Host Records
Host records identify and assign useful information to important systems in your network. When analyzing log messages and creating events, the MPE tries to associate the actors involved in the event (such as the event's source IP) with a known host. If a known host is identified, the risk threshold from that host record is used to calculate the Risk-Based Priority (RBP); if no host record is found, the network's risk threshold is used instead. Host records are also a good place to record information such as the purpose of the system, any known issues, and key contacts.
Duplicate Host Names
Host names within Entities should be unique. However, some sites may have hosts in two different entities that have identical host names or host name identifiers as shown in the following diagram.
When the situation that is shown in the preceding diagram occurs, an additional step is required in LogRhythm to allow an unregistered agent to auto-register. A LogRhythm administrator must specify the EntityID in the General section of the scsm.ini file in the format:
[General]
EntityID=X
When the EntityID is present, the agent sends it to the mediator in its identification message (also known as the agent info string). For example, when EntityID=5, the agent info string sent to the mediator looks like:
HOSTGUID=00093D13802A,HOSTNAME=platinum.schq.secious.com,VERSION=1.2.3.4,OS=Linux,OSVERSION=2.6.23.17,IPS=[10.1.1.38],CLIENTADDRESS=10.1.1.38,CPU=0.40,MEMORY=3785445376,MEMORYFREE=3230511104,AGENTMEMORYUSED=0,AGENTCPU=0,DISKIDLE=0,DISK=0,DISKFREE=0,ENTITYID=5
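A defender reviewing agent registrations may want to pull the ENTITYID (and the host identifiers) out of this string programmatically, for instance to confirm which entity an auto-registering agent will land in. The parser below is an added example, not LogRhythm code; it assumes the format shown above (comma-separated KEY=VALUE fields, with the IPS value in square brackets) and treats the bracketed list as possibly containing several comma-separated addresses.

```python
from typing import Dict, List, Optional, Union

# Constructed sample: the agent info string the page shows for EntityID=5.
SAMPLE_AGENT_INFO = (
    "HOSTGUID=00093D13802A,HOSTNAME=platinum.schq.secious.com,VERSION=1.2.3.4,"
    "OS=Linux,OSVERSION=2.6.23.17,IPS=[10.1.1.38],CLIENTADDRESS=10.1.1.38,"
    "CPU=0.40,MEMORY=3785445376,MEMORYFREE=3230511104,AGENTMEMORYUSED=0,"
    "AGENTCPU=0,DISKIDLE=0,DISK=0,DISKFREE=0,ENTITYID=5"
)

Value = Union[str, List[str]]


def split_fields(info: str) -> List[str]:
    """Split on commas that are not inside square brackets, so a
    multi-address IPS=[a,b] list stays one field (assumed format)."""
    fields, current, depth = [], [], 0
    for ch in info:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth = max(depth - 1, 0)
        if ch == "," and depth == 0:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        fields.append("".join(current))
    return fields


def parse_agent_info(info: str) -> Dict[str, Value]:
    """Turn KEY=VALUE fields into a dict; bracketed values become lists."""
    parsed: Dict[str, Value] = {}
    for field in split_fields(info):
        key, sep, value = field.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {field!r}")
        if value.startswith("[") and value.endswith("]"):
            parsed[key] = [v for v in value[1:-1].split(",") if v]
        else:
            parsed[key] = value
    return parsed


def entity_id(info: str) -> Optional[int]:
    """Return the EntityID the agent claims, or None when the agent sent
    none (the case where the host name alone decides the entity)."""
    raw = parse_agent_info(info).get("ENTITYID")
    if raw is None or isinstance(raw, list):
        return None
    return int(raw)


if __name__ == "__main__":
    print(parse_agent_info(SAMPLE_AGENT_INFO))
    print("EntityID:", entity_id(SAMPLE_AGENT_INFO))
```

Because the IPS value is bracketed, a naive `split(",")` would break on an agent that reports more than one address; the bracket-aware splitter keeps that list intact.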
Known Hosts
Known Hosts are specific devices and hosts that are entered in LogRhythm to:
- Provide a consolidated roll-up of log message activity.
- Be used in the calculation of Risk Based Priority and Direction.
- Be available as criteria for all filtering functions across the product.
Log messages are associated with Known Hosts based on host identifiers in the log. The identifiers can be Windows Host Name(s), DNS Host Name(s), and IP Address(es). When applicable, the host is searched for first by host name and then by IP address.
Zones
Hosts and Networks are also assigned a Zone value of Internal, External, or DMZ. The Zone is assigned in the order:
- Zone of the resolved Known Host.
- Zone of the resolved Network.
- The IP address:
  - If the IP Address is private, set the Zone to Internal.
  - If the IP Address is public, set the Zone to External.
  - If there is no IP Address, set the Zone to Unknown.
Direction
A Direction is assigned to log messages when the zone of both Origin and Impacted Host is known.
Direction | Set If |
---|---|
Local | Origin and Impacted Host are the same |
External | Origin Zone External and Impacted Zone anything |
Internal | Origin Zone Internal and Impacted Zone Internal; Origin Zone DMZ and Impacted Zone Internal; Origin Zone Internal and Impacted Zone DMZ; Origin Zone DMZ and Impacted Zone DMZ |
Outbound | Origin Zone Internal and Impacted Zone External; Origin Zone DMZ and Impacted Zone External |
Unknown | No value for both Origin and Impacted Host; Origin Zone undetermined; Impacted Zone undetermined; Unidentified logs |
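The zone-resolution order above and the direction table together form a small decision procedure, and it is worth seeing it end to end because the Direction a log receives (and so its RBP and any "outbound" detection logic built on it) depends on which step resolved each zone. The code below is an added example, not LogRhythm's implementation: the KnownHost and KnownNetwork records, the sample hosts and networks, and the use of Python's `ipaddress` private-range test as the "private IP" check are all assumptions. "Impacted Zone anything" in the External row is read as any resolved zone, since the page says Direction is only assigned when both zones are known.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class KnownHost:
    name: str
    zone: str                                   # "Internal", "External" or "DMZ"
    identifiers: Set[str] = field(default_factory=set)  # host names and IPs


@dataclass
class KnownNetwork:
    cidr: str
    zone: str


# Constructed sample records (assumed, not from any real deployment).
HOSTS = [KnownHost("platinum", "DMZ", {"platinum.schq.secious.com", "10.1.1.38"})]
NETS = [KnownNetwork("10.2.0.0/16", "Internal"), KnownNetwork("203.0.113.0/24", "DMZ")]
KNOWN_ZONES = {"Internal", "External", "DMZ"}


def find_known_host(hosts: List[KnownHost], host_name: Optional[str],
                    ip: Optional[str]) -> Optional[KnownHost]:
    """Search by host name first, then by IP, as the page describes."""
    for ident in (host_name, ip):
        if ident is None:
            continue
        for host in hosts:
            if ident.lower() in {i.lower() for i in host.identifiers}:
                return host
    return None


def resolve_zone(host_name: Optional[str], ip: Optional[str],
                 hosts: List[KnownHost], networks: List[KnownNetwork]) -> str:
    """Apply the three-step zone order: Known Host, then Network, then IP."""
    host = find_known_host(hosts, host_name, ip)
    if host is not None:
        return host.zone                        # step 1
    if ip is None:
        return "Unknown"                        # step 3, no address at all
    addr = ipaddress.ip_address(ip)
    for net in networks:                        # step 2
        if addr in ipaddress.ip_network(net.cidr, strict=False):
            return net.zone
    return "Internal" if addr.is_private else "External"   # step 3


def direction(origin_zone: str, impacted_zone: str, same_host: bool = False) -> str:
    """Map an (origin, impacted) zone pair onto the Direction table."""
    if same_host:
        return "Local"
    if origin_zone not in KNOWN_ZONES or impacted_zone not in KNOWN_ZONES:
        return "Unknown"                        # either zone undetermined
    if origin_zone == "External":
        return "External"                       # impacted zone can be anything
    if impacted_zone == "External":
        return "Outbound"                       # Internal/DMZ -> External
    return "Internal"                           # Internal/DMZ -> Internal/DMZ


if __name__ == "__main__":
    o = resolve_zone(None, "10.2.7.7", HOSTS, NETS)       # Network match -> Internal
    i = resolve_zone(None, "8.8.8.8", HOSTS, NETS)        # public IP -> External
    print(o, "->", i, "=", direction(o, i))               # Outbound
```

Note that a Known Host's zone wins even when its IP falls inside a Network with a different zone, so a stale or mis-zoned host record silently changes the Direction of every log that resolves to it; that is the record an administrator should check first when an "Outbound" or "External" event looks wrong.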
Batch Import Host Records Overview
Global Administrators can add hosts to an entity in batch, either by pasting from the clipboard or by importing an existing file of hosts. The clipboard option uses the Windows copy/paste feature: whatever you copy from a document is pasted into the Host Import Manager when you select that option, and you can then review what was pasted and accept or reject it. Hosts added from the clipboard are added to the selected Entity. The file option imports data from an existing file in a specified format. In both cases, you can review the hosts that were pasted from the clipboard or imported from a file before they are persisted to your LogRhythm Deployment.
Host Import Manager
When batch importing Host Records, the Host Import Manager appears. The Host Import Manager grid contains the following columns.
Column | Explanation |
---|---|
Action | Used in conjunction with the context menu actions option |
Status | The status of that host record based on its current existence in the deployment |
LogRhythm Host Name | |
Entity Name | |
Description | |
Details | |
Risk Level | Integer from 0 (None/No risk) to 9 (high-high/highest risk) |
Threat Level | Integer from 0 (None/No threat) to 9 (high-high/highest threat) |
Zone | Internal, External, or DMZ |
Windows Name | |
DNS Name | |
IP Address | |
Status Column Values in the Host Import Manager
The Status column displays different values based on the record being imported and its current existence in your deployment. The table below outlines the outcome of Host Record Analysis and its associated status value.
Host Record Analysis Outcome | Status Value |
---|---|
No existing Host conflicts | New Host: The host record will be added as a new host. |
Host exists in selected entity and is enabled | Warning Type 1: Host exists in specified entity and is active. Accepting this Host will add any new identifiers and overwrite other specified values of the existing Host. |
Host exists in selected entity and is retired | Warning Type 2: Host exists in specified entity and is retired. Accepting this Host will re-enable the existing host, add any new identifiers and overwrite other specified values of the existing Host. |
Host exists in root or child entity and is enabled | Warning Type 3: Host exists for another Entity within the specified Entity family and is active. Creating a new Host with the same identifiers is not recommended. Accepting this Host causes a new Host to be created in the specified Entity. |
Host exists in root or child entity and is disabled | Warning Type 4: Host exists for another Entity within the specified Entity family and is retired. Creating a new Host with the same identifiers is not recommended. Select the action you would like to take for this Host within the Warning Type 4 Acceptance Mode control. When a Warning Type 4 is experienced, there is an Acceptance Mode on the Host Import Manager that allows you to choose an action to take for the host record with that warning type. |
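The status table is effectively a conflict check between each record in the batch and the hosts already in the deployment. The function below is an added example of that check (not the Host Import Manager's own logic) so that an administrator can dry-run a batch before importing it. It assumes hosts are matched on the LogRhythm Host Name (case-insensitive), that entities form a tree whose root defines the "Entity family", that a match in the selected entity takes precedence over a match elsewhere in the family, and that a same-named host in an unrelated family is not a conflict; the sample entities and hosts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entity:
    name: str
    parent: Optional[str] = None      # None marks a root entity


@dataclass
class ExistingHost:
    name: str                         # LogRhythm Host Name
    entity: str
    enabled: bool                     # False means the host is retired


# Constructed sample deployment (assumed, not real data).
ENTITIES: Dict[str, Entity] = {
    "Corp": Entity("Corp"),
    "Corp-East": Entity("Corp-East", parent="Corp"),
    "Lab": Entity("Lab"),
}
EXISTING: List[ExistingHost] = [
    ExistingHost("web01", "Corp", True),
    ExistingHost("db01", "Corp", False),
    ExistingHost("app01", "Corp-East", True),
    ExistingHost("old01", "Corp-East", False),
    ExistingHost("labbox", "Lab", True),
]


def root_of(entities: Dict[str, Entity], name: str) -> str:
    """Walk parent links up to the root entity of a family."""
    seen = set()
    while entities[name].parent is not None:
        if name in seen:
            raise ValueError(f"cycle in entity tree at {name!r}")
        seen.add(name)
        name = entities[name].parent
    return name


def import_status(host_name: str, target_entity: str,
                  existing: List[ExistingHost], entities: Dict[str, Entity]) -> str:
    """Return the Host Import Manager status value for one batch record."""
    matches = [h for h in existing if h.name.lower() == host_name.lower()]
    for h in matches:                 # same entity: Warning Type 1 / 2
        if h.entity == target_entity:
            return "Warning Type 1" if h.enabled else "Warning Type 2"
    for h in matches:                 # elsewhere in the family: Warning Type 3 / 4
        if root_of(entities, h.entity) == root_of(entities, target_entity):
            return "Warning Type 3" if h.enabled else "Warning Type 4"
    return "New Host"                 # no conflicts found


def review_batch(host_names: List[str], target_entity: str,
                 existing: List[ExistingHost], entities: Dict[str, Entity]) -> Dict[str, str]:
    """Status for every record in a batch, keyed by host name."""
    return {n: import_status(n, target_entity, existing, entities) for n in host_names}


if __name__ == "__main__":
    for name, status in review_batch(["web01", "db01", "app01", "old01", "labbox", "new99"],
                                     "Corp", EXISTING, ENTITIES).items():
        print(f"{name:8} {status}")
```

Records flagged Warning Type 3 or 4 deserve a second look before acceptance, since creating a second host with the same identifiers in the family is exactly what the page recommends against.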