
Grid Reporting Properties

After you set up a dedicated reporting appliance in your Grid, you must configure the Grid reporting properties so you can communicate with the reporting appliance and retrieve report data through the Grid Master. In addition, you must select the correct report categories in order for the reporting server to generate the correct data in corresponding reports, as described in Configuring Grid Reporting Properties.
By default, only superusers can configure the Grid reporting properties. When you enable the Grid reporting service, all members transmit data to the reporting server. You can disable data transmission from specific members to the reporting server. Before using the reporting service, you must configure the remote server to export the search results, as described in Reporting (Index) Storage Space. Once you configure the reporting server and enable the reporting service on Grid members, you can view and manage reports through the Reporting tab of Grid Manager.


Note: When you reset the appliance using the CLI command reset all or reset the database using the CLI command reset database, the reporting configurations are not preserved. If you reset the appliance, you must configure Grid reporting properties and remote server settings to use the reporting service.


Complete the following to set up your reporting solution:

The properties you define in the Grid Reporting Properties editor apply to all the reporting members, unless you override them at specific member level. To override at the member level, see Modifying Member Reporting Properties.

Configuring Grid Reporting Properties

After you configure the reporting server, you must enable the data indexing and select at least one reporting category to ensure that the reporting service functions properly.


Note: You must select the correct report categories in order for the reporting server to generate the correct data in corresponding reports.


Complete the following to configure the Grid reporting properties:

  1. From the Administration tab -> Reporting tab, click Grid Reporting Properties from the Toolbar.
    or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the General -> Basic tab.
  3. Complete the following:
    • Reporting Server: Grid Manager displays the name of the reporting server.
    • Enable Data Indexing: Data transmission is disabled by default. You must select this check box to ensure that all Grid members transmit data to the reporting appliance. Enabling data transmissions for all members can affect the overall data consumption on the reporting server. For information about the maximum data consumption per day for your reporting appliance, see Table 40.5.
    • Report Category: Select the reports you want the reporting server to generate. The reporting server automatically configures data sources and configurations required to generate the reports you select here. The required data is stored in the reporting server database. By default, no report categories are selected. For a list of report categories, see Predefined Dashboards. You must select at least one reporting category for the reporting service to start working.
      • Index%: Displays the actual storage space allocated for a reporting index. You can modify this value between 0 and 100. When you enable an index category and leave it at 0%, the appliance displays an error message. Make sure that the total percentage of the index storage space for all report categories is 100% or less. The appliance displays a warning message when the total percentage of the index storage space is less than 100%.
      • Used%: Displays the index storage space used by a reporting index.
      • Index Name: Displays the reporting index name, which is displayed on the Reporting Index Usage Statistics report.
  4. Save the configuration and click Restart if it appears at the top of the screen.

Reporting (Index) Storage Space

One key configuration aspect of the reporting appliance is index space. By default, some percentage of index space is allocated on the reporting server for each report category listed in Table 40.3. For information about how to configure index space, see Configuring Grid Reporting Properties. Each report category uses up to a certain percentage of the usable reporting hard disk space for index storage. For example, of the total 237 GB usable hard disk space of an IB-VM-800 appliance, the Device reporting category uses 47.47%. For the list of default index space configured for each report category, see Table 40.5. You can modify the index percentage value between 0 and 100. When you modify this value, make sure that the total percentage for the index storage space for all categories equals exactly 100%. You can set the index percentage to a value less than 100% to reserve a certain percentage for future use. If the total percentage of the index space usage exceeds 100%, the appliance displays an error message. Note that the reporting appliance removes the oldest data when you reduce the index space percentage for a category to a value that is lower than the percentage used by the existing data. For information about the maximum index size and number of days the reporting data is retained, see Table 40.8. Also, ensure that its host name has only alphanumeric characters, underscores, dots, and dashes.


Note: For usable reporting hard disk space for each appliance model, see Table 40.2.



Table 40.5 Default Index Space Configured for Each Report Category

| Report Category | Default Index Space (%) Adjustable by User | Total Reporting Disk Space Used for Index Storage (GB) |
|---|---|---|
| Audit Log | 0% | |
| DNS Query, DNS Performance, DDNS, DNS Record Scavenging | 20% | Usable reporting hard disk space x 20% |
| DNS Query Capture | 0% | |
| DHCP Performance | 20% | Usable reporting hard disk space x 20% |
| DHCP Fingerprint, DHCP Lease History | 39% | Usable reporting hard disk space x 39% |
| DDI Utilization | 5% | Usable reporting hard disk space x 5% |
| Security, Network User | 1% | Usable reporting hard disk space x 1% |
| DNS Traffic Control | 0% | Usable reporting hard disk space is broken down between ib_dtc and ib_dtc_summary internally. |
| Cloud | 0% | |
| System Utilization | 15% | Usable reporting hard disk space x 15% |
| Device | 0% | |
| Ecosystem Subscription, Ecosystem Publication | 0% | |
| License | 0% | |
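
The Index% rules in this section can be checked against a proposed allocation before it is saved, which matters most when a reduction would make the appliance remove the oldest audit or security data. This is an added example, not Infoblox code: `IndexRow`, `check_plan`, the row names and the Used% figures are constructed, and it assumes the new Index% is compared directly with the displayed Used%, as the text describes.

```python
from dataclasses import dataclass

@dataclass
class IndexRow:
    name: str         # report category, or the categories that share one row of Table 40.5
    enabled: bool     # category check box selected
    index_pct: float  # proposed Index%
    used_pct: float   # Used% currently shown in the editor (constructed values below)

def check_plan(rows, usable_gb):
    """Apply the Index% rules; return (errors, warnings, {row name: GB allocated})."""
    errors, warnings, alloc_gb = [], [], {}
    for r in rows:
        if not 0 <= r.index_pct <= 100:
            errors.append(f"{r.name}: Index% must be between 0 and 100")
            continue
        if r.enabled and r.index_pct == 0:
            errors.append(f"{r.name}: category is enabled but Index% is 0")
        if r.index_pct < r.used_pct:
            # Shrinking below current usage makes the appliance remove the oldest data.
            warnings.append(f"{r.name}: Index% {r.index_pct:g} is below Used% "
                            f"{r.used_pct:g}; oldest data will be removed")
        # Same formula as the table: usable reporting disk space x Index%.
        alloc_gb[r.name] = round(usable_gb * r.index_pct / 100, 2)
    total = sum(r.index_pct for r in rows)
    if total > 100:
        errors.append(f"total Index% is {total:g}, which exceeds 100")
    elif total < 100:
        warnings.append(f"total Index% is {total:g}; {100 - total:g}% of index space is unallocated")
    return errors, warnings, alloc_gb

USABLE_GB = 237  # usable reporting disk space quoted above for an IB-VM-800

# Constructed change request: raise Security for threat protection reports,
# enable Audit Log, and pay for it by shrinking DHCP lease history and System Utilization.
PLAN = [
    IndexRow("Audit Log", True, 0, 0),
    IndexRow("DNS Query / DNS Performance / DDNS / DNS Record Scavenging", True, 20, 12),
    IndexRow("DHCP Performance", True, 20, 3),
    IndexRow("DHCP Fingerprint / DHCP Lease History", True, 30, 34),
    IndexRow("DDI Utilization", True, 5, 1),
    IndexRow("Security / Network User", True, 10, 1),
    IndexRow("System Utilization", True, 10, 4),
]

if __name__ == "__main__":
    errors, warnings, alloc_gb = check_plan(PLAN, USABLE_GB)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
    for name, gb in alloc_gb.items():
        print(f"{gb:8.2f} GB  {name}")
```
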


Modifying Member Reporting Properties

To modify reporting properties for a reporting member:

  1. From the Grid tab -> Grid Manager tab -> Services tab, select the Reporting service and click the Grid_member check box, and then click the Edit icon.
  2. In the Reporting Member Properties editor, select the General tab and click Override.
  3. Under Reporting Settings, complete the following:
    • Enable data forwarding to the indexer on this member: Select this check box to enable data transmissions to the reporting server. If you do not select this check box, a member will not forward data to the indexer and reporting service is disabled on that member.
    • Select the data categories to forward: Select the report categories for which you want this member to forward data to the reporting server. Clear the report categories for which you do not want this member to forward data to the reporting server.

Note: The member configured as an indexer displays only the Audit Log category.


  4. Save the configuration.

Defining Interface for Reporting Traffic

On a Grid member, you can define the network interface you want the member to use for sending reporting data to the reporting server.
To define network interface on the Grid member for reporting traffic, complete the following:

  1. From the Grid tab -> Grid Manager tab -> Services tab, select the Reporting service and click the Grid_member check box, and then click the Edit icon.
  2. In the Reporting Member Properties editor, select the General -> Advanced tab, and then complete the following:
    • Forwarding interface used for reporting traffic: From the drop-down list, select the interface that you want this member to use to send reporting data. Note that you must properly configure the interfaces on the member for them to appear in the drop-down list.
  3. Save the configuration.

Setting the Network Port for Reporting

All Grid members use port 9997 for reporting service by default. This port is used for data transmissions between the reporting member and other members. Ensure that you configure your firewall rules to allow traffic on this port. You can designate another network port for reporting purposes.
To set the network port for reporting:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    or
    From the Grid tab -> Grid Manager tab -> Services tab, select the Reporting service and click the Grid_member check box, and then click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the General -> Advanced tab and complete the following:
    • Port: Enter the port number you want to use for reporting purposes. The default port is 9997.
  3. Save the configuration.

Specifying the Data Generation Interval for Reports

You can specify the time interval when the appliance generates data for the DNS Statistics per View and DNS Statistics per Zone reports. The default value for the data generation interval for these reports is one day (86400 seconds). You can specify different data generation intervals for the DNS Statistics per View and DNS Statistics per Zone reports.
To specify the data generation interval for DNS Statistics per View and DNS Statistics per Zone reports:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    or
    From the Grid tab -> Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Data Generation Schedule tab and complete the following:
    • Data Generation: Enter the time in HH:MM:SS AM/PM format. You can also click the Clock icon to select a time from the drop-down list.
  3. Save the configuration.

For more information about the reports, see DNS Statistics per DNS View and DNS Statistics per Zone.

Configuring Threat Protection Data

You can use this feature only if the Threat Protection and Threat Protection Update licenses are installed on the Infoblox Advanced Appliance. When you configure this feature, you receive threat protection events in the syslog. The events logged include threat protection rules and the source IPs that triggered the rules. For information about how to monitor these events using the syslog, see Monitoring through Syslog.
For certain threat protection reports, accumulated statistics for each unique IP/rule pair are collected. You can control the volume of data collected per member using the following options:

  • Top IP/Rule Statistics Collection Limit: This option limits the collection of accumulated statistics to the top N unique IP/rule pairs.
  • IP/Rule Statistics Collection Interval (minutes): The interval at which the accumulated statistics for the top N unique IP/rule pairs are collected. The smaller the interval, the finer the granularity of the accumulated statistics in terms of time, but the data volume will be higher.

Based on your configuration, the reporting appliance displays data in the following threat protection reports:


Note: When threat details are missing for non-local RPZ feed zone entries, it is recommended to check if the associated feed zone's TSIG key is configured.

Note: To enable threat protection reports, you must select the Security report category in the Grid Reporting Properties editor. To select the Security check box, go to the Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab -> select the Security check box under Report Category. Ensure that you set the Security Index% to an optimal level so the reporting database has enough storage space to accommodate all reporting data. For information about how to configure the index %, see Configuring Grid Reporting Properties.


To configure the data collection limit:

  1. From the Administration tab, select the Reporting tab and click Grid Reporting Properties from the Toolbar.
    or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Threat Protection tab and complete the following:
    • Top IP/Rule Statistics Collection Limit: Enter the maximum number of the top N unique source IP/rule pairs for data collection. For example, if you specify 20, the appliance collects data for the top 20 unique source IP/rule pairs.
    • IP/Rule Statistics Collection Interval (minutes): Enter the time interval at which the reporting appliance updates data. For example, if you specify the interval as 60 minutes, the appliance updates data at a 60 minute interval.
  3. Click Save & Close.

Monitoring DNS Client Queries

You can view the presence of clients in the network that are sending large numbers of queries to DNS zones or DNS domains. To monitor the top clients querying DNS zones, do the following:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Basic tab -> DNS.
  3. Under DNS Top Clients Per Domain, select the Monitor Queries made to the following zones check box. Only authoritative zones are supported, to a limit of 1000 zones for monitoring purposes.
    • To select zones one at a time, choose individual check boxes. Click the Add icon and select Add Domain or Bulk Add Domains to add new zone information for excluding.
    • To specify the number of clients to be listed, choose the Top N Limit value. The default value is 10.

Monitoring IP Block Group Queries

You can view the user defined IP block groups that are querying DNS domains. To monitor the IP Block Groups, do the following:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Basic tab -> DNS.
  3. Under DNS Query trend per IP Block, select the Monitor Queries made from the following groups check box.
    • Click the Add icon to add a group to the group table. From the drop-down list, click Select Group to select groups in the Group Selector dialog box, or click Bulk Add Groups to add multiple groups.
    • To select all groups, select the Group check box. Or, select individual check boxes to select groups one at a time.
    • To delete a group, select the group and click the Delete icon.

Configuring DNS RPZ Rule Hits

You can specify a limit to display the number of top clients, who receive re-written responses through the RPZ, in DNS Top RPZ Hits. You can also specify the total number of RPZ entries for each client.

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Basic tab -> DNS.
  3. Under DNS RPZ Rule Hit Configuration, complete the following:
    • Enter a value for Top N Limit to specify the maximum number of top clients that can be listed in the report.
    • Specify the Total RPZ Entries per Client. This indicates the number of entries for each client in RPZ.

Note: You have to select the Security check box before you define values here. To select the check box, go to the Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab -> select the Security check box under Report Category.


Forwarding Syslog Data to the Reporting Server

You can control the kind of syslog data forwarded to the indexer from the Grid members. You can search for syslog events (search string) in the Reporting tab -> Search tab. The syslog events you see in the Search tab depend on the syslog categories that you specify in both the Grid Reporting and Member Reporting Properties. The Search tab displays syslog events for the selected syslog categories at both the Grid Reporting Properties and Member Reporting Properties.
To specify syslog data categories:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    or
    Member: From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab -> member check box and then click the Edit icon.
  2. In the Grid Reporting Properties or Reporting Member Properties editor, select the Syslog Data tab and complete the following:
    Click Override in the Reporting Member Properties editor to override the settings configured at the Grid reporting level. To inherit the same properties as the Grid, click Inherit.
    • Source: From the drop-down list, select which syslog messages the appliance sends to the external syslog server:
      • Any: The appliance sends both internal and external syslog messages.
      • Internal: The appliance sends syslog messages that it generates.
      • External: The appliance sends syslog messages that it receives from other devices, such as syslog servers and routers.
    • Severity: Choose a severity filter from the drop-down list. When you choose a severity level, the appliance sends log messages with the selected level and the levels above it. The severity levels range from the lowest, debug, to the highest, emerg. For example, if you choose debug, the appliance sends all syslog messages to the server. If you choose err, the appliance sends messages with severity levels err, crit, alert, and emerg.
      • emerg: Panic or emergency conditions. The system may be unusable.
      • alert: Alerts, such as NTP service failures, that require immediate actions.
      • crit: Critical conditions, such as hardware failures.
      • err: Error messages, such as client update failures and duplicate leases.
      • warning: Warning messages, such as missing keepalive options in a server configuration.
      • notice: Informational messages regarding routine system events, such as "starting BIND".
      • info: Informational messages, such as DHCPACK messages and discovery status.
      • debug: Messages that contain information for debugging purposes, such as changes in the latency timer settings and AD authentication failures for specific users.
    • Logging Category: Select one of the following logging categories:
      • Send all: Select this to log all syslog messages, irrespective of the categories to which they belong. When you select this option, the appliance logs syslog messages for all the events, including all DNS and Infoblox related events. However, the syslog messages are not prefixed when you select this option.
      • Send selected categories: Select this to configure logging categories from the list of available logging categories. Use the arrows to move logging categories from the Available table to the Selected table and vice versa. The appliance sends syslog messages for the categories that are in the Selected table. When you select this option, you must add at least one logging category. The syslog messages are prefixed with the name of the category to which they belong. Also, the RPZ events logged in the syslog messages use specific prefixes for the selected categories. Note that the syslog messages are prefixed when you set logging categories for at least one external syslog server, even if you set other external syslog servers as Send All.
  3. Save the configuration and click Restart if it appears at the top of the screen.
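
The Source and Severity filters, combined with member-level Override and Inherit, decide which events ever reach the indexer and can be found in the Search tab. The following added example (not Infoblox code) models that decision; the member names, settings and events are constructed, the function names are hypothetical, and the Logging Category filter is left out.

```python
# Severity names as listed above, ordered from lowest to highest.
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def effective_settings(grid, member_overrides, member):
    """A member that clicked Override uses its own settings; otherwise it inherits the Grid's."""
    return member_overrides.get(member, grid)

def is_forwarded(event, settings):
    """Apply the Source filter, then the Severity filter (selected level and the levels above it)."""
    if settings["source"] not in ("any", event["source"]):
        return False
    return SEVERITIES.index(event["severity"]) >= SEVERITIES.index(settings["severity"])

def audit(events, grid, member_overrides):
    """Split events into those sent to the indexer and those that are never forwarded."""
    sent, dropped = [], []
    for ev in events:
        cfg = effective_settings(grid, member_overrides, ev["member"])
        (sent if is_forwarded(ev, cfg) else dropped).append(ev)
    return sent, dropped

# Constructed settings: Grid-wide defaults plus one member that overrides them.
GRID = {"source": "any", "severity": "err"}
OVERRIDES = {"dns2.example.test": {"source": "internal", "severity": "debug"}}

# Constructed events; the message texts reuse the per-level examples given above.
EVENTS = [
    {"member": "dns1.example.test", "source": "internal", "severity": "debug",
     "msg": "AD authentication failure for a specific user"},
    {"member": "dns1.example.test", "source": "internal", "severity": "alert",
     "msg": "NTP service failure"},
    {"member": "dns1.example.test", "source": "internal", "severity": "err",
     "msg": "duplicate lease"},
    {"member": "dns1.example.test", "source": "external", "severity": "crit",
     "msg": "hardware failure reported by a router"},
    {"member": "dns2.example.test", "source": "internal", "severity": "debug",
     "msg": "AD authentication failure for a specific user"},
    {"member": "dns2.example.test", "source": "external", "severity": "emerg",
     "msg": "message received from a router"},
]

if __name__ == "__main__":
    sent, dropped = audit(EVENTS, GRID, OVERRIDES)
    for ev in dropped:
        print("not forwarded:", ev["member"], ev["source"], ev["severity"], "-", ev["msg"])
```

With the Grid set to err, the debug-level AD authentication failure on dns1 never reaches the indexer, while the overriding member forwards it but drops everything it receives from other devices.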