IBM Support

QRadar Hostname DNS is not being resolved

Troubleshooting


Problem

An IP address seen in Log Activity does not resolve to a hostname, even though the nslookup command can resolve the same IP address from the command line.

Symptom

  1. Log in to the QRadar interface.

  2. Click the Log Activity tab.

  3. Right-click an IP address > More Options > Information > DNS.

Results: The lookup returns no hostname; the IP address is shown instead.

  1. Log in to the Console using an SSH session.

  2. Type the nslookup command with an IP address.
    Example: nslookup 208.67.222.222

Results: This command returns opendns.com as the hostname.

Resolving The Problem

To resolve this issue:
  1. Check the DNS entries in QRadar.
    • QRadar Versions 7.2.8 and 7.3.2
      • On all the appliances, check the entries in /etc/resolv.conf to confirm that the DNS values are correct.
    • QRadar Versions 7.3.0 and 7.3.1
      • Check the Console entries in /etc/resolv.conf.masq are correct.
      • Check the Managed Host entries in /etc/resolv.conf are correct.
  2. Check the DNS server to verify that it is configured correctly, or that QRadar is pointing to the correct DNS server.
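
One way to carry out both checks from the SSH session, as an added example that is not IBM's own tooling: the script lists the nameserver entries in each resolver file named above and sends a reverse (PTR) lookup to each server individually, so a single bad entry stands out. The function names are hypothetical, and it assumes nslookup and awk are available on the appliance.

```shell
#!/bin/sh
# Added example (not from the IBM document): per-nameserver reverse lookup.

# Print each nameserver address from a resolv.conf-style file, one per line.
# Comment lines (# or ;) and other directives (search, options) are skipped.
list_nameservers() {
    [ -r "$1" ] || return 1
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Count the entries. glibc's resolver only uses the first three.
count_nameservers() {
    list_nameservers "$1" | wc -l | tr -d ' '
}

# Ask one specific DNS server for the PTR record of an IP address.
# Prints the hostname and returns 0; returns 1 when no name comes back.
ptr_via_server() {
    ptr_name=$(nslookup "$1" "$2" 2>/dev/null |
        awk '/name = / { print $NF; exit }')
    [ -n "$ptr_name" ] && printf '%s\n' "$ptr_name"
}

# Test every nameserver listed in file $1 against IP address $2.
check_file() {
    for server in $(list_nameservers "$1"); do
        if answer=$(ptr_via_server "$2" "$server"); then
            echo "$1: $server -> $answer"
        else
            echo "$1: $server -> NO PTR ANSWER for $2"
        fi
    done
}

# Usage: sh check_dns.sh 208.67.222.222
# Checks /etc/resolv.conf and, where present, /etc/resolv.conf.masq.
if [ "$#" -gt 0 ]; then
    for f in /etc/resolv.conf /etc/resolv.conf.masq; do
        if [ -r "$f" ]; then
            echo "$f: $(count_nameservers "$f") nameserver entries"
            check_file "$f" "$1"
        fi
    done
fi
```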

Document Location

Worldwide


Document Information

Modified date:
02 April 2019

UID

ibm10876744