Infoblox
Realm Security integrates seamlessly with Infoblox NIOS appliances, enabling intelligent routing and analysis of security event logs.
Infoblox Data Connector supports sending log data to configured destinations using the generic syslog protocol in CEF format.
Data Flow:
Sources > Infoblox Data Connector > Syslog Destination
(NIOS, Infoblox Threat Defense, Universal DDI) > Infoblox Data Connector > (Realm Data Collector)
Setup Infoblox Source in Realm
- Log in to the Realm console.
- Go to Sources > Add > Infoblox / Data Connector and add a new Source.
  - Name: Infoblox
  - Description: Infoblox logs
- If a collector is already set up, go to Collectors and select your collector. If not, go to Collectors > Add and give it a name and description.
- Add an Infoblox stream to the Collector. Click Add Stream.
  - Product Format: Infoblox / Data Connector
  - Source: Infoblox
  - Framing Trailer: LF
- Click Add Stream.
- The port number listed for the Infoblox stream is the syslog receiving port on the collector. You will need this when configuring Infoblox Syslog export.
Prerequisites
- Ensure you have administrative access to your Infoblox NIOS.
- Realm collector is set up and running. See Realm Collector install guide for setting up a collector.
- Realm Security syslog collector IP address or FQDN.
- Realm Collector receiving port number. In the Realm console, go to Collectors > select collector and copy the port number listed for the Infoblox Stream.
Setup Infoblox Data Connector
Follow these steps to configure syslog forwarding from your Infoblox Data Connector to Realm Security Data Fabric.
Deploy Data Connector
Deploy the Infoblox Data Connector VM.
Enable Connector Service
Navigate to the Infoblox Portal and enable the Data Connector service.
Configure Sources
Configure Sources: specify the data sources that the Data Connector will use.
Configure Destination
Configure a Destination to send data to the Realm Data Collector.
You can configure multiple destinations of different types on the same Data Connector — for example, a single Data Connector can be used to create cloud and syslog destinations.
- Log in to the Infoblox Portal.
- Click Configure > Administration > Data Connector.
- Select the Destination Configuration tab and click Create.
- From the Create drop-down list, select Syslog. Follow the instructions to set up a Syslog destination.
- In the Create Syslog Destination Configuration wizard, enter:
  - Name: Realm Data Collector
  - Description: Realm data collector via Syslog & CEF
  - State: Enabled (use the slider to enable the destination)
  - Format: CEF
  - Protocol: TCP
  - FQDN/IP: IP or FQDN of the Realm Data Collector VM
  - Port: Receiving port for the Realm Collector Stream
- Click Save & Close.
Setup Traffic Flow
Create a new Traffic Flow if required. Traffic flows connect Data Connector sources to a destination.
- Go to Configure > Administration > Data Connector.
- In the Traffic Flow Configuration tab, click Create Configuration.
- In the Create New Data Configuration wizard, enter:
  - Name: Realm Data Collector
  - Description: Describe all the sources that will be forwarded to the Realm Data Collector
  - State: Enabled (use the slider to enable the traffic flow)
- Click Next.
- Under Log Source Configuration, click Add Log Type.
- Select an existing source or click Add to create a new source.
  - Infoblox Cloud Source: Select from Audit Log, Internal Notifications, Service Log, Threat Defense Threat Feeds Hits Log, Threat Defense Query/Response Log, DDI DHCP Lease Log, or DDI Query/Response Log.
  - CDC-NIOS source: Select from IPAM Metadata/DHCP Lease Information, Query/Response Log, or RPZ Logs.
- Click Next.
- Destination Configuration: Select one of the available destinations or click Add to create a new destination.
- Click Next.
- Service Instance: Choose a service instance from the drop-down menu.
- Summary: Review the details of the traffic flow.
- Click Save & Close.
Verify Configuration
Navigate to Configure > Administration > Data Connector > Traffic Flow Configuration > Destination Configuration, select Realm Data Collector, then select the individual Traffic Flow configuration to review Last Health Check & Traffic Flow status.
Confirm with Realm Security Data Fabric that logs are being received and correctly parsed.
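To check independently what the destination settings above (Format CEF, Protocol TCP, Framing Trailer LF) put on the wire, the following added example, which is not Realm or Infoblox code, reassembles LF-framed records from TCP read chunks and parses the CEF header and extension, including escaped `|` and `=`. The function names are hypothetical, and the sample records are constructed and do not reflect actual Infoblox field names or values.

```python
import re

# Constructed sample (assumption, not real Infoblox output): three LF-terminated
# records arriving over TCP, cut at arbitrary read boundaries.
SAMPLE_CHUNKS = [
    b"<134>Jan  1 00:00:00 dc-host CEF:0|ExampleVendor|Example\\|Product|1.0|100|Sample ev",
    b"ent|3|src=192.0.2.10 msg=a\\=b dst=198.51.100.7\n<134>Jan  1 00:00:01 dc-host CEF:0|Ex",
    b"ampleVendor|ExampleProduct|1.0|101|Other event|8|src=192.0.2.11 act=blocked\nnot cef\n",
]
NAMES = ("version", "vendor", "product", "device_version", "class_id", "name", "severity")
FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")  # one header field, up to an unescaped '|'
KEY = re.compile(r"(?:^|\s)([\w.-]+)=")     # extension key: token followed by '='

def frame_lf(chunks):
    """Yield complete LF-terminated records; a trailing partial record is held back."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if line.strip():
                yield line.rstrip(b"\r").decode("utf-8", "replace")

def split_header(body, n=7):
    fields, pos = [], 0
    for _ in range(n):
        m = FIELD.match(body, pos)
        if not m:
            return [], ""
        fields.append(re.sub(r"\\([|\\])", r"\1", m.group(1)))  # undo \| and \\
        pos = m.end()
    return fields, body[pos:]

def parse_cef(record):
    """Return a dict for one record carrying CEF, or None if it is not well-formed CEF."""
    start = record.find("CEF:")
    fields, ext = split_header(record[start + 4:]) if start >= 0 else ([], "")
    if len(fields) != len(NAMES):
        return None
    event, keys = dict(zip(NAMES, fields), ext={}), list(KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        value = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        event["ext"][m.group(1)] = re.sub(r"\\([=\\])", r"\1", value)  # undo \= and \\
    return event

def check_stream(chunks):
    """Return (parsed_events, rejected_records) for a received byte stream."""
    parsed = [(r, parse_cef(r)) for r in frame_lf(chunks)]
    return [e for _, e in parsed if e], [r for r, e in parsed if e is None]
```

Records returned in the rejected list are the ones to raise when confirming parsing, since they arrived intact but did not carry a seven-field CEF header.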
Support
For additional details, refer to the official Infoblox Data Connector documentation.
If you encounter any issues or require assistance, contact Realm Security support.
Event Metadata
The following additional metadata fields will be included with the events.
| Field Name | Value |
|---|---|
| _sourceCategory | infoblox/threat_defense |