Troubleshooting
Problem
If a local name server (BIND) runs on the same network as QRadar, it can send reverse DNS queries to QRadar to confirm IP address and hostname relationships.
If the IP addresses of the QRadar Managed Hosts are not covered by PTR records on the local name server, the operating system of the QRadar host might not be able to answer the BIND server's reverse lookups. When this happens frequently, the QRadar monitoring engine can receive a high number of unwanted events for the failed reverse lookups. The excess volume of these events might have an impact on your license, because they are counted like all other events.
Resolving The Problem
To resolve this issue, use one of the following options.
Option 1
Add any missing IP addresses and hostnames to the /etc/hosts file on the target collector that is receiving events from the DNS BIND server.
- SSH to the target collector.
- Back up /etc/hosts to your chosen location.
- Use your preferred text editor to add the IP address and hostname for any DNS servers on the network.
- Save the changes.
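As an added example, not part of this IBM technote, the following POSIX shell helper performs the backup-and-edit step above idempotently, so it can be run once per Managed Host without creating duplicate lines; the file path, IP address and hostname it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM technote: back up a hosts file and add an
# IP/hostname pair only if that exact mapping is not already present, so the
# helper can be re-run safely for each Managed Host. The file path, IP and
# hostname shown below are constructed placeholders.

# hosts_has_entry <hosts-file> <ip> <hostname>
# Exit 0 if a non-comment line maps <ip> to <hostname> (whole-field match),
# so "192.0.2.1" does not match "192.0.2.10" and "host" does not match "host2".
hosts_has_entry() {
    awk -v ip="$2" -v name="$3" '
        /^[[:space:]]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit !found }' "$1"
}

# add_hosts_entry <hosts-file> <ip> <hostname>
# Takes a timestamped backup beside the file before any change, then appends
# the mapping if it is missing. Exit 0 on success or if already present,
# 1 on bad input or an unreadable file.
add_hosts_entry() {
    hosts_file=$1 ip=$2 name=$3
    [ -n "$hosts_file" ] && [ -n "$ip" ] && [ -n "$name" ] || return 1
    [ -r "$hosts_file" ] || return 1
    if hosts_has_entry "$hosts_file" "$ip" "$name"; then
        return 0
    fi
    cp -p "$hosts_file" "$hosts_file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    printf '%s\t%s\n' "$ip" "$name" >> "$hosts_file"
}

# Example run on the collector (constructed values; run as root to edit /etc/hosts):
#   add_hosts_entry /etc/hosts 192.0.2.10 qradar-mh01.example.com
```

After editing, `getent hosts 192.0.2.10` on the collector shows whether the operating system now resolves the address through the hosts file.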
Option 2
Create PTR records on your DNS server for the IP addresses and hostnames of each of your QRadar Managed Hosts.
Document Location
Worldwide
Document Information
Modified date:
30 June 2023
UID
ibm10884544