BloxOne Infoblox Platform security logs track security events generated by supported application sources. Monitoring security events can help you better understand applications. Use these logs to monitor security events and gain deeper insight into the security and safety of your network infrastructure.
To view the security logs, do the following:
In the Infoblox Portal, click Monitor > Logs > Security Logs.
On the Security Logs page, click Display Recent to display the most recent 100 security events.
or
Click ... to activate the filtering feature, and then click ... to configure your filter.
From the Basic Columns menu, choose the filtering criterion you want to add. For example, if you choose Timestamp, select an applicable timeline within which you want to filter the results, using the calendar provided. To add more filtering criteria, click ... again to add another criterion. When you are done, click ... to filter the events.
You can also click ... to remove the filter you just created. If you want to use the same criteria for future filtering, you can save the filter by clicking ... and entering a name for the filter. You can then click ... to find the saved filter in the future without setting the filtering criteria again.
The Security Logs page provides a card view and a table view for displaying information. You can toggle between the card and table view by clicking the icon on the upper right corner of the navigation bar.
Card view
Table view
By default, the card view displays the following information for each configuration you have created:
Timestamp: The UTC timestamp for the time the event was logged.
User: The user account that triggered the event.
App: The Infoblox Platform application source that generated the event. The following sources are supported:
identity: Identity and Access Management Service.
nginx: The NGINX or Apache web server.
Security Event Type: The security event type. The following are supported types and their descriptions:
Security Event Type | App Source | Description |
---|---|---|
nginx.access | nginx | The equivalent of an HTTP access log from NGINX or Apache. The log includes the user who is authenticated and claims in the request. |
nginx.data_export | nginx | A request for exporting data. |
nginx.legal_reason | nginx | A request from a country prohibited by the US trade rules (HTTP 451). |
nginx.unauthorized | nginx | A request that is made by using an API key and that resulted in an unauthorized response (HTTP 403). |
iam.login_succeeded | identity | Successful login. |
iam.login_failed | identity | Failed login. When a user or a user account can be identified, the information is added to the event. |
iam.logout_succeeded | identity | Successful logout. |
iam.logout_failed | identity | Failed logout. When a user or a user account can be identified, the information is added to the event. |
iam.apikey_disabled | identity | A request made by using a disabled API key. |
iam.apikey_expired | identity | A request made by using an expired API key. |
iam.denied_groups_claim | identity | An indication that the signed-in user has a restricted JSON web token group claim. |
iam.empty_groups_claim | identity | An indication that the signed-in user has an empty JSON web token group claim. |
To view more information for a specific event, click View Metadata to expand the panel that shows the following:
Domain: The name of the domain from which the security event was generated.
Message: The nature of the event. For example, successful login is displayed for a successful login via an identity or sso-identify app source. For an nginx app source, detailed information is displayed, such as the source IP, the API request type, and the HTTP status for the event.
When you toggle to the table view, the Security Logs page can display some or all of the following fields. By clicking the hamburger menu next to the fields, you can select or deselect the fields (including associated tags) and set the order in which they are displayed in the table view.
TIMESTAMP: The UTC timestamp for the time the event was logged.
USER: The user account that triggered the event.
APP: The Infoblox Platform application source that generated the event. The following sources are supported:
identity: Identity and Access Management Service.
nginx: The NGINX or Apache web server.
SECURITY EVENT TYPE: The security event type. Refer to the event table on this page.
DOMAIN: The name of the domain from which the security event was generated.
JWT: The JSON web token used to securely transmit the request.
REMOTE ADDRESS: The IP address used in the JSON web token.
REQUEST: The API request for the security event.
STATUS: The status of the API request for the security event.
USER EMAIL: The email address of the user account that triggered the event.
Downloading Security Logs in CSV Format
To download or export a security log in CSV format, do the following:
On the Security Logs page, click Download. This downloads a file named security-log-<timestamp in UTC format>.csv, such as security-log-10-10-2022, 10-30-59 PM UTC.csv.
You can also do the following on the Security Logs page:
Sort events in ascending or descending order: Click the Sort by menu, choose the column by which you want to sort the events, and then use the up and down arrows to sort the events in ascending or descending order.
View security events that match a specific keyword: In the Search text box, enter a keyword that you want to search on. The Infoblox Portal displays the list of security events that match the keyword in the text box.
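The following added example, which is not Infoblox code, shows one way to triage a downloaded CSV offline using the security event types from the table on this page. It assumes that the CSV header names match the table-view field names; the grouping policy, the threshold, the sample rows and the iam.example_new_type value are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Event types from the table on this page, split by an assumed triage policy.
THRESHOLD_TYPES = {"iam.login_failed", "nginx.unauthorized"}  # report on repeats
ALWAYS_TYPES = {"iam.apikey_disabled", "iam.apikey_expired", "nginx.legal_reason",
                "iam.denied_groups_claim", "iam.empty_groups_claim"}
ROUTINE_TYPES = {"nginx.access", "nginx.data_export", "iam.login_succeeded",
                 "iam.logout_succeeded", "iam.logout_failed"}

# Constructed sample export. Header names are assumed to match the table-view
# field names; check them against the header row of a real download.
SAMPLE_CSV = """\
TIMESTAMP,USER,APP,SECURITY EVENT TYPE,REMOTE ADDRESS,STATUS
2022-10-10 22:30:01,alice@example.com,identity,iam.login_failed,198.51.100.7,
2022-10-10 22:30:05,alice@example.com,identity,iam.login_failed,198.51.100.7,
2022-10-10 22:30:09,alice@example.com,identity,iam.login_failed,198.51.100.7,
2022-10-10 22:30:20,alice@example.com,identity,iam.login_succeeded,198.51.100.7,
2022-10-10 22:31:00,bob@example.com,identity,iam.login_failed,192.0.2.10,
2022-10-10 22:32:00,,nginx,nginx.unauthorized,203.0.113.9,403
2022-10-10 22:32:01,,nginx,nginx.unauthorized,203.0.113.9,403
2022-10-10 22:32:02,,nginx,nginx.unauthorized,203.0.113.9,403
2022-10-10 22:33:00,carol@example.com,identity,iam.apikey_expired,192.0.2.44,
2022-10-10 22:34:00,dave@example.com,identity,iam.example_new_type,192.0.2.45,
"""

def triage(csv_text, threshold=3):
    """Return (findings, unknown_types) for one exported security log."""
    counts, unknown = Counter(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        etype = (row.get("SECURITY EVENT TYPE") or "").strip()
        # USER can be empty when no account was identified; fall back to the
        # remote address so the event is still attributed to something.
        actor = ((row.get("USER") or "").strip()
                 or (row.get("REMOTE ADDRESS") or "").strip() or "unknown")
        if etype in THRESHOLD_TYPES or etype in ALWAYS_TYPES:
            counts[(etype, actor)] += 1
        elif etype not in ROUTINE_TYPES:
            unknown.add(etype)  # a type this script does not know: surface it
    findings = sorted((etype, actor, n) for (etype, actor), n in counts.items()
                      if etype in ALWAYS_TYPES or n >= threshold)
    return findings, unknown

if __name__ == "__main__":
    findings, unknown = triage(SAMPLE_CSV)
    for etype, actor, n in findings:
        print(f"{etype:22} {actor:22} x{n}")
    print("unrecognized event types:", sorted(unknown))
```

Event types that the script does not recognize are returned separately so that a type added to the product later is surfaced instead of silently ignored.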