Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

Version 1 Current »

You can monitor RPZ hits based on subscriber security policies and parental control policies through the following:

Monitoring through Syslog

To receive information about RPZ hits based on subscriber security policies and parental control policies in the syslog, make sure that you enable the RPZ option in the Logging tab of the Grid DNS Properties editor or Member Properties editor. For information about configuring logging properties, see Setting DNS Logging Categories. Once the RPZ option is enabled, the appliance logs RPZ hits based on subscriber security policies and parental control policies in CEF (Common Event Format) in the syslog. For information about how to configure the syslog server, see Using a Syslog Server.

Following is a sample RPZ hit log message:

CEF:0|Infoblox|NIOS|8.2.0-359884|RPZ-QNAME|PASSTHRU|7|app=DNS dst=10.35.41.18 src=10.32.1.145 spt=52100 view=_default qtype=A msg="rpz QNAME PASSTHRU rewrite child.com [A] via child.com.bit6subscribers" IPSD=N/A Acct-Session-Id=29de847acde415ab User-Name=john NAS-IP-Address=10.36.120.10 MSISDN=9956182386 Subscriber-Secure-Policy=0000507f

Each log message contains the following information:

  • Infoblox|NIOS |x.x.x: Indicates the Infoblox product, and x.x.x represents the NIOS version.
  • The string following the NIOS version is a hard-coded constant. In this example, it is RPZ QNAME.
  • The hard-coded constant is followed by mitigation action. In this example, it is PASSTHRU.
  • The number following the mitigation action is the threat severity level. The following numbers indicate the severity levels:
    • 8 = Critical
    • 7 = Major
    • 6 = Warning
    • 4 = Informational
  • app: DNS
  • dst: Destination IP address.
  • src: Source IP address.
  • spt: Source port.
  • view: DNS view.
  • qtype: Query type.
  • msg: RPZ rule.
  • IPSD: IP space discriminator.
  • Acct-Session-Id: Session ID.
  • User-Name: Username of the subscriber.
  • NAS-IP-Address: NAS IP address.
  • MSISDN: The mobile phone number of the subscriber.
  • Subscriber-Secure-Policy: Subscriber Secure Policy.

To view RPZ violation by subscriber related log messages:

  1. From the Administration tab, select the Logs tab -> Syslog tab.
  2. From the drop-down list at the upper right corner, select the Grid member on which you want to view the syslog.
  3. From the Quick Filter drop-down list, select RPZ Incident Logs to view RPZ violation by subscriber related events. To narrow down the system messages you want to view, click Show Filter and then select the filters you want to use. For information about how to use filters, see Using Filters.


  • No labels