Ingest Logs

Prerequisites

  • Logpoint v7.4.0 or later

  • Infoblox device

Download and install the integration:

  1. Find the Integration and download the .pak file.

  2. Go to Settings >> System Settings from the navigation bar and click Applications.

  3. Click Import.

  4. Browse to the downloaded .pak file.

  5. Click Upload.


Configure Infoblox

You can configure Infoblox using two methods:

  • Log Source (recommended — centralized interface for all integrations)

  • Devices

Method 1: Configure via Log Source

Configure the log source settings and connector, routing, normalization, and enrichment.

Step 1: Source

Configure the log source settings:

  1. Click Source.

  2. Enter the Log Source’s Name.

  3. Select the Device Addresses.

  4. Select the Device Groups.

  5. Select a Time Zone. The timezone of the device must be the same as its log source.

  6. Configure the Risk Values for Confidentiality, Integrity and Availability. They are used to calculate the risk levels of the alerts generated from the device.

Step 2: Connector

Configure the connection to Infoblox:

  1. Click Connector.

  2. In Proxy Server, select one of the following:

    • None, for the device to work as a Syslog Collector.

    • Use as Proxy, to use the device as a proxy. (You won’t see Processing Policy because the logs coming from a proxy device do not need to be normalized and stored.)

    • Uses Proxy, for the device to use a proxy device to collect the logs. Use the dropdown to select a Proxy IP address of a proxy device and enter the device’s HostName. The hostname is case-sensitive. Parser and Charset disappear after you select Uses Proxy because the parser and charset values added for the proxy device are used for all devices using that proxy.

  3. Select SyslogParser as Parser.

  4. Select the Charset.

Step 3: Routing

Repos are locations where incoming logs are stored, and routing criteria determine the conditions under which these logs are sent to repos.

To create a repo:

  1. Click Routing and + Create Repo.

  2. Enter a Repo name.

  3. In Path, enter the location to store incoming logs.

  4. In Retention (Days), enter the number of days logs are kept in a repository before they are automatically deleted.

  5. In Availability, select the Remote logpoint and Retention (Days).

  6. Click Create Repo.

  7. In Repo, select the created repo to store logs.

To create Routing Criteria:

  1. Click + Add row.

  2. Enter a Key and Value. The routing criteria are applied only to logs that contain this key-value pair.

  3. Select an Operation for logs that have this key-value pair:

    • Store raw message to store both the incoming and the normalized logs in the selected repo.

    • Discard raw message to discard the incoming logs and store the normalized ones.

    • Discard entire event to discard both the incoming and the normalized logs.

  4. In Repository, select a repo to store logs.

Step 4: Normalization

Select normalizers for the incoming logs. Normalizers transform incoming logs into a standardized format for consistent and efficient analysis.

  1. Click Normalization.

  2. Either:

    • Select a previously created normalization policy from the dropdown, or

    • Select a Normalizer from the list and click the swap icon.

Step 5: Enrichment

Select an enrichment policy for the incoming logs. Enrichment policies add additional information to a log, such as user information, device type or geolocation, before analyzing it.

  1. Click Enrichment.

  2. Select an Enrichment Policy.

  3. Click Create Log Source to save the configurations of Source, Connector, Routing, Normalization, and Enrichment.


Method 2: Configure via Devices

This method shows how to add normalization and processing policies, add an Infoblox device, and configure the Syslog Collector.

Step 1: Adding a Normalization Policy

Normalization policies normalize and standardize logs for efficient storage, analysis, and retrieval.

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. In Compiled Normalizer, select InfoBloxNormalizer.

  5. In Normalization Packages, select LP_InfoBlox, LP_InfoBlox Generic, and LP_InfoBlox Lite.

  6. Click Submit.

Step 2: Adding a Processing Policy

Processing policy dictates how logs are handled, processed, and stored.

  1. Go to Settings >> Configuration from the navigation bar and click Processing Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select the previously created Normalization Policy.

  5. Select the Enrichment Policy and Routing Policy.

  6. Click Submit.

Step 3: Adding an Infoblox Device

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click Add.

  3. Enter a device Name.

  4. Enter the IP address(es) of InfoBlox devices.

  5. Select the Device Groups.

  6. Select a Log Collection Policy.

  7. Select a collector or a forwarder from the Distributed Collector drop-down.

    • It is optional to select the Device Groups, the Log Collection Policy and the Distributed Collector.

  8. Select a Time Zone. It must be the same as the time zone configured on the InfoBlox device.

  9. Configure the Risk Values for Confidentiality, Integrity and Availability used to calculate the risk levels of the alerts generated from the device.

  10. Click Submit.

Step 4: Configuring the Syslog Collector for InfoBlox

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click the Add icon from Actions of the previously added device.

  3. Click Syslog Collector.

  4. Select Syslog Parser as Parser.

  5. Select the previously created Processing Policy.

  6. Select the Charset.

  7. In Proxy Server, select one of the following (if needed):

    • None, for the device to work as a Syslog Collector.

    • Use as Proxy, to use the device as a proxy. You won’t see Processing Policy because the logs coming from a proxy device do not need to be normalized and stored.

    • Uses Proxy, for the device to use a proxy device to collect the logs. Use the dropdown to select a Proxy IP address of a proxy device and enter the device’s HostName. The hostname of a proxy device is case-sensitive. Parser and Charset disappear after you select Uses Proxy because the parser and charset values added for the proxy device are used for all devices using that proxy.

  8. Click Submit.


Verify Ingestion

Check Log Ingestion

Use the following query to verify InfoBlox logs are being ingested:

Verify Data Flow

  1. Check Fetcher Status: Ensure InfoBlox is running without errors.

  2. Monitor Log Volume: Verify expected log volumes are being processed.

  3. Validate Normalization: Confirm logs are correctly parsed and normalized.

  4. Test Dashboards: Access InfoBlox dashboards to verify data visualization.
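An added example to support the checks above (this is not code from Logpoint or Infoblox): a Python script that sends one constructed Infoblox-style DNS query line to the Syslog Collector over UDP, so that the fetcher status, log volume and normalization checks have a known event to search for. The collector address, UDP port 514, and the sample log line are assumptions; the hostname you pass must match the device or proxy HostName configured above exactly, since it is case-sensitive.

```python
"""Send a constructed Infoblox-style syslog test event to a Logpoint Syslog Collector.

Assumptions (not from the page): the collector listens on UDP 514, and the
sample message below is a constructed BIND/NIOS-style DNS query log line.
"""
import socket
from datetime import datetime
from typing import Optional

# Constructed sample line in the BIND-style format Infoblox NIOS uses for DNS query logging.
SAMPLE_MSG = ("named[12345]: client 192.0.2.10#53211: query: "
              "test-ingest.example.com IN A + (192.0.2.53)")


def build_syslog(hostname: str, msg: str, facility: int = 1, severity: int = 6,
                 when: Optional[datetime] = None) -> bytes:
    """Build an RFC 3164 (BSD syslog) datagram: <PRI>TIMESTAMP HOSTNAME MSG.

    PRI = facility * 8 + severity (facility 1 = user, severity 6 = informational).
    The hostname is what the collector matches against the configured device or
    proxy HostName, which the Logpoint UI treats as case-sensitive.
    """
    when = when or datetime.now()
    pri = facility * 8 + severity
    # RFC 3164 timestamp "Mmm dd hh:mm:ss" with a space-padded day of month.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {msg}".encode()


def send_test_event(collector_ip: str, hostname: str, port: int = 514) -> bytes:
    """Send a single test datagram and return the bytes sent so you can search for them."""
    payload = build_syslog(hostname, SAMPLE_MSG)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (collector_ip, port))
    return payload


if __name__ == "__main__":
    # Placeholder collector address and device hostname; replace with your own values.
    sent = send_test_event("192.0.2.1", "infoblox-dns01")
    print("sent:", sent.decode())
```

After sending, search the repo you routed Infoblox logs to for `test-ingest.example.com`; if the raw message arrives but no normalized fields appear, recheck the Normalization Policy and Parser selection rather than the network path.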
