Showing results for 
Show  only  | Search instead for 
Did you mean: 
Level 9
Report Inappropriate Content
Message 1 of 5

Match SIEM events by computer name

I would like to get all events from a given computer name in an AD environment where DHCP change host IPs.

- How should I match a host name to its IP on each event loged? (the hostname is not part of most data sources logs)

- How should I match all historical events to a given hostname?

Looking forward to hearing from you.

Thanks in advance.

4 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 5

Re: Match SIEM events by computer name

Do you have an event being logged on the windows side recording this info you are requesting?

Level 9
Report Inappropriate Content
Message 3 of 5

Re: Match SIEM events by computer name

Yes, a file on the DHCP Servers records this info.

This is a sample of the file:

30,10/30/15,17:50:20,DNS Update Request,,,,,0,6,,,,,,,,,0

11,10/30/15,17:50:20,Renew,,,5CF9DDEB68FE,,4093880305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

32,10/30/15,17:50:20,DNS Update Successful,,,,,0,6,,,,,,,,,0

30,10/30/15,17:50:47,DNS Update Request,,,,,0,6,,,,,,,,,0

11,10/30/15,17:50:47,Renew,,,5CF9DDEDE0EC,,4209042516,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

32,10/30/15,17:50:48,DNS Update Successful,,,,,0,6,,,,,,,,,0

30,10/30/15,17:53:41,DNS Update Request,,,,,0,6,,,,,,,,,0

11,10/30/15,17:53:41,Renew,,,782BCBC1CB27,,712625876,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

32,10/30/15,17:53:41,DNS Update Successful,,,,,0,6,,,,,,,,,0

30,10/30/15,17:53:48,DNS Update Request,,,,,0,6,,,,,,,,,0

11,10/30/15,17:53:48,Renew,,,5CF9DDEB68FE,,1913489088,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

32,10/30/15,17:53:48,DNS Update Successful,,,,,0,6,,,,,,,,,0

30,10/30/15,17:55:24,DNS Update Request,,,,,0,6,,,,,,,,,0

11,10/30/15,17:55:24,Renew,,,5CF9DDEDE0EC,,3766396532,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

32,10/30/15,17:55:24,DNS Update Successful,,,,,0,6,,,,,,,,,0

30,10/30/15,17:56:24,DNS Update Request,,,,,0,6,,,,,,,,,0

11,10/30/15,17:56:24,Renew,,,782BCBC20103,,674437840,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

32,10/30/15,17:56:24,DNS Update Successful,,,,,0,6,,,,,,,,,0

30,10/30/15,18:01:36,DNS Update Request,,,,,0,6,,,,,,,,,0

11,10/30/15,18:01:36,Renew,,,782BCBC200FA,,1730255286,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

32,10/30/15,18:01:36,DNS Update Successful,,,,,0,6,,,,,,,,,0

Former Member
Not applicable
Report Inappropriate Content
Message 4 of 5

Re: Match SIEM events by computer name

did you get this resolved?

Level 9
Report Inappropriate Content
Message 5 of 5

Re: Match SIEM events by computer name

I would assume you would need to put the McAfee Agent Collector on each DHCP host in order in order to keep logs separated by hostname...Do you have ePO implemented - you can easily push the Agent to each server this way.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community