Log File Format
- Gary Leicht
Infoblox Platform logs are delivered in parquet format. You can use the Apache parquet tools that Infoblox provides (click here to access the tools) to convert the parquet files to JSON format if necessary. For more information, see Converting Parquet to JSON.
Infoblox Platform supports three log file types: DNS queries and responses, RPZ hits, and IPAM metadata.
When synchronizing data with your S3 bucket the first time, Infoblox Platform automatically creates a directory structure in the following format for each day.
For DNS Response data, the following directory structure is required:
Amazon S3 > <bucketname> / dns_enriched / year=xxxx / month=xx / day=xx
Example:
Amazon S3 > testbucket / dns_enriched/ year=2022 / month=10 / day=31
Do not delete or modify the directory structure that Infoblox Platform creates. Otherwise, you might lose log data when Infoblox Platform synchronizes subsequent data with your S3 bucket.
Each folder in the directory structure contains all the log files that you have selected for export. For example, if you have selected DNS Response Logs and RPZ logs, you will see all the dns_ and rpz_ files in the same folder for a specific date.
The following sections describe the file format and data schema for each log type.
Response Logs
File format: part-00000-0228fa58-6334-464c-8502-37f04dd40528.c000.snappy.parquet
Schema:
Resource Record
| Field Name | Type | Description |
| name | STRING | FQDN |
| ttl | INT64 | Time-to-live |
| type | INT32 | RR type |
| clas | INT32 | RR class |
| data | STRING | RR data |
DNS
| Field Name | Type | Description |
| opcode | INT32 | opcode for NOTIFY, STATUS, QUERY, UPDATE This is the DNS opcode as defined in RFC 5395. Possible values are |
| timestamp | INT64 | timestamp in second part |
| qname | STRING | DNS query name in FQDN |
| qtype | INT32 | DNS query type |
| qclass | INT32 | DNS query class |
| source | STRING | data source or DNS server ID |
| qip | STRING | Requester IP |
| qport | INT32 | Requester Port |
| rip | STRING | Responder IP |
| rport | INT32 | Responder Port |
| protocol | INT32 | DNS protocol for TCP or UDP |
| delay | FLOAT64 | Delay in response |
| rcode | INT32 | Return code |
| type | INT32 | Message type by ISC: 0: UDP_INVALID 1: UDP_QUERY_RESPONSE 2: UDP_UNANSWERED_QUERY 3: UDP_UNSOLICITED_RESPONSE 4: TCP 5: ICMP 6: UDP_QUERY_ONLY 7: UDP_RESPONSE_ONLY |
| qqr | BOOL | Query flag QR |
| qaa | BOOL | Query flag AA |
| qtc | BOOL | Query flag TC |
| qrd | BOOL | Query flag RD |
| qra | BOOL | Query flag RA |
| qad | BOOL | Query flag AD |
| qcd | BOOL | Query flag CD |
| qdo | BOOL | Query flag DO |
| rqr | BOOL | Response flag QR |
| raa | BOOL | Response flag AA |
| rtc | BOOL | Response flag TC |
| rrd | BOOL | Response flag RD |
| rra | BOOL | Response flag RA |
| rad | BOOL | Response flag AD |
| rcd | BOOL | Response flag CD |
| rdo | BOOL | Response flag DO |
| qqr1 | ARRAY[ResourceRecord] | query resource record list 1 |
| qqr2 | ARRAY[ResourceRecord] | query resource record list 2 |
| qqr3 | ARRAY[ResourceRecord] | query resource record list 3 |
| rrr1 | ARRAY[ResourceRecord] | response resource record list 1 |
| rrr2 | ARRAY[ResourceRecord] | response resource record list 2 |
| rrr3 | ARRAY[ResourceRecord] | response resource record list 3 |
| view | STRING | DNS view |
| anonymized | BOOL | Anonymized flag |
| nanosec | INT32 | Timestamp in nano second part |
| pid | STRING | Policy identifier |
| cid | STRING | Client identifier |
| tid | STRING | Transaction identifier |
