Troubleshooting
Problem
An IP address seen in Log Activity does not resolve to a hostname, even though the nslookup command can resolve the same IP address from the command line.
Symptom
- Log in to the QRadar interface.
- Click the Log Activity tab.
- Right-click an IP address and select More Options > Information > DNS.
  Results: The lookup gives no result; an IP address is returned instead of a hostname.
- Log in to the Console using an SSH session.
- Type the command nslookup with an IP address.
  Example: nslookup 208.67.222.222
  Results: This command returns opendns.com as the hostname.
Resolving The Problem
To resolve this issue:
- Check the DNS entries in QRadar.
  - QRadar Versions 7.2.8 and 7.3.2
    - On all the appliances, check the entries in /etc/resolv.conf to confirm that the DNS values are correct.
  - QRadar Versions 7.3.0 and 7.3.1
    - Check that the Console entries in /etc/resolv.conf.masq are correct.
    - Check that the Managed Host entries in /etc/resolv.conf are correct.
- Check the DNS server to verify that it is configured correctly and that the DNS server QRadar is pointing to is the correct one.
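The checks above can be scripted from the Console SSH session. The following is an added example, not IBM-supplied code: it reads the nameserver entries from each resolv.conf file named in this technote and asks every server individually for the reverse (PTR) record of a test IP address, so a server that returns no hostname stands out. The function names are hypothetical, and it assumes nslookup and awk are available on the appliance.

```shell
#!/bin/sh
# Added example (not part of the IBM technote): per-nameserver reverse lookup check.
# Usage: sh check_dns.sh 208.67.222.222

# Print the nameserver addresses found in the resolv.conf-style file $1.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Print the PTR name that DNS server $2 returns for IP $1; fail if none.
ptr_via_server() {
    out=$(nslookup "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$out" |
        awk '/name = / { print $NF; found = 1 } END { exit !found }'
}

# Query every nameserver listed in file $1 for the PTR record of IP $2.
# Returns 1 if the file has no nameserver or any server gives no hostname.
check_resolv_file() {
    file=$1
    ip=$2
    # /etc/resolv.conf.masq is only expected on some versions, so a
    # missing file is reported but not treated as a failure.
    [ -r "$file" ] || { echo "$file: not present or not readable"; return 0; }
    servers=$(list_nameservers "$file")
    [ -n "$servers" ] || { echo "$file: no nameserver entries"; return 1; }
    rc=0
    for s in $servers; do
        if name=$(ptr_via_server "$ip" "$s"); then
            echo "$file: $s resolves $ip to $name"
        else
            echo "$file: $s returned no hostname for $ip"
            rc=1
        fi
    done
    return $rc
}

# Run against both files from the technote when a test IP is supplied.
if [ -n "${1:-}" ]; then
    for f in /etc/resolv.conf /etc/resolv.conf.masq; do
        check_resolv_file "$f" "$1"
    done
fi
```

A server that appears in the file but returns no hostname for an address that nslookup otherwise resolves is the entry to correct or to investigate on the DNS server side.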
Document Location
Worldwide
Document Information
Modified date: 02 April 2019
UID: ibm10876744