Infoblox NIOS Logs

Updated Aug 31, 2023

Configure an Infoblox NIOS instance to send logs to Arctic Wolf

Note: Before starting this procedure, discuss this log forwarding option with your Concierge Security® Team.

You can configure your Infoblox® NIOS instance to send the necessary logs to a syslog server for monitoring security information.

Requirements

Steps

  1. Configure security monitoring for your Infoblox NIOS instance.
  2. Enable DNS logging categories.
  3. Provide configuration details to Arctic Wolf.

Step 1: Configure security monitoring for your Infoblox NIOS instance

  1. Access your Infoblox grid manager and sign in with the appropriate credentials.

  2. Select the Grid tab and then click Grid Manager > Members > Grid Properties > Edit to access the Grid Properties editor.

  3. Select the Monitoring tab to begin the syslog configuration.

  4. Complete the following steps to set up the syslog server:

    1. Click Log to External Syslog Servers.
    2. Click Add to define a new syslog server. A new row is added to the table.
    3. Enter the following information in the new row that is added to the table:
      1. Address — Enter the management IP address for the Arctic Wolf sensor.
      2. Transport — Select TCP.
      3. Interface — Select Any.
      4. Source — Select Any.
      5. Port — Verify that the value is 514.
      6. Severity — Select Debug.
      7. Logging Category — Select Send All.
    4. Click Add to confirm and add the syslog configuration.
    5. Click Copy Audit Log Messages to Syslog to monitor the administrative activities on the server.

    Tip: For Syslog Facility, select the facility that determines which log messages are generated.

  5. Save the configuration. Your Infoblox NIOS service is now configured to send syslog messages to your Arctic Wolf sensor.

Step 2: Enable DNS logging categories

  1. Select DNS from the Data Management tab, and then select Grid DNS Properties.

  2. Select Logging in the navigation pane, and then select Basic in the navigation bar.

  3. Under Logging Category, select all categories except for query rewrite, DTC load balancing, and DTC health monitors.

  4. Ensure that queries and responses are selected.

    Note: Confirm that your system has enough CPU capacity before you enable DNS query logging. See the Infoblox documentation about System Capacity Prediction Trend for more information.

  5. When prompted, select Yes if your system has enough CPU capacity to enable syslog for both DNS queries and responses.

  6. Select Save & Close.
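Once the queries and responses categories are enabled, the grid emits one syslog line per DNS query and one per response. As an added example that is not part of this guide or of Infoblox's software, the Python below parses a few constructed lines in the BIND-style message format that NIOS uses (an assumption to verify against your own grid's output) and counts NXDOMAIN responses per client, a basic check that the forwarded logs are usable for detection.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real grid). The message body
# follows the BIND-style format NIOS emits for the "queries" and "responses"
# categories; confirm the exact layout against your own grid before relying on it.
SAMPLE_LINES = [
    "<30>Aug 31 10:00:01 ns1 named[1234]: client 10.0.0.5#53123: query: www.example.com IN A + (10.0.0.10)",
    "<30>Aug 31 10:00:01 ns1 named[1234]: client 10.0.0.5#53123: UDP: query: www.example.com IN A response: NOERROR + www.example.com. 300 IN A 93.184.216.34;",
    "<30>Aug 31 10:00:02 ns1 named[1234]: client 10.0.0.7#40001: query: aaaa1.bad.test IN A + (10.0.0.10)",
    "<30>Aug 31 10:00:02 ns1 named[1234]: client 10.0.0.7#40001: UDP: query: aaaa1.bad.test IN A response: NXDOMAIN +",
    "<30>Aug 31 10:00:03 ns1 named[1234]: client 10.0.0.7#40002: query: aaaa2.bad.test IN A + (10.0.0.10)",
    "<30>Aug 31 10:00:03 ns1 named[1234]: client 10.0.0.7#40002: UDP: query: aaaa2.bad.test IN A response: NXDOMAIN +",
]

# Query line: "client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server ip>)"
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[\d.]+)\)"
)
# Response line: "client <ip>#<port>: <UDP|TCP>: query: <qname> IN <qtype> response: <rcode> ..."
RESPONSE_RE = re.compile(
    r"client (?P<client>[\d.]+)#(?P<port>\d+): (?P<proto>UDP|TCP): query: (?P<qname>\S+) IN "
    r"(?P<qtype>\S+) response: (?P<rcode>[A-Z]+)"
)


def parse_line(line):
    """Return a dict describing a query or response line, or None for any other message."""
    m = RESPONSE_RE.search(line)
    if m:
        return {"kind": "response", **m.groupdict()}
    m = QUERY_RE.search(line)
    if m:
        return {"kind": "query", **m.groupdict()}
    return None


def nxdomain_per_client(lines):
    """Count NXDOMAIN responses per client IP; a sudden spike from one host is a common
    sign of a domain-generation algorithm or DNS tunnelling and is worth investigating."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "response" and rec["rcode"] == "NXDOMAIN":
            counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(nxdomain_per_client(SAMPLE_LINES))
```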

Step 3: Provide configuration details to Arctic Wolf

  1. Visit the Arctic Wolf Portal and select Contact your CST.
  2. Include the following information in the message for your Concierge Security® Team (CST):
    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address assigned to the Infoblox NIOS virtual machine.
    • Any other questions or comments that you have.
  3. Select Send. Your CST will review the details and confirm that we are successfully processing the logs from your Infoblox device.
