Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

How-to Articles

april 22.jpg

Configure Splunk and have CDC to send CSP DNS data to Splunk

This guide describes on how to configure Splunk and have CDC send DNS information from the CSP portal to Cloud Data Connector.

 

Note: This guide is intended to test CDC in a local lab environment for testing purposes. The free Splunk version also has a limit on how much data it can index. You may want to get a license from Splunk if you plan to index more data.

If you are looking to configure it in production, reach out to your local Infoblox Systems engineer/Accounts team to deploy a production ready deployment as per your requirements.

 

Lab Requirements:

 

  • 1x Ubuntu 16.04.x with Docker which CDC running.
  • 1x Ubuntu 16.04.x with Docker running Splunk.

 

Below are the details of the VMs used in this tutorial:

 

VM

Hostname

Description

System Details

IP

VM1

 cdc.infoblox.com

Runs CDC

 4 vCPU, 8GB, 64GB Disk

10.0.48.87 

VM2

splunk.infobloxlab.com

Runs Splunk Server

4 vCPU,16GB,120GB Disk

10.0.48.124

 

 

You can refer to the "How to Articles" in the Infoblox community website where you can find instruction on how to to install CDC and Splunk if you have not already done so.

 

This guide assumes that you have Splunk running in one VM and CDC running in another.

 

To configure Splunk to work with CDC you can do the following:

 

-Login to your Splunk UI.

 

1.jpg

 

-Click on “Got It” in the page.

 

2.jpg

 

-Click on “Settings”>” Forwarding and receiving”.

 

3.png

 

4.png

 

-Check if port 9997 is enabled.

 

5.jpg

 

Note: If there is no entry, then click on “New Receiving Port” and add port 9997 and make sure that it is enabled.

Now, we need to create an index in Splunk. To do so, click on Settings>Indexes.

 

6.png

 

-Click on “New Index”.

 

7.png

 

-Add your index name. In this lab, I have set the “Index Name” as “cdclab”.

 

8.png

 

-You should be able to see the newly added index in the “Indexes” section.

 

9.jpg

 

-Click on “Settings”> ”Source types

 

10.png

 

-Click on “New Source Type”.

 

11.png

 

-Add the name as “ib:rpz:captures”

 

12.png

 

-This should be visible under “Source Types”.

13.png

 

Traffic Flow Configuration:

 

-Now that we have the Splunk server configured, we can do the configuration to make data flow into the Cloud Data Connector (CDC) from CSP and make CDC send to the external Splunk Server (destination).

 

Navigate to CSP Portal => Cloud Data Connector => Splunk Server.

 

First, let’s create a Splunk destination.

 

Adding a Splunk Destination:

 

-Navigate to Manage>Data Connector>Destination Configuration and click on “Create”.

14.png

 

-Enter a name for your Splunk Destination. For now, keep this “State” as “Disabled”. This will be enabled after configuring the Traffic flow which is discussed later in guide.

-In this lab setup, the CDC VM/instance and the external Splunk server are in the same subnet. Hence, I have used the private IP “10.0.48.87” of the Splunk server. Use the port as “9997”. [Refer above sections of this guide.]

-The Indexer Name is “cdclab” which was configured in Splunk earlier. [Refer to above sections of this guide]

-As this is local lab for testing, I have used “Insecure Mode”.

 

16.jpg

 

Now, we have configured a destination. Next, we will create a traffic flow.

 

Traffic Flow Configuration:

 

Here, we are configuring the flow configuration in such a way that CSP will send logs to CDC and CDC will send the received logs to the Splunk server (which is the destination which was configured above).

  • Add a Name and Description for the traffic flow and keep the state as “Disabled” for now.
  • Under “CDC Enabled Host”, make sure that the On-Prem host running CDC is selected.
  • Select the “Source” as “BloxOne Cloud Source” and “Destination” as “CDC-to-Splunk”.
  • The Log Type as the types of logs that needs to be send from CSP to the CDC application.

17.png

 

Summary so far: We configured a destination which is Splunk and configured a traffic flow for data.

 

Enabling Destination and traffic flow:

Now we need to enable the destination and the traffic flow.

-Navigate to Manage>Data Connector>Destination Configuration, edit Destination “CDC-to-Splunk”.

-Change “State” to “Enabled.

 

18.png

 

-Now, to enable to traffic flow perform the following:

-Navigate to Manage>Data Connector>Traffic Flow Configuration, edit Destination “CSP-to-CDC”.

-Change “State” to “Enabled.

 

19.png

 

Once the traffic flow is enabled, you should be able to see the “State” as “Active”.

 

20.png

 

Now, you can access the Splunk UI and search for the index “cdclab”.

index=”cdclab”

 

Below is a screenshot of the Splunk UI which is receiving data from CSP to Splunk via CDC.

 

 

21.png

 

 

The above data should give you more insight on the type of DNS traffic in your environment.

 

We hope this guide help give you an insight of the capabilites of CDC. Also, "Splunk" is only one of the many supported destinations.You can find the list of supported destinations and traffic flows in the below link:

 

https://docs.infoblox.com/display/BloxOneThreatDefense/Configuring+Traffic+Flows

 

You can reach out to your local Infoblox Sales representative/Accounts team who would be happy to help you in doing a demo for you in your environment.

 

Sources/References:

https://docs.infoblox.com/display/BloxOneDDI/Bare-Metal+Docker+Deployment

https://github.com/splunk/docker-splunk

https://docs.splunk.com/Documentation/Splunk/latest/Installation/SystemRequirements

Showing results for 
Search instead for 
Did you mean: