Infoblox NIOS Logs

Updated Jan 31, 2024

Configure an Infoblox NIOS instance to send logs to Arctic Wolf

You can configure your Infoblox® NIOS instance to send the necessary logs to a syslog server for Arctic Wolf®.

Requirements

Before you begin

Steps

  1. Configure security monitoring for your Infoblox NIOS instance.
  2. Enable DNS logging categories.
  3. Provide your Infoblox NIOS information to Arctic Wolf.

Step 1: Configure security monitoring for your Infoblox NIOS instance

  1. Sign in to the Infoblox grid manager with administrator permissions.

  2. On the Grid tab, click Grid Manager > Members > Grid Properties > Edit.

  3. On the Monitoring tab, complete these steps:

    1. Click the Log to External Syslog Servers checkbox.

    2. Click .

      A new row is added to the table.

    3. In the table, configure these settings:

      • Address — Enter the management IP address for the Arctic Wolf Sensor.
      • Transport — Select TCP.
      • Interface — Select Any.
      • Source — Select Any.
      • Port — Verify that the value is 514.
      • Severity — Select Debug.
      • Logging Category — Select Send All.
    4. Click Add.

    5. Click Copy Audit Log Messages to Syslog to monitor the administrative activities on the server.

    Tip: For Syslog Facility, select the facility that determines which log messages are generated.

  4. Click Save & Close.

    Your Infoblox NIOS service is now configured to send syslog messages to your Arctic Wolf Sensor.
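
What the Severity setting in Step 1 changes, shown as an added example that is not part of the Arctic Wolf or Infoblox documentation. It assumes the standard syslog convention that a severity filter passes the selected level and every more severe level, and it decodes the `<PRI>` header of each message to show which ones would be forwarded at a given setting. The sample lines, host names and addresses are constructed.

```python
import re

# RFC 5424 severity names; list index = numeric code (0 is the most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 5424 facility codes 0-15, followed by local0-local7 (codes 16-23).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode(line):
    """Split a syslog line into (facility, severity, message) using its <PRI> header."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        raise ValueError(f"missing or invalid PRI: {line[:40]!r}")
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)

def forwarded(lines, threshold):
    """Return the messages at `threshold` or more severe (lower numeric code)."""
    limit = SEVERITIES.index(threshold)
    return [msg for _fac, sev, msg in map(decode, lines)
            if SEVERITIES.index(sev) <= limit]

# Constructed sample lines, not captured from a real appliance.
SAMPLE = [
    "<30>Jan 31 10:00:01 ns1.example.test named[2211]: client 192.0.2.10#53211 "
    "(www.example.test): query: www.example.test IN A + (192.0.2.53)",
    "<27>Jan 31 10:00:02 ns1.example.test named[2211]: constructed error message",
    "<31>Jan 31 10:00:03 ns1.example.test httpd: constructed debug message",
    "<29>Jan 31 10:00:04 ns1.example.test httpd: constructed notice message",
]

if __name__ == "__main__":
    for level in ("err", "info", "debug"):
        kept = forwarded(SAMPLE, level)
        print(f"{level:>5}: {len(kept)} of {len(SAMPLE)} messages forwarded")
```

With these samples, a filter of `err` would drop the DNS query line, which is logged at `info`; only `debug` forwards all four.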

Step 2: Enable DNS logging categories

  1. On the Data Management tab, click the DNS tab.

  2. Click Grid DNS Properties.

  3. In the navigation menu, click Logging.

  4. On the Basic tab, in the Logging Category section, select all categories except for query rewrite, DTC load balancing, and DTC health monitors.

    Note: Make sure your system has sufficient CPU capacity before you enable DNS query logging. See System Capacity Prediction Trend for more information.

  5. When prompted, click Yes if your system has sufficient CPU capacity to enable syslog for both DNS queries and responses.

  6. Click Save & Close.

Step 3: Provide your Infoblox NIOS information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click > Open a New Ticket.

  3. On the Open a New Ticket page, configure these settings:

    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname you used during the configuration.
      • Questions or comments that you have.
  4. Click Send Message.

    Your CST will review the details and make sure that Arctic Wolf is successfully processing the logs.
