QRadar and Syslog show localhost instead of the SEDR hostname

Article ID: 192180

Products

Advanced Threat Protection Platform, Endpoint Detection and Response

Issue/Introduction

When reviewing Symantec Endpoint Detection and Response (SEDR) logs on either QRadar or a Syslog server, localhost is displayed instead of the SEDR hostname.

Cause

The syslog service uses the hostname of the SEDR appliance, which is localhost.localdomain by default, when sending syslog entries.

Resolution

Change the hostname of the SEDR appliance by performing the following steps.
  1. Log in to the SEDR CLI as 'admin'
  2. Run the command
    hostname <new.hostname>
  3. Reboot the appliance for the changes to take effect
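
To confirm the change from the QRadar or Syslog server side, the following added example (not part of the original article or of any Symantec tooling) checks received entries for the default hostname. It assumes the entries use an RFC 3164-style header and that the input holds only entries from the SEDR appliance; the sample lines and the hostname sedr01.example.com are constructed.

```python
import re
from collections import Counter

# Hostnames that mean the appliance is still using its default name.
DEFAULT_HOSTS = {"localhost", "localhost.localdomain"}

# Assumed RFC 3164-style header: optional <PRI>, timestamp, HOSTNAME, message.
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

def audit(lines):
    """Return per-host counts plus first and last line index seen per host."""
    counts, first_seen, last_seen = Counter(), {}, {}
    for i, line in enumerate(lines):
        m = HEADER.match(line.rstrip("\n"))
        if not m:
            continue  # line does not carry the assumed header; skipped
        host = m.group("host").lower()
        counts[host] += 1
        first_seen.setdefault(host, i)
        last_seen[host] = i
    return counts, first_seen, last_seen

def fix_confirmed(lines, new_hostname):
    """True if new_hostname appears and no default-hostname entry follows it."""
    _, first_seen, last_seen = audit(lines)
    start = first_seen.get(new_hostname.lower())
    if start is None:
        return False
    return all(last_seen.get(h, -1) < start for h in DEFAULT_HOSTS)

# Constructed sample: two entries before the hostname change, two after.
SAMPLE = [
    "<134>Jan 12 09:58:01 localhost.localdomain sedr-sample: constructed event 1",
    "<134>Jan 12 09:59:30 localhost sedr-sample: constructed event 2",
    "not a syslog header",
    "<134>Jan 12 10:07:12 sedr01.example.com sedr-sample: constructed event 3",
    "<134>Jan 12 10:08:45 sedr01.example.com sedr-sample: constructed event 4",
]

if __name__ == "__main__":
    counts, _, _ = audit(SAMPLE)
    for host, n in counts.most_common():
        flag = "  <-- default hostname" if host in DEFAULT_HOSTS else ""
        print(f"{host}: {n}{flag}")
    print("fix confirmed:", fix_confirmed(SAMPLE, "sedr01.example.com"))
```

If the collector receives entries from several devices, filter by the appliance's source address first, since other hosts may also report localhost.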