ManRod
Visitor III
March 19, 2021
Question

Reverse DNS Queries for CMDB

Hi again,

I have a setup where several devices just report via syslog only (no manual discovery happened).

So the system's hostname in the CMDB is HOST-<IP>, because I suspect it tries to pull the info via SNMP/WMI by default.
Is there any chance of using reverse DNS by default to resolve that name?

I understand that I can choose DNS first instead of SNMP/WMI while discovering the devices; however, the discovery seems to require SNMP, which is not used.

If this is not possible, is there any other way, like a script that queries the DNS server for the IP and changes the hostname in the CMDB?

Regards
Manuel


    FSM_FTNT
    Staff
    March 22, 2021
    Hi Manuel,

    HOST-<IP> typically happens if logs are received without any discovery. If performing a discovery with SNMP or WMI then the discovery process will check DNS or SNMP/WMI results and add that to the CMDB.

    You can enable DNS lookups on logs by enabling lookup:

    vi /opt/phoenix/config/phoenix_config.txt

    changing this to yes

    use_dns_lookup=no

    saving the file and restarting the parser process

    killall -9 phParser

    However, this is disabled by default because if DNS is slow it can cause performance issues for the parser process, potentially delaying the accepting/processing of events while it waits on the DNS response. Suggest you test this in a lab first!

    Additionally, the Parser needs a section added to perform a reverse DNS lookup and set the results to the hostname. If you have a sample event from the device you are trying to add, I can take a look when you have time.

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------
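A worked version of the script Manuel asks about, added here as an example and not code from FortiSIEM or from anyone in the thread: it turns HOST-<IP> placeholders into PTR names with a hard per-lookup timeout (Daniel's slow-DNS caveat) and accepts a name only if it forward-resolves back to the same IP, since a PTR record alone is set by whoever controls the reverse zone. The rename plan is returned as a dict; writing it into the CMDB is not shown because the thread does not describe that interface, and the resolver functions are injectable (assumed design) so the logic can be exercised offline.

```python
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Naming convention from the thread: undiscovered syslog sources show up as HOST-<IP>.
PLACEHOLDER = re.compile(r"^HOST-(?P<ip>[0-9A-Fa-f:.]+)$")
LOOKUP_TIMEOUT = 2.0  # seconds; a hard bound so a slow resolver cannot stall the caller

def placeholder_ip(name):
    """Return the normalised IP embedded in a HOST-<IP> name, or None if not a placeholder."""
    m = PLACEHOLDER.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None

def _bounded(fn, arg, timeout):
    """Run one resolver call in a worker thread; give up (return None) on timeout or DNS error."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(fn, arg).result(timeout=timeout)
    except (FutureTimeout, OSError):
        return None
    finally:
        pool.shutdown(wait=False)  # do not block on a lookup that is still hanging

def _forward_addrs(name):
    """Forward-resolve a name to the set of its A/AAAA addresses (default forward resolver)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def plan_renames(names, reverse=socket.gethostbyaddr, forward=_forward_addrs, timeout=LOOKUP_TIMEOUT):
    """Map each CMDB name to the name it should get. A HOST-<IP> placeholder is renamed
    to its PTR name only if that name forward-resolves back to the same IP (forward-confirmed
    reverse DNS): the PTR zone is controlled by whoever owns the reverse zone, so an
    unconfirmed PTR must not become the CMDB hostname. Anything else is left unchanged."""
    plan = {}
    for name in names:
        ip = placeholder_ip(name)
        ptr = _bounded(reverse, ip, timeout) if ip else None   # (hostname, aliases, ips) or None
        addrs = _bounded(forward, ptr[0], timeout) if ptr else None
        plan[name] = ptr[0] if addrs and ip in addrs else name
    return plan
```

A live run against the local resolver is `plan_renames(["HOST-10.0.0.5"])` with the default socket resolvers; entries that time out, fail or are not forward-confirmed come back unchanged.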
    ManRod (Author)
    Visitor III
    April 19, 2021
    Hi Daniel,

    thanks for the reply. I was able to test the setting and as you predicted the parsers need to be adjusted accordingly.

    One simple sample event is from the CiscoIOSParser (User logged in command activity)
    <189>391: Apr 19 12:28:44.172: %PARSER-5-CFGLOG_LOGGEDCMD: User:srv_user logged command:!exec: enable

    It would be great if you could tell me how to do the DNS lookup inside the parser; then I am able to customize all the others.

    Regards
    Manuel
    ManRod (Author)
    Visitor III
    May 10, 2021
    Hi @Anonymous_User

    I tried to use convertHostNameToIp; however, this really seems to work only for host to IP and not for the other direction.

    Regards
    Manuel