| extra | [('sld', 'some-sample-domain.com'), ('pname', 'sample'), ('domain_applications', 'sample domain application'), ('client_region', 'Region'), ('client_country', 'Country'), ('qname_norm', 'Gname '), ('client_continent', 'Continent'), ('event_date', '2023-07-04 00:26:50.858'), ('response_region', 'Region'), ('application', '[{"category":"Endpoint Protection","id":"54c42618-9790-45cf-b67g-2d97135a1442","name":"Name","vendor":"Name"}]'), ('egress_ip', '66.27.233.242'), ('device_name', '63.15.332.324'), ('record_type', '1'), ('all_tags', 'APP_Name_Technology - Other'), ('domain_categories', 'Technology - Other'), ('storage_id', '2401908'), ('response_country', 'Response country'), ('pdisplay_name', 'Display name'), ('network', 'Network name'), ('response', '17.164.123.313'), ('response_continent', 'sample'), ('device_ip', '66.27.233.242'), ('query_type', 'A')] | This existing map field contains all the enriched fields from the pipeline. |
| ancount | INT | Answers count |
| nscount | INT | Nameservers count |
| arcount | INT | Additional records count |
| username | STRING | Username for authenticated users |
| region | STRING | ATC's region |
| cmac | STRING | Client MAC address |
| version | STRING | Schema version |
Sample DNS response log:
java -jar parquet-tools-1.8.2-SNAPSHOT.jar cat -j dns_00000001525858200000_017.parquet
{“opcode”:0,”timestamp”:1525857674,”qname”:”eicar.co.”,”qtype”:1,”qclass”:1,”source”:
“3b9eea03015cee5cca1bcb22b02c837c”,”qip”:”54.152.30.60″,”qport”:47″3b9eea03015cee5cca1bcb22b02c837c”,”qip”:”54.152.30.60″,”qport”:47697,”rip”:”
“,”rport”:-1,”protocol”:17,”delay”:1.0,”rcode”:3,”type”:1,”qqr”:false,”qaa”:false,”qtc”:false,”qrd”:false,”qra”:false,
“qad”:false,”qcd”:false,”qdo”:false,”rqr”:true,”raa”:false,”rtc”:false,”rrd”:true,”rra”:false,”rad”:true,”rcd”:false,
“rdo”:false,”rrr1″:{},”rrr2″:{},”rrr3″:{},”view”:””,”anonymized”:false,”nanosec”:220087857,”pid”:”120873″,
“cid”:”:c4f0717dbd1150904aab042e1843a91f”,”tid”:””}
RPZ Logs
For RPZ data, the following directory structure is required:
Amazon S3 > <bucketname> /archivers/ rpz_enriched / year=xxxx / month=xx / day=xx /hour=xx
Example:
Amazon S3 > testbucket/rpz_enriched /year=2024/month=3/day=3/hour=15/
File format: part-00000-0228fa58-6334-464c-8502-37f04dd40528.c000.snappy.parquet
RPZ
| Field Name | Type | Description |
| opcode | INT32 | opcode for NOTIFY, STATUS, QUERY, UPDATE This is the opcode for the corresponding DNS traffic, such as |
| timestamp | INT64 | timestamp in second part |
| nanosecond | INT32 | Timestamp in nano second part |
| tcode | INT32 | RPZ Trigger code (adapted from ZyTrax) 0: QNAME Trigger on query name 1: CLIENT-IP Trigger on DNS client IP 2: IP Trigger on query response IP 3: NSDNAME Trigger on NS name during delegation 4: NS-IP Trigger on NS IP during delegation |
| tname | STRING | FQDN for RPZ trigger (feedname.rpz_entry or rpz_entry.feedname) |
| acode | INT32 | RPZ Action code (adapted from ZyTrax) 0: Local-Data Response data defined by RR and target name 1: NODATA Return name exists but with no answer data 2: PASSTHRU Do nothing – normally defines an exception in a range 3: NXDOMAIN Return name does not exist 4: TCP-Only Force use of TCP (REDIRECT for policy engine) 5: REFUSED Support for JANUS 6: DROP Causes client timeout |
| arrtype | INT32 | RPZ Action RR type |
| arrdata | STRING | RPZ Action RR data |
| qname | STRING | DNS query name in FQDN |
| qtype | INT32 | DNS query type |
| qclass | INT32 | DNS query class |
| source | STRING | data source or DNS server ID |
| qip | STRING | requester IP |
| qport | INT32 | Requester Port |
| rip | STRING | Responder IP |
| rport | INT32 | Responder Port |
| view | STRING | DNS view (Infoblox feed or others. Optionally prefix with network view qualifier) |
| pvendor | STRING | Product vendor |
| pname | STRING | Product name |
| pversion | STRING | Product version |
| loglevel | INT32 | Syslog severity level indicator |
| disabled | BOOL | Is RPZ rule disabled |
| tid | STRING | Transaction Identifier of DNS response |
| pid | STRING | Policy Identifier (optional) |
| cid | STRING | Client Identifier (optional) |
| anonymized | BOOL | Anonymized flag |
| cmac | STRING | Client MAC address (optional) |
| csite | STRING | Client Site ID (optional) |
| qcat | STRING | Content category (optional) |
| tinfo | STRING | Trigger information: threat property, threat level, threat confidence (optional) |
