Forum Discussion
majo1
Dec 23, 2019 | Copper Contributor
Infoblox and Parsing Questions
Hello, Have Infoblox DNS Query/Response logs been tested with Azure Sentinel ? I am testing it and have found that Infoblox DNS seems to generate only Threat Logs in CEF. The other DNS logg...
mredbourne2405
Feb 20, 2023 | Copper Contributor
For the time being we're on CentOS 7 Linux (rsyslog configuration) with plans to migrate to RHEL 9.1 or a derivative of RHEL 9. However, our systems are not a good baseline to use as they're heavily modified to support large EPS ingestion (~30k EPS across 3 nodes being our heaviest. We have nearly 50 collectors deployed in total).
Run this on the server where your rsyslog/syslog-ng collector runs and post your output.
Command >> netstat -tunlp | egrep "25226|25224"
What protocol is 25224 and 25226 listening on? 25226 should come back TCP, 25224 should come back UDP (if default). If that's true, you need to modify your rsyslog configuration for the NIOS logs and use the line "if $rawmsg contains "vnios" [...] then @127.0.0.1:25224". @ means UDP, @@ means TCP.
The default configuration for the Syslog (used by NIOS) connector on any appliance is UDP transport (@127.0.0.1:25224). You can use TCP for Syslog as well, but that requires modifying fluentd configurations and disabling some 'helper' processes on the OMS Agent. (It's also worth noting that such changes will put you out of scope for assistance from most Microsoft technicians for troubleshooting and isn't something I'd recommend doing unless you have deep knowledge of the software.)
As an aside to the rsyslog configuration, you're missing the "& stop" line after your CEF checks. That will hamper your performance.
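The check and the resulting rsyslog rules from the post above, written out as an added example (this is not code from the thread, from Microsoft's connector scripts, or from Infoblox). It assumes a constructed netstat listing with the CEF listener on TCP 25226 and the syslog listener on UDP 25224, a placeholder NIOS source address of 192.0.2.10, and "CEF:" as the match string for the CEF rule; the port-to-transport mapping drives whether the forwarding prefix is @ (UDP) or @@ (TCP), and every rule is followed by "& stop". The NIOS rule is written twice: once as a property compare on the source IP (rsyslog's isequal operation, which is a single string comparison) and once as the $rawmsg body search from the post, which has to scan every message.

```shell
#!/bin/sh
# Added example: detect which transport the OMS agent listeners use, then emit
# rsyslog rules whose forwarding prefix matches (@ = UDP, @@ = TCP), each
# followed by "& stop" so a matched message is not re-evaluated by later rules.
# SAMPLE_NETSTAT is constructed, not captured from a real collector;
# 192.0.2.10 is a placeholder NIOS appliance address.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25226           0.0.0.0:*               LISTEN      1234/ruby
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      987/rsyslogd
udp        0      0 0.0.0.0:25224           0.0.0.0:*                           1234/ruby
udp        0      0 0.0.0.0:514             0.0.0.0:*                           987/rsyslogd'

NIOS_IP=${NIOS_IP:-192.0.2.10}   # placeholder; set to your appliance's source IP

# port_proto PORT NETSTAT_OUTPUT -> prints tcp, udp or none.
# Scans every field for an address ending in ":PORT", so it works on both
# "netstat -tunlp" and "ss -tunlp" layouts; tcp6/udp6 are folded into tcp/udp.
port_proto() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) {
                proto = $1; sub(/6$/, "", proto)
                if (proto == "tcp" || proto == "udp") { print proto; found = 1; exit }
            }
        }
        END { if (!found) print "none" }'
}

# fwd_prefix PROTO -> rsyslog forwarding prefix for that transport.
fwd_prefix() {
    case $1 in
        udp) printf '@' ;;
        tcp) printf '@@' ;;
        *)   echo "no tcp/udp listener found" >&2; return 1 ;;
    esac
}

# rsyslog_rules NETSTAT_OUTPUT -> rule block suitable for /etc/rsyslog.d/.
# Fails (non-zero) if either listener is missing, so you never ship a rule
# that forwards to a port nothing is bound to.
rsyslog_rules() {
    cef=$(fwd_prefix "$(port_proto 25226 "$1")") || return 1
    nios=$(fwd_prefix "$(port_proto 25224 "$1")") || return 1
    cat <<EOF
# CEF-formatted events (Infoblox threat logs etc.) to the CEF listener.
if \$rawmsg contains "CEF:" then ${cef}127.0.0.1:25226
& stop
# NIOS syslog: a property compare on the source IP is a single string
# comparison, far cheaper than scanning every message body, so it goes first.
:fromhost-ip, isequal, "$NIOS_IP" ${nios}127.0.0.1:25224
& stop
# Fallback body search for NIOS appliances not listed above.
if \$rawmsg contains "vnios" then ${nios}127.0.0.1:25224
& stop
EOF
}

# Demo against the constructed sample; on a real collector pass
# "$(netstat -tunlp)" or "$(ss -tunlp)" instead.
rsyslog_rules "$SAMPLE_NETSTAT"
```

On a collector where 25224 turned out to be TCP, the generated NIOS rules would carry @@ instead of @; if either port is not bound at all the function exits non-zero instead of emitting a rule, which is the case to check before blaming the Sentinel side.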
JasonS1990
Feb 21, 2023 | Copper Contributor
mredbourne2405 Ah ok that makes so much sense. It's odd that the Log Analytics agent installer script didn't do this during installation and the Infoblox NIOS data connector directions don't mention this at all...
Anyway here is a screenshot of the output and the new config. let me know if this looks correct to you.
mredbourne2405
Feb 21, 2023 | Copper Contributor
A moment of candid honesty (I am NOT a Microsoft Employee, and this is one of my only complaints): the installers (both for CEF and the generic OMS Agent) are terrible. The performance on them leaves a lot to be desired. The installer doesn't really account for any other scenarios (e.g. ingesting Meraki logs, NIOS, etc.). There's a whole other level of complexity in this that most people aren't even aware of yet.
Case in point: ask the creators of "rsyslog" how expensive message searching is. Aside from ereregex or breregex, it's one of the most expensive methods to split traffic on. My larger servers use property search (e.g. ':fromhost-ip, equals, "1.1.1.1" @/@@<location>').
In our other managed collectors (legacy through another vendor, IBM) we could push 50k EPS on a single node if necessary and had the compute resources + licensing on hand. That's not possible with the OMS Agent without load balancing. The new product coming (AMA for Linux), from my testing and discussions with Microsoft Engineers, is rumoured to be marginally better than my current setup. We'll move over once I have support for RHEL9.
That aside, the config looks good now. In Sentinel run the following commands:
Syslog
| where Computer contains "vnios" or Computer contains "ns1" or Computer contains "ns2"
| summarize count() by Computer
Does that return information? If so, run the Infoblox function:
Infoblox
| take 10