cgi1

ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hi,

I tried to use ArcOSI domain lists, but my MS DNS server is writing domains in the logs this way: (3)www(9)microsoft(3)com(0)

Any idea how to compare this with a domain list AL generated with ArcOSI events?

Regards

Christian


Accepted Solutions
fosse

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Christian,

If DNS is resolving properly, the destinationHostName field should contain the FQDN.  I still see the requestUrl field in the funky (3)www(9)microsoft(3)com(0) format though.  You may need to tweak your rules a bit if you need to use a different field to compare to a list.

Eric

12 Replies

andrew.ajello@h1

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


I haven't tried the built-in DNS connector yet, so I am unsure if there is a built-in option, but there is a function you can use if you create a parser override. It's called __ConvertMSDNSURL:

__ConvertMSDNSURL
Output Form: String
This operation converts a Microsoft DNS URL in the form (n)nchars(m)mchars(0) to a normal URL: nchars.mchars

Have a look at the Flex Connector guide for reference.
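The conversion the __ConvertMSDNSURL operation performs is easy to reproduce outside the connector, which is useful when you want to check what a rule will actually see before comparing it with an active list, or when the connector leaves destinationHostName empty as later posts in this thread report. The following is an added example, not ArcSight code and not the connector's implementation of __ConvertMSDNSURL: it walks the (n)label(m)label(0) notation as length-prefixed DNS labels, rejects values whose stated lengths do not match the text instead of guessing, and then matches the resulting FQDN against a watch list. The parent-domain matching (so that an entry for bad.example also covers updates.bad.example) goes beyond the exact-match comparison an ArcSight active list does by default; the sample values and the WATCH_LIST entries are constructed for the example.

```python
import re
from typing import List, Optional, Sequence, Tuple

# A length prefix in the MS DNS debug-log notation, e.g. "(3)" in "(3)www..."
LABEL_PREFIX = re.compile(r"\((\d+)\)")


def convert_ms_dns_url(raw: str) -> str:
    """Convert "(3)www(9)microsoft(3)com(0)" into "www.microsoft.com".

    Each "(n)" announces that exactly n characters of label follow, and "(0)"
    is the root label that terminates the name. A length that does not match
    the text, a missing terminator, or trailing data raises ValueError so a
    malformed value is never silently turned into a plausible-looking name.
    """
    labels: List[str] = []
    pos = 0
    while True:
        m = LABEL_PREFIX.match(raw, pos)
        if not m:
            raise ValueError(f"expected a length prefix at offset {pos}: {raw!r}")
        n = int(m.group(1))
        pos = m.end()
        if n == 0:  # root label: must be the end of the value
            if pos != len(raw):
                raise ValueError(f"trailing data after the root label: {raw!r}")
            break
        label = raw[pos:pos + n]
        if len(label) != n:
            raise ValueError(f"label length {n} runs past the end of {raw!r}")
        labels.append(label)
        pos += n
    return ".".join(labels)


def parse_or_none(raw: str) -> Optional[str]:
    """Lenient wrapper: None for a value convert_ms_dns_url rejects."""
    try:
        return convert_ms_dns_url(raw)
    except ValueError:
        return None


def normalize(name: str) -> str:
    """Case-fold and drop a trailing dot so comparisons are consistent."""
    return name.rstrip(".").lower()


def matches_list(fqdn: str, domain_list: Sequence[str]) -> Optional[str]:
    """Return the list entry covering fqdn (exact or parent domain), else None."""
    entries = {normalize(d) for d in domain_list}
    labels = normalize(fqdn).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


# Constructed sample requestUrl values in the notation from the thread (not real log data).
SAMPLE_REQUEST_URLS = [
    "(3)www(9)microsoft(3)com(0)",
    "(3)www(6)amazon(3)com(0)",
    "(7)updates(3)bad(7)example(0)",
    "(4)www(9)microsoft(3)com(0)",  # wrong length prefix: must be rejected
]

# Constructed watch list standing in for an ArcOSI-generated active list.
WATCH_LIST = ["bad.example", "www.amazon.com"]


def check_events(raw_urls: Sequence[str], watch_list: Sequence[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """For each raw value return (raw, converted FQDN or None, matching list entry or None)."""
    results = []
    for raw in raw_urls:
        fqdn = parse_or_none(raw)
        hit = matches_list(fqdn, watch_list) if fqdn is not None else None
        results.append((raw, fqdn, hit))
    return results


if __name__ == "__main__":
    for raw, fqdn, hit in check_events(SAMPLE_REQUEST_URLS, WATCH_LIST):
        print(f"{raw:35} -> {fqdn!s:22} list match: {hit}")
```

Run it as a script to see the conversion next to the list verdict for each sample; the malformed fourth value comes back as None rather than as a truncated name, which is the behaviour you want before feeding a field into a rule that compares it with a list.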
cgi1

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hi,

Yes, I am doing it right now with the destinationHostName field. It works.

I would like it if the ArcSight connectors were more consistent in their mapping.

You have to modify your rules/content depending on the connector mapping.

Some use destinationHostName, destinationDnsDomain and requestedUrl for the same information in different ways.

Thanks

Christian

Itayl

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hello,

I have the same problem when I am trying to parse events from a DNS log file.

I am using the Microsoft DNS trace log file connector and always get the (n)nchars(m)mchars(0) result in the requestUrl field.

Is there a way to convert this pattern to a normal FQDN DNS name?

If not, can you please explain how to use the "parser override" __ConvertMSDNSURL?

I've looked at the Flex Connector guide but I didn't understand how and where to use this function...

Best regards,

Itay

cgi1

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hi,

The parser is copying the same information as in requestedUrl into the field destinationHostname in normal notation.

i.e.

requestedUrl           (3)www(9)microsoft(3)com(0)
destinationHostname    www.microsoft.com

I did no parser override.

Christian

Itayl

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hi Christian,

Thanks for your reply.

Unfortunately the field destinationHostName is empty in my events.

Do you think that it is a bug, or do I need to enable some feature in the connector configuration in order to see this information?

My connector version is: 5.0.1

Regards,

Itay

cgi1

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hi,

I did not enable special settings. I think I have DNS resolution enabled. Maybe this helps.

My version is 5.1.1 and it is a Microsoft DNS.

Christian

Itayl

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hi Christian,

I have upgraded my SmartConnector to version 5.1.3.5870 and now I can see the DNS address correctly in the destinationHostName field.

Thank you for your help.

Regards,

Itay

edsale

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


The documentation says to use: __ConvertMSDNSURLOperation()

What actually worked for me is: __convertMSDNSURL() with a lowercase "c" after the underscores and no "Operation" at the end; other versions of this function generate "FATAL ERROR"s in the agent.out.wrapper.log file.

jack

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hi,

I have a similar problem, but my connector's version is 7.0.3.7052.0:

Destination Host Name is empty

Request Url = Request Url Host = e.g. (3)www(6)amazon(3)com(0)

Do you have any idea?

Thanks,

Jacek

darkprince211

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hello,

We have a similar problem too. Which file must be configured to use the __convertMSDNSURL() parameters, and how?

Regards.

hemant1989

Re: ArcOSI -->DNS Log (3)www(9)microsoft(3)com(0)


Hi Ed Sale,

Can you please explain how you resolved this issue? Even I am facing the same situation, where my Destination Host Name field is empty and the request URL field contains values such as (3)www(6)amazon(3)com(0).

Any suggestion would be really helpful.