| username | STRING | Username for authenticated users |
| region | STRING | ATC's region |
| extra | NULL | [('user_name', 'anallapa'), ('threat_class', 'CAT'), ('sld', 'hivestreaming.com'), ('pname', 'remote_client'), ('domain_applications', 'Uncategorized'), ('feed_name', 'CAT_Business Software'), ('client_region', 'Telangana'), ('endpointgroups', 'India _SEZ_STPI'), ('client_country', 'India'), ('qname_norm', 'peers.hivestreaming.com'), ('property', 'Business Software'), ('private_ip', '192.168.1.15'), ('category', 'Business Software'), ('client_continent', 'Asia'), ('event_date', '2024-01-09 10:00:00.799'), ('threat_indicator', 'peers.hivestreaming.com'), ('mac_address', '4c:1d:96:61:81:b8'), ('response_region', 'Maharashtra'), ('record_type', '3'), ('device_name', 'LIN65001082.corp.capgemini.com'), ('policy_name', 'India_SEZ'), ('egress_ip', '49.205.243.42'), ('domain_categories', 'Business Software,Technology - Other'), ('all_tags', 'APP_Uncategorized,CAT_Business Software,CAT_Technology - Other,LIST_658691,LIST_672857'), ('response_country', 'India'), ('storage_id', '302391'), ('pdisplay_name', 'Remote Client (ATeP)'), ('network', 'BloxOne Endpoint'), ('feed_type', 'FQDN'), ('policy_action', 'Redirect'), ('os_version', 'Windows 11 Pro'), ('device_ip', '49.205.243.42'), ('response_continent', 'Asia'), ('response', '203.191.35.125'), ('query_type', 'A')] |
| version | STRING | Schema version |
| key | STRING | example: com.123xyz@123abc |
| sld | STRING | Second level domain (example: googl.com) |
Sample RPZ log:
java -jar parquet-tools-1.10.1-SNAPSHOT.jar cat -j rpz_0000000000000000061_030.parquet
{“opcode”:-1,”timestamp”:1521522768,”nanosec”:0,”tcode”:0,”tname”:”eicar.co.base.rpz.infoblox.local”,”acode”:3,”arrtype”:-1,”arrdata”:””,”qname”:”eicar.co”,”qtype”:1,”qclass”:-1,”source”:””,”qip”:”10.120.20.247″,”qport”:39826,”rip”:”10.35.205.4″,”rport”:-1,”view”:”_default”,”pvendor”:”Infoblox”,”pname”:”NIOS”,”pversion”:”8.2.0-357775″,”loglevel”:7,”disabled”:false,”tid”:””,”pid”:””,”cid”:””,”anonymized”:false,”cmac”:””,”csite”:””,”qcat”:””,”tinfo”:””}
IPAM Metadata Logs
File format: ipmeta__Update_1521240816_0000000000_01965.parquet
Schema:
Session Record
| Field Name | Type | Description |
| name | STRING | |
| actfrom | INT64 | |
| actto | INT64 |
IP Meta
| Field Name | Type | Description |
| opcode | INT32 | opcode for NOTIFY, STATUS, QUERY, UPDATE The opcode values are INSERT (0), DELETE (1), and UPDATE (2). |
| source | STRING | Data source (identical to DNS schema attribute with same name) |
| timestamp | INT64 | timestamp in second part |
| nanosecond | INT32 | Timestamp in nano second part |
| cip | STRING | Client IPv4 or IPv6 address |
| hostnames | ARRAY[STRING] | Client machine names or hostnames |
| usernames | ARRAY[SessionRecord] | Client usernames associated with IP (from AD) |
| mac | STRING | Client MAC address or hardware ID |
| view | STRING | Network view name containing DHCP lease |
| fingerprint | STRING | Description of Fingerprint from DHCP lease |
| os | STRING | OS discovered |
| firstts | INT64 | Timestamp of first discovery |
| lastts | INT64 | Timestamp of last discovery |
| extrattrs | MAP[ARRAY[STRING]] | IPAM Extensible Attributes |
| anonymized | BOOL | Anonymized flag |
| member | NULL | A map of member fields for range and ipv6 range type: map values: string |
| discovered_data | NULL | Network discovery device information type: map values: string |
| extra | NULL | A map of extra fields (May include new additional fields) type: map values: string |
Sample IPAM Metadata log:
java -jar parquet-tools-1.10.1-SNAPSHOT.jar cat -j ipmeta_Update_1521240816_0000000000_01965.parquet
{“opcode”:2,”source”:”10.35.205.4″,”timestamp”:1521535044,”nanosec”:0,”cip”:”10.35.205.4″,”hostnames”:{},”usernames”:{“array”:[{“name”:”frtest”,”actfrom”:1521238758,”actto”:1521534479}]},”mac”:””,”view”:”default”,”fingerprint”:””,”os”:””,”firstts”:-1,”lastts”:-1,”extattrs”:{},”anonymized”:false}