raymond.doty (Established Member)

Network Model / Asset Management where you have varying hostname formats?

Hello!

I am a bit new to the asset model of ArcSight and trying to figure out the capability of managing a number of devices that I haven't figured out how to track properly...

The main issue is that our logs come from varying devices and come in different formats.  The specific item of interest is the hostname field...  We will get the same asset in multiple formats...

Example hostnames for below:

FQDN = hostname.domain.contoso.com

Short Hostname = hostname

1) Network logs - sometimes FQDN, always IP Address

2) Windows logs - mostly FQDN, sometimes Short Hostname, sometimes IP Address

3) AV events - always FQDN, never IP address

From what I understand most of our user networks (IP subnets, not ArcSight network) are dynamic, most server networks are static.

We theoretically care 'most' about asset modeling of our server networks (mostly static).

This has created a couple problems I am not sure I see a way around.

1) If the zone the assets are created in is static (so that it can see hostname), we cannot have two assets with the same IP address (imagine short hostname and fqdn) but different hostnames (+network and +partial windows logs, -partial windows logs and -AV logs)

2) If the zone is dynamic, we can create two assets with different hostnames (short and fqdn) - but it theoretically won't be able to see IP addresses being dynamic (+windows and AV logs, -Network logs where IP only)

Has anyone come to a conclusion/solution to this?  It seems whatever route we go, we may end up needing duplicate assets...

raymond.doty (Established Member)

Re: Network Model / Asset Management where you have varying hostname formats?

Well I figured out where we have an IP address, with two formats...

If ip is static:

Create two assets in the same dynamic zone, one with the proper ip and hostname and static checked, second asset create with short hostname and dynamic incorrect ip.  Then tie the two together using 'alternate interfaces'.

If IP is not static:

Create two assets in the same dynamic zone, both with improper ip addresses, ensure static unchecked, but fqdn and short hostnames.  Tie them together using 'alternate interfaces'.

Now the problem is where you do not have an IP address.

So new question:

Has anyone found out how to use the network model where you have no ip address?  I know this sounds like a silly question given that it's a network model...  But we have instances where we will never be able to resolve via DNS the hostnames, and we don't have the capability to manage the amount of massive hostfiles necessary to implement this (it would be hundreds of thousands of hosts).

Vini (Acclaimed Contributor)

Re: Network Model / Asset Management where you have varying hostname formats?

Without an IP address you won't be able to tie anything together. The primary key for tying things together is the IP address and then zone.

In my opinion you should always have an ip address there, if you don't it is like having an orphan event.

raymond.doty (Established Member)

Re: Network Model / Asset Management where you have varying hostname formats?

Thanks for the response Vini,

Yeah, I think I learned that the hard way.  Unfortunately we are a heavy IPv6 shop.  So we have no IPv4 frequently.  And we have 2 or 3 feeds which do not have IP information.  Thinking we may just go manage our assets and categorization via lists, because otherwise we have massive gaps or would have to maintain both lists and the asset model... Yuck

Vini (Acclaimed Contributor)
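One way to implement the list-based approach raymond.doty describes above, as an added example that is not from this thread and not ArcSight's own code: a small asset index keyed by IP first (the primary key Vini mentions), then FQDN, then short hostname, so network, Windows and AV events in their different formats resolve to one asset. The inventory entries, hostnames and addresses are constructed for the example; the short-name fallback assumes short hostnames are unique across the organization.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    name: str                        # canonical short hostname, lower-case
    fqdn: Optional[str] = None
    addresses: set = field(default_factory=set)
    category: str = "uncategorized"

def short_name(host: str) -> str:
    """hostname.domain.contoso.com -> hostname (case-folded)."""
    return host.split(".", 1)[0].lower()

def normalize_ip(value: str) -> Optional[str]:
    """Canonical text for IPv4/IPv6 (2001:0DB8::0001 -> 2001:db8::1), or None if not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

class AssetIndex:
    """Lookup order: IP (primary key), then FQDN, then short hostname."""
    def __init__(self):
        self.by_host, self.by_ip = {}, {}

    def add(self, asset: Asset) -> None:
        self.by_host[asset.name] = asset
        if asset.fqdn:
            self.by_host[asset.fqdn.lower()] = asset
        for addr in asset.addresses:
            if (n := normalize_ip(addr)):
                self.by_ip[n] = asset

    def resolve(self, host: Optional[str] = None, ip: Optional[str] = None) -> Optional[Asset]:
        # Windows logs sometimes carry an IP in the hostname field: treat it as one.
        if host and normalize_ip(host):
            ip, host = host, None
        if ip and (hit := self.by_ip.get(normalize_ip(ip))):
            return hit
        if host:
            # Short-name fallback assumes short hostnames are unique org-wide (assumption).
            return self.by_host.get(host.lower()) or self.by_host.get(short_name(host))
        return None  # no IP and unknown hostname: an orphan event, as Vini puts it

def build_example_index() -> AssetIndex:
    """Constructed inventory list standing in for the 'lists' mentioned in the thread."""
    idx = AssetIndex()
    idx.add(Asset("srv01", "srv01.domain.contoso.com", {"2001:db8::1"}, "server"))
    idx.add(Asset("ws17", "ws17.domain.contoso.com", set(), "workstation"))  # DHCP host, no fixed IP
    return idx
```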

Re: Network Model / Asset Management where you have varying hostname formats?

It doesn't sound very easy I have to say.

Let us know how you end up doing it, it will be interesting to know.
