Events include either IP addresses or hostnames, by default. You can configure Sentinel to resolve IP addresses to hostnames or vice versa so that events include both IP addresses and the corresponding hostnames. You can also configure Sentinel to include both IPv4 and IPv6 IP addresses. This additional information helps you to easily relate events from devices reporting IP addresses and other devices reporting hostnames when analyzing events and alerts.
You can configure Sentinel to resolve hostnames to IP addresses or vice versa by editing the configuration.properties file. These two options can be enabled independently. Both successful and failed lookups are cached for a short period to minimize lookups to the DNS server and maximize event throughput.
To resolve hostnames and IP addresses in an event:
Log in to the Sentinel server as novell user.
Open the <sentinel_install_directory>/etc/opt/novell/sentinel/config/configuration.properties file.
(Conditional) To resolve hostnames to IP addresses, add the enrich.event.host_ip_lookup property and set the value to true as follows:
enrich.event.host_ip_lookup=true
This includes the corresponding IP addresses of the hostnames in events.
If the hostname resolution returns both IPv4 and IPv6 addresses, only the IPV4 address is included in an event, by default. To include the IPV6 address in the event, add the event.host_ip_lookup.prefer.ipv6 property and set the value to true as follows:
event.host_ip_lookup.prefer.ipv6=true
(Conditional) To resolve IP addresses to hostnames, add the enrich.event.ip_host_lookup property and set the value to true as follows:
enrich.event.ip_host_lookup=true
This includes the corresponding hostnames of the IP addresses in events.
Restart Sentinel to apply the changes made to the configuration.properties file.