...

When the audit log reaches its maximum size of 100 MB, the appliance automatically rotates it: the current file is renamed with a .0 extension, and the extension of each existing rotated file is incremented by 1. Files are compressed during rotation, so a .gz extension follows the numerical increment (file.#.gz). The sequence runs from zero through nine. When the eleventh file is started, the tenth log file (file.9.gz) is deleted and the remaining files are renumbered accordingly: the current log file moves to file.0.gz, the previous file.0.gz moves to file.1.gz, and so on through file.9.gz. A maximum of 10 log files (0-9) are kept. To list the audit log files and their sizes, log in to the Infoblox CLI and run the show logfiles command.
To enable audit log rolling:

  1. On the Grid tab, select the Grid Manager tab -> Members tab, and then click Grid Properties -> Edit in the Toolbar.

  2. In the Grid Properties editor, on the Security tab, select Enable Audit Log Rolling.

Specifying the Audit Log Type

Select the Detailed (default), Brief, or WAPI Detailed audit log type as follows:

  1. On the Grid tab, select the Grid Manager tab -> Members tab, and then click Grid Properties -> Edit in the Toolbar.
    OR
    On the System tab, select the System Manager tab, and then click System Properties -> Edit in the Toolbar.

  2. In the Grid Properties Editor, on the General tab, or in the System Properties Editor, on the System tab, select one of the following:

    • Detailed: This is the default type. When you select this, Grid Manager displays detailed information on all administrative changes such as the timestamp of the change, administrator name, changed object name, and the new values of all properties in the logged message.

    • Brief: Provides information on administrative changes such as the changed object name and action in the log message. The logged message does not show timestamp or admin name.

    • WAPI Detailed: Select this option to view detailed RESTful API session information logs for successful WAPI calls such as PUT, POST, and DELETE. You can view the following session log information for each successful WAPI call:

      • URI: The URI contains a certain part of the incoming WAPI request, for example the WAPI version and the associated object.

      • InData: InData contains the input data fields of the incoming WAPI request, for example the data field of a POST body.

      • Response Time: Response time is calculated as the time difference between a WAPI request received and the response sent. 

        This option helps you to troubleshoot and monitor performance issues that impact specific WAPI calls and track WAPI usage. When you select this option, you can view additional columns such as URI, InData and Response Time in the Audit log.

        The following example shows an audit log entry for a POST WAPI call:
        [2018-05-29 09:20:12.026Z] [admin]: Created(POST) v2.9/zone_auth {"fqdn":"foo.com"} 2.233 AuthZone foo.com DnsView=default: Set fqdn="foo.com"
        In the example above:

      • POST indicates the WAPI call.

      • v2.9/zone_auth is the URI.

      • {"fqdn":"foo.com"} represents InData.

      • 2.233 is the response time.
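The entry format above is fixed enough to parse mechanically, which is what you want when feeding the audit log into a SIEM or hunting for slow or unexpected WAPI calls. The following added example (not Infoblox code) parses WAPI Detailed entries into their URI, InData and response-time fields, skips entries without session fields, and flags internal users by the $admin group name$ convention; the sample lines are constructed and the object reference is a placeholder.

```python
import json
import re
from typing import Optional

# Constructed sample lines in the WAPI Detailed format (not real appliance output).
# The object reference in the URI is a placeholder, and $dns-ops$ stands for an internal user.
SAMPLE_AUDIT_LOG = """\
[2018-05-29 09:20:12.026Z] [admin]: Created(POST) v2.9/zone_auth {"fqdn":"foo.com"} 2.233 AuthZone foo.com DnsView=default: Set fqdn="foo.com"
[2018-05-29 09:21:40.110Z] [$dns-ops$]: Modified(PUT) v2.9/record:a/REF-PLACEHOLDER {"ipv4addr":"10.0.0.5"} 1.500 ARecord host1.foo.com DnsView=default: Set ipv4addr="10.0.0.5"
[2018-05-29 09:22:03.900Z] [admin]: Deleted(DELETE) v2.9/record:a/REF-PLACEHOLDER {} 9.871 ARecord host1.foo.com DnsView=default
[2018-05-29 09:22:30.000Z] [admin]: Login_Allowed - constructed non-WAPI entry, no session fields
"""

# Header up to and including the URI; InData follows and is parsed as JSON rather than by regex.
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<admin>[^\]]+)\]: "
    r"(?P<action>\w+)\((?P<method>PUT|POST|DELETE)\) (?P<uri>\S+) "
)
# Internal users are displayed as $admin group name$ (the GUI filter ^[^$] drops them).
INTERNAL_USER_RE = re.compile(r"^\$.*\$$")


def parse_wapi_entry(line: str) -> Optional[dict]:
    """Split one WAPI Detailed entry into fields; return None for entries without WAPI session fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # raw_decode consumes exactly one JSON value starting at the InData brace, nested braces included.
    indata, end = json.JSONDecoder().raw_decode(line, m.end())
    rest = line[end:].split(None, 1)  # response time, then the free-form message
    return {
        "timestamp": m["ts"],
        "admin": m["admin"],
        "internal_user": INTERNAL_USER_RE.match(m["admin"]) is not None,
        "action": m["action"],
        "method": m["method"],
        "uri": m["uri"],
        "indata": indata,
        "response_time": float(rest[0]),
        "message": rest[1] if len(rest) > 1 else "",
    }


def slow_wapi_calls(log_text: str, threshold_seconds: float, skip_internal: bool = True) -> list:
    """Return (admin, method, uri, response_time) for WAPI calls slower than the threshold."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_wapi_entry(line)
        if entry is None or (skip_internal and entry["internal_user"]):
            continue
        if entry["response_time"] > threshold_seconds:
            hits.append((entry["admin"], entry["method"], entry["uri"], entry["response_time"]))
    return hits
```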

Note

There might be a slight impact on device performance because the session log information (URI, InData, and response time) is captured for every successful WAPI call. The audit log file grows as entries accumulate, which may affect storage capacity. Infoblox recommends that you select the Copy Audit Log Messages to Syslog checkbox in the Grid Properties Editor to send audit log information to syslog and on to an external server for longer retention. For more information about specifying syslog servers, see Using a Syslog Server. All Cloud WAPI-related events, whether via Cloud Network Automation (CNA) or Cloud Platform (CP) appliances, are logged to syslog instead of the audit log. For more information, see Cloud Network Automation.

...

Viewing the Audit Log

To view an audit log:

  1. On the Administration tab, select the Logs tab -> Audit Log tab.

  2. Optionally, use the filters to narrow down the audit log messages you want to view. Click Show Filters to enable the filters. Configure the filter criteria, and then click Apply.
    Based on your filter criteria (if any), Grid Manager displays the following in the Audit Log viewer:

    • Timestamp: The date, time, and time zone the task was performed. The time zone is the time zone configured on the member.

    • Admin: The admin user who performed the task.
      Note that the admin user displayed as $admin group name$ represents an internal user. You can create an admin filter with “matches expression” equals ^[^$] to filter out internal users.

    • Action: The action performed. This can be one of CALLED, CREATED, DELETED, LOGIN_ALLOWED, LOGIN_DENIED, MESSAGE, MODIFIED, POST, PUT, or DELETE.

    • Object Type: The object type of the object involved in this task. This field is not displayed by default. You can select this for display.

    • Object Name: The name of the object involved in this task.

    • Execution Status: The execution status of the task. Possible values are Executed, Normal, Pending Approval and Scheduled.

    • URI: A certain part of the incoming WAPI request.

    • InData: Input data fields of the incoming WAPI request.

    • Response Time: The processing time of the incoming WAPI request.

    • Message: Detailed information about the performed task.

You can also perform the following in the log viewer:

...

You can download the audit log file to a specified directory if you want to analyze it later. To download an audit log file:

  1. On the Administration tab, select the Logs tab -> Audit Log tab, and then click the Download icon.

  2. Navigate to a directory where you want to save the file, optionally change the file name (the default name is auditLog.tar.gz), and then click OK. If you want to download multiple audit log files to the same location, rename each downloaded file before downloading the next.

Note

If your browser has a pop-up blocker enabled, you must turn off the pop-up blocker or configure your browser to allow pop-ups for downloading files.

...

  • Use filters and the Go To function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.

  • Create a quick filter to save frequently used filter criteria. 

  • Modify some of the data in the table. Double-click a row of data, and either edit the data in the field or select an item from a drop-down list. Note that some fields are read-only. For more information about this feature, see Modifying Data in Tables.

  • Edit the properties of a member.

    • Click the checkbox beside a member, and then click the Edit icon.

  • Delete a member.

    • Click the checkbox beside a member, and then click the Delete icon.

  • Export or print the list.

...

For a single member, you can also capture traffic on the NIOS appliance through the Infoblox CLI using the set traffic_capture command. However, you cannot use this command to capture traffic for multiple members. NIOS displays the traffic capture status and allows you to download the captured traffic, regardless of whether the traffic capture was initiated from the Infoblox CLI or from Grid Manager.
To capture traffic for a single member or multiple Grid members:

  1. From the Grid tab, select the Grid Manager tab -> Members tab, and then click Traffic Capture from the Toolbar.
    OR
    From the Administration tab, select the Logs tab -> Syslog tab, and then click Traffic Capture from the Toolbar.

  2. In the Traffic Capture dialog box, complete the following:
    Members

    • Name: Click the Add icon to add either a single or multiple Grid members for which you want to capture traffic. When you click the Add icon, Grid Manager displays the Member Selector dialog box from which you can select one or multiple members. Use SHIFT+click to select multiple contiguous rows or use CTRL+click to select multiple non-contiguous rows. Click OK. The selected members are added to the list of members in the Members table. You cannot add offline members to the list or capture traffic on an offline member.

      Selecting members in the Grid Manager -> Members tab does not capture traffic for the selected member. To capture traffic, you must select members from the Member Selector dialog box.

    • Interface: Select the port on which you want to capture traffic. You can view the selected interface while the traffic capture is in progress. Note that if you enabled the LAN2 failover feature, the LAN and LAN2 ports generate the same output and Grid Manager displays the interface as BOND while the traffic capture is in progress. By default, the interface is set to ALL after the traffic capture process stops. For information about the LAN2 failover feature, see About Port Redundancy.

      For vNIOS appliances, some of the options in the drop-down list may vary depending on your vNIOS configuration. For example, if you are using a single network interface instance of a vNIOS for GCP appliance, you will see choices specific to the LAN1 interface only.

      • LAN: Select this to capture all the traffic the LAN port receives and transmits.

      • MGMT: Select this to capture all the traffic the MGMT port receives and transmits.

      • LAN2: Select to capture all the traffic the LAN2 port (if enabled) receives and transmits.

      • ALL: Select this to capture the traffic addressed to all ports. Note that the NIOS appliance only captures traffic that is addressed to it.

      • LANxnnnn: If you have configured VLANs on the LAN1 or LAN2 port, the appliance displays the VLANs in the format LANx nnnn, where x represents the port number and nnnn represents the associated VLAN ID.

    • File Size: Displays the size of the traffic capture log file, in kilobytes, for the respective member.

    • Status: Displays the status of the traffic capture session on the member. The status can be one of the following:

      • STOPPED: Indicates that the traffic capture session has stopped.

      • RUNNING: Indicates that the traffic capture session is in progress.

      • NOT STARTED: Indicates that the traffic capture session has not started.

    • Transfer Status: Displays the status of the traffic capture file transfer. The status can be one of the following:

      • NOT STARTED: Indicates that the file transfer has not started. 

      • STARTED: Indicates that the file transfer has started.

      • COMPLETED: Indicates that the file transfer has been completed.

      • FAILED: Indicates that the file transfer has failed.

  3. Seconds to run: Specify the number of seconds you want the traffic capture tool to run.

  4. Capture Control: Click the Start icon to start the capture. Note that the start action will overwrite the existing traffic capture file. You can click the Stop icon to stop the capture after you start it. 

  5. Transfer To: Select the destination to transfer the traffic capture file. You can select My Computer, TFTP, FTP, or SCP from the drop-down list.

    • My Computer: Transfer the traffic capture file to a local directory on your computer. This is the default.

      Note that, to avoid consuming Grid Master disk space, NIOS restricts downloading the traffic capture files from multiple members to a local directory on your computer.

    • TFTP: Transfer the traffic capture file to a TFTP server.

      • Filename: Enter the directory path and the file name of the traffic capture file. For example, you can enter /home/test/traffic_capture_filename where traffic_capture_filename is the name of the file. 

      • IP Address of TFTP Server: Enter the IP address of the TFTP server to which you want to transfer the traffic capture file.

    • FTP: Transfer the traffic capture file to an FTP server.

      • Filename: Enter the directory path and the file name of the traffic capture file. For example, you can enter /home/test/traffic_capture_filename where traffic_capture_filename is the name of the file.

      • IP Address of FTP Server: The IP address of the FTP server.

      • Username: Enter the username of your FTP account.

      • Password: Enter the password of your FTP account.

    • SCP: Transfer the traffic capture file to an SCP server.

      • Filepath: Enter the directory path of the traffic capture file. For example, you can enter /home/test/.

      • IP Address of SCP Server: The IP address of the SCP server.

      • Username: Enter the username of your SCP account.

      • Password: Enter the password of your SCP account.

  6. Uncompressed Capture File Size: Select the members for which you want to download the traffic capture file and then click Download to download the captured traffic. You can download and save the file only after the capture stops, but not when the tool is running. You can rename the file if you want. NIOS updates the size of the report when the capture tool is running.
    Note that the NIOS appliance must have at least 500 MB of free disk space plus the size of the traffic capture file (2 GB or 1 GB, depending on the appliance model) to download the traffic capture file.

  7. Last updated: The timestamp of the last traffic capture process.

  8. Use terminal window commands (Linux) or a software application (such as StuffIt™ or WinZip™) to extract the contents of the .tar.gz file.

  9. When you see the traffic.cap file in the directory where you extracted the .tar.gz file, open it with a third-party network protocol analyzer application.

Limitations of the Traffic Capture Tool

...

...

The appliance monitors only UDP traffic on port 53 for recursive queries, and then reports invalid DNS responses.
DNS alert monitoring is disabled by default. For an HA pair, you must enable DNS alert monitoring on both the active and passive nodes.
To enable DNS network monitoring and DNS alert monitoring:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

set monitor dns on
The appliance displays the following:
Turning on DNS Network Monitoring...

...

To view DNS alert indicator status:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

show monitor dns alert status

...

You can configure thresholds for both invalid ports and invalid TXIDs. The default thresholds for both invalid ports and TXIDs are 50%. When the number of invalid ports or invalid TXIDs exceeds the thresholds, the appliance logs the event and sends SNMP traps and notifications. You can configure the thresholds either as absolute packet counts or as percentages of the total traffic during a one-minute time interval.
To configure DNS alert thresholds:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

set monitor dns alert modify port | txid over threshold_value packets | percent
where
port | txid = Enter port to set the threshold for invalid ports, or enter txid to set the threshold for invalid TXIDs.
threshold_value = Enter the number of packets or percentage for the threshold.
packets | percent = Enter packets if you want to track the total packet count, or enter percent if you want to track a percentage of the total traffic. For a percentage-based threshold, the appliance does not generate a threshold crossing event if the traffic level is less than 100 packets per minute.
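The interaction between the two threshold units and the 100-packets-per-minute floor is easy to get wrong when tuning alerts, so the following added example (not Infoblox code) models it: it parses the set monitor dns alert modify syntax above into a threshold, then evaluates constructed per-minute counters against the defaults or a custom threshold. It assumes "over" means strictly greater than the threshold and that the floor applies only to percent-based thresholds, as the text states.

```python
from dataclasses import dataclass

# A percent-based threshold is not evaluated when the minute carries fewer than 100 packets
# (the floor described in the threshold_value explanation above).
MIN_PACKETS_FOR_PERCENT = 100


@dataclass(frozen=True)
class AlertThreshold:
    value: float
    unit: str  # "packets" (absolute count per minute) or "percent" (share of total traffic)


# Appliance defaults: 50% for both invalid ports and invalid TXIDs.
DEFAULT_THRESHOLDS = {"port": AlertThreshold(50, "percent"), "txid": AlertThreshold(50, "percent")}


def parse_modify_command(command: str) -> tuple:
    """Parse 'set monitor dns alert modify <port|txid> over <value> <packets|percent>'."""
    words = command.split()
    if (len(words) != 9 or words[:5] != ["set", "monitor", "dns", "alert", "modify"]
            or words[5] not in ("port", "txid") or words[6] != "over"
            or words[8] not in ("packets", "percent")):
        raise ValueError(f"unrecognised command: {command!r}")
    return words[5], AlertThreshold(float(words[7]), words[8])


def threshold_crossed(threshold: AlertThreshold, invalid: int, total: int) -> bool:
    """True when the invalid count for one minute exceeds the threshold (assumed strictly greater)."""
    if threshold.unit == "packets":
        return invalid > threshold.value
    if threshold.unit != "percent":
        raise ValueError(f"unknown unit: {threshold.unit!r}")
    if total < MIN_PACKETS_FOR_PERCENT:
        return False  # too little traffic for a percentage to be meaningful
    return 100.0 * invalid / total > threshold.value


def evaluate_minute(total: int, invalid_port: int, invalid_txid: int, thresholds=None) -> list:
    """Return the alert kinds ('port', 'txid') that would fire for one minute of constructed counters."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    counts = {"port": invalid_port, "txid": invalid_txid}
    return [kind for kind in ("port", "txid") if threshold_crossed(thresholds[kind], counts[kind], total)]
```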

...

You can view the DNS alert thresholds. The appliance displays the current thresholds. If you have not configured new thresholds, the appliance displays the default thresholds, which are 50% for both invalid port and TXID.
To view the DNS alert thresholds:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

show monitor dns alert

The appliance displays the threshold information as shown in the following example:

...

You can mitigate cache poisoning on your DNS server by limiting the traffic or blocking connections from UDP port 53. To enable rate limiting from sources:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

set ip_rate_limit on

The appliance displays the following:

...

You configure rate limiting rules to limit access or block connections from UDP port 53. The rules take effect when you enable rate limiting.
When adding rules, ensure that you do not include an IP address that matches the IP address of either the Grid Master or Grid member. Doing this could affect VPN connectivity. To configure rate limiting rules:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

set ip_rate_limit add source all | ip_address [/mask] limit packets/m [burst burst_packets]

...

You can remove the existing rate limiting rules that limit access or block connections from UDP port 53. To remove all the existing rules:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

    • To remove the rate limiting rule that limits traffic from all sources, enter:
      set ip_rate_limit remove source all
      or

    • To remove all of the rate limiting rules from all sources, enter:
      set ip_rate_limit remove all

To remove one of the existing rules for an existing host:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

set ip_rate_limit remove source ip-address[/mask]

...

You can view the existing rate limiting rules that limit access or block connections from UDP port 53. To view rate limiting rules:

  1. Log in to the Infoblox CLI as a superuser account.

  2. Enter the following CLI command:

show ip_rate_limit

The appliance displays the rules, as shown in the following example:

...