SIEM & UEBA

Reverse DNS Queries for CMDB

  • 1.  Reverse DNS Queries for CMDB

    Posted Mar 19, 2021 05:51 AM
    Hi again,

    I have a setup where several devices just report via syslog only (no manual discovery happened).

    So the systems hostname in the CMDB is HOST-<IP>, because I suspect it tries to pull the info via SNMP/WMI by default.
    Is there any chance of using reverse DNS by default to resolve that name?

    I understand that I can choose DNS first instead of SNMP/WMI while discovering the devices, however the discovery seems to require SNMP, which is not used.

    If this is not possible, is there any other way like a script that queries DNS Server for the IP and changes the Hostname in the CMDB?

    Regards
    Manuel


  • 2.  RE: Reverse DNS Queries for CMDB

    GROUP ADMIN
    Posted Mar 22, 2021 05:45 AM
    Hi Manuel,

    HOST-<IP> typically happens if logs are received without any discovery. If performing a discovery with SNMP or WMI then the discovery process will check DNS or SNMP/WMI results and add that to the CMDB.

    You can enable DNS lookups on logs by enabling lookup:

    vi /opt/phoenix/config/phoenix_config.txt

    changing this to yes

    use_dns_lookup=no

    saving the file and restarting the parser process

    killall -9 phParser

    However, this is disabled by default because if DNS is slow it can cause performance issues for the parser process and potentially accepting/processing whilst it waits on the DNS response. Suggest you test this in a lab first!

    Additionally, the Parser needs a section added to perform a reverse DNS lookup and set the results to the hostname. If you have a sample event from the device you are trying to add, I can take a look when you have time.

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------
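    The performance concern above (a slow resolver stalling the parser) is what a stand-alone reverse-lookup script has to handle. The following is an added example, not FortiSIEM code and not from this thread: it runs each PTR lookup under a bounded timeout and falls back to the HOST-<IP> placeholder the SIEM already uses, so the result can be fed into a CMDB update step. The `lookup` parameter and the `fake_lookup` table are constructed for offline testing; the real run uses `socket.gethostbyaddr`.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


def placeholder_name(ip: str) -> str:
    """Name FortiSIEM assigns when a device is known only from syslog."""
    return f"HOST-{ip}"


def reverse_lookup(ip: str, timeout: float = 0.5, lookup=socket.gethostbyaddr) -> str:
    """Return the PTR name for ip, or HOST-<ip> if the lookup fails or is too slow.

    The lookup runs in a worker thread so a slow DNS server cannot block the
    caller for longer than `timeout` seconds (the parser-stall risk above).
    `lookup` is injectable so the logic can be tested without a resolver.
    """
    executor = ThreadPoolExecutor(max_workers=1)
    future = executor.submit(lookup, ip)
    try:
        name, _aliases, _addrs = future.result(timeout=timeout)
        return name.rstrip(".") or placeholder_name(ip)
    except (FutureTimeout, OSError, ValueError):
        # socket.herror / gaierror are OSError subclasses: NXDOMAIN, SERVFAIL, etc.
        return placeholder_name(ip)
    finally:
        executor.shutdown(wait=False)


def build_cmdb_hostnames(ips, **kwargs) -> dict:
    """Map each syslog source IP to the hostname the CMDB entry should carry."""
    return {ip: reverse_lookup(ip, **kwargs) for ip in ips}


# Constructed stand-in for a DNS server (hypothetical names, RFC 5737 test addresses).
_FAKE_PTR = {"192.0.2.10": ("sw-core-01.example.net.", [], ["192.0.2.10"])}


def fake_lookup(ip: str):
    if ip == "192.0.2.20":
        time.sleep(1.0)  # simulate a resolver that answers far too slowly
    if ip not in _FAKE_PTR:
        raise socket.herror(1, "Unknown host")  # no PTR record
    return _FAKE_PTR[ip]


if __name__ == "__main__":
    for ip, name in build_cmdb_hostnames(
        ["192.0.2.10", "192.0.2.20", "192.0.2.30"], timeout=0.2, lookup=fake_lookup
    ).items():
        print(f"{ip} -> {name}")
```

    Swap `fake_lookup` for the default `socket.gethostbyaddr` to run against the real DNS server; the fallback keeps entries that cannot be resolved identical to what the SIEM would have created anyway.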



  • 3.  RE: Reverse DNS Queries for CMDB

    Posted Apr 19, 2021 05:29 AM
    Hi Daniel,

    Thanks for the reply. I was able to test the setting and, as you predicted, the parsers need to be adjusted accordingly.

    One simple sample event is from the CiscoIOSParser (User logged in command activity)
    <189>391: Apr 19 12:28:44.172: %PARSER-5-CFGLOG_LOGGEDCMD: User:srv_user logged command:!exec: enable

    It would be great if you could tell me how to do the DNS lookup inside the parser, then I am able to customize all the others.

    Regards
    Manuel


  • 4.  RE: Reverse DNS Queries for CMDB

    Posted May 09, 2021 11:30 PM
    Hi @Daniel

    I tried to use convertHostNameToIp, however this really seems to work only for host to IP and not for the other direction.

    Regards
    Manuel