren't even aware of yet.
Case in point: ask the creators of "rsyslog" how expensive message searching is. Aside from ereregex or breregex, it's one of the most expensive methods to split traffic on. My larger servers use property search (e.g. ':fromhost-ip, equals, "1.1.1.1" @/@@<location>').
In our other managed collectors (legacy, through another vendor, IBM) we could push 50k EPS on a single node if necessary and had the compute resources + licensing on hand. That's not possible with the OMS Agent without load balancing. The new product coming (AMA for Linux), from my testing and discussions with Microsoft Engineers, is rumoured to be marginally better than my current setup. We'll move over once I have support for RHEL9.
That aside, the config looks good now. In Sentinel run the following commands:
Syslog
| where Computer contains "vnios" or Computer contains "ns1" or Computer contains "ns2"
| summarize count() by Computer
Does that return information? If so, run the Infoblox function:
Infoblox
| take 10
- JasonS1990, Feb 21, 2023, Copper Contributor
mredbourne2405 Ah, OK, that makes so much sense. It's odd that the Log Analytics agent installer script didn't do this during installation and the Infoblox NIOS data connector directions don't mention this at all...
Anyway, here is a screenshot of the output and the new config. Let me know if this looks correct to you.
- mredbourne2405, Feb 20, 2023, Copper Contributor
For the time being we're on CentOS 7 Linux (rsyslog configuration) with plans to migrate to RHEL 9.1 or a derivative of RHEL 9. However, our systems are not a good baseline to use as they're heavily modified to support large EPS ingestion (~30k EPS across 3 nodes being our heaviest; we have nearly 50 collectors deployed in total).
Run this on the server where your rsyslog/syslog-ng collector runs and post your output.
Command >> netstat -tunlp | egrep "25226|25224"
What protocol is 25224 and 25226 listening on? 25226 should come back TCP, 25224 should come back UDP (if default). If that's true, you need to modify your rsyslog configuration for the NIOS logs and use the line "if $rawmsg contains "vnios" [...] then @127.0.0.1:25224". @ means UDP, @@ means TCP.
The default configuration for the Syslog (used by NIOS) connector on any appliance is UDP transport (@127.0.0.1:25224). You can use TCP for Syslog as well, but that requires modifying fluentd configurations and disabling some 'helper' processes on the OMS Agent. (It's also worth noting that such changes will put you out of scope for assistance from most Microsoft technicians for troubleshooting and isn't something I'd recommend doing unless you have deep knowledge of the software.)
As an aside to the rsyslog configuration, you're missing the "& stop" line after your CEF checks. That will hamper your performance.
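The rsyslog layout the post above describes, written out as an added example (not a config from the thread or from Microsoft): the CEF check forwarding on TCP 25226 followed by its "& stop", and the NIOS rule forwarding on UDP 25224. The file path, the "CEF:" match string and the 192.0.2.10 source address are assumptions.

```conf
# Added example (not from the thread). Assumed path: /etc/rsyslog.d/95-omsagent.conf
# Legacy rsyslog syntax, matching the style used in the thread.

# --- CEF sources first: the OMS Agent CEF listener is TCP 25226 (@@ = TCP).
# "CEF:" as the match string is an assumption; use whatever your CEF devices emit.
:rawmsg, contains, "CEF:" @@127.0.0.1:25226
# '&' re-uses the filter on the line above; 'stop' discards the message so it is
# not evaluated again by every rule below. Omitting this is the performance hit
# the post describes.
& stop

# --- Infoblox NIOS: the Syslog connector listens on UDP 25224 (single @ = UDP).
# WRONG (kept as a comment for contrast): @@ sends TCP to a UDP listener, the
# connection is refused, and NIOS logs never reach Sentinel with no error in KQL.
#if $rawmsg contains "vnios" then @@127.0.0.1:25224
# RIGHT: UDP, as the connector expects by default.
if $rawmsg contains "vnios" then @127.0.0.1:25224
& stop

# --- Same routing as a property-based filter on the source address rather than
# a message search, which is cheaper on a busy collector. Example address only.
:fromhost-ip, isequal, "192.0.2.10" @127.0.0.1:25224
& stop

# Anything not matched above continues to the local rules in /etc/rsyslog.conf.
```

After reloading rsyslog, the Syslog KQL query from the post (filtering Computer on "vnios", "ns1", "ns2") should start returning rows within a few minutes if the transport matches the listener.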