
Match SIEM events by computer name

I would like to get all events from a given computer name in an AD environment where DHCP changes host IPs.

- How should I match a host name to its IP on each event logged? (The hostname is not part of most data sources' logs.)

- How should I match all historical events to a given hostname?

Looking forward to hearing from you.

Thanks in advance.

4 Replies

Re: Match SIEM events by computer name

Do you have an event being logged on the Windows side recording this info you are requesting?

Re: Match SIEM events by computer name

Yes, a file on the DHCP Servers records this info.

This is a sample of the file:

30,10/30/15,17:50:20,DNS Update Request,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0
11,10/30/15,17:50:20,Renew,10.2.7.10,SRD3V103.Domain.com,5CF9DDEB68FE,,4093880305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
32,10/30/15,17:50:20,DNS Update Successful,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0
30,10/30/15,17:50:47,DNS Update Request,10.2.7.6,SRPC0002.Domain.com,,,0,6,,,,,,,,,0
11,10/30/15,17:50:47,Renew,10.2.7.6,SRPC0002.Domain.com,5CF9DDEDE0EC,,4209042516,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
32,10/30/15,17:50:48,DNS Update Successful,10.2.7.6,SRPC0002.Domain.com,,,0,6,,,,,,,,,0
30,10/30/15,17:53:41,DNS Update Request,10.2.7.5,SR1MR48S1.Domain.com,,,0,6,,,,,,,,,0
11,10/30/15,17:53:41,Renew,10.2.7.5,SR1MR48S1.Domain.com,782BCBC1CB27,,712625876,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
32,10/30/15,17:53:41,DNS Update Successful,10.2.7.5,SR1MR48S1.Domain.com,,,0,6,,,,,,,,,0
30,10/30/15,17:53:48,DNS Update Request,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0
11,10/30/15,17:53:48,Renew,10.2.7.10,SRD3V103.Domain.com,5CF9DDEB68FE,,1913489088,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
32,10/30/15,17:53:48,DNS Update Successful,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0
30,10/30/15,17:55:24,DNS Update Request,10.2.7.6,SRPC0002.Domain.com,,,0,6,,,,,,,,,0
11,10/30/15,17:55:24,Renew,10.2.7.6,SRPC0002.Domain.com,5CF9DDEDE0EC,,3766396532,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
32,10/30/15,17:55:24,DNS Update Successful,10.2.7.6,SRPC0002.Domain.com,,,0,6,,,,,,,,,0
30,10/30/15,17:56:24,DNS Update Request,10.2.7.14,SRPC0004.Domain.com,,,0,6,,,,,,,,,0
11,10/30/15,17:56:24,Renew,10.2.7.14,SRPC0004.Domain.com,782BCBC20103,,674437840,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
32,10/30/15,17:56:24,DNS Update Successful,10.2.7.14,SRPC0004.Domain.com,,,0,6,,,,,,,,,0
30,10/30/15,18:01:36,DNS Update Request,10.2.7.4,SR20HJ8S1.Domain.com,,,0,6,,,,,,,,,0
11,10/30/15,18:01:36,Renew,10.2.7.4,SR20HJ8S1.Domain.com,782BCBC200FA,,1730255286,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
32,10/30/15,18:01:36,DNS Update Successful,10.2.7.4,SR20HJ8S1.Domain.com,,,0,6,,,,,,,,,0
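One way to do the join the thread is asking about, as an added example (not part of the original posts and not a McAfee product feature): parse the Windows DHCP server audit log above into a per-address lease timeline, then resolve each SIEM event's source IP to whichever host held the lease at the event's timestamp. Because the timeline is time-indexed rather than a flat IP-to-host table, the same IP can map to different hosts before and after a release, and "all historical events for host X" becomes a filter over the enriched events. The DHCP log lines in the block are constructed for the example (two copied from the post, the Release and the re-lease to WSLAPTOP07 invented to show an address changing hands), and the SIEM events are constructed too; the event ID meanings are the ones listed in the header the DHCP server writes at the top of each DhcpSrvLog file.

```python
"""Resolve SIEM event IPs to hostnames via a Windows DHCP audit-log lease timeline.

Added example; not code from the thread or from McAfee.  Sample log lines and
SIEM events below are constructed for the demonstration.
"""
import bisect
import csv
from datetime import datetime
from io import StringIO

# Event IDs as documented in the DhcpSrvLog header.  10/11 bind an address to
# a host, 12/16/17 end the lease.  DNS update events (30-32) carry the same
# IP/host pair but do not change lease state, so they are ignored.
LEASE_START = {"10", "11"}       # New lease, Renew
LEASE_END = {"12", "16", "17"}   # Release, Lease deleted, Lease expired

# Constructed DHCP audit-log excerpt.  Field order follows the log header:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
DHCP_LOG = """\
11,10/30/15,17:50:20,Renew,10.2.7.10,SRD3V103.Domain.com,5CF9DDEB68FE,,4093880305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
11,10/30/15,17:50:47,Renew,10.2.7.6,SRPC0002.Domain.com,5CF9DDEDE0EC,,4209042516,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
12,10/30/15,18:10:00,Release,10.2.7.10,SRD3V103.Domain.com,5CF9DDEB68FE,,0,0,,,,,,,,,0
10,10/30/15,18:12:30,Assign,10.2.7.10,WSLAPTOP07.Domain.com,001122334455,,0,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
"""

# Constructed SIEM events keyed only by source IP, as most data sources are.
# Assumes the SIEM time has already been converted to the DHCP server's local
# time zone; mixing UTC with local DHCP timestamps produces wrong hosts.
SIEM_EVENTS = [
    {"time": "2015-10-30 17:55:00", "src_ip": "10.2.7.10", "msg": "4625 logon failure"},
    {"time": "2015-10-30 18:11:00", "src_ip": "10.2.7.10", "msg": "port scan"},
    {"time": "2015-10-30 18:20:00", "src_ip": "10.2.7.10", "msg": "smb share access"},
    {"time": "2015-10-30 17:52:00", "src_ip": "10.2.7.6", "msg": "service start"},
]


def _parse_dhcp_time(date_field, time_field):
    """DHCP audit log writes MM/DD/YY and HH:MM:SS in the server's local time."""
    return datetime.strptime(f"{date_field} {time_field}", "%m/%d/%y %H:%M:%S")


class LeaseTimeline:
    """Per-IP sorted list of (timestamp, hostname-or-None) lease transitions."""

    def __init__(self):
        self._times = {}   # ip -> [datetime, ...] kept sorted
        self._hosts = {}   # ip -> [hostname or None, ...] parallel to _times

    def record(self, ip, when, host):
        times = self._times.setdefault(ip, [])
        hosts = self._hosts.setdefault(ip, [])
        i = bisect.bisect_right(times, when)   # tolerate out-of-order log files
        times.insert(i, when)
        hosts.insert(i, host)

    def host_at(self, ip, when):
        """Host holding `ip` at `when`, or None if no lease was active."""
        times = self._times.get(ip)
        if not times:
            return None
        i = bisect.bisect_right(times, when) - 1   # latest transition <= when
        return None if i < 0 else self._hosts[ip][i]


def build_timeline(log_text):
    tl = LeaseTimeline()
    for row in csv.reader(StringIO(log_text)):
        # Real log files start with prose and a column-header row; skip anything
        # that does not begin with a numeric event ID and carry an IP/host pair.
        if len(row) < 6 or not row[0].isdigit():
            continue
        event_id, date, time, _desc, ip, host = row[:6]
        if event_id in LEASE_START:
            tl.record(ip, _parse_dhcp_time(date, time), host)
        elif event_id in LEASE_END:
            tl.record(ip, _parse_dhcp_time(date, time), None)
    return tl


def enrich(timeline, events):
    """Return copies of `events` with a 'host' field resolved at event time."""
    out = []
    for ev in events:
        when = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        out.append({**ev, "host": timeline.host_at(ev["src_ip"], when)})
    return out


def events_for_host(timeline, events, hostname):
    """All events whose source IP was leased to `hostname` when they occurred."""
    want = hostname.lower()
    return [ev for ev in enrich(timeline, events) if (ev["host"] or "").lower() == want]


if __name__ == "__main__":
    tl = build_timeline(DHCP_LOG)
    for ev in enrich(tl, SIEM_EVENTS):
        print(ev["time"], ev["src_ip"], "->", ev["host"] or "<no lease>", "|", ev["msg"])
```

The lookup is only as good as the log coverage: the DHCP server rotates DhcpSrvLog by weekday, so every day's file has to be collected (from every DHCP server in the environment) before the timeline is complete, and an event that falls in the gap between a release and the next assignment correctly resolves to no host rather than to the previous owner. Clock skew between the DHCP server and the log sources will shift which lease an event lands in, so normalize time zones before the join.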

Re: Match SIEM events by computer name

Did you get this resolved?

btkarp

Re: Match SIEM events by computer name

I would assume you would need to put the McAfee Agent Collector on each DHCP host in order to keep logs separated by hostname... Do you have ePO implemented? You can easily push the Agent to each server this way.
