Huge DNS traffic from ArcSight
We are having an issue where firewall CPU utilization is going high.
On log analysis we have found that ArcSight-related devices (ESM, Logger and Connector servers) are sending a huge volume of DNS requests (UDP 53) to the domain controller.
Any idea what the possible cause could be?
Thanks in advance.
This issue should actually be at the forefront of any ArcSight architecture discussion. We have had major issues over the past week with DNS and ArcSight. I find there is a lack of proper documentation on how to tune for DNS.
It would be great to know from HPE that when I do X on Y, Z should be the result.
Thanks for suggesting the possible cause and solution to the issue, I learned a lot from your replies.
As the CPU utilization was high, the firewall team blocked port 53.
Based on your suggestions, I deleted the hosts.txt file from each connector, located in the connector_home\current\agent folder.
Apart from this, I also disabled "enable name resolution" on each connector.
Then they allowed port 53 one by one for the connector servers, and the traffic was reduced.
Thanks for your support once again.
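The log analysis this thread relies on (finding which ArcSight hosts are generating the UDP/53 requests, and then checking per-minute rates while port 53 is re-enabled connector by connector) can be scripted. The block below is an added example, not code from the thread or from ArcSight. It assumes a generic key=value firewall log format, uses constructed sample lines, and the CONNECTOR_HOSTS mapping of IPs to connector names is hypothetical.

```python
"""Count DNS (UDP/53) requests per source in firewall logs and report top talkers."""
import re
from collections import Counter

# Hypothetical mapping of ArcSight host IPs to names (assumption, not from the thread).
CONNECTOR_HOSTS = {
    "10.1.1.10": "connector-01",
    "10.1.1.11": "connector-02",
    "10.1.1.20": "esm-01",
}

# Constructed sample firewall log lines in a generic key=value format (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=allow proto=udp src=10.1.1.10 sport=51000 dst=10.1.2.5 dport=53
2024-05-01T10:00:01Z action=allow proto=udp src=10.1.1.10 sport=51001 dst=10.1.2.5 dport=53
2024-05-01T10:00:02Z action=allow proto=udp src=10.1.1.10 sport=51002 dst=10.1.2.5 dport=53
2024-05-01T10:00:02Z action=allow proto=udp src=10.1.1.11 sport=40200 dst=10.1.2.5 dport=53
2024-05-01T10:00:03Z action=allow proto=udp src=10.1.1.11 sport=40201 dst=10.1.2.5 dport=53
2024-05-01T10:00:03Z action=allow proto=tcp src=10.1.1.10 sport=51003 dst=10.1.2.5 dport=443
2024-05-01T10:00:04Z action=allow proto=udp src=10.1.1.20 sport=33000 dst=10.1.2.5 dport=53
2024-05-01T10:00:04Z action=allow proto=udp src=10.1.5.7 sport=60001 dst=10.1.2.5 dport=53
2024-05-01T10:00:05Z action=allow proto=udp src=10.1.1.10 sport=51004 dst=10.1.2.6 dport=53
2024-05-01T10:01:00Z action=deny proto=udp src=10.1.1.10 sport=51005 dst=10.1.2.5 dport=53
2024-05-01T10:01:01Z action=allow proto=udp src=10.1.1.10 sport=51006 dst=10.1.2.5 dport=123
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+sport=\d+\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_dns_request(rec, dns_servers=None):
    """True for UDP/53 flows; optionally only those aimed at the given DNS server IPs."""
    if rec["proto"] != "udp" or rec["dport"] != 53:
        return False
    return dns_servers is None or rec["dst"] in dns_servers


def dns_requests_by_source(lines, dns_servers=None):
    """Count UDP/53 requests per source IP (allowed and denied alike: both are load)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_dns_request(rec, dns_servers):
            counts[rec["src"]] += 1
    return counts


def top_talkers(counts, threshold):
    """Sources with at least `threshold` requests, highest first (ties broken by IP)."""
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


def rate_per_minute(lines, src):
    """Requests per minute from one source, for before/after comparison of a change."""
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["src"] == src and is_dns_request(rec):
            per_minute[rec["ts"][:16]] += 1  # key is 'YYYY-MM-DDTHH:MM'
    return per_minute


def main():
    lines = SAMPLE_LOG.splitlines()
    counts = dns_requests_by_source(lines)
    for ip, n in top_talkers(counts, threshold=2):
        print(f"{ip:<12} {CONNECTOR_HOSTS.get(ip, 'unknown'):<14} {n} UDP/53 requests")
        for minute, m in sorted(rate_per_minute(lines, ip).items()):
            print(f"    {minute}: {m}/min")


if __name__ == "__main__":
    main()
```

Run it against exported firewall logs (after adapting LINE_RE to the real format) first while the connectors still have name resolution enabled, and again as port 53 is opened for each connector in turn; the per-minute rates show whether a given connector still floods the domain controller after hosts.txt has been removed and name resolution disabled.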