A customized logstash container that pulls security domain matches from Infoblox ATC API at a regular intervals, then parses and splits the events, before sending them to a syslog server
- An Infoblox ATC account and API key
- A destination syslog server
- Docker
- A Docker host system (see below)
This setup has been tested on Ubuntu 16.04.1 LTS server + docker version 18.03.0-ce
- start docker
- pull the logstash container image
- pull the config files
- edit the config, add your API key
- build and deploy
If you don't have a running instance of docker, you can follow their instructions here https://www.docker.com/community-edition, or you can install an Ubuntu image from scratch following the instructions at the end of this document
docker pull docker.elastic.co/logstash/logstash:6.2.3
git clone https://github.com/aca2328/Infoblox_atc_to_stash.git
From the local repository folder, edit logstash.conf and at line 5, replace 00000000000 with the token value you grab from your UserAccount on csp.infoblox.com
(to get the token, Log in to the Cloud Services Portal, At the upper right-hand corner, click your user name and select User Preferences, On the User Preferences page, click Show under API key)
build the working image
sudo docker build -f dockerfile_stash -t logstash
run the container
sudo docker run --rm -it logstash
if everything is ok you may want to comment the stdout directive in logstash.conf and run the image in detach mode (-d)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
apt-cache policy docker-ce
sudo apt-get install -y docker-ce
sudo systemctl status docker
sudo docker version