Troubleshooting
Problem
When a local name server (Bind) is in use, it sometimes sends reverse queries to confirm the relationship between an IP address and a hostname. If PTR records are not configured for the local IP addresses, QRadar might not be able to respond to the Bind server. If this happens frequently, QRadar receives a high number of unwanted events about unsuccessful reverse lookups. This volume of events might have an impact on your license.
Resolving The Problem
To resolve this issue:
Option 1
Add any missing hostname to the /etc/hosts file on the target collector that is receiving events from the DNS bind server.
To do this:
- Back up /etc/hosts to the directory /storetmp:
  cp /etc/hosts /storetmp
- Use the vi editor to add each IP and host name on the target collector that you will receive from the DNS bind server.
- Save the changes by typing:
  esc :wq
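Option 1 scripted, as an added example that is not part of the original IBM document: it takes the same backup, then appends only the IP and host name pairs that /etc/hosts does not already contain, and skips malformed lines. The function names, the pairs-file format and the script name are assumptions; the two paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not IBM code). add_missing_hosts and is_ipv4 are hypothetical
# helper names; HOSTS_FILE and BACKUP_DIR default to the paths used on the page
# and can be overridden to rehearse against a copy.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
BACKUP_DIR="${BACKUP_DIR:-/storetmp}"

# Succeeds only for a dotted-quad IPv4 address with four octets in 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Reads "IP hostname" lines from file $1 (constructed sample line:
# "10.0.0.6 web1.example.test"), backs up HOSTS_FILE, then appends each pair
# whose IP has no entry yet. Prints the number of entries added.
add_missing_hosts() {
    added=0
    cp "$HOSTS_FILE" "$BACKUP_DIR/" || return 1    # backup step from the page
    while read -r ip name extra; do
        case "$ip" in ''|'#'*) continue ;; esac      # blank line or comment
        case "$name" in ''|*[!A-Za-z0-9.-]*) extra=invalid ;; esac
        if ! is_ipv4 "$ip" || [ -n "$extra" ]; then
            echo "skipped malformed line: $ip $name" >&2
            continue
        fi
        # Leave IPs that already have an entry alone, so reruns add nothing.
        if awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' "$HOSTS_FILE"; then
            continue
        fi
        printf '%s\t%s\n' "$ip" "$name" >> "$HOSTS_FILE"
        added=$((added + 1))
    done < "$1"
    echo "$added"
}

# Run only when a pairs file is given, e.g.: sh add_hosts.sh pairs.txt
if [ $# -ge 1 ]; then add_missing_hosts "$1"; fi
```

Each run overwrites the copy in the backup directory, exactly as the manual cp step does, so keep the first backup elsewhere if the script is run more than once.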
Option 2
Create PTR records on the DNS server for all the IP addresses not being resolved on QRadar.
Document Location
Worldwide
Document Information
Modified date: 26 January 2021
UID: ibm10884544