FortiSIEM Discussions
ManuelRodriguez
New Contributor

Reverse DNS Queries for CMDB

Hi again,

I have a setup where several devices just report via syslog only (no manual discovery happened).

So the systems hostname in the CMDB is HOST-<IP>, because I suspect it tries to pull the info via SNMP/WMI by default.
Is there any chance of using reverse DNS by default to resolve that name?

I understand that I can choose DNS first instead of SNMP/WMI while discovering the devices, however the discovery seems to require SNMP, which is not used.

If this is not possible, is there any other way like a script that queries DNS Server for the IP and changes the Hostname in the CMDB?

Regards
Manuel
DanielHanman
Staff

Hi Manuel,

HOST-<IP> typically happens if logs are received without any discovery. If you perform a discovery with SNMP or WMI, the discovery process will check the DNS or SNMP/WMI results and add that to the CMDB.

You can enable DNS lookups on logs by enabling the lookup option:

vi /opt/phoenix/config/phoenix_config.txt

and changing this line to yes:

use_dns_lookup=no

then saving the file and restarting the parser process:

killall -9 phParser

However, this is disabled by default because if DNS is slow it can cause performance issues for the parser process, and potentially for accepting/processing events whilst it waits on a DNS response. Suggest you test this in a lab first!

Additionally, the Parser needs a section added to perform a reverse DNS lookup and set the results to the hostname. If you have a sample event from the device you are trying to add, I can take a look when you have time.

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
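Manuel's original question asked for a script that queries DNS for the IP and rewrites the CMDB hostname, and Daniel's caveat above is that a slow resolver stalls the parser. The Python below is an added example, not FortiSIEM code and not from either poster: it finds HOST-<IP> placeholder names in a constructed CMDB export, runs the PTR lookup with a hard per-query timeout and a negative cache (so a dead resolver costs at most the timeout per IP and is not re-queried), and only proposes names that pass a forward-confirmed check, i.e. the name in the PTR record must resolve back to the same IP. Without that check, whoever controls the reverse zone for an address gets to choose what the device is called in your inventory. The entry format (a list of name/ip dicts), the fake resolver and the sample zone are constructed so the example runs offline; writing the result back into the CMDB is left to whatever update path you use and is not shown.

```python
"""Reverse-DNS enrichment for CMDB entries still named HOST-<IP>.

Added example, not FortiSIEM code: PTR lookup with a hard timeout, a
result cache, and a forward-confirmed (FCrDNS) check before a name is
proposed for the inventory.
"""
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, List, Optional, Tuple

# Resolver contract: ip -> (ptr_name, [addresses that ptr_name resolves to]).
Resolver = Callable[[str], Tuple[str, List[str]]]
Outcome = Tuple[str, Optional[str]]          # (status, hostname-or-None)


def system_resolver(ip: str) -> Tuple[str, List[str]]:
    """Real lookup via the OS resolver: PTR first, then A/AAAA of the PTR name."""
    name, _aliases, _addrs = socket.gethostbyaddr(ip)
    forward = {str(ipaddress.ip_address(info[4][0].split("%")[0]))
               for info in socket.getaddrinfo(name, None)}
    return name, sorted(forward)


def placeholder_ip(name: str) -> Optional[str]:
    """Return the normalized IP embedded in a HOST-<IP> name, else None."""
    if not name.startswith("HOST-"):
        return None
    try:
        return str(ipaddress.ip_address(name[len("HOST-"):]))
    except ValueError:
        return None


def reverse_lookup(ip: str, resolver: Resolver = system_resolver,
                   timeout: float = 1.0,
                   cache: Optional[Dict[str, Outcome]] = None) -> Outcome:
    """Forward-confirmed PTR lookup that never blocks longer than `timeout`.
    Statuses: "ok", "unconfirmed" (PTR name does not resolve back to ip),
    "no_ptr", "timeout". Negative results are cached as well.
    """
    if cache is not None and ip in cache:
        return cache[ip]
    pool = ThreadPoolExecutor(max_workers=1)  # no `with`: its exit would wait for the thread
    future = pool.submit(resolver, ip)
    try:
        name, forward = future.result(timeout=timeout)
        outcome: Outcome = ("ok", name) if ip in forward else ("unconfirmed", name)
    except FutureTimeout:                     # must precede OSError (alias on 3.11+)
        outcome = ("timeout", None)
    except OSError:                           # socket.herror / socket.gaierror
        outcome = ("no_ptr", None)
    finally:
        pool.shutdown(wait=False)             # abandon a stuck query, do not join it
    if cache is not None:
        cache[ip] = outcome
    return outcome


def enrich_cmdb(entries: List[Dict[str, str]], resolver: Resolver = system_resolver,
                timeout: float = 1.0) -> Dict[str, Outcome]:
    """Look up every HOST-<IP> placeholder; entries with a real name are left alone."""
    cache: Dict[str, Outcome] = {}
    report: Dict[str, Outcome] = {}
    for entry in entries:
        ip = placeholder_ip(entry["name"])
        if ip is not None:
            report[ip] = reverse_lookup(ip, resolver, timeout, cache)
    return report


def proposed_renames(report: Dict[str, Outcome]) -> Dict[str, str]:
    """Only forward-confirmed names are safe to write back into the CMDB."""
    return {ip: name for ip, (status, name) in report.items() if status == "ok" and name}


# --- constructed sample data (assumed entry format, no real network access) ---
SAMPLE_CMDB = [
    {"name": "HOST-10.0.0.5", "ip": "10.0.0.5"},   # good PTR, forward-confirmed
    {"name": "HOST-10.0.0.6", "ip": "10.0.0.6"},   # PTR name points elsewhere
    {"name": "HOST-10.0.0.7", "ip": "10.0.0.7"},   # resolver answers too slowly
    {"name": "HOST-10.0.0.8", "ip": "10.0.0.8"},   # no PTR record at all
    {"name": "fw-edge-01", "ip": "10.0.0.9"},      # already named: untouched
]
FAKE_ZONE = {
    "10.0.0.5": ("rtr-core-01.corp.example", ["10.0.0.5"]),
    "10.0.0.6": ("bogus-ptr.attacker.example", ["203.0.113.9"]),
}


def fake_resolver(ip: str) -> Tuple[str, List[str]]:
    """Offline stand-in for system_resolver, serving FAKE_ZONE."""
    if ip == "10.0.0.7":
        time.sleep(0.5)                           # the slow DNS Daniel warns about
        return "slow.corp.example", [ip]
    if ip not in FAKE_ZONE:
        raise socket.herror(1, "Unknown host")
    return FAKE_ZONE[ip]


if __name__ == "__main__":
    result = enrich_cmdb(SAMPLE_CMDB, resolver=fake_resolver, timeout=0.1)
    for ip, (status, name) in sorted(result.items()):
        print(f"{ip:<12} {status:<12} {name or '-'}")
    print("safe to rename:", proposed_renames(result))
```

Swap `fake_resolver` for the default `system_resolver` to run it against real DNS; keep the timeout short and the cache in place, since the same slow-resolver problem that Daniel describes for phParser applies to any script you run against the CMDB.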
ManuelRodriguez

Hi Daniel,

Thanks for the reply. I was able to test the setting and, as you predicted, the parsers need to be adjusted accordingly.

One simple sample event is from the CiscoIOSParser (User logged in command activity):
<189>391: Apr 19 12:28:44.172: %PARSER-5-CFGLOG_LOGGEDCMD: User:srv_user logged command:!exec: enable

It would be great if you could tell me how to do the DNS lookup inside the parser; then I am able to customize all the others.

Regards
Manuel
ManuelRodriguez

Hi @Daniel,

I tried to use convertHostNameToIp; however, this really seems to work only for host to IP and not for the other direction.

Regards
Manuel