Accessing Audit Log Information from the Reporting Server via Splunk API

Starting with NIOS 8.3, you can use the Splunk API to retrieve reporting data from the Infoblox reporting server. From any scripting language such as Perl or Python, a user can access the DDI data that the reporting server has gathered from Infoblox members.

Consider a typical use case in network operations for an enterprise or service provider network: you need to audit the work a user has done on the Infoblox Grid. You could go to the Audit Log and either search directly in the UI or download the entire audit log as a CSV file and search within that file. You could also view the Audit Log Events report.

[Screenshot: tlee splunk 1.png]

This method works perfectly well if you only do this occasionally. What if you need to do it frequently? It quickly becomes very time consuming, so a more efficient solution is needed.

Fortunately, the Splunk API lets you automate the task.

As of NIOS 8.3, you can make REST API calls to the Infoblox Reporting Server to access audit log information as well as DDI information. The audit log information can then be ingested into auditing applications for processing.

Prerequisites

  1. You must be familiar with Splunk, the Splunk API, and Postman.
  2. In this example, we use Postman (www.getpostman.com) to prototype the API calls. Access the sample JSON code and environment variables and import them into Postman.
  3. After importing the JSON code and environment variables, modify the RS environment variable to the IP address of your reporting server. Ensure the port number is 9185. Click Update.

[Screenshot: tlee splunk 2.png]

Log in to the Infoblox GUI as a user with administrative privileges. Create a user and a user group with read-only credentials. Ensure the permissions are set similar to the screenshot below.

[Screenshot: tlee splunk 3.png]

Log out as the administrator, log in as the read-only user, and go to the Reporting section.

[Screenshot: tlee splunk 4.png]

Example

For this example, we will use Postman for demonstrating the API calls.

To jumpstart the search on audit log information, we will take the search code from the Audit Log Events report on the Infoblox Reporting Server. Ensure the App selector in the left-hand corner of the screen is set to Infoblox Reporting and Analytics. Navigate to Reporting > Audit Log Events.

[Screenshot: tlee splunk 5.png]

Click Open in Search to get the search code. Highlight the search code and copy it to the clipboard.

[Screenshot: tlee splunk 6.png]

In Postman, use the 'get token' request to get a token (session key) from the reporting server. Change the username and password to the read-only user created in the prerequisites. Click Save and then Send. You should see a session key like the example below.

[Screenshot: tlee splunk 7.png]

Paste the search code into the Save Search request after the 'search sourcetype =' string and save it. Click Send.

[Screenshot: tlee splunk 8.png]

This search is sent to the reporting server to create a saved search (report) called auditlog_search.

[Screenshot: tlee splunk 9.png]

After creating this search, you will need to edit its permissions to make it accessible to other users, because it was created by the read-only user.

[Screenshot: tlee splunk 10.png]

Lastly, you will need to set the time window for your search.

[Screenshot: tlee splunk 11.png]

Now that we have created a search called auditlog_search on the Infoblox Reporting Server, use the Saved Search Synchronous request in Postman. A variable is used to pass the username to be searched; the variable is called args.admin.

[Screenshot: tlee splunk 12.png]

On the Infoblox Reporting Server, here is the Splunk search string with the variable enclosed in $ signs. ADMIN is the variable that was added to the search code.

[Screenshot: tlee splunk 13.png]

Now we can run the API call from Postman and get the following output.

[Screenshot: tlee splunk 14.png]

The output above shows the read-only user performing various functions. If you were troubleshooting an issue, you could determine whether this user may have caused the misconfiguration. To view another user, change the args.admin variable to that user.

Conclusion

This document demonstrates how you can use the REST API interface to access information from the Infoblox Reporting Server. The REST API calls can be incorporated into Perl scripts, Python scripts or other applications to obtain the information on a frequent basis.
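The same three-step flow (get a session key, dispatch the saved search with args.admin, read the results) as a Python script; this is an added example, not the post's Postman collection or Infoblox code. It assumes the standard Splunk endpoints /services/auth/login, /services/saved/searches/<name>/dispatch and /services/search/jobs/<sid>/results on port 9185, the saved search auditlog_search with its ADMIN variable filled from args.admin, and a constructed fake transport so the flow can be exercised offline.

```python
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def xml_field(xml_body, tag):
    """Read one element (<sessionKey> from login, <sid> from dispatch) out of a Splunk XML reply."""
    value = ET.fromstring(xml_body).findtext(tag)
    if not value:
        raise ValueError(f"Splunk response carried no <{tag}>")
    return value

def audit_rows(json_body, fields=("_time", "admin", "action", "message")):
    """Flatten output_mode=json results to tuples; a field absent from an event becomes None."""
    return [tuple(r.get(f) for f in fields) for r in json.loads(json_body).get("results", [])]

def http(method, url, data=None, session_key=None):
    """Minimal HTTPS transport; urlopen validates the server certificate by default."""
    headers = {"Authorization": f"Splunk {session_key}"} if session_key else {}
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def fetch_audit_log(host, username, password, admin, transport=http, name="auditlog_search"):
    """Log in, dispatch the saved search with args.admin=<admin> (fills $ADMIN$), read results.
    Results are complete only once the job is done: poll /search/jobs/<sid> for isDone first."""
    base = f"https://{host}:9185/services"  # API port from the prerequisites
    key = xml_field(transport("POST", f"{base}/auth/login",
                              {"username": username, "password": password}), "sessionKey")
    sid = xml_field(transport("POST", f"{base}/saved/searches/{name}/dispatch",
                              {"args.admin": admin}, key), "sid")
    return audit_rows(transport("GET", f"{base}/search/jobs/{sid}/results?output_mode=json", None, key))

# Constructed replies (not real server output) so the flow can be exercised offline.
_FAKE = {
    "/auth/login": "<response><sessionKey>abc123sessionkey</sessionKey></response>",
    "/dispatch": "<response><sid>1714000000.42</sid></response>",
    "/results": json.dumps({"results": [
        {"_time": "2024-04-24T10:15:00", "admin": "readonly", "action": "Modified", "message": "Modified ZoneAuth"},
        {"_time": "2024-04-24T10:17:30", "admin": "readonly", "action": "Login"}]}),
}

def fake_transport(method, url, data=None, session_key=None):
    """Stand-in for http(): answers by URL suffix and rejects calls lacking the session key."""
    path = urllib.parse.urlsplit(url).path
    if not path.endswith("/auth/login") and session_key != "abc123sessionkey":
        raise PermissionError("request without a valid session key")
    return next(body for suffix, body in _FAKE.items() if path.endswith(suffix))
```

Swap `fake_transport` for the default `http` transport to run it against a real reporting server with the read-only credentials created in the prerequisites.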
