03-23-2017 07:35 AM
I have DNS client query reports that show no results right now and there is some mention of a Data Collection VM in the Admin Guide but I can't find any reference as to what that is or how to configure it.
Does anyone else have any information on this?
03-23-2017 08:47 AM
The Data Connector VM is a separate VM used to gather DNS query logs and send the logs to various locations. When used with Infoblox Reporting and Analytics there is no licensing charge. The reason that this is a separate VM is to minimize the load of handling query logging on the protocol-serving members; it has features that enable you to filter queries in various ways in order to minimize indexing of queries you don't necessarily want to keep. You should be able to get the Data Connector from the Infoblox Support Portal. There is also a deployment guide for it here:
03-30-2017 06:55 AM
Is there more info on the data collector and its options? How much data parsing does it do before it sends the query logs on to the reporting member? I am already collecting the query logs via the SCP option grid-wide. I'm getting over 20 GB a day of compressed logs, and over 100 GB uncompressed. So I assume that only a very limited subset of that data will get forwarded on to the reporting member / counted against my reporting data license.
Are there any options besides Splunk to forward the query log data on from the data collector to infrastructure outside the grid? I.e., SCP them on, other database plug-ins, etc.?
Will the data collector piece be available as a "service install" onto a basic linux build? We have already built a "data collector" infrastructure over the last several years because this has been lacking. Rebuilding it to just gain the query log forwarding to the reporting member seems a daunting task especially with the apparent limited options for continuing to get at the query log data once this solution is in place.
08-10-2017 02:18 PM
Query logs can be sent via SCP to any target even without the Data Connector. I believe this has been in place since the early 6.x releases. The Data Connector Splunk feature just leverages a native Splunk forwarder for efficiency.
That being said, the Data Connector can also filter domains that you aren't interested in to reduce indexing. One thing our customers commonly do is use the Alexa top 1000 list (or some derivative of it) to not log known reliable domains. This significantly reduces the indexing volume.
I'll reach out to you personally to get you more detail on new Data Connector features.
08-10-2017 02:36 PM
Any updates on more options for the data collection VM for query logging?
On the roadmap we have other SIEM software, including ArcSight, QRadar and LogRhythm, as forwarding destinations.
We also have features like selective collecting (only collecting queries from some particular grid member, for example) and egress filtering (filtering out Alexa top 100 domains to save you Splunk/Reporting server licenses). Some of the projects are being scoped at this moment.
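The two ideas discussed in the replies above, egress filtering of queries to well-known domains before forwarding, and selective collection from only some grid members, can be sketched in a few dozen lines. The example below is added here for illustration and is not Infoblox Data Connector code. It assumes BIND-style query-log lines (`client <ip>#<port>: query: <qname> <class> <qtype> ...`), which is the format Infoblox members are widely understood to emit but may differ by release; the member names, client addresses, domain list and log lines are all constructed, and the two-label public-suffix table is a stand-in for a full public suffix list.

```python
"""Egress filtering and selective collection for DNS query logs (added example).

Not Infoblox code. Log line format is an assumption (BIND-style); sample data
below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

# Assumed BIND-style line: "client <ip>#<port>[ (<name>)]: query: <qname> <class> <qtype> ..."
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Stand-in for the public suffix list; a real deployment would load the full PSL (assumption).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed allowlist standing in for an "Alexa top N" derivative.
TOP_DOMAINS = {"google.com", "microsoft.com", "facebook.com"}

# Constructed (member, log line) pairs, as a collector would see them from two grid members.
SAMPLE = [
    ("ns1.corp.example", "client 10.10.1.25#53123: query: www.google.com IN A + (10.10.0.5)"),
    ("ns1.corp.example", "client 10.10.1.25#53124: query: mail.google.com IN MX - (10.10.0.5)"),
    ("ns1.corp.example", "client 10.10.1.77#40001: query: xk3f9q2.badactor-cdn.net IN A + (10.10.0.5)"),
    ("ns2.corp.example", "client 10.20.3.9#51000: query: update.microsoft.com IN A + (10.20.0.5)"),
    ("ns2.corp.example", "client 10.20.3.9#51001: query: portal.something.co.uk IN A + (10.20.0.5)"),
    ("ns2.corp.example", "not a query line at all"),
]


@dataclass(frozen=True)
class Query:
    member: str   # grid member that produced the line
    client: str   # querying client IP
    qname: str    # normalised query name (lower-case, no trailing dot)
    qtype: str
    raw: str


def parse_line(member: str, line: str) -> Optional[Query]:
    """Parse one query-log line; returns None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return Query(member, m["ip"], m["qname"].rstrip(".").lower(), m["qtype"].upper(), line)


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its registrable domain so 'mail.google.com' matches 'google.com'."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def select(entries: Iterable[Tuple[str, str]], allowlist, members=None) -> Iterator[Query]:
    """Yield the queries that should be forwarded.

    members: optional set of grid members to collect from (selective collection).
    allowlist: registrable domains dropped before forwarding (egress filtering).
    """
    wanted = None if members is None else set(members)
    for member, line in entries:
        if wanted is not None and member not in wanted:
            continue
        q = parse_line(member, line)
        if q is None:
            continue
        if registrable_domain(q.qname) in allowlist:
            continue
        yield q


def reduction(entries, allowlist, members=None) -> Tuple[int, int]:
    """Return (query lines seen, query lines forwarded) to quantify the licence saving."""
    selected = [(m, l) for m, l in entries if members is None or m in set(members)]
    seen = sum(1 for m, l in selected if parse_line(m, l) is not None)
    forwarded = sum(1 for _ in select(selected, allowlist))
    return seen, forwarded


if __name__ == "__main__":
    for q in select(SAMPLE, TOP_DOMAINS):
        print(f"{q.member} {q.client} {q.qname} {q.qtype}")
    print("all members:", reduction(SAMPLE, TOP_DOMAINS))
    print("ns2 only:", reduction(SAMPLE, TOP_DOMAINS, members={"ns2.corp.example"}))
```

One caveat a practitioner would want alongside this: dropping everything under "known reliable" domains also drops the evidence when an attacker tunnels or stages through those same services, so keep the raw logs (for example the SCP copies mentioned earlier in the thread) even if only the filtered stream is indexed.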
09-28-2017 05:05 AM
Enable Data Collection on a Single Virtual Machine
You must enable data collection at least five minutes before running an Activity Monitoring report.
- Log in to the vSphere Web Client.
- Click vCenter and then click VMs and Templates.
- Select the virtual machine from the left inventory panel.
- Click the Manage tab and then click the Settings tab.
- Click NSX Activity Monitoring from the left panel.
- Click Edit.
- In the Edit NSX Activity Monitoring Data Collection Settings dialog box, click Yes.