QRadar: Heavy DNS traffic from QRadar



When a local name server (BIND) is used, it sometimes sends reverse queries to confirm the relationship between an IP address and its hostname. If PTR records are not configured for the local IP addresses, QRadar might not be able to respond to the BIND server. If this happens frequently, QRadar receives a high number of unwanted events about unsuccessful reverse lookups, and this event volume might have an impact on your license.

Resolving The Problem

To resolve this issue, use one of the following options:

  • Option 1
    Add any missing hostnames to the /etc/hosts file on the target collector that receives events from the DNS BIND server.

    To do this:

    1. Back up /etc/hosts to the /storetmp directory:
       cp /etc/hosts /storetmp

    2. Use the vi editor to add each IP address and hostname pair for the sources whose events the target collector receives from the DNS BIND server.

    3. Save the changes by typing:
       esc :wq

  • Option 2
    Create PTR records on the DNS server for all the IP addresses that are not being resolved on QRadar.
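As an added example (not part of the IBM technote), the following POSIX shell check lists the source IPs that still lack an /etc/hosts entry, so you know exactly which lines to add in step 2 of Option 1. The hosts file content, IP addresses and hostnames are constructed sample data, not values from a real collector.

```shell
#!/bin/sh
# Added example: find source IPs that have no /etc/hosts entry yet.

# Constructed sample /etc/hosts content, standing in for the collector's file.
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
# event sources already mapped
10.0.0.5    eventcollector01.example.test   # primary collector
10.0.0.6    fw-edge.example.test
'

# Constructed list of "IP hostname" pairs taken from the unsuccessful reverse
# lookup events; the hostnames are the names you intend to map.
SAMPLE_SOURCES='10.0.0.5 eventcollector01.example.test
10.0.0.7 dns-bind01.example.test
10.0.0.8 proxy01.example.test
'

# hosts_has_ip HOSTS_TEXT IP: succeed if IP is the first field of a
# non-comment, non-blank line (exact match, so 10.0.0.5 does not match 10.0.0.50).
hosts_has_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == ip { found = 1; exit }
        END { if (!found) exit 1 }'
}

# missing_hosts_entries HOSTS_TEXT SOURCES_TEXT: print one "IP<TAB>hostname"
# line per source IP without an entry, ready to append to /etc/hosts.
missing_hosts_entries() {
    hosts=$1
    printf '%s\n' "$2" | while read -r ip name; do
        [ -n "$ip" ] || continue
        hosts_has_ip "$hosts" "$ip" || printf '%s\t%s\n' "$ip" "$name"
    done
}

# Stand-alone run: show what would need to be appended after the step 1 backup.
missing_hosts_entries "$SAMPLE_HOSTS" "$SAMPLE_SOURCES"
```

Run it against the real file with `missing_hosts_entries "$(cat /etc/hosts)" "$(cat sources.txt)"` once you have built the source list, and append the output only after taking the backup from step 1.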

