ESM and Syslog name resolution
I have syslog entries from internal network systems, and the Arcsight System (Collector, Logger, ESM) reports back the Device and Attacker hostname.
I have syslog entries from an external web provider whereby the Device and Attacker hostnames do not come across.
The external DNS entries are entered in the internal DNS, as there is a tunnel that provides the 514 and SSH connectivity between the two.
Do I need to put the external IPs in the hosts file of the collector or ESM?
Is there a setting in Unix that would cause the names of these computers not to come across in syslog?
I made an assumption that the lookup for HOST NAME was done at the ESM level, and it is not.
While investigating a different problem (a syslog reporting to two different collectors) I noted that the same traffic was being resolved by one collector and not by another.
There was a difference between the two collectors regarding the order of DNS lookup. I changed it to mirror the working one but still have the problem.
Does anyone know a setting within a syslog collector that would affect this attribute?
Same here. Did you have any success? I have a lot of DNS traffic, also IPv6 AAAA's, on my DNS server concerning a WUC and Fortigate Syslog Connector. Did you turn off DNS resolution on the connector level?
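The thread's working conclusion is that the Device/Attacker hostname is resolved on the collector host, through that host's resolver, and not in ESM, so what each collector reports depends on its own /etc/nsswitch.conf order and /etc/hosts contents. The script below is an added example, not code from this thread or from ArcSight: it parses both files the way the resolver reads them and reports, per source IP, which source would answer the reverse lookup, or that nothing would (in which case the connector can only report the bare IP). The IPs, hostnames and sample file contents are constructed for illustration; only the `files` and `dns` sources are emulated, other NSS modules are skipped (an assumption for simplicity). Run it on a collector with the external syslog source IPs as arguments and compare the output between the resolving and non-resolving collector.

```python
"""Added example: emulate the reverse-name lookup a syslog collector performs.

The collector resolves the source IP of each syslog message through the host
resolver (glibc NSS), so the answer depends on the 'hosts:' line in
/etc/nsswitch.conf and on /etc/hosts, not on ESM. Only the 'files' and 'dns'
sources are emulated here (assumption); other NSS modules are skipped.
"""
import ipaddress
import socket
import sys


def parse_hosts(text):
    """Parse /etc/hosts-style text into {normalised_ip: [names...]}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            key = str(ipaddress.ip_address(ip))   # normalise, e.g. 2001:0db8:: -> 2001:db8::
        except ValueError:
            continue                              # malformed entry: ignore it
        table.setdefault(key, []).extend(names)
    return table


def parse_nsswitch_hosts(text):
    """Return the NSS source order from the 'hosts:' line, e.g. ['files', 'dns'].

    Action tokens such as [NOTFOUND=return] are dropped; only source names matter here.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []


def system_reverse_lookup(ip):
    """PTR lookup via the system resolver (itself NSS-driven); None if no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def resolve_in_order(ip, order, hosts_table, dns_lookup):
    """Walk the NSS sources in order; return (name, source) for the first hit.

    dns_lookup is injectable so the logic can be exercised offline with a stub;
    main() passes the real resolver.
    """
    key = str(ipaddress.ip_address(ip))
    for source in order:
        if source == "files":
            names = hosts_table.get(key)
            if names:
                return names[0], "files"
        elif source == "dns":
            name = dns_lookup(ip)
            if name:
                return name, "dns"
        # other NSS modules (myhostname, mdns4_minimal, ...) are not emulated
    return None, None


# Constructed sample data (not from the thread) so the logic can run offline.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.1.2.3    web01.internal.example web01   # internal syslog source
2001:db8::10  ipv6host.internal.example
"""
SAMPLE_NSSWITCH = "passwd: files\nhosts: files dns [NOTFOUND=return] myhostname\n"


def demo(dns_lookup):
    """Resolve constructed IPs against the sample files; returns {ip: (name, source)}."""
    table = parse_hosts(SAMPLE_HOSTS)
    order = parse_nsswitch_hosts(SAMPLE_NSSWITCH)
    return {ip: resolve_in_order(ip, order, table, dns_lookup)
            for ip in ("10.1.2.3", "2001:0db8::10", "203.0.113.5", "198.51.100.9")}


def main(argv):
    """Check the real collector host: which source answers for each given IP?"""
    if len(argv) < 2:
        print(f"usage: {argv[0]} IP [IP ...]", file=sys.stderr)
        return 2
    with open("/etc/hosts") as f:
        hosts = parse_hosts(f.read())
    with open("/etc/nsswitch.conf") as f:
        order = parse_nsswitch_hosts(f.read())
    print(f"hosts: lookup order = {order}")
    for ip in argv[1:]:
        name, source = resolve_in_order(ip, order, hosts, system_reverse_lookup)
        if name:
            print(f"{ip:40} -> {name} (answered by {source})")
        else:
            print(f"{ip:40} -> unresolved: collector will report the bare IP")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the external IPs resolve here but still show up bare in events, the remaining difference is on the connector side (its own resolution setting or cache), which this script does not inspect; if they do not resolve here, fix the hosts file or the DNS view the collector host uses before looking at the connector.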