This topic lists the supported fields in DNS query/response log messages for NIOS, BloxOne Threat Defense (B1TD), and BloxOne Universal DDI (B1DDI). For each field it gives the corresponding field name in CEF and LEEF format (sent via the syslog protocol) and in Splunk CIM (sent via the Splunk forwarder).
...
Internal field | Product | CEF | LEEF | Splunk CIM | Description |
---|---|---|---|---|---|
Timestamp | NIOS, B1TD, B1DDI | Timestamp* | Timestamp* | Timestamp* | UTC timezone |
<name server ip> rip | NIOS | dst | dst | dest | IP address of the DNS server |
<client IP> qip | NIOS, B1TD, B1DDI | src | src | src | IP address of the client |
<port> qport | NIOS | spt | srcPort | src_port | Source port |
<dns view> view | NIOS | InfobloxDNSView | InfobloxDNSView | dns_view | DNS view |
<qname> | NIOS, B1TD, B1DDI | destinationDnsDomain | url | query | Requested domain name |
<class name> qclass | NIOS, B1TD, B1DDI | InfobloxDNSQClass | InfobloxDNSQClass | record_type | Request class |
<type name> qtype | NIOS, B1TD, B1DDI | InfobloxDNSQType | InfobloxDNSQType | query_type | Request record type |
<flags> qqr, qaa, qtc, qrd, qra, qad, qcd, qdo | NIOS, B1TD, B1DDI | InfobloxDNSQFlags | InfobloxDNSQFlags | dns_request_flags | DNS request options |
<flags> rqr, raa, rtc, rrd, rra, rad, rcd, rdo | NIOS, B1TD, B1DDI | InfobloxDNSQFlags | InfobloxDNSQFlags | dns_response_flags | DNS response options |
protocol | NIOS, B1TD, B1DDI | proto | proto | transport | TCP or UDP |
- | NIOS, B1TD, B1DDI | app | app | | DNS |
- | NIOS, B1TD, B1DDI | | | query_count | Query count |
<rcode> | NIOS, B1TD, B1DDI | InfobloxDNSRCode | InfobloxDNSRCode | reply_code, reply_code_id | Response code |
[<RR in text format>] rrr1, rrr2, rrr3 | NIOS, B1TD, B1DDI | msg | msg | answer, dns_record | Returned resource records |
ttl | | | | | RR's TTL |
arcount | B1TD, B1DDI | InfobloxArCount | InfobloxArCount | additional_answer_count | Response: additional RR count |
ancount | B1TD, B1DDI | InfobloxAnCount | InfobloxAnCount | answer_count | Response: answer RR count |
nscount | B1TD, B1DDI | InfobloxNsCount | InfobloxNsCount | authority_answer_count | Response: authoritative RR count |
rport | B1TD, B1DDI | | | dest_port | DNS server's port |
| NIOS, B1TD, B1DDI | | | message_type | DNS Query or DNS Response |
tid | B1TD, B1DDI | | | transaction_id | Transaction ID |
- | NIOS, B1TD, B1DDI | | | vendor_product | For CIM: Infoblox NIOS, Infoblox BloxOne TD, Infoblox BloxOne Universal DDI |
opcode | B1TD, B1DDI | | | opcode | Operational code |
source | B1TD, B1DDI | | | source_id | Source ID |
type | B1TD, B1DDI | | | dns_packet_type | DNS packet type |
pid | | | | policy_id | Policy ID |
cid | | | | client_id | Client ID |
anonymized | | | | anonymized | Anonymized |

DNS Query/Response: Additional Metadata

Internal field | Product | CEF | LEEF | Splunk CIM | Description |
---|---|---|---|---|---|
region | B1TD | InfobloxB1Region | InfobloxB1Region | ib_b1_region | B1 PoP region |
pname | B1TD | InfobloxB1ConnectionType | InfobloxB1ConnectionType | ib_b1_connection_type | Connection type: remote_client, DFP, direct (NAT/Network) |
display_name | B1TD | InfobloxB1OPHName | InfobloxB1OPHName | oph_name | On-prem host (NIOS-X Server) name |
ip_address | B1TD | InfobloxB1OPHIPAddress | InfobloxB1OPHIPAddress | oph_ip_address | On-prem host (NIOS-X Server) IP |
network | B1TD | InfobloxB1Network | InfobloxB1Network | src_network | Network name (Network, DFP, Client) |
user_name | B1TD | suser | usrName | user_name | User name |
device_name | B1TD | dvchost | identHostName | src_device_name | User's device name |
mac_address or cmac | B1TD | smac | srcMAC | src_mac | User's device MAC |
device_ip | B1TD | dvc | | src_ip | User's device IP |
os_version | B1TD | InfobloxB1SrcOSVersion | InfobloxB1SrcOSVersion | src_os_version | User's device OS |
dhcp_fingerprint | B1TD | InfobloxB1DHCPFingerprint | InfobloxB1DHCPFingerprint | src_dhcp_fingerprint | User's device DHCP fingerprint |
all_tags | B1TD | InfobloxB1DNSTags | InfobloxB1DNSTags | ib_dns_tags | DNS request categorization tags |
...