
After you set up a dedicated reporting appliance in your Grid, you must configure the Grid reporting properties so you can communicate with the reporting appliance and retrieve report data through the Grid Master. In addition, you must select the correct report categories in order for the reporting server to generate the correct data in corresponding reports, as described in Configuring Grid Reporting Properties.

By default, only superusers can configure the Grid reporting properties. When you enable the Grid reporting service, all members transmit data to the reporting server. You can disable data transmission from specific members to the reporting server. Before using the reporting service, you must configure the remote server to export the search results, as described in Reporting (Index) Storage Space. Once you configure the reporting server and enable the reporting service on Grid members, you can view and manage reports through the Reporting tab of Grid Manager.

Note

When you reset the appliance using the CLI command reset all or reset the database using the CLI command reset database, the reporting configurations are not preserved. If you reset the appliance, you must configure Grid reporting properties and remote server settings to use the reporting service.

Complete the following to set up your reporting solution:

  1. Configure general reporting properties, including the selection of report categories, as described in Configuring Grid Reporting Properties.
  2. Specify the network port for reporting, as described in Setting the Network Port for Reporting.
  3. Specify email properties, as described in Configuring Email Notification Settings.
  4. Configure the logo image for PDF delivery, as described in Configuring Logo Image in PDF Reports.

The properties you define in the Grid Reporting Properties editor apply to all the reporting members unless you override them at the specific member level. To override at the member level, see Modifying Member Reporting Properties.

Configuring Grid Reporting Properties

After you configure the reporting server, you must enable the data indexing and select at least one reporting category to ensure that the reporting service functions properly.

Note

You must select the correct report categories in order for the reporting server to generate the correct data in corresponding reports.

Complete the following to configure the Grid reporting properties:

  1. From the Administration tab -> Reporting tab, click Grid Reporting Properties from the Toolbar.
    or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab, and then click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the General -> Basic tab.
  3. Complete the following:
    1. Reporting Server: Grid Manager displays the name of the reporting server.
    2. Enable Data Indexing: Data transmission is disabled by default. You must select this check box to ensure that all Grid members transmit data to the reporting appliance. Enabling data transmission for all members can affect the overall data consumption on the reporting server. For information about the maximum daily data consumption for your reporting appliance, see Table 40.5.
    3. Enable Time Based Retention: Select this check box if you want the reporting data to be retained for a number of days you specify. You specify the number of days in the Retention in days column. When you select this check box, NIOS displays a warning message indicating that the reporting data is deleted after the number of days specified in the Retention in days column. This check box is disabled by default.

    4. Report Category: Select the reports you want the reporting server to generate. The reporting server automatically configures data sources and configurations required to generate the reports you select here. The required data is stored in the reporting server database. By default, no report categories are selected. For a list of report categories, see Predefined Dashboards. You must select at least one reporting category for the reporting service to start working.
      1. Index%: Displays the storage space allocated for a reporting index. You can set this value between 0 and 100. When you enable an index category and leave it at 0%, the appliance displays an error message. Make sure that the total index storage percentage for all report categories is 100% or less. The appliance displays a warning message when the total is less than 100%.
      2. Used%: Displays the index storage space used by a reporting index.
      3. Retention in days: Enter the number of days for which you want the reporting data to be retained. The data is permanently deleted after this number of days. You can enter a value between 7 and 365. The default value is No Retention.
      4. IndexName: Displays the reporting index name, which is displayed on the Reporting Index Usage Statistics report.

        Note

        If you back up the reporting data before the expiry of the retention period, then you can restore the data at a later date.

  4. Save the configuration and click Restart if it appears at the top of the screen.

Caching Threat Category Information from the Cloud Services Portal

The threat category information (Threat DB and threat description) is downloaded from the Cloud Services Portal and stored locally. It is then sent to the reporting server, where it augments RPZ hits before the reports are generated. Caching threat category information from the Cloud Services Portal improves the performance of threat reports because the data is fetched from the locally stored cache.

You can configure the Cloud Services Portal credentials and schedule the download of the entire Threat DB from the Cloud Services Portal. If you have already downloaded the entire Threat DB, the next full download takes place only after 24 hours have elapsed.

Note

For the threat indicator caching feature to work on a Grid, the Grid must have at least one user with can delete permission set up on the Grid.

Limitations

Note the following limitations when you use the threat indicator caching feature:

  • Enabling the threat indicator caching feature results in higher usage of network bandwidth and reduction of the reporting indexing capacity.
  • Enabling the threat indicator caching feature impacts the performance of Grid Master as Splunk consumes significant bandwidth to forward the entries to indexers. It takes a few minutes for the entries to get forwarded and indexed completely based on the data size.
  • If you enable the threat indicator caching feature and then revert or upgrade the Grid to a version that does not support the feature, the indexed threat DB data still occupies disk space even though it is not searchable in the upgraded or reverted Grid version.
  • The downloaded threat indicator database file can become very large because of data retention in the following scenarios:
    • When you enable and disable the threat indicator caching feature several times.
    • When you upgrade NIOS and then revert to the prior version without disabling the threat indicator feature, and then upgrade NIOS again.
  • When the threat indicator caching feature is enabled, the threat details in the DNS Top RPZ Hits report do not show historic data. For more information about the DNS Top RPZ Hits report, see DNS Top RPZ Hits.
  • For replication to work properly in cluster mode, Infoblox recommends that the appliance have a 12-core CPU and 12 GB of memory.

Configuring the Threat Indicator Caching Feature

Complete the following to configure the threat indicator caching feature:

  1. From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Threat Indicator Caching -> Basic tab.
    1. Enable Threat Indicator Caching: Select the check box to enable the feature. Enabling this feature downloads the threat indicator information from the Cloud Services Portal to the Grid Master, and then the threat indicator information is indexed on the reporting members.

      Note

      Selecting this option results in higher indexing license usage, network bandwidth, and storage.

  3. Complete the following:
    1. Splunk Threat Indicator Caching Index Storage: Specifies the disk storage allocation for the threat indicator caching feature. The minimum is 8 GB and the maximum is 42 GB; by default, 12 GB is allocated. The disk space that you allocate here reduces the storage limit available to all other indexes. Set the storage space based on the volume of data you expect to download from the Cloud Services Portal and on your indexing capacity. The Grid Master downloads the threat indicator data and periodically forwards it to the reporting server for indexing.
      In Infoblox lab testing, one full synchronization consumed approximately 600 to 800 MB of indexing space and each incremental synchronization approximately 60 MB.

      Note

      The indexing space usage varies on a daily basis based on data generated by the Cloud Services Portal. Therefore, do not consider the numbers stated here as standard guidelines.

    2. Incremental Threat Indicator Caching Update Interval (in hours): Enter the interval, in hours, at which incremental threat indicator updates are downloaded from the Cloud Services Portal. For example, if you set the value to 2, the incremental update is downloaded every two hours. Incremental updates are downloaded only after the whole threat indicator database has been downloaded from the Cloud Services Portal.
    3. Last Incremental Threat Indicator Caching download Timestamp: Displays the date and time of the last successful incremental threat database download.
    4. Update Policy: Select Automatic or Manual. You must select one of these options to avoid excessive data storage usage on Splunk.
      1. Automatic: Select this option to download the whole database automatically every seven days. By default, the value is set to seven days.
      2. Manual: Select this option to schedule the whole database download manually. For more information about the scheduler, see Scheduling Threat Indicator Caching.
      3. Test Connection: Click Test Connection to test the connectivity between BloxOne Threat Defense and the Cloud Services Portal. Then enter the Cloud Services Portal credentials in BloxOne Cloud Integration. For more information, see Enabling BloxOne Threat Defense Cloud Client.
    5. Last Whole Threat Indicator Caching download Timestamp: Displays the date and time of the last successful whole threat indicator download.
    6. Scheduling: Select to schedule the whole threat indicator download. You can select Scheduling only if the Update Policy is selected as Manual. For more information, see Scheduling Threat Indicator Caching.
    7. Last Threat Indicator Caching Failure Attempt Timestamp: Displays the date and time of the last failed attempt to download the threat indicators, recorded after five attempts.

Scheduling Threat Indicator Caching

You can schedule the download of the whole threat database daily, weekly, or monthly. However, if you have already downloaded the whole threat DB and the next scheduled date and time falls soon afterwards, that scheduled download is skipped. In addition, the incremental threat DB is downloaded from the Cloud Services Portal at the interval you set.

Complete the following to schedule the threat indicator caching:

  1. From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Threat Indicator Caching -> Basic tab.
  3. Select the Enable Threat Indicator Caching option.
  4. In the Complete ThreatDB Download Interval section, select the Update Policy as Manual.
  5. Click the Scheduling icon.
  6. In the Threat Indicator Caching Scheduler dialog box, select the daily, weekly, or monthly option as follows:

    Note

    The time zone for scheduling will be the same as the zone that is set for the Grid.

    1. To schedule a daily download:
      1. Select Daily.
      2. In the Schedule daily section, in the Time field, set the time when the download must start.

        Note

        Ensure that you have sufficient space available as daily data indexing limits may get exhausted.

    2. To schedule a weekly download:
      1. Select Weekly.
      2. In the Schedule every week on section select the day of the week when the download must happen every week.
      3. In the Time field, set the time when the download must start.
    3. To schedule monthly download:
      1. Select Monthly.
      2. In the Schedule the day of the month section, enter the day of the month when the download must happen. You can set the date from 1st to 28th of a month.
      3. In the Time field, set the time when the download must start.

    4. Click OK.
  7. Click Save & Close.
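The download policy described here and in Caching Threat Category Information from the Cloud Services Portal (a whole-DB download is gated by 24 hours, the Automatic policy re-downloads every seven days, a Manual schedule runs daily, weekly, or on day 1 to 28 of the month, and incremental updates run only after a whole download has completed) can be modelled as a small scheduler. The following Python is an added example, not NIOS code: the schedule dictionary layout, the function names, the UTC time zone, and the reading of "near next" as "within 24 hours of the previous whole download" are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption (the page says only that a "near next" scheduled download is
# skipped): a whole-DB download is skipped when it would fall within 24 hours
# of the previous one, matching the 24-hour rule stated for full downloads.
FULL_DOWNLOAD_MIN_GAP = timedelta(hours=24)
AUTOMATIC_PERIOD = timedelta(days=7)   # Automatic update policy: every seven days


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware timestamp (the Grid time zone is assumed to be UTC here)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _at(base, hour, minute):
    """Return `base` with its clock set to hour:minute."""
    return base.replace(hour=hour, minute=minute, second=0, microsecond=0)


def next_scheduled_full(schedule, now):
    """Next whole-DB download time strictly after `now` for a Manual schedule.

    `schedule` is a constructed dict: {"kind": "daily" | "weekly" | "monthly",
    "time": (hour, minute), "weekday": 0-6 for weekly (Monday = 0),
    "day": 1-28 for monthly, as the scheduler dialog allows}.
    """
    kind = schedule["kind"]
    hour, minute = schedule["time"]
    if kind == "daily":
        cand = _at(now, hour, minute)
        if cand <= now:
            cand += timedelta(days=1)
        return cand
    if kind == "weekly":
        cand = _at(now, hour, minute)
        cand += timedelta(days=(schedule["weekday"] - cand.weekday()) % 7)
        if cand <= now:
            cand += timedelta(days=7)
        return cand
    if kind == "monthly":
        day = schedule["day"]
        if not 1 <= day <= 28:
            raise ValueError("day of month must be between 1 and 28")
        cand = _at(now.replace(day=day), hour, minute)
        if cand <= now:  # roll to the same day of the next month
            year, month = cand.year + (cand.month == 12), cand.month % 12 + 1
            cand = cand.replace(year=year, month=month)
        return cand
    raise ValueError(f"unknown schedule kind {kind!r}")


def next_effective_full(schedule, last_full, now):
    """Next Manual whole download, skipping slots within 24 hours of the last one."""
    cand = next_scheduled_full(schedule, now)
    while last_full is not None and cand - last_full < FULL_DOWNLOAD_MIN_GAP:
        cand = next_scheduled_full(schedule, cand)   # this slot is skipped
    return cand


def automatic_full_due(last_full, now):
    """Automatic policy: whole download every seven days (which also satisfies the 24-hour gap)."""
    return last_full is None or now - last_full >= AUTOMATIC_PERIOD


def incremental_due(last_full, last_incremental, interval_hours, now):
    """Incremental updates run every `interval_hours`, but only after a whole download."""
    if last_full is None:
        return False
    if last_incremental is None:
        return True
    return now - last_incremental >= timedelta(hours=interval_hours)


if __name__ == "__main__":
    now = utc(2024, 3, 10, 9, 0)            # a Sunday
    weekly = {"kind": "weekly", "time": (2, 0), "weekday": 0}
    print("next weekly slot:", next_scheduled_full(weekly, now))
    daily = {"kind": "daily", "time": (2, 0)}
    print("daily, last whole download at 08:00 today:",
          next_effective_full(daily, utc(2024, 3, 10, 8, 0), now))
```

With a daily 02:00 schedule and a whole download completed at 08:00, the 02:00 slot on the next day is skipped and the download runs the day after, which is the skip behaviour the section describes.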

Reporting (Index) Storage Space

One key configuration aspect of the reporting appliance is index space. By default, a percentage of index space is allocated on the reporting server for each report category listed in Table 40.3. For information about how to configure index space, see Configuring Grid Reporting Properties. Each report category uses up to a certain percentage of the usable reporting hard disk space for index storage. For example, of the 237 GB of usable hard disk space on an IB-VM-800 appliance, the Device report category uses 47.47%. For the default index space configured for each report category, see Table 40.5.

You can modify the index percentage value between 0 and 100. When you modify this value, make sure that the total index storage percentage across all categories equals exactly 100%; alternatively, you can set the total to less than 100% to reserve a percentage for future use. If the total percentage exceeds 100%, the appliance displays an error message. Note that the reporting appliance removes the oldest data when you reduce the index space percentage for a category below the percentage already used by the existing data. For information about the maximum index size and the number of days reporting data is retained, see Table 40.8. Also, ensure that the reporting appliance's host name contains only alphanumeric characters, underscores, dots, and dashes.

Note

For usable reporting hard disk space for each appliance model, see Table 40.2.


Table 40.5 Default Index Space Configured for Each Report Category

| Report Category | Default Index Space (%), Adjustable by User | Total Reporting Disk Space Used for Index Storage (GB) |
|---|---|---|
| Audit Log | 0% | - |
| DNS Query, DNS Performance, DDNS, DNS Record Scavenging | 20% | Usable reporting hard disk space x 20% |
| DNS Query Capture | 0% | - |
| DHCP Performance | 20% | Usable reporting hard disk space x 20% |
| DHCP Fingerprint, DHCP Lease History | 39% | Usable reporting hard disk space x 39% |
| DDI Utilization | 5% | Usable reporting hard disk space x 5% |
| Security, Network User | 1% | Usable reporting hard disk space x 1% |
| DNS Traffic Control | 0% | Usable reporting hard disk space is broken down between ib_dtc and ib_dtc_summary internally |
| Cloud | 0% | - |
| System Utilization | 15% | Usable reporting hard disk space x 15% |
| Device | 0% | - |
| Ecosystem Subscription, Ecosystem Publication | 0% | - |
| License | 0% | - |

Note

Usable reporting hard disk space excludes the threat indicator index storage space once the Caching Threat Category Information from the Cloud Services Portal feature has been enabled, even if only once.
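To make the Index% rules from Configuring Grid Reporting Properties and the allocations in Table 40.5 concrete, the following Python validator (an added example, not Infoblox code) applies them to a proposed allocation: it rejects an enabled category at 0%, rejects a total above 100%, warns when the total is below 100%, warns when a category is reduced below its Used%, checks the host name character rule, and converts each percentage into GB for a given usable disk size. The Category and Result types, the function names, and the "reporting-1" host name are constructed for the example; 237 GB is the IB-VM-800 figure quoted above.

```python
import re
from dataclasses import dataclass, field

# Default Index% per report category from Table 40.5; categories that share
# an allocation are grouped as the table groups them, and two of the 0%
# categories are included so the "enabled at 0%" check can be exercised.
DEFAULT_INDEX_PCT = {
    "Audit Log": 0,
    "DNS Query / DNS Performance / DDNS / DNS Record Scavenging": 20,
    "DHCP Performance": 20,
    "DHCP Fingerprint / DHCP Lease History": 39,
    "DDI Utilization": 5,
    "Security / Network User": 1,
    "System Utilization": 15,
    "Device": 0,
}

# Host name rule from the page: alphanumerics, underscores, dots, and dashes.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass
class Category:
    name: str
    index_pct: float
    enabled: bool = False   # whether the report category is selected
    used_pct: float = 0.0   # Used%: share already consumed by existing data


@dataclass
class Result:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    allocation_gb: dict = field(default_factory=dict)

    @property
    def ok(self):
        return not self.errors


def validate_index_space(categories, usable_disk_gb, hostname):
    """Apply the page's Index% rules and compute the GB each category receives."""
    r = Result()
    if not HOSTNAME_RE.match(hostname):
        r.errors.append(f"host name {hostname!r}: only alphanumerics, '_', '.' and '-' are allowed")
    total = 0.0
    for c in categories:
        if not 0 <= c.index_pct <= 100:
            r.errors.append(f"{c.name}: Index% must be between 0 and 100")
            continue
        if c.enabled and c.index_pct == 0:
            r.errors.append(f"{c.name}: category is enabled but its Index% is 0")
        if c.index_pct < c.used_pct:
            r.warnings.append(f"{c.name}: Index% {c.index_pct}% is below Used% {c.used_pct}%; "
                              "the oldest data will be removed")
        total += c.index_pct
        r.allocation_gb[c.name] = round(usable_disk_gb * c.index_pct / 100, 2)
    if total > 100:
        r.errors.append(f"total Index% is {total:g}%, which exceeds 100%")
    elif total < 100:
        r.warnings.append(f"total Index% is {total:g}%; {100 - total:g}% is left unallocated")
    return r


def default_allocation(usable_disk_gb=237, hostname="reporting-1"):
    """Defaults from Table 40.5 with the non-zero categories enabled. 237 GB is the
    IB-VM-800 usable space quoted on the page; the host name is constructed."""
    cats = [Category(n, p, enabled=p > 0) for n, p in DEFAULT_INDEX_PCT.items()]
    return validate_index_space(cats, usable_disk_gb, hostname)


if __name__ == "__main__":
    res = default_allocation()
    for name, gb in res.allocation_gb.items():
        print(f"{name:60s} {gb:8.2f} GB")
    print("errors:", res.errors)
    print("warnings:", res.warnings)
```

Run against the defaults, the allocation totals exactly 100% with no errors or warnings; lowering a category below its Used% produces the "oldest data will be removed" warning that the page describes, which is worth checking before saving a reduced allocation.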

Modifying Member Reporting Properties

To modify reporting properties for a reporting member, complete the following:

  1. From the Grid tab -> Grid Manager tab -> Services tab, select the Reporting service and click the Grid_member check box, and then click the Edit icon.
  2. In the Reporting Member Properties editor, select the General tab and click Override.
  3. Under Reporting Settings, complete the following:
    1. Enable data forwarding to the indexer on this member: Select this check box to enable data transmission to the reporting server. If you do not select this check box, the member does not forward data to the indexer and the reporting service is disabled on that member.
    2. Select the data categories to forward: Select the report categories for which you want this member to forward data to the reporting server. Clear the report categories for which you do not want this member to forward data to the reporting server.

Note

The member configured as an indexer displays only the Audit Log category.

  4. Save the configuration.

Defining Interface for Reporting Traffic

On a Grid member, you can define the network interface you want the member to use for sending reporting data to the reporting server.

To define network interface on the Grid member for reporting traffic, complete the following:

  1. From the Grid tab -> Grid Manager tab -> Services tab, select the Reporting service and click the Grid_member check box, and then click the Edit icon.
  2.  In the Reporting Member Properties editor, select the General -> Advanced tab, and then complete the following:
    1. Forwarding interface used for reporting traffic: From the drop-down list, select the interface that you want this member to use to send reporting data. You must properly configure the interfaces on the member for them to appear in the drop-down list. After a NIOS upgrade to version 8.1.x or later, if you had selected Any from the drop-down list, the LAN1 (or VIP for HA configurations) subnet is used as the static route. Select MGMT if you want to continue using the management port for Grid communication; selecting MGMT enables the MGMT subnet to be used as the static route.

Note

After you start the reporting service on the reporting member, you cannot reset the interface set for the reporting traffic. You may have to configure the reporting member again to modify the interface for the reporting traffic.

  3. Save the configuration.

Setting the Network Port for Reporting

All Grid members use port 9997 for the reporting service by default. This port is used for data transmission between the reporting member and the other members. Ensure that your firewall rules allow traffic on this port. You can designate another network port for reporting purposes.

To set the network port for reporting, complete the following:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    Or
    From the Grid tab -> Grid Manager tab -> Services tab, select the Reporting service and click the Grid_member check box, and then click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the General -> Advanced tab and complete the following:
    1. Port: Enter the port number you want to use for reporting purposes. The default port is 9997.
  3. Save the configuration.

Specifying the Data Generation Interval for Reports

You can specify the time interval at which the appliance generates data for the DNS Statistics per View and DNS Statistics per Zone reports. The default data generation interval for these reports is one day (86400 seconds). You can specify different data generation intervals for the DNS Statistics per View and DNS Statistics per Zone reports.

To specify the data generation interval for DNS Statistics per View and DNS Statistics per Zone reports, complete the following:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    or
    From the Grid tab -> Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Data Generation Schedule tab and complete the following:
    1. Data Generation: Enter the time in HH:MM:SS AM/PM format. You can also click the Clock icon to select a time from the drop-down list.
  3. Save the configuration.

For more information about the reports, see DNS Statistics per DNS View and DNS Statistics per Zone.

Configuring Threat Protection Data

You can use this feature only if the Threat Protection and Threat Protection Update licenses are installed on the Infoblox Advanced Appliance. When you configure this feature, you receive threat protection events in the syslog. The events logged include threat protection rules and the source IPs that triggered the rules. For information about how to monitor these events using the syslog, see Monitoring through Syslog.

For certain threat protection reports, accumulated statistics for each unique IP/rule pair are collected. You can control the volume of data collected per member using the following options:

    • Top IP/Rule Statistics Collection Limit: This option limits the collection of accumulated statistics to the top N unique IP/rule pairs.
    • IP/Rule Statistics Collection Interval (minutes): The interval at which the accumulated statistics for the top N unique IP/rule pairs are collected. The smaller the interval, the finer the granularity of the accumulated statistics in terms of time, but the data volume will be higher.

Based on your configuration, the reporting appliance displays data in the following threat protection reports:


Note

When threat details are missing for non-local RPZ feed zone entries, check whether the associated feed zone's TSIG key is configured.

To enable threat protection reports, you must select the Security report category in the Grid Reporting Properties editor. To select the Security check box, go to the Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab -> select the Security check box under Report Category. Ensure that you set the Security Index% to an optimal level so the reporting database has enough storage space to accommodate all reporting data. For information about how to configure the Index%, see Configuring Grid Reporting Properties.

To configure the data collection limit, complete the following:

  1. From the Administration tab, select the Reporting tab and click Grid Reporting Properties from the Toolbar.
    Or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Threat Protection tab and complete the following:
    1. Top IP/Rule Statistics Collection Limit: Enter the maximum number of the top N unique source IP/rule pairs for data collection. For example, if you specify 20, the appliance collects data for the top 20 unique source IP/rule pairs.
    2. IP/Rule Statistics Collection Interval (minutes): Enter the time interval at which the reporting appliance updates data. For example, if you specify the interval as 60 minutes, the appliance updates data at a 60-minute interval.
  3. Click Save & Close.
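The two options above trade data volume against granularity. The following Python (an added example, not NIOS code) shows what the per-member collection does in principle: events are bucketed by collection interval, hits are accumulated per unique source IP/rule pair, and only the top N pairs per interval are kept. The sample events, IP addresses, and rule names are constructed, and the bucketing and record layout are assumptions about the appliance's behaviour rather than its documented internals.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone


def _t(hour, minute):
    return datetime(2024, 3, 10, hour, minute, tzinfo=timezone.utc)


# Constructed sample of threat protection events: (UTC timestamp, source IP,
# rule identifier). The IPs and rule names are placeholders, not real rule IDs.
SAMPLE_EVENTS = [
    (_t(9, 5), "10.0.0.5", "rule_1"),
    (_t(9, 6), "10.0.0.5", "rule_1"),
    (_t(9, 7), "10.0.0.5", "rule_1"),
    (_t(9, 10), "10.0.0.7", "rule_2"),
    (_t(9, 12), "10.0.0.7", "rule_2"),
    (_t(9, 40), "10.0.0.9", "rule_1"),
    (_t(10, 2), "10.0.0.9", "rule_1"),
    (_t(10, 3), "10.0.0.9", "rule_1"),
    (_t(10, 20), "10.0.0.5", "rule_2"),
    (_t(10, 45), "10.0.0.7", "rule_1"),
]


def collect_top_pairs(events, top_n, interval_minutes):
    """Accumulate hits per (source IP, rule) pair within each collection interval
    and keep only the top N pairs per interval. top_n=None keeps every pair."""
    buckets = defaultdict(Counter)
    for ts, src_ip, rule in events:
        epoch_min = int(ts.timestamp()) // 60
        start = epoch_min - epoch_min % interval_minutes   # align to the interval
        buckets[start][(src_ip, rule)] += 1
    records = []
    for start in sorted(buckets):
        for (src_ip, rule), hits in buckets[start].most_common(top_n):
            records.append({
                "interval_start": datetime.fromtimestamp(start * 60, tz=timezone.utc),
                "src_ip": src_ip,
                "rule": rule,
                "hits": hits,
            })
    return records


def record_count(events, top_n, interval_minutes):
    """Number of statistics records a member would emit for these settings."""
    return len(collect_top_pairs(events, top_n, interval_minutes))


if __name__ == "__main__":
    for top_n, interval in [(None, 60), (2, 60), (2, 15)]:
        print(f"top_n={top_n!s:>4} interval={interval:>3} min -> "
              f"{record_count(SAMPLE_EVENTS, top_n, interval)} records")
    for rec in collect_top_pairs(SAMPLE_EVENTS, 2, 60):
        print(rec["interval_start"].isoformat(), rec["src_ip"], rec["rule"], rec["hits"])
```

On the sample, a 60-minute interval with N=2 emits 4 records, while a 15-minute interval with the same N emits 6: the shorter interval gives finer time resolution at the cost of more data, which is the trade-off the option description states.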

Monitoring DNS Client Queries

You can view the presence of clients in the network that are sending large numbers of queries to DNS zones or DNS domains. To monitor the top clients querying DNS zones, perform the following:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    Or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Basic tab -> DNS.
  3. Under DNS Top Clients Per Domain, select the Monitor Queries made to the following zones check box. Only authoritative zones are supported, to a limit of 1000 zones for monitoring purposes.
    1. To select zones one at a time, choose individual check boxes. Click the Add icon and select Add Domain or Bulk Add Domains to add new zone information for excluding.
    2. To specify the number of clients to be listed, choose the Top N Limit value. The default value is 10.

Monitoring IP Block Group Queries

You can view the user defined IP block groups that are querying DNS domains. To monitor the IP Block Groups, perform the following:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    Or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Basic tab -> DNS.
  3. Under DNS Query trend per IP Block, select the Monitor Queries made from the following groups check box.
    1. Click the Add icon to add a group to the group table. From the drop-down list, click Select Group to select groups in the Group Selector dialog box, or click Bulk Add Groups to add multiple groups.
    2. To select all groups, select the Group check box. Or, select the individual check box to select the group one at a time.
    3. To delete a group, select the group and click the Delete icon.

Configuring DNS RPZ Rule Hits

You can limit the number of top clients that receive rewritten responses through RPZ shown in the DNS Top RPZ Hits report. You can also specify the total number of RPZ entries for each client.

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    Or
    From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab and click Edit -> Grid Reporting Properties from the Toolbar.
  2. In the Grid Reporting Properties editor, select the Basic tab -> DNS.
  3. Under DNS RPZ Rule Hit Configuration, complete the following:
    1. Enter a value for Top N Limit to specify the maximum number of top clients that can be listed in the report.
    2. Specify the Total RPZ Entries per Client. This indicates the number of entries for each client in RPZ.

Note

You must select the Security check box before you define values here. To select it, go to the Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab and select the Security check box under Report Category.

Forwarding Syslog Data to the Reporting Server

You can control the kind of syslog data that Grid members forward to the indexer. You can search for syslog events (by search string) in the Reporting tab -> Search tab. The syslog events shown in the Search tab depend on the syslog categories you select in both the Grid Reporting Properties and the Member Reporting Properties.

To specify syslog data categories, complete the following:

  1. From the Administration tab, select the Reporting tab -> expand the Toolbar and click Grid Reporting Properties.
    Or
    Member: From the Grid tab, select the Grid Manager tab and click the Services tab. In the Services tab, select the Reporting tab -> member check box and then click the Edit icon.
  2. In the Grid Reporting Properties or Reporting Member Properties editor, select the Syslog Data tab and complete the following:
    Click Override in the Reporting Member Properties editor to override the settings configured at the Grid reporting level. To inherit the same properties as the Grid, click Inherit.
    1. Source: From the drop-down list, select which syslog messages the appliance sends to the external syslog server:
      1. Any: The appliance sends both internal and external syslog messages.
      2. Internal: The appliance sends syslog messages that it generates.
      3. External: The appliance sends syslog messages that it receives from other devices, such as syslog servers and routers.
    2. Severity: Choose a severity filter from the drop-down list. When you choose a severity level, the appliance sends log messages with the selected level and the levels above it. The severity levels range from the lowest, debug, to the highest, emerg. For example, if you choose debug, the appliance sends all syslog messages to the server. If you choose err, the appliance sends messages with severity levels err, crit, alert, and emerg.
      1. emerg: Panic or emergency conditions. The system may be unusable.
      2. alert: Alerts, such as NTP service failures, that require immediate actions.
      3. crit: Critical conditions, such as hardware failures.
      4. err: Error messages, such as client update failures and duplicate leases.
      5. warning: Warning messages, such as missing keepalive options in a server configuration.
      6. notice: Informational messages regarding routine system events, such as "starting BIND".
      7. info: Informational messages, such as DHCPACK messages and discovery status.
      8. debug: Messages that contain information for debugging purposes, such as changes in the latency timer settings and AD authentication failures for specific users.
    3. Logging Category: Select one of the following logging categories:
      1. Send all: Select this to log all syslog messages, irrespective of the category to which they belong. When you select this option, the appliance logs syslog messages for all events, including all DNS and Infoblox related events. However, the syslog messages are not prefixed when you select this option.
      2. Send selected categories: Select this to configure logging categories from the list of available logging categories. Use the arrows to move logging categories from the Available table to the Selected table and vice versa. The appliance sends syslog messages for the categories in the Selected table. When you select this option, you must add at least one logging category. Each syslog message is prefixed with the name of the category to which it belongs, and RPZ events logged in syslog messages use specific prefixes for the selected categories. Note that syslog messages are prefixed when you set logging categories for at least one external syslog server, even if you set other external syslog servers to Send All.

  3. Save the configuration and click Restart if it appears at the top of the screen.
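The Source, Severity, and Logging Category options combine into one filter applied to every syslog message. The following Python is an added example, not NIOS code, that applies that filter to constructed sample events: the severity ordering is the one listed above, the message texts echo the page's examples for each level, and the event fields, the SyslogForwardConfig type, and the "category: message" prefix format are assumptions.

```python
from dataclasses import dataclass

# Severity levels from lowest to highest, as listed in the Severity drop-down.
SEVERITY_ORDER = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


@dataclass
class SyslogEvent:
    source: str      # "internal" (generated by the appliance) or "external" (received)
    severity: str
    category: str    # logging category the message belongs to (assumed field)
    message: str


@dataclass
class SyslogForwardConfig:
    source: str = "Any"                    # Any | Internal | External
    severity: str = "debug"                # lowest severity that is forwarded
    logging_category: str = "Send all"     # "Send all" | "Send selected categories"
    selected: tuple = ()                   # categories moved to the Selected table


# Constructed sample events; the texts echo the examples the page gives for
# each severity level and are not real appliance log output.
SAMPLE_EVENTS = [
    SyslogEvent("internal", "info", "dhcp", "DHCPACK on 10.1.1.20 to 00:11:22:33:44:55"),
    SyslogEvent("internal", "err", "dhcp", "duplicate lease for 10.1.1.21"),
    SyslogEvent("internal", "notice", "dns", "starting BIND"),
    SyslogEvent("external", "crit", "general", "router1: hardware failure on slot 2"),
    SyslogEvent("internal", "alert", "ntp", "NTP service failure"),
    SyslogEvent("internal", "debug", "auth", "AD authentication failure for user jdoe"),
]


def passes_source(event, cfg):
    """Any forwards everything; Internal/External select by where the message came from."""
    return cfg.source == "Any" or event.source == cfg.source.lower()


def passes_severity(event, cfg):
    """The selected level and every level above it are forwarded."""
    return SEVERITY_RANK[event.severity] >= SEVERITY_RANK[cfg.severity]


def forward(events, cfg):
    """Return the syslog lines this configuration would forward to the indexer.

    Send all forwards every matching message unprefixed; Send selected
    categories forwards only the chosen categories, each prefixed with its
    category name (the "<category>: <message>" layout is an assumption).
    """
    selected_mode = cfg.logging_category == "Send selected categories"
    if selected_mode and not cfg.selected:
        raise ValueError("Send selected categories requires at least one logging category")
    if not selected_mode and cfg.logging_category != "Send all":
        raise ValueError(f"unknown logging category mode {cfg.logging_category!r}")
    out = []
    for ev in events:
        if not (passes_source(ev, cfg) and passes_severity(ev, cfg)):
            continue
        if not selected_mode:
            out.append(ev.message)
        elif ev.category in cfg.selected:
            out.append(f"{ev.category}: {ev.message}")
    return out


if __name__ == "__main__":
    cfg = SyslogForwardConfig(source="Internal", severity="err",
                              logging_category="Send selected categories",
                              selected=("dhcp", "ntp"))
    for line in forward(SAMPLE_EVENTS, cfg):
        print(line)
```

With Source set to Internal, Severity to err, and only the dhcp and ntp categories selected, the sample yields two prefixed lines (the duplicate-lease error and the NTP alert); the external router message and the debug-level authentication message are dropped by the source and severity filters respectively.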

