Monitoring through Syslog

To receive threat protection events in the syslog, you must enable the Security option in the DNS logging category of the Grid DNS Properties editor. For information about configuring the logging category, see Setting DNS Logging Categories. Once the Security option is enabled, hardware-based appliances log each threat protection related event in the syslog in CEF (Common Event Format). You can get detailed information about the events by reviewing the syslog periodically. For information about how to configure the syslog server, see Using a Syslog Server.
When a DNS attack is detected against an enabled rule, the appliance generates a log message. Note that only threat protection messages in CEF are displayed in the syslog. The log messages for rate limiting alert events also include the FQDNs extracted from DNS queries whose standard query and question count is greater than zero so you can quickly identify the offending clients. Note that the FQDN field displays “NA” for invalid DNS queries. This feature is enabled by default. You can disable this only in Maintenance Mode using the CLI command set smartnic-debug-adp-log-fqdn off.

Example:

When the appliance detects ICMP ping attacks that exceed the ping size against an existing auto rule that has the following configuration:

Log Severity = Critical
Rule ID = 120600925
Rule Name = Potential DDoS related domain
Rule Action = Drop
Rule Category = Potential DDoS related Domains

It generates the following threat detection event log message:

2016-03-30T12:30:17-07:00 daemon ol-18-114.tme.infoblox.com
threat-protect-log[15396]: err adp: CEF:0|Infoblox|NIOS
Threat|7.3.2-316478|120600925|Potential DDoS related domain:
uuu9.com|7|src=10.10.50.62 spt=60154 dst=25.11.11.114 dpt=53 act="DROP"
cat="Potential DDoS related Domains" nat=0 nfpt=0 nlpt=0 fqdn=lol.uuu9.com

The number of log messages generated is based upon your Event per Second per Rule setting. For example, if the setting is 5, the appliance generates five log messages of the same event per second when the attack continues within the time duration. Each log message contains the following information:

  • The timestamp when the event happened in yyyy-mm-ddThh:mm:ss+00:00 format.
  • Infoblox|NIOS Threat|x.x.x: Indicates the Infoblox product, and x.x.x represents the NIOS version.
  • The number following the NIOS version is the rule ID. In this example, it is 120600925.
  • Following the rule ID is the rule name specified in the rule.
  • The number following the rule name is the log severity. The following numbers indicate the severity levels:
    • 8 = Critical
    • 7 = Major
    • 6 = Warning
    • 4 = Informational
  • src: Source IP address.
  • spt: Source port.
  • dst: Destination IP address.
  • dpt: Destination port.
  • act: The rule action, which can be ALERT, DROP, or PASS, depending on the rule configuration.
  • cat: The rule category to which the rule belongs. In this example, the rule category is "Potential DDoS related Domains." For information about rule categories, see System and Auto Rule Categories.
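As an added example (not code from the Infoblox documentation), the following Python parser splits a threat-protect-log line into the CEF header fields and key=value extensions described above, maps the numeric severity to its name, and folds the repeated messages produced by the Events per Second per Rule setting into one event with a count. The sample line is constructed from the message shown above, and the parser assumes the header fields carry no escaped pipes.

```python
import re

# Severity codes documented for NIOS threat protection CEF messages.
SEVERITY_NAMES = {8: "Critical", 7: "Major", 6: "Warning", 4: "Informational"}

# Constructed sample line, modelled on the message format shown above.
SAMPLE_SYSLOG = (
    "2016-03-30T12:30:17-07:00 daemon ol-18-114.tme.infoblox.com "
    "threat-protect-log[15396]: err adp: CEF:0|Infoblox|NIOS Threat|7.3.2-316478|"
    "120600925|Potential DDoS related domain: uuu9.com|7|src=10.10.50.62 spt=60154 "
    'dst=25.11.11.114 dpt=53 act="DROP" cat="Potential DDoS related Domains" '
    "nat=0 nfpt=0 nlpt=0 fqdn=lol.uuu9.com"
)

# Extension pairs: key="quoted value" (may contain spaces) or key=bare-value.
_EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_threat_event(line: str) -> dict:
    """Parse one threat-protect-log line ({} if no CEF payload); assumes no escaped pipes in the header."""
    start = line.find("CEF:")
    if start < 0:
        return {}
    # CEF header: Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension
    parts = line[start:].split("|", 7)
    if len(parts) != 8:
        return {}
    _, _vendor, product, nios_version, rule_id, rule_name, severity, extension = parts
    sev = int(severity)
    event = {
        "timestamp": line.split(" ", 1)[0],  # syslog timestamp at the front of the line
        "product": product,
        "nios_version": nios_version,
        "rule_id": rule_id,
        "rule_name": rule_name,
        "severity": sev,
        "severity_name": SEVERITY_NAMES.get(sev, "Unknown"),
    }
    for key, value in _EXT_RE.findall(extension):
        event[key] = value[1:-1] if value.startswith('"') else value  # strip quotes
    return event


def collapse_repeats(lines) -> dict:
    """Fold duplicates from the Events per Second per Rule setting: same timestamp/rule/src/fqdn = one event."""
    counts: dict = {}
    for ev in map(parse_threat_event, lines):
        if ev:
            key = (ev["timestamp"], ev["rule_id"], ev.get("src"), ev.get("fqdn"))
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Feeding the parsed events into a SIEM or alerting pipeline lets you key on rule_id, act and severity_name rather than on free text, and the collapsed counts show how many times the appliance repeated each event per second.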

To view DNS threat protection related log messages:

  1. From the Administration tab, select the Logs tab -> Syslog tab.
  2. From the drop-down list at the upper right corner, select the Grid member on which you want to view the syslog.
  3. From the Quick Filter drop-down list, select Threat Rule Update Events or Threat Detection Event Logs to view rule update events or threat detection events respectively. To narrow down the system messages you want to view, click Show Filter and then select the filters you want to use. For information about how to use filters, see Using Filters.