Infoblox Platform logs are delivered in parquet format. You can use the Apache parquet tools that Infoblox provides (click here to access the tools) to convert the parquet files to JSON format if necessary. For more information, see Converting Parquet to JSON.
...
Amazon S3 > <bucketname> /archivers/ rpz_enriched / year=xxxx / month=xx / day=xx /hour=xx
Example:
Amazon S3 > testbucket/rpz_enriched /year=2024/month=3/day=3/hour=15/
File format: part-00000-0228fa58-6334-464c-8502-37f04dd40528.c000.snappy.parquet
RPZ
| Field Name | Type | Description |
| opcode | INT32 | opcode for NOTIFY, STATUS, QUERY, UPDATE This is the opcode for the corresponding DNS traffic, such as |
| timestamp | INT64 | timestamp in second part |
| nanosecond | INT32 | Timestamp in nano second part |
| tcode | INT32 | RPZ Trigger code (adapted from ZyTrax) 0: QNAME Trigger on query name 1: CLIENT-IP Trigger on DNS client IP 2: IP Trigger on query response IP 3: NSDNAME Trigger on NS name during delegation 4: NS-IP Trigger on NS IP during delegation |
| tname | STRING | FQDN for RPZ trigger (feedname.rpz_entry or rpz_entry.feedname) |
| acode | INT32 | RPZ Action code (adapted from ZyTrax) 0: Local-Data Response data defined by RR and target name 1: NODATA Return name exists but with no answer data 2: PASSTHRU Do nothing – normally defines an exception in a range 3: NXDOMAIN Return name does not exist 4: TCP-Only Force use of TCP (REDIRECT for policy engine) 5: REFUSED Support for JANUS 6: DROP Causes client timeout |
| arrtype | INT32 | RPZ Action RR type |
| arrdata | STRING | RPZ Action RR data |
| qname | STRING | DNS query name in FQDN |
| qtype | INT32 | DNS query type |
| qclass | INT32 | DNS query class |
| source | STRING | data source or DNS server ID |
| qip | STRING | requester IP |
| qport | INT32 | Requester Port |
| rip | STRING | Responder IP |
| rport | INT32 | Responder Port |
| view | STRING | DNS view (Infoblox feed or others. Optionally prefix with network view qualifier) |
| pvendor | STRING | Product vendor |
| pname | STRING | Product name |
| pversion | STRING | Product version |
| loglevel | INT32 | Syslog severity level indicator |
| disabled | BOOL | Is RPZ rule disabled |
| tid | STRING | Transaction Identifier of DNS response |
| pid | STRING | Policy Identifier (optional) |
| cid | STRING | Client Identifier (optional) |
| anonymized | BOOL | Anonymized flag |
| cmac | STRING | Client MAC address (optional) |
| csite | STRING | Client Site ID (optional) |
| qcat | STRING | Content category (optional) |
| tinfo | STRING | Trigger information: threat property, threat level, threat confidence (optional) |
| username | STRING | Username for authenticated users |
| region | STRING | ATC's region |
| extra | NULL | [('user_name', 'somename'), ('threat_class', 'CAT'), ('sld', 'exampledomain.com'), ('pname', 'remote_client'), ('domain_applications', 'Uncategorized'), ('feed_name', 'CAT_Business Software'), ('client_region', 'exampleregion'), ('endpointgroups', 'Examplecountry_SEZ_STPI'), ('client_country', 'example_country'), ('qname_norm', 'peers.exampledomain.com'), ('property', 'Business Software'), ('private_ip', '174.135.1.13'), ('category', 'Business Software'), ('client_continent', 'Asia'), ('event_date', '2024-07-28 10:00:00.799'), ('threat_indicator', 'peers.exampledomain.com'), ('mac_address', '3e:1f:62:53:81:d2'), ('response_region', 'example_response_region'), ('record_type', '3'), ('device_name', 'LIN65003287.sub.exampledomain.com'), ('policy_name', 'India_SEZ'), ('egress_ip', '52.214.211.36'), ('domain_categories', 'Business Software,Technology - Other'), ('all_tags', 'APP_Uncategorized,CAT_Business Software,CAT_Technology - Other,LIST_658691,LIST_672857'), ('response_country', 'ExampleCountry'), ('storage_id', '302391'), ('pdisplay_name', 'Remote Client (ATeP)'), ('network', 'BloxOne Endpoint'), ('feed_type', 'FQDN'), ('policy_action', 'Redirect'), ('os_version', 'Windows 11 Pro'), ('device_ip', '53.115.256.28'), ('response_continent', 'Asia'), ('response', '213.156.45.111), ('query_type', 'A')] |
| version | STRING | Schema version |
| key | STRING | example: com.123xyz@123abc |
| sld | STRING | Second level domain (example: googl.com) |
...