
ManRod
New Contributor II

Reverse DNS Queries for CMDB

Hi again,

I have a setup where several devices report via syslog only (no manual discovery has happened).

So the system's hostname in the CMDB is HOST-<IP>; I suspect this is because it tries to pull the info via SNMP/WMI by default.
Is there any chance of using reverse DNS by default to resolve that name?

I understand that I can choose DNS first instead of SNMP/WMI while discovering the devices; however, the discovery seems to require SNMP, which is not used.

If this is not possible, is there any other way, like a script that queries the DNS server for the IP and changes the hostname in the CMDB?

Regards
Manuel
FSM_FTNT
Staff

Hi Manuel,

HOST-<IP> typically happens if logs are received without any discovery. If you perform a discovery with SNMP or WMI, the discovery process will check the DNS or SNMP/WMI results and add that to the CMDB.

You can enable DNS lookups on logs by enabling the lookup setting:

vi /opt/phoenix/config/phoenix_config.txt

changing this line from no to yes:

use_dns_lookup=no

then saving the file and restarting the parser process:

killall -9 phParser

However, this is disabled by default because if DNS is slow it can cause performance issues for the parser process, potentially affecting the accepting/processing of events whilst it waits on a DNS response. I suggest you test this in a lab first!

Additionally, the parser needs a section added to perform a reverse DNS lookup and set the result as the hostname. If you have a sample event from the device you are trying to add, I can take a look when you have time.

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
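As an added example (not code from the original posts, and not a Fortinet or FortiSIEM component), here is a standalone Python reverse-DNS enrichment of the kind the question asks about, built around the caveat in the reply above: every PTR lookup runs with a timeout and a cache, so a slow or unresponsive DNS server cannot stall event handling, and anything that does not resolve keeps the HOST-<IP> placeholder. The sample events (apart from the Cisco IOS line quoted in the thread), the PTR table, and all names in it (rtr-core-01.example.net, fake_lookup, ReverseResolver, enrich, ...) are constructed for illustration; the real resolver path is system_lookup(), which uses the OS resolver.

```python
"""Reverse-DNS enrichment for syslog-only devices (added example, not FortiSIEM code).

Resolves the reporting IP of each syslog event to a hostname with a per-lookup
timeout and a cache, so a slow DNS server cannot block event processing, and
falls back to the HOST-<IP> placeholder the thread describes.
"""
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, List, Tuple

# Constructed sample input: (source IP as the collector sees it, raw syslog payload).
# The Cisco IOS line is the one quoted in the thread; the other two are made up.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("10.0.0.11", "<189>391: Apr 19 12:28:44.172: %PARSER-5-CFGLOG_LOGGEDCMD: "
                  "User:srv_user logged command:!exec: enable"),
    ("10.0.0.12", "<134>Apr 19 12:29:01 jump-01 sshd[4711]: Accepted publickey for admin from 10.0.0.50"),
    ("10.0.0.13", "<189>392: Apr 19 12:29:10.001: %SYS-5-CONFIG_I: Configured from console by srv_user"),
]

# Constructed PTR table standing in for the DNS server so the example runs offline.
# 10.0.0.13 deliberately has no PTR record.
FAKE_PTR: Dict[str, str] = {
    "10.0.0.11": "rtr-core-01.example.net",
    "10.0.0.12": "jump-01.example.net",
}

LookupFn = Callable[[str], str]


def fake_lookup(ip: str) -> str:
    """Offline stand-in for system_lookup(): returns the PTR name or fails like NXDOMAIN."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def system_lookup(ip: str) -> str:
    """Real reverse lookup (PTR query) through the OS resolver; same contract as fake_lookup()."""
    return socket.gethostbyaddr(ip)[0]


def slow_lookup(ip: str) -> str:
    """Simulates an unresponsive DNS server, to exercise the timeout path."""
    time.sleep(0.3)
    return "never-seen.example.net"


def placeholder_name(ip: str) -> str:
    """The name the thread reports for undiscovered devices: HOST-<IP>."""
    return f"HOST-{ip}"


class ReverseResolver:
    """Bounded, cached reverse lookups that never block the caller longer than `timeout`."""

    def __init__(self, lookup: LookupFn = system_lookup, timeout: float = 0.5, workers: int = 4):
        self._lookup = lookup
        self._timeout = timeout
        self._pool = ThreadPoolExecutor(max_workers=workers)  # caps concurrent in-flight queries
        self._cache: Dict[str, str] = {}

    def resolve(self, ip: str) -> str:
        ipaddress.ip_address(ip)  # reject anything that is not an IP literal (raises ValueError)
        if ip in self._cache:
            return self._cache[ip]
        future = self._pool.submit(self._lookup, ip)
        try:
            name = future.result(timeout=self._timeout)
        except FutureTimeout:
            # DNS too slow: return the placeholder now and do NOT cache it, so the next event
            # from this IP retries once the server recovers. The worker thread finishes on its
            # own; the pool size bounds how many such stragglers can pile up.
            return placeholder_name(ip)
        except (socket.herror, socket.gaierror, OSError):
            # No PTR record or resolver error: cache the placeholder to avoid re-querying.
            name = placeholder_name(ip)
        self._cache[ip] = name
        return name


def enrich(events: List[Tuple[str, str]], resolver: ReverseResolver) -> List[dict]:
    """Attach reporting_host (reverse DNS or HOST-<IP>) and decode the syslog PRI field."""
    out = []
    for ip, raw in events:
        pri_end = raw.index(">")
        pri = int(raw[1:pri_end])  # <PRI> = facility * 8 + severity (RFC 3164 / RFC 5424)
        out.append({
            "reporting_ip": ip,
            "reporting_host": resolver.resolve(ip),
            "facility": pri >> 3,
            "severity": pri & 7,
            "message": raw[pri_end + 1:],
        })
    return out


if __name__ == "__main__":
    for rec in enrich(SAMPLE_EVENTS, ReverseResolver(lookup=fake_lookup)):
        print(rec["reporting_ip"], "->", rec["reporting_host"], "|", rec["message"][:60])
```

Swapping fake_lookup for system_lookup turns this into a real PTR resolver; the timeout and the separate handling of "slow" (retry later) versus "no record" (cache the placeholder) are what keep it from reproducing the stall the reply warns about. Writing the resolved name back into the CMDB is outside this example.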
ManRod
New Contributor II

Hi Daniel,

thanks for the reply. I was able to test the setting and, as you predicted, the parsers need to be adjusted accordingly.

One simple sample event is from the CiscoIOSParser (User logged in command activity)
<189>391: Apr 19 12:28:44.172: %PARSER-5-CFGLOG_LOGGEDCMD: User:srv_user logged command:!exec: enable

It would be great if you could tell me how to do the DNS lookup inside the parser; then I will be able to customize all the others.

Regards
Manuel
ManRod
New Contributor II

Hi @Daniel

I tried to use convertHostNameToIp; however, this really seems to work only for host to IP and not for the other direction.

Regards
Manuel