Fortinet black logo

FortiSIEM Reference Architecture Using ClickHouse

Home FortiSIEM 6.7.3 FortiSIEM Reference Architecture Using ClickHouse
6.7.3
7.1.6
7.1.5
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.3
7.0.2
7.0.1
7.0.0
6.7.9
6.7.8
6.7.7
6.7.6
6.7.5
6.7.4
6.7.3
6.7.2
6.7.1
6.7.0

DNS

DNS

FortiSIEM can be configured to perform DNS resolution of parsed IP address fields as part of event processing and enrichment. This allows the analyst to see the domain name of the address when reviewing logs and performing investigations.

If enabled, DNS resolution is performed by the ingesting node as the event is processed. This could be a collector at a remote site in a distributed solution. When using this feature, design the supporting DNS services to provide resolution of addresses received by the system at the point of ingestion, and ensure the nodes are configured with the correct DNS server addresses to allow the request to be sent.

Failing to provide suitable DNS services will result in many failed DNS requests on the node, which can impact performance. If the deployment scenario prevents adequate DNS services being deployed and the node is experiencing DNS based performance issues, disable DNS for the entire node by modifying the phoenix_config.txt file value use_dns_lookup=no and restarting the node services. By default, DNS lookups are already disabled.

Previous
Next

DNS

FortiSIEM can be configured to perform DNS resolution of parsed IP address fields as part of event processing and enrichment. This allows the analyst to see the domain name of the address when reviewing logs and performing investigations.

If enabled, DNS resolution is performed by the ingesting node as the event is processed. This could be a collector at a remote site in a distributed solution. When using this feature, design the supporting DNS services to provide resolution of addresses received by the system at the point of ingestion, and ensure the nodes are configured with the correct DNS server addresses to allow the request to be sent.

Failing to provide suitable DNS services will result in many failed DNS requests on the node, which can impact performance. If the deployment scenario prevents adequate DNS services being deployed and the node is experiencing DNS based performance issues, disable DNS for the entire node by modifying the phoenix_config.txt file value use_dns_lookup=no and restarting the node services. By default, DNS lookups are already disabled.

Previous
Next