
Huge DNS traffic from ArcSight

Dears,

We are having an issue where firewall CPU utilization is going high.

On log analysis we found that a huge volume of traffic from ArcSight-related devices (ESM, Logger and Connector servers) is being sent as DNS requests (UDP 53) to the domain controller.

Any idea what the possible cause could be?

Thanks in advance.

Regards,

Irfan


This issue should actually be at the forefront of any ArcSight architecture discussion. We have had major issues over the past week with DNS and ArcSight. I find there is a lack of proper documentation on how to tune for DNS.

It would be great to know from HPE when I do X on Y, Z should be the result.


If you want, you can turn off all DNS entirely. But it's not recommended.

Cheers

Gayan


Dears,

Thanks for suggesting the possible cause and solution to the issue, I learned a lot from your replies.

As the CPU utilization was high, the firewall team blocked port 53.

Based on your suggestions, I deleted the hosts.txt file from each connector, located in the connector_home\current\agent folder.

Apart from this, I also disabled "enable name resolution" on each connector.

Then they allowed port 53 one by one for the connector servers, and the traffic was reduced.

Thanks for your support once again.

Regards,

Irfan

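A quick way to reproduce the log analysis described in this thread, as an added example (not code from the thread, from ArcSight, or from Micro Focus): it tallies UDP/53 flows per source address toward the domain controller from firewall log lines and ranks the heaviest sources, which is how a handful of connectors doing per-event name resolution shows up. The key=value log format, the IP addresses and the threshold are all constructed assumptions; adjust the regex to your firewall's syntax.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (not from the thread). The key=value
# layout is a hypothetical format; adjust LINE_RE to your firewall's syntax.
SAMPLE_LOG = """\
src=10.0.1.10 dst=10.0.0.5 proto=udp dport=53 action=allow
src=10.0.1.10 dst=10.0.0.5 proto=udp dport=53 action=allow
src=10.0.1.10 dst=10.0.0.5 proto=udp dport=53 action=allow
src=10.0.1.11 dst=10.0.0.5 proto=udp dport=53 action=allow
src=10.0.1.11 dst=10.0.0.5 proto=udp dport=53 action=allow
src=10.0.2.20 dst=10.0.0.5 proto=udp dport=53 action=allow
src=10.0.2.21 dst=10.0.0.5 proto=tcp dport=443 action=allow
src=10.0.1.10 dst=8.8.8.8 proto=udp dport=53 action=deny
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def dns_queries_to_dc(log_text, dc_ip):
    """Count UDP/53 flows per source address that target the domain controller."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines the regex does not understand
        src, dst, proto, dport = m.groups()
        if dst == dc_ip and proto == "udp" and dport == "53":
            counts[src] += 1
    return counts


def noisy_dns_sources(log_text, dc_ip, threshold):
    """Return (src, count, share) for sources whose DNS volume to the DC meets
    the threshold, largest first. share is the source's fraction of all UDP/53
    flows to the DC in the window, which makes a few dominating hosts obvious."""
    counts = dns_queries_to_dc(log_text, dc_ip)
    total = sum(counts.values())
    flagged = [(src, n, n / total) for src, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for src, n, share in noisy_dns_sources(SAMPLE_LOG, "10.0.0.5", threshold=2):
        print(f"{src}: {n} queries ({share:.0%} of DNS to DC)")
```

Run it against a real export with the DC's address and a threshold tuned to your baseline; the sources at the top of the list are the connectors to check for a stale hosts.txt or name resolution left enabled.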

My pleasure.
