Documentation Center
AlienVault® USM Appliance™

Avoiding SQL Storage for Events - Video

Version: 5.x
Deployment: All deployments

Watch the following video to learn about how to avoid storing events in the MySQL database in AlienVault USM Appliance:

This module will show you how to avoid storing some events in the SQL database within AlienVault, but still allow those events to be correlated by the AlienVault correlation engine and saved in the logger. You may want to avoid storing some events in the database in order to save space in the database.

In this example, we show how to avoid storing a sample type of event, SSH login attempts. To do this, we create a policy.

  1. Go to Configuration, then Threat Intelligence, and then choose Policy.
  2. Under Default Policy Group, click New to create a new policy.
  3. Type a name for the policy rule, such as “No SQL Storage.” In the Policy Conditions area, choose ANY as the source.
  4. Click on the vertical word Destination, and choose "Insert New Net".
  5. Enter a name, such as "IMPORTANTHOSTS". In the CIDR field, enter the network address. Click Save.
  6. Close the next dialog box that appears. In the Policy Conditions area, select the network and the name IMPORTANTHOSTS.
  7. Click on the vertical words Event Types, and choose “Insert New DS Group.”
  8. Choose Add by Data Source. Select the sshd data source. Enter the name “ssh login tries” for the DS Group. Click on the edit icon to edit the event type selection.
  9. In the next box, in the search area,

    1. Enter “denied” to find the Denied connection event. Drag the event to the left side of the screen.
    2. Enter “failed.” Drag the Failed password and Failed publickey events to the left side of the screen.
    3. Click the Submit Selection button.
  10. On the next screen, click Update. Close the next dialog box.

    We now see our new DS group. Uncheck ANY, and check “ssh login tries.”

  11. Click in the green area below SIEM to show the SIEM section under Policy Consequences.
  12. Click the button to change SQL Storage to No.
  13. Click on the vertical word LOGGER. Click the button to change Logger to Yes.
  14. Click Update Policy.
  15. Click Reload Policies.

This task is completed. As you can see, SQL Storage is not enabled, but Logger and SIEM are enabled. This completes our session.