Reply
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
Infoblox DNS Audit Dashboard XML
Options
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-09-2022 06:54 AM
1150     1
Dashboard created to glean insight into Infoblox audit logs. It uses tokens to take input from the user for the time range and user to search on.
Instructions borrowed from Dave_Signori.
The dashboard is easy to install and run:
- Click Reporting -> Dashboards -> Create New Dashboard
- Enter a temporary value for Title like "Audit Dashboard" (this will be overwritten in a subsequent step) -> click Create Dashboard
- Click Source or Edit Source (depending on the NIOS version you are running)
- Copy the entire contents of the XML below and completely replace the XML source of the newly created Dashboard
- Optionally change the value of the <label> and <description> tags at the top of the XML. By default the Dashboard will be called "InfoBlox Audit".
- Click Save
XML to Copy
<form> <label>InfoBlox Audit</label> <description>Infoblox Audit Dashboard for user logins and environment changes</description> <fieldset submitButton="false"> <input type="time" token="tokTime" searchWhenChanged="true"> <label>Select Time Range</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="User"> <label>User</label> <fieldForLabel>User</fieldForLabel> <fieldForValue>ADMIN</fieldForValue> <search> <query>index=ib_audit | table ADMIN |dedup ADMIN</query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> </search> </input> </fieldset> <row> <panel> <title>Search user activity excluding default account "ddimod"</title> <table> <search> <query>index=ib_audit ADMIN!=ddimod | stats values(ip) as IP values(_raw) as RAW_LOG by ADMIN ACTION MESSAGE | sort ADMIN | rename ADMIN as USER</query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">50</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="ADMIN"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="ACTION"> <colorPalette type="map">{"Login_Denied":#DC4E41,"Login_Allowed":#53A051}</colorPalette> </format> <format type="color" field="USER"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> </row> <row> <panel> <title>Search activity for default t account "ddimod"</title> <table> <search> <query>index=ib_audit ADMIN=ddimod | stats values(_raw) as RAW_LOG by ADMIN ACTION MESSAGE | rename ADMIN as USER</query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="ADMIN"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="ACTION"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="USER"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> </row> </form>
Labels: