2 Replies Latest reply on Jun 4, 2016 11:07 AM by d_j

    Adding Windows Data sources using only Hostname


      I am trying to add workstations into SIEM; like most networks, the workstations are using DHCP. I was using SIEM version 9.3, and this version would only allow me to add workstations using the IP address, which will of course change over time, no doubt causing the workstations to error in SIEM. I was advised that I needed to upgrade to the latest version that would allow me to add workstations using the hostname instead of the IP address, so I recently upgraded to SIEM version 9.4.2.


      When I now attempt to add a Windows data source using only the hostname and not the IP address, I get this error message when I click the test connection option.


      "WMI Event Log Test connection unsuccessful. DNS lookup failed for PC-10062NotOk Incorrect parameters supplied."


      I have made sure the 2 DNS servers for my network are added under the network settings.


      Any ideas how I can overcome this?


      Kind Regards,



        • 1. Re: Adding Windows Data sources using only Hostname



          I do not know that it is possible to add devices by hostname only. I know in 9.4.x McAfee removed the field for WMI NetBIOS name, but I believe you still need the IP address.


          I would consider doing an ePO deployment of the Windows Event Collector to the workstations, and using the client machine's host-name as the host-id in the configuration. In the receiver interface, communications tab, you can specify the DHCP range to listen for MEF, and then on the host machines you are creating data sources for, do data retrieval method MEF, and specify a name and host id.


          As long as the host id is correct and matches the host id of the endpoint configuration, you should be able to place your data into appropriate containers.

          • 2. Re: Adding Windows Data sources using only Hostname

            Not sure if this is still an issue for you but I got it going using the FQDN name (pc1.contoso.com) versus just the hostname (pc1). Hope this helps.
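
Added example (not part of any post in this thread, and not McAfee code): a pre-flight check that qualifies short workstation names into FQDNs and reports which ones would fail a DNS lookup before they are entered as data sources. The domain `contoso.com`, the function names and the sample zone are assumptions made for illustration.

```python
import re
import socket

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def to_fqdn(name, domain):
    """Qualify a short hostname with `domain`; leave dotted names unchanged."""
    name = name.strip().rstrip(".").lower()
    if "." in name:
        return name
    return f"{name}.{domain.strip('.').lower()}"


def is_valid_fqdn(fqdn):
    """Syntactic check only: at least two valid labels, total length <= 253."""
    labels = fqdn.split(".")
    return len(fqdn) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def system_resolver(fqdn):
    """Resolve with the OS resolver; return sorted addresses, or [] on failure."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def preflight(names, domain, resolve=system_resolver):
    """Return {original_name: (fqdn, status, addresses)} for each candidate."""
    report = {}
    for name in names:
        fqdn = to_fqdn(name, domain)
        if not is_valid_fqdn(fqdn):
            report[name] = (fqdn, "invalid-name", [])
            continue
        addrs = resolve(fqdn)
        report[name] = (fqdn, "ok" if addrs else "dns-lookup-failed", addrs)
    return report


if __name__ == "__main__":
    # Constructed sample zone so the demo runs offline; drop the lambda to use real DNS.
    zone = {"pc1.contoso.com": ["10.0.0.21"]}
    result = preflight(["pc1", "PC2", "bad_name"], "contoso.com", lambda f: zone.get(f, []))
    for name, row in result.items():
        print(name, *row)
```

Run it from a host that uses the same DNS servers as the SIEM, since a name that resolves elsewhere through a search suffix can still fail there.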