
Viewing Audit Logs

When you make changes to your Infoblox configuration through the Infoblox Portal or the API, the configuration changes are logged. Infoblox Portal displays audit logs, so you can view administrative activities performed by specific user accounts.

The logged information includes the following:

  • The username of the person updating or modifying the configuration

  • The IP address from which the configuration changes originated

  • The object name or configuration option being changed, such as named lists, bypass lists, DNS forwarding proxy, or internal domains

  • Enabling and disabling of apps on a NIOS-X server

To view the audit logs, do the following:

  1. From Infoblox Portal, click Monitor > Logs > Audit Logs. 

  2. On the Audit Logs page, click Display Recent to display the most recent 100 system events.
    or
    Click the filter icon to activate the filtering feature, and then click the add icon to configure your filter.
    From the Basic Columns menu, choose the filtering criterion you want to add. For example, if you choose Timestamp, use the calendar provided to select the time range within which you want to filter the results.
    NOTE: Infoblox recommends that you apply a time range of no more than 30 days for best performance and response.
    To add more filtering criteria, click the add icon again to add another criterion. When you are done, click the corresponding icon to filter the events.
    You can also click the corresponding icon to remove the filter you just created. If you want to use the same criteria for future filtering, you can save the filter by clicking the corresponding icon and entering a name for the filter. You can then click the corresponding icon to find the saved filter in the future without setting the filtering criteria again.

The Audit Logs page provides a card view and a table view for displaying information. You can toggle between the card and table view by clicking the icon on the upper right corner of the navigation bar.

  • Card view

  • Table view

By default, the card view displays the following information for each configuration you have created:

  • Timestamp: The UTC timestamp when the user performed the specific task.

  • User: The name of the user account that performed the task.

  • Source IP: The IP address of the source that initiated the task.

  • Resource Type: The resource with which the performed task was associated. For example, if a user performed a specific task on a NIOS-X server, this field displays the name of the server.

  • Action: The specific action that was performed by the user. For example, if a user updated the configuration of the NIOS-X server, this field displays Update; and if a user deleted tags on a NIOS-X server, this field displays Delete.

  • Event Summary: Displays information about the action that has been taken for the event.

To view more information for a specific event, click View Metadata to expand the panel to view the following:

  • Session Type: The type of authentication for the event session. For example, this can be bearer (which is session-based) or token (which is token-based).

  • Subject Role: The role of the user account that generated this event.

  • Session ID: The audit session ID associated with this login session.

  • App Identifier: The application source associated with this audit session.

  • Full Request URI: The full URI of the API request sent for this event.

  • API Request ID: The API request ID for this audit event.

  • Resource ID: The unique ID of the resource that owns the audit log.

  • HTTP Verb: The HTTP request method used for the action. The most commonly used operations are POST, GET, PUT, PATCH, and DELETE.

  • HTTP Response Code: The HTTP status code that indicates whether the HTTP request associated with this event has been successfully completed. For example, code 200 indicates the request is successful.

  • Event Summary (details pane): Displays detailed information about all create, update, and delete (CUD) operations. The following CUD objects are supported:

    • External Networks

    • Endpoints

    • Mobile Endpoints

    • Endpoint Groups

    • Internal Domains

    • Security Policies

    • Custom Lists

    • Category Filters

    • Application Filters

    • Bypass Codes

    • DNS Forwarding Proxy

    • Authentication Profiles

    • On-Prem DNS Firewall Configuration

Image: Sample Event Summary Details Pane

When you toggle to the table view, the Audit Logs page can display some or all of the following fields. By clicking the hamburger menu next to the fields, you can select or deselect the fields (including associated tags) and change the order in which they are displayed in the table view.

  • TIMESTAMP: The UTC timestamp when the user performed the specific task.

  • USER: The name of the user account that performed the task.

  • SOURCE IP: The IP address of the source that initiated the task.

  • RESOURCE TYPE: The resource with which the performed task was associated. For example, if a user performed a specific task on a NIOS-X server, this field displays the name of the NIOS-X server.

  • ACTION: The specific action that was performed by the user. For example, if a user updated the configuration of the NIOS-X server, this field displays Update; and if a user deleted tags on a NIOS-X server, this field displays Delete.

  • EVENT SUMMARY: Displays information about the action that has been taken for the event.

  • SUBJECT ROLE: The role of the user account that generated this event.

  • SESSION ID: The audit session ID associated with this login session.

  • APP IDENTIFIER: The application source associated with this audit session.

  • SESSION TYPE: The type of authentication for the event session. For example, this can be bearer (which is session-based) or token (which is token-based).

  • FULL REQUEST URI: The full URI of the API request sent for this event.

  • API REQUEST ID: The API request ID for this audit event.

  • RESOURCE ID: The unique ID of the resource that owns the audit log.

  • HTTP VERB: The HTTP request method used for the action. The most commonly used operations are POST, GET, PUT, PATCH, and DELETE.

  • HTTP RESPONSE CODE: The HTTP status code that indicates whether the HTTP request associated with this event has been successfully completed. For example, code 200 indicates the request is successful.

Downloading Audit Logs in CSV Format

To download audit logs in CSV format, do the following:

  • On the Audit Logs page, click Download. The name of the downloaded file has this format: audit-log-<timestamp in UTC format>.csv, such as audit-log-10-10-2022, 10-30-59 PM UTC.csv.
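
The following added example (not part of the Infoblox documentation) shows one way to triage a downloaded audit log offline. It assumes the CSV column headers match the table-view field names and that RESOURCE TYPE carries the object type; the sample rows and the `SENSITIVE` set are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are ASSUMED to match the table-view
# field names on this page; all values are invented for illustration.
SAMPLE_CSV = """TIMESTAMP,USER,SOURCE IP,RESOURCE TYPE,ACTION,SESSION TYPE,HTTP VERB,HTTP RESPONSE CODE
2022-10-10T22:30:59Z,alice@example.com,192.0.2.10,Security Policies,Update,bearer,PUT,200
2022-10-10T22:41:12Z,alice@example.com,192.0.2.10,Custom Lists,Create,bearer,POST,201
2022-10-11T03:02:44Z,alice@example.com,198.51.100.7,Security Policies,Delete,token,DELETE,200
2022-10-11T03:03:01Z,bob@example.com,203.0.113.5,Bypass Codes,Create,token,POST,403
2022-10-11T03:03:09Z,bob@example.com,203.0.113.5,Bypass Codes,Create,token,POST,403
"""

# Object types treated as sensitive for this review (an assumption; a subset
# of the CUD objects listed in the Event Summary details pane).
SENSITIVE = {"Security Policies", "Custom Lists", "Category Filters", "Application Filters"}


def triage(csv_text):
    """Return review findings from an audit-log CSV export."""
    ips_by_user = defaultdict(set)   # user -> distinct source IPs seen
    failed = defaultdict(int)        # user -> count of 4xx/5xx responses
    sensitive_deletes = []           # Delete actions on sensitive object types
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["USER"].strip()
        ips_by_user[user].add(row["SOURCE IP"].strip())
        code = row["HTTP RESPONSE CODE"].strip()
        if code.isdigit() and int(code) >= 400:
            failed[user] += 1
        if (row["ACTION"].strip().lower() == "delete"
                and row["RESOURCE TYPE"].strip() in SENSITIVE):
            sensitive_deletes.append(
                (row["TIMESTAMP"], user, row["SOURCE IP"], row["RESOURCE TYPE"]))
    return {
        "multi_ip_users": {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > 1},
        "failed_requests": dict(failed),
        "sensitive_deletes": sensitive_deletes,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_CSV).items():
        print(name, value)
```

To run it against a real export, read the downloaded file with `encoding="utf-8-sig"` and pass its text to `triage`, adjusting the column names if the export differs.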

You can also do the following on the Audit Logs page:

  • Click the Sort by menu to choose the column by which you want to sort the events, and then use the up/down arrows to sort the events in ascending or descending order.

  • Enter the value that you want to search in the Search text box. Infoblox Portal displays the list of security events that match the keyword in the text box.

Pulling a Support Bundle from Infoblox Portal

Note the following limitations:

  • Uploading of log reports is not available for audit logs.

  • Uploading logs is not available for inactive endpoints.