Infoblox

Realm Security integrates seamlessly with Infoblox NIOS appliances, enabling intelligent routing and analysis of security event logs.

Infoblox Data Connector supports sending log data to configured destinations using the generic syslog protocol in CEF format.

Data Flow:

Sources > Infoblox Data Connector > Syslog Destination 

(NIOS, Infoblox Threat Defense, Universal DDI) > Infoblox Data Connector > (Realm Data Collector)

Set Up Infoblox Source in Realm

  • Log in to the Realm console
  • Add a new Source. Go to Sources > Add > Select Infoblox / Data Connector format
    • Name: Infoblox
    • Description: Infoblox logs
  • If a collector is already set up, go to Collectors > Select your collector. If not, add a new collector
    • To add a new collector, go to Collectors > Add > Give it a name and description
  • Add an Infoblox stream to the Collector.
    • Click on Add Stream
    • Select Product Format: Infoblox / Data Connector
    • From Source drop down: Select Infoblox source
    • Framing Trailer: Select LF
    • Click Add Stream button
  • The port number listed for the Infoblox stream is the syslog receiving port on the collector. You will need this when configuring Infoblox Syslog export.

Prerequisites

  • Ensure you have administrative access to your Infoblox NIOS.

  • Realm collector is set up and running. See the Realm Collector install guide for setting up a collector.

  • Realm Security syslog collector IP address or FQDN

  • Realm Collector receiving port number. In Realm console, go to Collectors > select collector > Copy port number listed for the Infoblox Stream.

Set Up Infoblox Data Connector

Follow these concise steps to configure syslog forwarding from your Infoblox Data Connector to Realm Security Data Fabric.

Deploy Data Connector

Deploy Infoblox Data Connector VM.

Enable Connector service

Navigate to the Infoblox Portal and enable the Data Connector service.

Configure Sources

Configure Sources: specify data sources that the Data Connector will use.

Configure Destination

Configure Destination: Add a destination to send data to Realm Data Collector.

  • You can configure multiple destinations of different types on the same Data Connector. For example, a single Data Connector can be used to create both cloud and syslog destinations.
  • Log in to the Infoblox Portal.
  • Click Configure > Administration > Data Connector.
  • Select the Destination Configuration tab, and click Create.
  • From the Create drop-down list, select Syslog and follow the instructions to set up a Syslog destination.
  • In the Create Syslog Destination Configuration wizard
    • Name: Realm Data Collector
    • Description: Realm data collector via Syslog & CEF
    • State: Enabled - use the slider to enable the destination
    • Format: CEF
    • SYSLOG DETAILS
      • Protocol: TCP
      • FQDN/IP: <IP/FQDN of Realm Data Collector VM>
      • Port: Receiving port for Realm Collector Stream
  • Click Save & Close

Set Up Traffic Flow

Create a new Traffic Flow if required. A Traffic Flow connects Data Connector sources to a destination.

  • Go to Configure > Administration > Data Connector
  • In the Traffic Flow Configuration tab, click Create Configuration.
  • In the Create New Data Configuration wizard:
    • Name: Realm Data Collector
    • Description: <describe all the sources that will be forwarded over to Realm Data Collector>
    • State: Enabled - use the slider to enable the traffic flow
  • Click Next
  • Log Source Configuration > Add Log Type
  • Select existing source or click Add to create a new source
  • Source Configuration > Add Log Type
    • Infoblox Cloud Source: With an Infoblox Cloud Source, you can select Audit Log, Internal Notifications, Service Log, Threat Defense Threat Feeds Hits Log, Threat Defense Query/Response Log, DDI DHCP Lease Log, DDI Query/Response Log.
    • CDC-NIOS source: Using CDC-NIOS source, select IPAM Metadata/DHCP Lease Information, Query/Response Log, or RPZ Logs.
  • Click Next to continue
  • Destination Configuration: Select one of the available destinations or click Add to create a new destination.
  • Click Next to continue
  • Service Instance: Choose a service instance from the drop-down menu.
  • Summary: Review the details of the traffic flow
  • Click Save & Close

Verify Configuration

  • Navigate to Configure > Administration > Data Connector > Traffic Flow Configuration page > Destination Configuration > Select Realm Data Collector > Select individual Traffic flow configuration > Last Health Check & Traffic flow.

  • Confirm with Realm Security Data Fabric that logs are being received and correctly parsed.
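
To check framing and parsing on the receiving side, the following added example (not Realm or Infoblox code) reassembles LF-framed messages from TCP reads and parses the CEF header and extension fields. The sample lines, the syslog prefix and every field value are constructed assumptions, not captured Infoblox output.

```python
import re
# Constructed sample (all values made up): two LF-terminated syslog lines that
# carry CEF, cut at arbitrary points the way TCP reads deliver them.
SAMPLE_CHUNKS = [
    b"<134>Jan  1 00:00:00 dc-host CEF:0|Infoblox|Data Connector|1.0|RPZ|"
    b"Blocked \\| policy hit|7|src=192.0.2.10 msg=query for bad.exam",
    b"ple blocked app=DNS\n<134>Jan  1 00:00:01 dc-host CEF:0|Infoblox|Data Conn",
    b"ector|1.0|DHCP|Lease granted|3|src=192.0.2.11 cs1=a\\=b\nnot-cef garbage\n",
]
HEADER = "version vendor product device_version event_class_id name severity".split()

def frames(chunks):
    """Reassemble LF-framed messages from TCP read chunks (Framing Trailer: LF)."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if line:
                yield line.decode("utf-8", errors="replace")

def unescape(value):
    # CEF escapes: \| in the header, \= and \\ in extensions, \n for newline
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_cef(line):
    """Return (header, extensions) dicts, or None if the line is not valid CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Split on pipes not preceded by a backslash; the 8th part is the extension
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        return None
    header = {k: unescape(v) for k, v in zip(HEADER, parts)}
    ext = {}
    if len(parts) == 8:
        # A value runs until the next whitespace-separated "key=" token
        tokens = re.split(r"(?:^|\s+)(\w+)=", parts[7])
        ext = {k: unescape(v) for k, v in zip(tokens[1::2], tokens[2::2])}
    return header, ext

def check_stream(chunks):
    """Parse every frame; return (parsed events, lines that failed to parse)."""
    events, rejected = [], []
    for line in frames(chunks):
        parsed = parse_cef(line)
        (events if parsed else rejected).append(parsed or line)
    return events, rejected
```

Lines that land in `rejected` indicate a framing or format mismatch, such as a destination whose Format is not set to CEF.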

Support

For additional details, refer to the official Infoblox Data Connector documentation.

If you encounter any issues or require assistance, contact Realm Security support.

Event metadata

The following additional metadata fields will be included with the events:

Field Name        Value
_sourceCategory   infoblox/threat_defense