Cadet 1st Class

ESM and Syslog name resolution

I have syslog entries from internal network systems, and the Arcsight System (Collector, Logger, ESM) reports back the Device and Attacker hostname.

I have syslog entries from an external web provider whereby the Device and Attacker hostnames do not come across.

The external DNS entries are entered in the internal DNS, as there is a tunnel that provides the 514 and SSH connectivity between the two.

Do I need to put the external IPs in the hosts file of the collector or ESM?

Is there a setting in Unix because of which the names of these computers are not coming across in syslog?

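The question above turns on where a sender's name actually comes from: the HOSTNAME field of a BSD-format syslog line is filled in by the sending system, and only when that field carries a bare IP does the receiving side (collector, hosts file or DNS) have anything to resolve. The following added example, which is not code from this thread or from ArcSight, audits a handful of constructed syslog lines against a constructed hosts-file snippet and reports which senders would still be unresolved. The sample lines, the hosts entries and the function names are all assumptions made for the illustration; the one real rule it applies is that a hosts-file entry only helps for an address that is actually listed.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines in BSD syslog (RFC 3164) form; not captured from the
# thread author's environment. The first sender puts its name in the header, the
# other two put only their IP address there.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fileserver01 sshd[1234]: Accepted publickey for ops from 10.1.2.3 port 50022 ssh2",
    "<38>Oct 11 22:14:16 198.51.100.20 httpd[77]: client 203.0.113.9 - GET /login HTTP/1.1 401",
    "<38>Oct 11 22:14:17 198.51.100.21 httpd[78]: client 203.0.113.9 - GET /admin HTTP/1.1 403",
]

# Constructed hosts-file content mirroring the "put the external IPs in the
# hosts file of the collector" idea from the question. Deliberately only one of
# the two external senders is listed, so the other stays unresolved.
SAMPLE_HOSTS = """
127.0.0.1       localhost
198.51.100.20   web-ext-01.example.net web-ext-01   # constructed entry
"""

# <PRI>Mmm dd hh:mm:ss HOST rest-of-message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Split a BSD syslog line into PRI, timestamp, HOSTNAME field and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"pri": int(m["pri"]), "timestamp": m["ts"], "host": m["host"], "message": m["rest"]}


def is_ip_literal(value: str) -> bool:
    """True for an IPv4 or IPv6 address literal, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_hosts(text: str) -> Dict[str, str]:
    """Build an address -> canonical name map from hosts-file text (first name wins)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2 and is_ip_literal(parts[0]):
            table.setdefault(parts[0], parts[1])
    return table


def resolve_sender(host: str, hosts_table: Dict[str, str]) -> dict:
    """Report where a sender's name would come from: the header, the hosts file, or nowhere."""
    if not is_ip_literal(host):
        return {"host": host, "source": "syslog-header", "name": host}
    name = hosts_table.get(host)
    if name:
        return {"host": host, "source": "hosts-file", "name": name}
    return {"host": host, "source": "unresolved", "name": None}


def audit(lines: List[str], hosts_text: str) -> List[dict]:
    """Classify every sender in the given syslog lines against the hosts-file text."""
    hosts_table = parse_hosts(hosts_text)
    results = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            results.append({"host": None, "source": "unparsed", "name": None})
            continue
        results.append(resolve_sender(rec["host"], hosts_table))
    return results


def unresolved_senders(lines: List[str], hosts_text: str) -> List[str]:
    """Addresses that still lack a name after consulting the hosts-file text."""
    return sorted({r["host"] for r in audit(lines, hosts_text) if r["source"] == "unresolved"})


if __name__ == "__main__":
    for r in audit(SAMPLE_LINES, SAMPLE_HOSTS):
        print(f"{str(r['host']):20} {r['source']:15} {r['name']}")
    print("still unresolved:", unresolved_senders(SAMPLE_LINES, SAMPLE_HOSTS))
```

Run on the collector host, the "unresolved" rows are the addresses that neither the sender's header nor the local hosts table accounts for, which is the set a reverse-DNS lookup from that same host would have to cover; if the same line resolves on one collector and not another, comparing this output on both machines narrows the difference to their name sources rather than to the syslog feed.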
Cadet 1st Class

Update:

I made an assumption that the lookup for HOST NAME was done at the ESM level, and it is not.

While investigating a different problem (a syslog reporting to two different collectors) I noted that the same traffic was being resolved by one collector and not by another.

There was a difference between the two collectors regarding the order of DNS lookup. I changed it to mirror the working one but still have the problem.

Does anyone know a setting within a syslog collector that would affect this attribute?

Absent Member.

Same here. Did you have any success? I have a lot of DNS traffic, also IPv6 AAAA's on my DNS server, concerning a WUC and Fortigate Syslog Connector. Did you turn off DNS resolution on the connector level?

/Sly
