Infoblox NIOS

Version

1.25.0

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types

Security
Observability

Subscription level

Basic

Level of support

Elastic

The Infoblox NIOS integration collects and parses DNS, DHCP and audit data from Infoblox NIOS, received over TCP/UDP syslog or read from a log file.

Setup steps

  1. Enable the integration with the TCP/UDP input.
  2. Log in to the NIOS appliance.
  3. Configure the NIOS appliance to send messages to a syslog server using the following steps. For more information, see Using a Syslog Server.

    1. From the Grid tab, select the Grid Manager tab → Members tab, then navigate to Grid Properties → Edit → Monitoring from the toolbar.
    2. Select Log to External Syslog Servers to send messages to the specified syslog servers.
    3. Click the Add icon to define a new syslog server.
    4. Enter the IP address of the Elastic Agent running the integration.
    5. Select the Transport used to connect to the external syslog server.
    6. If you use the Secure TCP transport, upload a self-signed or CA-signed Server Certificate.
    7. From the drop-down list, select the Interface the appliance uses to send syslog messages to the syslog server.
    8. Select Any so that the appliance sends both internal and external syslog messages.
    9. From the drop-down list, select the Node ID, the host or node identification string that identifies the appliance from which the syslog messages originate.
    10. Enter the Port of the Elastic Agent running the integration.
    11. Select the Debug severity so that the appliance sends all syslog messages to the server.
    12. Select the following Logging Categories:

      • Common Authentication
      • DHCP Process
      • DNS Client
      • DNSSEC
      • DNS General
      • DNS Notifies
      • DNS Queries
      • DNS Query Rewrites
      • DNS Resolver
      • DNS Responses
      • DNS RPZ
      • DNS Updates
      • Non-system Authentication
      • Zone Transfer In
      • Zone Transfer Out
    13. Enable Copy Audit Log Messages to Syslog to include the audit log messages in what the appliance sends to the syslog server.
    14. Select the Syslog Facility, which determines the processes and daemons from which the log messages are generated.

Syslog over plain UDP or TCP is neither encrypted nor authenticated: anything on the path can read the DNS query and audit data, and a forged source address can inject lines into the same data stream. If the log path leaves a trusted network segment, use the Secure TCP transport from step 6 and restrict the Elastic Agent's listener to the addresses of the NIOS members.

Compatibility

This module has been tested against Infoblox NIOS version 8.6.1 with the log patterns given below.

Log samples

Below are sample logs for the corresponding categories.

Audit Logs

<141>Apr 13 22:14:36  ns1.infoblox.localdomain 10.50.1.227 httpd: 2022-04-13 16:44:36.850Z [user\040name]: Login_Denied - - to=AdminConnector ip=10.50.0.1 info=Local apparently_via=GUI
<29>Mar 21 09:53:51 infoblox.localdomain 10.0.0.1 httpd: 2022-03-21 08:53:51.087Z [service_account_test]: Login_Allowed - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=some-Group apparently_via=API
<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Direct auth=Local group=admin-group
<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Direct error=invalid\040login\040or\040password
<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\040first\040login
<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI
<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]]
<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:37:29.261Z [admin]: Created Network 192.168.0.0/24 network_view=default: Set extensible_attributes=[],address="192.168.2.0",auto_create_reversezone=False,cidr=24,comment="",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[]
<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 11:46:38.877Z [admin]: Modified MemberDhcp infoblox.localdomain: Changed enable_service:False->True
<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService: Args services=["ALL"],parents=[],force=True,mode="GROUPED"
<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset Block: Set comment="",disabled=True,name="Block",type="BLACKLIST"
<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:28:24.476Z [admin]: Called - TransferTrafficCapture message=Download\040Traffic\040capture\040file: Args message="Download Traffic capture file",members=[Member:infoblox.localdomain]
<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.238Z [service_account_test]: Created HostAddress 10.0.0.1 network_view=default: Set address="10.0.0.1",configure_for_dhcp=False,match_option="MAC_ADDRESS",parent=HostRecord:._default.tld.domain.subdomain.hostrecord
<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.239Z [service_account_test]: Created HostRecord somerecord.subdomain.domain.tld DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set extensible_attributes=[[name="NAC-Policy",value="Host"]],addresses=[address="10.0.0.1"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn="somerecord.subdomain.domain.tld"
<29>Mar 21 16:08:48 10.0.0.1 httpd: 2022-03-21 15:08:48.455Z [service_account_test]: Deleted HostRecord somerecord.subdomain.domain.tld DnsView=default address=10.0.0.0
<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Deleted CaaRecord somecaarecord.domain.tld DnsView=default
<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Created HostAddress 192.168.0.0 network_view=default: Set address="192.168.0.0",configure_for_dhcp=True,mac_address="01:01:01:01:01:01",match_option="MAC_ADDRESS",network=Network:192.168.0.0/24\054network_view\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True
<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]]
<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 12:40:05.241Z [adminuser]: Modified Grid Unibe-DNS-Grid: Changed backup_setting:[password="******",restore_password="******"]->[password="******",restore_password="******"],csp_api_config:[password="******"]->[password="******"],csp_settings:[csp_join_token="******"]->[csp_join_token="******"],download_member_conf:[[interface="ANY",is_online=True,member="Member:Grid Master"]]->[[interface="ANY",is_online=True,member=NULL]],email_setting:[password="******"]->[password="******"],http_proxy_server_setting:NULL->[password="******"],snmp_setting:[snmpv3_queries_users=NULL]->[snmpv3_queries_users=[]],syslog_servers:[[address="10.0.0.2"],[address="10.0.0.3"]]->[[address="10.0.0.4"]]
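
To make the audit format above concrete, here is an added example (written for this page; it is not code from the integration or from Infoblox) that parses a handful of the audit lines shown above into roughly the shape the integration's sample event shows: the syslog priority split into facility and severity, the optional member IP after the hostname, the user name and ISO timestamp, the NIOS octal escapes such as \040 (space), \054 (comma) and \075 (equals) decoded, and the session action lower-cased as in event.action. It then tallies Login_Denied events per user and source address. The dict keys returned are this example's own, not the integration's ECS mapping; the sample lines are copied from the page.

```python
import ipaddress
import re
from collections import Counter

# Audit lines copied from the samples on this page. The escapes such as \040 are
# literal, exactly as they arrive over syslog (hence the raw strings).
AUDIT_SAMPLES = [
    r"<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\040first\040login",
    r"<141>Apr 13 22:14:36  ns1.infoblox.localdomain 10.50.1.227 httpd: 2022-04-13 16:44:36.850Z [user\040name]: Login_Denied - - to=AdminConnector ip=10.50.0.1 info=Local apparently_via=GUI",
    r"<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Direct error=invalid\040login\040or\040password",
    r"<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]]",
    r"<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<systs>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)"
    r"(?:\s+(?P<hostip>\d{1,3}(?:\.\d{1,3}){3}))?"  # optional member IP after the hostname
    r"\s+(?P<service>\w+): "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}Z) "
    r"\[(?P<user>[^\]]+)\]: (?P<body>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<action>[A-Za-z_]+) - - (?P<kv>.*)$")          # session events
CHANGE_RE = re.compile(r"^(?P<verb>Created|Modified|Deleted|Called)\s+(?P<rest>.*)$")  # object changes
OCTAL_RE = re.compile(r"\\([0-7]{3})")


def unescape(text):
    """Decode NIOS octal escapes: '\\040' -> ' ', '\\054' -> ',', '\\075' -> '='."""
    return OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_kv(kv):
    """Split 'k=v k=v' pairs. A malformed token such as 'auth=LOCALgroup=admin-group'
    (present in the page samples) is kept as one key with the remainder as its value."""
    fields = {}
    for token in kv.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = unescape(value)
    return fields


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_audit(line):
    """Return a dict for one audit line, or None if the line is not an httpd audit record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # RFC 3164 PRI: facility * 8 + severity
    event = {
        "syslog": {"priority": pri, "facility": pri // 8, "severity": pri % 8},
        "host": m.group("host"),
        "host_ip": m.group("hostip"),
        "service": m.group("service"),
        "timestamp": m.group("ts"),
        "user": unescape(m.group("user")),
        "audit": {},
    }
    body = m.group("body")
    login = LOGIN_RE.match(body)
    if login:
        event["action"] = login.group("action").lower()  # e.g. First_Login -> first_login
        event["audit"] = parse_kv(login.group("kv"))
    else:
        change = CHANGE_RE.match(body)
        event["action"] = change.group("verb").lower() if change else None
        event["message"] = unescape(body)
    ips = {ip for ip in (event["host_ip"], event["audit"].get("ip")) if ip}
    if _is_ip(event["host"]):
        ips.add(event["host"])
    event["related_ips"] = sorted(ips)
    return event


def failed_logins(lines):
    """Count Login_Denied events per (user, source ip); console logins carry no ip."""
    counts = Counter()
    for line in lines:
        ev = parse_audit(line)
        if ev and ev["action"] == "login_denied":
            counts[(ev["user"], ev["audit"].get("ip"))] += 1
    return counts


if __name__ == "__main__":
    for line in AUDIT_SAMPLES:
        ev = parse_audit(line)
        print(ev["timestamp"], ev["user"], ev["action"], ev["audit"] or ev.get("message"))
    print(failed_logins(AUDIT_SAMPLES))
```

Object-change records (Created, Modified, Deleted, Called) are kept as one decoded message here rather than split into name/value pairs, because their argument lists nest brackets and quoted strings; note that the Modified Grid sample on this page already masks credentials with ****** before they reach syslog, so nothing in the audit stream should be treated as a secret store.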

DNS Logs

<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED -
<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com 28800 IN A 192.168.0.3;
<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED
<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3;
<30>Mar  9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288
<30>Mar  9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1)
<30>Mar 11 23:51:31 infoblox.localdomain named[27014]: rpz: rpz1.com: reload start
<30>Mar 11 23:51:31 infoblox.localdomain named[29914]: client @0x7ff42c168b50 192.168.0.1#50460 (test.com): rewriting query name 'test.com' to 'query123-10-120-20-93.test.com', type A
<30>Mar 11 23:51:31 infoblox.localdomain named[19204]: client @0x7fec7c11dab0 192.168.0.1#36483: updating zone 'test1.com/IN': adding an RR at 'a6.test1.com' A 192.168.0.2
<30>Mar 11 23:51:31 infoblox.localdomain named[28468]: CEF:0|Infoblox|NIOS|8.6.2-49634-e88e9df276a8|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=192.168.0.1 src=192.168.0.1 spt=51424 view=_default qtype=A msg="rpz QNAME NXDOMAIN rewrite nxd1.com [A] via nxd1.com.rpz1.com" CAT=RPZ
<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: zone local_7.com/IN: notify from 192.168.0.1#46982: zone is up to date
<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: responses: client @0x7fb550117f90 192.168.0.1#46982: received notify for zone 'local_14.com'
<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer status: success
<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec)
<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR started (serial 3)
<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR ended
<30>Mar 11 23:51:31 infoblox.localdomain named[30325]: resolver priming query complete
<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com'
<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/NSEC: bad cache hit (test.com/DNSKEY)
<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating hostrec3.test.com/NSEC: bad cache hit (test.com/DNSKEY)
<30>Apr 14 16:17:20 10.0.0.1 named[2588]: infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.0.1#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED -
<30>Apr 14 16:16:05 10.0.0.1 named[2588]: queries: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10)
<30>Apr 14 16:16:05 10.0.0.1 named[2588]: query-errors: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288
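
The named lines above come in three shapes that matter for detection: response logging (`query: ... response: RCODE FLAGS answers`), query logging (`client @0x... (qname): query: ... + (server)`) and the query-errors channel (`query failed (RCODE) for name/class/type`), each optionally prefixed with a channel name such as `infoblox-responses:` or `queries:`. The following added example (written for this page, not code from the integration or from BIND) parses all three into one record type, keeps the raw flag string as the integration does in infoblox_nios.log.dns.header_flags, splits the answer section into resource records, and tallies REFUSED outcomes per client and name. Only the leading `+`/`-` of the flag string is interpreted (BIND's recursion-desired marker); the other letters are left uninterpreted. The sample lines are copied from the page.

```python
import re
from collections import Counter

# named lines copied from the samples on this page.
DNS_SAMPLES = [
    "<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED -",
    "<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED",
    "<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3;",
    "<30>Mar  9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288",
    "<30>Mar  9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1)",
    "<30>Apr 14 16:17:20 10.0.0.1 named[2588]: infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.0.1#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED -",
    "<30>Apr 14 16:16:05 10.0.0.1 named[2588]: queries: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10)",
    "<30>Apr 14 16:16:05 10.0.0.1 named[2588]: query-errors: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288",
]

NAMED_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<systs>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) named\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
CATEGORY = r"(?:(?P<category>[a-z-]+): )?"  # optional channel prefix such as 'queries: '
CLIENT = r"(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+)"
RESPONSE_RE = re.compile(
    CATEGORY
    + r"(?P<ts>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    + CLIENT
    + r":? (?P<proto>UDP|TCP): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"response: (?P<rcode>[A-Z]+) (?P<flags>\S+)(?: (?P<answers>.+))?$"
)
QUERY_RE = re.compile(
    CATEGORY + r"client @0x[0-9a-f]+ " + CLIENT + r" \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server_ip>[^)]+)\)$"
)
FAILED_RE = re.compile(
    CATEGORY + r"client @0x[0-9a-f]+ " + CLIENT + r" \([^)]*\): query failed "
    r"\((?P<rcode>[A-Z]+)\) for (?P<qname>\S+)/(?P<qclass>\w+)/(?P<qtype>\w+) at (?P<where>\S+)$"
)
PATTERNS = (("response", RESPONSE_RE), ("query", QUERY_RE), ("query_failed", FAILED_RE))


def parse_answers(text):
    """Split 'name ttl class type rdata; ...' into one dict per resource record."""
    answers = []
    for rr in (text or "").split(";"):
        parts = rr.split()
        if len(parts) >= 5:
            name, ttl, rclass, rtype = parts[:4]
            answers.append({"name": name, "ttl": int(ttl), "class": rclass,
                            "type": rtype, "data": " ".join(parts[4:])})
    return answers


def parse_dns(line):
    """Return a dict for one named line; kind is response, query, query_failed or other."""
    m = NAMED_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    event = {"host": m.group("host"), "pid": int(m.group("pid")),
             "syslog_priority": int(m.group("pri")), "kind": "other", "message": body}
    for kind, pattern in PATTERNS:
        hit = pattern.match(body)
        if not hit:
            continue
        event.update(hit.groupdict())
        event["kind"] = kind
        event["client_port"] = int(event["client_port"])
        flags = event.pop("flags", None)
        if flags is not None:
            # Raw flag string kept verbatim; '+' / '-' is BIND's recursion-desired marker.
            event["header_flags"] = flags
            event["recursion_desired"] = flags.startswith("+")
        if kind == "response":
            event["transport"] = event.pop("proto").lower()
            event["answers"] = parse_answers(event.pop("answers"))
        break
    return event


def refused(lines):
    """Tally REFUSED outcomes per (client ip, qname) across response and query-errors lines."""
    counts = Counter()
    for line in lines:
        ev = parse_dns(line)
        if ev and ev.get("rcode") == "REFUSED":
            counts[(ev["client_ip"], ev["qname"])] += 1
    return counts


if __name__ == "__main__":
    for line in DNS_SAMPLES:
        ev = parse_dns(line)
        print(ev["kind"], ev.get("client_ip"), ev.get("qname"), ev.get("rcode"), ev.get("answers"))
    print(refused(DNS_SAMPLES))
```

When both the DNS Responses category and the query-errors channel are enabled, one refused query can appear twice (once as a response line, once as a query-errors line), so a rate-based alert on REFUSED should key on client, port and name rather than on raw line count.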

DHCP Logs

<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID a76ecf84 uid 01:00:50:56:83:6c:a0
<30>Mar 27 08:32:59 infoblox.localdomain 10.0.0.1 dhcpd[7024]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID b5e92c59 uid 01:00:50:56:83:6c:a0
<30>Mar 27 08:32:59 10.0.0.1 dhcpd[2750]: DHCPDISCOVER from 00:50:56:83:d0:f6 via eth1 TransID 6214ab45: network 10.50.0.0/20: no free leases
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab
<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPDISCOVER from 00:00:00:00:00:00 (h000000000000) via 192.168.0.2 TransID 01000000
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 120 offered-duration 1800
<30>Mar 31 15:30:05 10.0.0.1 dhcpd[15752]: DHCPOFFER on 192.168.0.4 to 26:9a:76:87:8a:06 via eth2 relay 192.168.0.3 lease-duration 1795 uid 01:26:9a:76:87:8a:06
<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPOFFER on 192.168.0.4 to 00:00:00:00:00:00 via eth1 relay 192.168.0.3 lease-duration 43137 offered-duration 43200
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPOFFER on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 120
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54737448 uid 01:00:50:56:83:6c:a0 (RENEW)
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 8767dc3c uid 01:00:50:56:83:6c:a0
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54ade258 uid 01:00:50:56:83:6c:a0 (RENEW)
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID a18a70a0 uid 01:00:50:56:83:6c:a0
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[25637]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:d3:83 via eth1 TransID 3ca1e0b7: unknown lease 192.168.0.4.
<30>Apr  6 10:13:31 infoblox.localdomain dhcpd[22730]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 542900fa uid 01:00:50:56:83:6c:a0: database update failed
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[30827]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:96:03 via eth1 TransID 9cf7c9e9: ignored (not authoritative).
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID 2d422d0c
<30>Mar 31 15:30:06 10.0.0.1 dhcpd[15752]: DHCPREQUEST for 192.168.0.4 from 9a:df:6e:f6:1f:23 via 192.168.0.2 TransID 15ca711f uid 01:9a:df:6e:f6:1f:23 (RENEW)
<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:00:00:00:00:00 via 192.168.0.3 TransID 01000000 (RENEW)
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[17530]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 uid 01:00:50:56:83:6c:a0
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800
<30>Mar 27 08:32:59 10.0.0.1 dhcpd[15752]: DHCPACK on 192.168.0.4 to 9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23
<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPACK on 192.168.0.4 to 00:00:00:00:00:00 (h000000000000) via eth1 relay 192.168.0.3 lease-duration 43200 (RENEW)
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPACK on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 43200
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 (not found) TransID 665fd9f1
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0
<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 5713b740
<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via eth2 TransID 5713b740
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 78563412: not authoritative for subnet 10.0.0.0
<30>Mar 18 11:44:52 10.0.0.1 dhcpd[32243]: DHCPDECLINE of 192.168.0.4 from 34:29:8f:71:b8:99 via 192.168.0.2 TransID 00000000: not found
<30>Mar 7 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPDECLINE of 192.168.0.4 from 00:c0:dd:07:18:e2 via 192.168.0.2: abandoned\n
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPNAK on 192.168.0.4 to f4:30:b9:17:ab:0e via 192.168.0.2
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPLEASEQUERY from 192.168.0.4: LEASEQUERY not allowed, query ignored
<30>Jul 12 15:07:57 67.43.156.0 dhcpd[8061]: DHCPOFFER on 67.43.156.0 to 9a:df:6e:f6:1f:23 via eth2 relay 67.43.156.0 lease-duration 40977 offered-duration 43200 uid 01:9a:df:6e:f6:1f:23
<30>Jul 12 15:10:48 67.43.156.0 dhcpd[13468]: DHCPACK on 67.43.156.0 to 9a:df:6e:f6:1f:23 via eth2 relay 67.43.156.0 lease-duration 7257600 (RENEW)
<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Encapsulated Solicit message from 2a02:cf40:: port 547 from client DUID 01:9a:df:6e:f6:1f:23:01:9a:df:6e:f6:1f:23, transaction ID 0x698AD400
<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Advertise NA: address 2a02:cf40:: to client with duid 01:9a:df:6e:f6:1f:23:01:9a:df:6e:f6:1f:23 iaid = -1620146908 valid for 43200 seconds
<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Relay-forward message from 2a02:cf40:: port 547, link address 2a02:cf40::1, peer address 2a02:cf40::2
<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Encapsulating Advertise message to send to 2a02:cf40:: port 547
<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Sending Relay-reply message to 2a02:cf40:: port 547
<30>Sep 28 09:25:49 infoblox.localdomain 10.0.0.1 dhcpd[25691]: DHCPACK on 192.168.0.4 to 00:50:56:83:96:03 via eth2 relay 192.168.0.4 lease-duration 3600 uid 01:9a:df:6e:f6:1f:23
<30>Sep 30 11:27:26 anudhcp.anu.edu.au 10.0.0.1 dhcpd[11411]: RELEASE on 192.168.0.4 to ce:93:30:8e:db:ac
<30>Sep 30 11:30:55 anudhcp.anu.edu.au 10.0.0.1 dhcpd[11411]: DHCPACK to 192.168.0.4 (9c:ad:97:7a:fd:33) via eth2
<30>Sep 30 11:33:03 anudhcp.anu.edu.au 10.0.0.1 dhcpd[11411]: DHCPACK on 192.168.0.4 to 4a:34:bf:d2:78:24 (my-iPhone) via eth2 relay 67.43.156.0 lease-duration 900 offered-duration 3600 (RENEW) uid 01:4a:34:bf:d2:78:24
<30>Sep 30 11:33:03 anudhcp.anu.edu.au 10.0.0.1 dhcpd[11411]: DHCPACK on 192.168.0.4 to 4a:34:bf:d2:78:24 via eth2 relay 67.43.156.0 lease-duration 900 offered-duration 3600 (RENEW) uid 01:4a:34:bf:d2:78:24
<30>Sep 30 11:33:03 anudhcp.anu.edu.au 10.0.0.1 dhcpd[11411]: DHCPACK on 192.168.0.4 to 4a:34:bf:d2:78:24 (my-iPhone) via eth2 relay 67.43.156.0 lease-duration 900 offered-duration 3600 (RENEW)
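
The question an incident responder usually brings to these DHCP logs is "which MAC held this address at that point in the log?". The following added example (written for this page, not code from the integration or from ISC dhcpd) parses the lease-affecting message types shown above, including the older DHCPACK to ... (mac) and RELEASE on ... forms that the 1.4.1 changelog entry refers to, groups them per address and replays them to find the current holder: a DHCPACK binds a MAC, and a DHCPRELEASE, RELEASE or DHCPEXPIRE unbinds it only if it names the same MAC. The sample lines are copied from the page; their ordering into one lease history for 192.168.0.4 is constructed.

```python
import re

# dhcpd lines copied from the samples on this page, arranged (constructed order)
# as one lease history for 192.168.0.4.
DHCP_SAMPLES = [
    "<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0",
    "<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[17530]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0",
    "<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0",
    "<30>Mar 27 08:32:59 10.0.0.1 dhcpd[15752]: DHCPACK on 192.168.0.4 to 9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23",
    "<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0",
    "<30>Sep 30 11:30:55 anudhcp.anu.edu.au 10.0.0.1 dhcpd[11411]: DHCPACK to 192.168.0.4 (9c:ad:97:7a:fd:33) via eth2",
    "<30>Sep 30 11:27:26 anudhcp.anu.edu.au 10.0.0.1 dhcpd[11411]: RELEASE on 192.168.0.4 to ce:93:30:8e:db:ac",
]

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
HOSTNAME = r"(?: \((?P<hostname>[^)]*)\))?"  # client-supplied name; may be absent
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<systs>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+)"
    r"(?: (?P<hostip>\d{1,3}(?:\.\d{1,3}){3}))? (?P<daemon>dhcpd|dhcpdv6)\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
GRANT_RE = re.compile(
    r"^(?P<type>DHCPACK|DHCPOFFER) on (?P<ip>\S+) to " + MAC + HOSTNAME
    + r" via (?P<via>\S+)(?: relay (?P<relay>\S+))?(?: lease-duration (?P<lease>\d+))?"
    r"(?: offered-duration (?P<offered>\d+))?(?: \((?P<renew>RENEW)\))?(?: uid (?P<uid>\S+))?$"
)
OLD_ACK_RE = re.compile(r"^(?P<type>DHCPACK) to (?P<ip>\S+) \(" + MAC + r"\) via (?P<via>\S+)$")
RELEASE_RE = re.compile(
    r"^(?P<type>DHCPRELEASE) of (?P<ip>\S+) from " + MAC + HOSTNAME + r" via (?P<via>\S+)"
    r"(?: \((?P<found>found|not found)\))?(?: TransID (?P<trans_id>[0-9a-f]+))?(?: uid (?P<uid>\S+))?$"
)
EXPIRE_RE = re.compile(r"^(?P<type>RELEASE|DHCPEXPIRE) on (?P<ip>\S+) to " + MAC + r"$")
LEASE_PATTERNS = (GRANT_RE, OLD_ACK_RE, RELEASE_RE, EXPIRE_RE)


def parse_dhcp(line):
    """Return a dict for one dhcpd line; lease-affecting messages also carry ip/mac/type."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    event = {"systs": m.group("systs"), "host": m.group("host"),
             "host_ip": m.group("hostip"), "daemon": m.group("daemon"), "message": body}
    for pattern in LEASE_PATTERNS:
        hit = pattern.match(body)
        if not hit:
            continue
        d = hit.groupdict()
        event.update({
            "type": d["type"], "ip": d["ip"], "mac": d["mac"],
            "hostname": d.get("hostname"), "via": d.get("via"), "relay": d.get("relay"),
            "lease_duration": int(d["lease"]) if d.get("lease") else None,
            "offered_duration": int(d["offered"]) if d.get("offered") else None,
            "renew": d.get("renew") is not None,
            "release_info": d.get("found"), "uid": d.get("uid"),
        })
        break
    return event


def lease_timeline(lines):
    """Group lease-affecting events per IP, in the order they were logged."""
    timeline = {}
    for line in lines:
        ev = parse_dhcp(line)
        if ev and "ip" in ev:
            timeline.setdefault(ev["ip"], []).append(ev)
    return timeline


def holder_of(timeline, ip):
    """Replay one address's events: DHCPACK binds the MAC; a release or expiry
    naming that same MAC unbinds it. Offers and messages for other MACs are ignored."""
    holder = None
    for ev in timeline.get(ip, []):
        if ev["type"] == "DHCPACK":
            holder = ev["mac"]
        elif ev["type"] in ("DHCPRELEASE", "RELEASE", "DHCPEXPIRE") and ev["mac"] == holder:
            holder = None
    return holder


if __name__ == "__main__":
    timeline = lease_timeline(DHCP_SAMPLES)
    for ev in timeline["192.168.0.4"]:
        print(ev["systs"], ev["type"], ev["mac"], ev["hostname"], ev["lease_duration"])
    print("current holder:", holder_of(timeline, "192.168.0.4"))
```

Two caveats when using this for attribution: the hostname in parentheses is whatever the client put in DHCP option 12 and is not verified by the server, and the MAC itself is client-controlled, so a binding here says which interface asked for the address, not who owns the device. The syslog timestamps also lack a year, so a timeline spanning a year boundary needs the year supplied from the collection context.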

Log

This is the log dataset.

Example

An example event for log looks as following:

{
    "@timestamp": "2011-10-19T12:43:47.375Z",
    "agent": {
        "ephemeral_id": "efe7a458-adf8-47ea-bfc1-ad839cc9aa39",
        "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.1"
    },
    "data_stream": {
        "dataset": "infoblox_nios.log",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
        "snapshot": false,
        "version": "8.10.1"
    },
    "event": {
        "action": "first_login",
        "agent_id_status": "verified",
        "created": "2023-03-22T14:26:54.000+05:00",
        "dataset": "infoblox_nios.log",
        "ingested": "2023-09-26T13:59:18Z",
        "original": "<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\\040first\\040login",
        "timezone": "+0500"
    },
    "host": {
        "ip": [
            "10.0.0.1"
        ]
    },
    "infoblox_nios": {
        "log": {
            "audit": {
                "apparently_via": "GUI first login",
                "auth": "LOCAL",
                "group": "admin-group",
                "ip": "10.0.0.2",
                "to": "AdminConnector"
            },
            "service_name": "httpd",
            "type": "AUDIT"
        }
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "192.168.80.7:39304"
        },
        "syslog": {
            "priority": 29
        }
    },
    "message": "2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\\040first\\040login",
    "related": {
        "ip": [
            "10.0.0.2",
            "10.0.0.1"
        ],
        "user": [
            "user"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "infoblox_nios-log"
    ],
    "user": {
        "name": "user"
    }
}
Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.image.id | Image ID for the cloud instance. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
host.containerized | If the host is a container. | boolean
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
infoblox_nios.log.audit.apparently_via | | keyword
infoblox_nios.log.audit.auth | | keyword
infoblox_nios.log.audit.error | | text
infoblox_nios.log.audit.group | | keyword
infoblox_nios.log.audit.info | | text
infoblox_nios.log.audit.ip | | ip
infoblox_nios.log.audit.message | | text
infoblox_nios.log.audit.object.name | | keyword
infoblox_nios.log.audit.object.value | | keyword
infoblox_nios.log.audit.to | | keyword
infoblox_nios.log.audit.trigger_event | | keyword
infoblox_nios.log.dhcp.client_hostname | | keyword
infoblox_nios.log.dhcp.decline.message | | keyword
infoblox_nios.log.dhcp.discover.message | | keyword
infoblox_nios.log.dhcp.duid | | keyword
infoblox_nios.log.dhcp.forward_name | | keyword
infoblox_nios.log.dhcp.iaid | | keyword
infoblox_nios.log.dhcp.inform.message | | keyword
infoblox_nios.log.dhcp.interface.ip | | ip
infoblox_nios.log.dhcp.ip | | ip
infoblox_nios.log.dhcp.lease.duration | | long
infoblox_nios.log.dhcp.lease.message | | keyword
infoblox_nios.log.dhcp.lease_query.message | | keyword
infoblox_nios.log.dhcp.link_address | | keyword
infoblox_nios.log.dhcp.message | | text
infoblox_nios.log.dhcp.network | | keyword
infoblox_nios.log.dhcp.offered.duration | | long
infoblox_nios.log.dhcp.peer_address | | keyword
infoblox_nios.log.dhcp.relay.interface.ip | | ip
infoblox_nios.log.dhcp.relay.interface.name | | keyword
infoblox_nios.log.dhcp.release.info | | keyword
infoblox_nios.log.dhcp.request.message | | keyword
infoblox_nios.log.dhcp.router.ip | | ip
infoblox_nios.log.dhcp.trans_id | | keyword
infoblox_nios.log.dhcp.uid | | keyword
infoblox_nios.log.dhcp.validation_second | | long
infoblox_nios.log.dns.after_query | | text
infoblox_nios.log.dns.answers_policy | | text
infoblox_nios.log.dns.before_query | | text
infoblox_nios.log.dns.category | | text
infoblox_nios.log.dns.failed_message | | text
infoblox_nios.log.dns.header_flags | | keyword
infoblox_nios.log.dns.message | | text
infoblox_nios.log.dns.rpz.action | | keyword
infoblox_nios.log.dns.rpz.domain | | keyword
infoblox_nios.log.dns.rpz.domain_rewrite | | keyword
infoblox_nios.log.dns.rpz.query_class | | keyword
infoblox_nios.log.dns.rpz.query_class_rewrite | | keyword
infoblox_nios.log.dns.rpz.rule_type | | keyword
infoblox_nios.log.dns.rpz.type | | keyword
infoblox_nios.log.dns.version | | text
infoblox_nios.log.dns.view_name | | text
infoblox_nios.log.service_name | | keyword
infoblox_nios.log.type | | keyword
infoblox_nios.log.view | | keyword
input.type | Input type | keyword
log.offset | Log offset | long
log.source.address | Source address of the log | keyword


Changelog

Version | Details | Kibana version(s)
1.25.0 | Enhancement (View pull request): Do not remove event.original in the main ingest pipeline. | 8.13.0 or higher
1.24.0 | Enhancement (View pull request): Add the "preserve_original_event" tag to documents whose event.kind is set to "pipeline_error". | 8.13.0 or higher
1.23.2 | Bug fix (View pull request): Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher
1.23.1 | Bug fix (View pull request): Fix handling of MARK log entries. | 8.13.0 or higher
1.23.0 | Enhancement (View pull request): Update the Kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher
1.22.0 | Enhancement (View pull request): Handle REFUSED log messages. | 8.7.1 or higher
1.21.0 | Enhancement (View pull request): Update manifest format version to v3.0.3. | 8.7.1 or higher
1.20.3 | Bug fix (View pull request): Remove the incorrect client.domain mapping from DNS logs. | 8.7.1 or higher
1.20.2 | Bug fix (View pull request): Clean up null handling and formatting. | 8.7.1 or higher
1.20.1 | Enhancement (View pull request): Changed owners. | 8.7.1 or higher
1.20.0 | Enhancement (View pull request): Handle RPZ hit log messages. | 8.7.1 or higher
1.19.4 | Bug fix (View pull request): Handle DNS data ending with ... and fix network.transport to include only udp/tcp. | 8.7.1 or higher
1.19.3 | Bug fix (View pull request): Update timestamp parsing logic to avoid @timestamp > event.created. | 8.7.1 or higher
1.19.2 | Bug fix (View pull request): Fix the exclude_files pattern. | 8.7.1 or higher
1.19.1 | Bug fix (View pull request): Fix handling of messages that contain a view field. | 8.7.1 or higher
1.19.0 | Enhancement (View pull request): ECS version updated to 8.11.0. | 8.7.1 or higher
1.18.0 | Enhancement (View pull request): Improve the event.original check to avoid errors when it is already set. | 8.7.1 or higher
1.17.0 | Enhancement (View pull request): Added parsing of the DNS question, attached the DNS flags as their own fields, and added GeoIP processing for client.ip. | 8.7.1 or higher
1.16.0 | Enhancement (View pull request): Update package format_version to 3.0.0. | 8.7.1 or higher
1.15.0 | Bug fix (View pull request): Fix invalid ECS field usage at the root level. | 8.7.1 or higher
1.14.0 | Enhancement (View pull request): ECS version updated to 8.10.0. | 8.7.1 or higher
1.13.0 | Enhancement (View pull request): Add a tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher
1.12.0 | Enhancement (View pull request): Update package to ECS 8.9.0. | 8.7.1 or higher
1.11.0 | Enhancement (View pull request): Update package-spec to 2.9.0. | 8.7.1 or higher
1.10.0 | Enhancement (View pull request): Convert visualizations to Lens. | 8.7.1 or higher
1.9.0 | Enhancement (View pull request): Ensure event.kind is correctly set for pipeline errors. | 7.17.0 or higher; 8.0.0 or higher
1.8.0 | Enhancement (View pull request): Update package to ECS 8.8.0. | 7.17.0 or higher; 8.0.0 or higher
1.7.2 | Bug fix (View pull request): Add event.created timestamp. |
1.7.1 | Bug fix (View pull request): Fix dns.answers handling. | 7.17.0 or higher; 8.0.0 or higher
1.7.0 | Enhancement (View pull request): Update package to ECS 8.7.0. | 7.17.0 or higher; 8.0.0 or higher
1.6.2 | Enhancement (View pull request): Added categories and/or subcategories. | 7.17.0 or higher; 8.0.0 or higher
1.6.1 | Bug fix (View pull request): Ensure numeric timezones are interpreted correctly. | 7.17.0 or higher; 8.0.0 or higher
1.6.0 | Enhancement (View pull request): Update package to ECS 8.6.0. | 7.17.0 or higher; 8.0.0 or higher
1.5.0 | Enhancement (View pull request): Add udp_options to the UDP input. | 7.17.0 or higher; 8.0.0 or higher
1.4.2 | Bug fix (View pull request): Remove duplicate fields. | 7.17.0 or higher; 8.0.0 or higher
1.4.1 | Enhancement (View pull request): Add support for new-type log patterns for the DHCPACK, RELEASE and DHCPRELEASE categories. | 7.17.0 or higher; 8.0.0 or higher
1.4.0 | Enhancement (View pull request): Update package to ECS 8.5.0. | 7.17.0 or higher; 8.0.0 or higher
1.3.3 | Bug fix (View pull request): Minor fix to timezone handling of the @timestamp field. | 7.17.0 or higher; 8.0.0 or higher
1.3.2 | Enhancement (View pull request): Remove saved-library visualizations and add on_failure processors to the date and convert processors. | 7.17.0 or higher; 8.0.0 or higher
1.3.1 | Bug fix (View pull request): Fix the file input configuration page options. | 7.17.0 or higher; 8.0.0 or higher
1.3.0 | Enhancement (View pull request): Allow the timezone to be configured. | 7.17.0 or higher; 8.0.0 or higher
1.2.0 | Enhancement (View pull request): Add support for the file input. | 7.17.0 or higher; 8.0.0 or higher
1.1.0 | Enhancement (View pull request): Add support for parsing DHCPOFFER and DHCPACK logs from the ISC dhcp process, and for parsing Encapsulated Solicit, Advertise NA, Encapsulating Advertise, Sending Relay-reply and Relay-forward logs from the ISC dhcpv6 process. | 7.17.0 or higher; 8.0.0 or higher
1.0.0 | Enhancement (View pull request): General availability release. | 7.17.0 or higher; 8.0.0 or higher
0.3.0 | Enhancement (View pull request): Update package to ECS 8.4.0. Enhancement (View pull request): Switch to the ECS-allowed values in dns.header_flags; the original value is now in infoblox_nios.log.dns.header_flags. |
0.2.0 | Enhancement (View pull request): Update package to ECS 8.3.0. |
0.1.0 | Enhancement (View pull request): Initial draft of the package. |