Custom report/alert for DHCP lease for a specific subnet(s)

Authority
Posts: 30

Hi Team,

I would like your help with an alerting mechanism, either in NIOS, Reporting or the API, to trigger an email notification if a particular subnet(s) receives a lease.

These DHCP subnet(s) are quite critical for us; we need to know when a lease is obtained on this subnet. If anyone could help with a way to track it live and trigger an alert or email notification, or check it in any other way (with the help of the alert mechanism, reporting or the API), that would be great.



Regards,
Gokul

Re: Custom report/alert for DHCP lease for a specific subnet(s)

[ Edited ]
Superuser
Posts: 81

Hello Gokul,

This use-case can be achieved through the Infoblox Reporting & Analytics system, if you’re indexing the syslog data from this specific DHCP server. If yes, please follow the instructions below to craft a new alert:

  • Go to Reporting -> Search -> put in the following SPL as your search & hit enter:

 

index=ib_syslog DHCPACK 89.89.89* | rex "^(?:[^ \n]* ){7}(?P<LEASEDIP>[^ ]+) to (?P<MACADDRESS>[^ ]+)\s+\((?P<HOSTNAME>\w+)[^\)\n]*\)\s+\w+\s+\w+\d+\s+\w+\s+(?P<RELAYAGENT>[^ ]+)\s+\w+\-\w+\s+(?P<LIFETIME>\d+)" | table LEASEDIP MACADDRESS HOSTNAME RELAYAGENT LIFETIME

  • To filter a specific network, change the network as highlighted in RED above. For example, if your network is 89.89.89.0/24, use the format highlighted above. It doesn’t matter whether you get any results here or not, but make sure that you don’t get any message other than ‘No results found’ if no data is returned – this ensures that there are no syntax errors in your search.

  • Now, select the option ‘Save as’ -> ‘Alert’.

  • As you click on the above, you’ll get a box where you can put in your preferences. Give an appropriate:

 

  • ‘Title’ -> A meaningful name for your alert. I’ll put this to be ‘LEASE UPDATE FOR x.x.x.x/y NETWORK’.
  • ‘Description’ -> If required. I’ll give it to be ‘Created by Alman.’.
  • ‘Permissions’ -> ‘Private’ if it is intended only for the creator, or ‘Shared in app’ so that every NIOS user that has access to the IBRA app can see it.
  • ‘Alert type’ -> ‘Real time’, as you want the alerts to be generated in real time.
  • ‘Trigger alert when’ -> Select ‘Per result’.
  • ‘Trigger Actions’ -> Select ‘Send Email’ & you’ll get additional fields to be filled in.
  • ‘To’ -> Put in the email to which the alert has to be sent. Mine is ‘malman@infoblox.com’.
  • ‘Priority’ -> Select as appropriate. This doesn’t really matter.
  • ‘Subject’ -> Put in a meaningful subject for the email generated. Let’s say something like ‘INFOBLOX ALERT - LEASE ISSUED’.
  • ‘Message’ -> Put in something like ‘A new IP address has been pulled from the interested network. Client information is down below …..’. As you see, it doesn’t really matter even if you leave it blank.
  • ‘Include’ -> To be ‘Inline Table’ & Save.

  • That should generate an alert to the email specified whenever a client pulls an IP address from the network that you specified above (in RED). The email will have the leased IP / MAC / hostname / relay agent info & the lease time – this is going to be real time.

  • If you’re configuring email alerts in the Infoblox Reporting server for the first time, there’s additional work to be done. You need to go to Reporting -> Settings -> Server Settings -> Email Settings -> complete the ‘Mail Server Settings’ here. If you’d like to customize the emails generated, modify ‘Email Format’ as well.

An example of the email generated upon a lease allocation from the network specified above (screenshot manpic.png):


I hope that’ll meet your expectations!

Best regards.

Re: Custom report/alert for DHCP lease for a specific subnet(s)

Authority
Posts: 30

Alman-

I seem to be getting a different message (screenshot Message.PNG).


Re: Custom report/alert for DHCP lease for a specific subnet(s)

[ Edited ]
Superuser
Posts: 81

Hello Depthcharge,

I can't see what the error is. Can you share another screenshot, or copy/paste the whole error which you see and where it appears? I think something's wrong with the picture posted in your reply.

Best regards.

Re: Custom report/alert for DHCP lease for a specific subnet(s)

Authority
Posts: 30

index=ib_syslog DHCPACK 10.200.103* | rex "^(?:[^ \n]* ){7}(?P<LEASEDIP>[^ ]+) to (?P<MACADDRESS>[^ ]+)\s+\((?P<HOSTNAME>\w+)[^\)\n]*\)\s+\w+\s+\w+\d+\s+\w+\s+(?P<RELAYAGENT>[^ ]+)\s+\w+\-\w+\s+(?P<LIFETIME>\d+)" | table LEASEDIP MACADDRESS HOSTNAME RELAYAGENT LIFETIME

I used the above syntax and instead of receiving "no results found" I was getting the message "Consider using CIDR support in the Search Operator". So, I created one with CIDR too. Bounced the switch ports of a few endpoints. But, did not receive any alerts.


Re: Custom report/alert for DHCP lease for a specific subnet(s)

[ Edited ]
Superuser
Posts: 81

Hello There,


Can you ensure that the syslog data is being indexed by your reporting server? Let’s check that first. Please do the following to ensure the same:

Execute the following search, selecting a recent time range, from Reporting -> Search:

      index=ib_syslog DHCPACK


As you execute the above string, you should be able to see the DHCP acknowledgement messages from your server (verify the entries with the timestamp).

If you don’t get any results:

Go to Administration -> Reporting -> Grid Reporting properties -> ensure that the ‘syslog’ category is enabled & it has a non-zero number against it. If it isn’t enabled yet & you’re going to enable it now, you need to keep in mind the Reporting license volume that would be consumed by this additional category. For testing purposes, enabling this for some time is not a big deal.


If you're able to see DHCPACK messages:

Then the alert shared in my post should work for you.

Addressing the original question:

If you’re using a CIDR, that’s fine too, so the SPL may now look like:

 

index=ib_syslog DHCPACK | rex "^(?:[^ \n]* ){7}(?P<LEASEDIP>[^ ]+) to (?P<MACADDRESS>[^ ]+)\s+\((?P<HOSTNAME>\w+)[^\)\n]*\)\s+\w+\s+\w+\d+\s+\w+\s+(?P<RELAYAGENT>[^ ]+)\s+\w+\-\w+\s+(?P<LIFETIME>\d+)" | table LEASEDIP MACADDRESS HOSTNAME RELAYAGENT LIFETIME | where cidrmatch("89.89.89.0/24", LEASEDIP)


The CIDR must be replaced with the one of your interest.

How to test this?

  • Request a lease from one of your clients on the network used in the CIDR above.
  • If everything was configured correctly, you should have received an email alert within a few seconds. If not, execute the same string in Reporting -> Search (use an appropriate IP to filter accordingly):

      index=ib_syslog DHCPACK 89.89.89.*

  • If you don't see any entries matching your timestamp, then the ib_syslog data is still having some problems being indexed.

Let me know how it goes this time.

Best regards.
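As an added example (not from the thread or from Infoblox), the same rex pattern and the cidrmatch filter reproduced in Python over constructed DHCPACK syslog lines, so you can see which fields the regex extracts, which leases fall inside a CIDR, and which line shapes silently produce no row, before saving the alert. The syslog lines, member name and interface are constructed; the regex is the thread's, used unchanged.

```python
import ipaddress
import re

# The rex pattern from the thread's SPL, used unchanged (Python's re accepts
# the (?P<name>...) syntax). The first seven space-separated tokens are the
# syslog prefix: month, day, time, host, process, "DHCPACK", "on".
DHCPACK_RE = re.compile(
    r"^(?:[^ \n]* ){7}(?P<LEASEDIP>[^ ]+) to (?P<MACADDRESS>[^ ]+)\s+"
    r"\((?P<HOSTNAME>\w+)[^\)\n]*\)\s+\w+\s+\w+\d+\s+\w+\s+(?P<RELAYAGENT>[^ ]+)"
    r"\s+\w+\-\w+\s+(?P<LIFETIME>\d+)"
)

# Constructed sample lines in the dhcpd syslog shape the rex expects; not
# captured from a real server. The networks are the thread's examples.
SAMPLE_LINES = [
    # The rex's \w+ stops at '-', so this hostname is captured as just "lab".
    "Jan 10 12:00:01 ib-member dhcpd[2345]: DHCPACK on 89.89.89.57 to "
    "00:50:56:ab:cd:ef (lab-pc01) via eth1 relay 89.89.89.1 lease-duration 43200",
    "Jan 10 12:00:02 ib-member dhcpd[2345]: DHCPACK on 89.89.89.200 to "
    "00:50:56:12:34:56 (printer7) via eth1 relay 89.89.89.1 lease-duration 43200",
    "Jan 10 12:00:03 ib-member dhcpd[2345]: DHCPACK on 10.200.103.25 to "
    "00:50:56:99:88:77 (hrlaptop) via eth1 relay 10.200.103.1 lease-duration 86400",
    # A DHCPACK without the "relay ... lease-duration" tail: the rex requires
    # those fields, so this line yields no row and can never fire the alert.
    "Jan 10 12:00:05 ib-member dhcpd[2345]: DHCPACK on 89.89.89.59 to "
    "00:50:56:ab:cd:f1 (lab-pc03) via eth1",
]

def parse_dhcpack(line):
    """Fields the rex extracts from one syslog line, or None if it does not match."""
    if "DHCPACK" not in line:  # the SPL's DHCPACK keyword filter
        return None
    m = DHCPACK_RE.search(line)
    return m.groupdict() if m else None

def leases_in_network(lines, cidr):
    """Rows the alert fires on: the SPL 'where cidrmatch(cidr, LEASEDIP)'."""
    net = ipaddress.ip_network(cidr)
    rows = []
    for line in lines:
        rec = parse_dhcpack(line)
        if rec and ipaddress.ip_address(rec["LEASEDIP"]) in net:
            rows.append(rec)
    return rows

if __name__ == "__main__":
    for row in leases_in_network(SAMPLE_LINES, "89.89.89.0/24"):
        print(" ".join(row[k] for k in ("LEASEDIP", "MACADDRESS", "HOSTNAME",
                                        "RELAYAGENT", "LIFETIME")))
```

Running it with "89.89.89.0/24" prints two rows and with "89.89.89.0/25" only one, which is the difference between the prefix filter `89.89.89*` and a real CIDR match.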

Re: Custom report/alert for DHCP lease for a specific subnet(s)

Authority
Posts: 30

Hi Alman,


After I configure the alert, I navigate to the Alerts tab > Open in Search > under Statistics I can see the table being built with the requested columns such as LEASED IP, MAC, Hostname, Relay Agent etc. However, in the Alerts section, it says there are no fired events for this alert.

 

Regards,

Depthcharge
