Configure an Infoblox NIOS instance to send logs to Arctic Wolf

You can configure your Infoblox® NIOS instance to send the necessary logs to a syslog server for Arctic Wolf®.

Note:

This is an optional configuration. Discuss this log forwarding option with your Concierge Security® Team (CST).

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to Infoblox grid manager with administrator permissions

Configure security monitoring for your Infoblox NIOS instance

  1. Sign in to the Infoblox grid manager with administrator permissions.
  2. On the Grid tab, click Grid Manager > Members > Grid Properties > Edit.
  3. On the Monitoring tab, select the Log to External Syslog Servers checkbox.
  4. Click to add a row for a new syslog server to the table.
  5. In the new row, configure these settings for the new syslog server:
    • Address — Enter the management IP address for the Arctic Wolf Sensor.
    • Transport — Select TCP.
    • Interface — Select Any.
    • Source — Select Any.
    • Port — Verify that the value is 514.
    • Severity — Select Info.
    • Logging Category — Select Send All.
  6. Click Add.
  7. Click Copy Audit Log Messages to Syslog to monitor the administrative activities on the server.
  8. For Syslog Facility, select the facility location that determines which log messages are generated.
  9. Click Save & Close.
  10. Optional: If available, click Restart.

Your Infoblox NIOS service is now configured to send syslog messages to your Arctic Wolf Sensor.

Enable DNS logging categories

  1. Sign in to the Infoblox grid manager with administrator permissions.
  2. On the Data Management tab, click DNS > Grid DNS Properties tab.
  3. In the navigation menu, click Logging.
  4. On the Basic tab, in the Logging Category section, select all categories except for query rewrite, DTC load balancing, and DTC health monitors.
    Note: Make sure that your system has sufficient CPU capacity before you enable DNS query logging. For more information, see System Capacity Prediction Trend.
  5. When prompted, click Yes if your system has sufficient CPU capacity to enable syslog for both DNS queries and responses.
  6. Click Save & Close.
  7. Optional: If available, click Restart.
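Before reporting back to Arctic Wolf, it helps to confirm that what reaches the syslog receiver matches the settings above: DNS queries and responses, copied audit-log messages, and nothing below Info severity. The following added example (not from this guide, Infoblox, or Arctic Wolf) checks captured syslog lines for exactly that; the sample lines are constructed, and their message formats (BIND-style query logging and a NIOS-style audit entry) are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines as a receiver on TCP/514 might see them. PRI is
# facility*8 + severity; local0 (16) is assumed, so <134> is Info and <135>
# is Debug, which the Info severity filter should have dropped.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 infoblox-gm named[1234]: client 10.0.0.5#53215: "
    "query: www.example.com IN A + (10.0.0.10)",
    "<134>Jan 10 12:00:01 infoblox-gm named[1234]: client 10.0.0.5#53215: "
    "UDP: query: www.example.com IN A response: NOERROR +",
    "<134>Jan 10 12:00:02 infoblox-gm infoblox.localdomain[5678]: "
    "[2024/01/10 12:00:02.123] [admin]: Login_Allowed - - to=AdminConnector "
    "ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI",
    "<135>Jan 10 12:00:03 infoblox-gm named[1234]: debug: lame server resolving",
    "not a syslog line at all",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
AUDIT_RE = re.compile(r"\[\d{4}/\d{2}/\d{2} [\d:.]+\] \[[^\]]+\]: ")

def parse_pri(line):
    """Split an RFC 3164 PRI into (facility, severity, message); None if absent."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23*8 + 7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2)

def classify(msg):
    """Name the NIOS log category a message belongs to (assumed formats)."""
    if AUDIT_RE.search(msg):
        return "audit"
    if "named[" in msg and " response: " in msg:
        return "dns_response"
    if "named[" in msg and " query: " in msg:
        return "dns_query"
    return "other"

def check_forwarding(lines, info_severity=6):
    """Count categories and flag lines the Info severity filter should drop."""
    counts = Counter()
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            counts["unparsed"] += 1
            continue
        _facility, severity, msg = parsed
        if severity > info_severity:
            counts["below_info"] += 1  # Debug-level: filter not in effect
        counts[classify(msg)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(check_forwarding(SAMPLE_LINES))
```

A result with zero `audit` lines means Copy Audit Log Messages to Syslog was not applied; a non-zero `below_info` count means the severity setting did not take effect.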

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.