AlienVault USM Appliance includes an update to the database engine in order to improve performance and storage capability. With this update, you can store more data for longer periods of time. You can also correlate and analyze more data in less time, accelerating your ability to detect and respond to threats.
- The database engine update in this version is separate from the functional release. This means that you can update your AlienVault USM Appliance system(s) to version 5.0 first, and then update the database engine at a later time. Your USM Appliance will be fully functional with the current database engine, but it will not have the improvement provided by the new database engine.
- The database engine update is only applicable to USM Appliance All-in-One and USM Appliance Server.
Before you can update to the new database engine in version 5.0, make sure that:
- your USM Appliance is on version 5.0;
- you have restarted USM Appliance after updating to version 5.0;
- you have access to the USM Appliance console because this update process is only available through the AlienVault Setup menu.
We perform 5 checks to make sure that your USM Appliance is in a healthy state before starting the update. The table below summarizes these checks:

|Check|What It Does|
|---|---|
|Free disk space check|Makes sure that there is enough free space on the system to perform the update. We need as much free space as the size of the database.|
|Database engine check|AlienVault installs the new database engine on USM Appliance during the version 5.0 update. This check makes sure that the new database engine has been properly installed and activated.|
|Database health check|Makes sure that IDM data in the database does not exceed a certain amount. If it does, either the IDM plugins were not configured properly, or the system backup procedure did not finish correctly.|
|Data consistency check|Makes sure that the item counts in the SIEM event tables are consistent. If they are not, the system backup procedure may not have finished correctly.|
|Anomalies check|Makes sure that the database has not been modified manually, for example, by someone creating or dropping tables in the database.|
If we detect any error while performing these checks, the update process will not start. You will receive this message instead:
UNABLE TO PERFORM THE DATABASE UPGRADE
PLEASE CONTACT THE ALIENVAULT SUPPORT TEAM
When this happens, contact AlienVault Support so that our technical support engineers can check your system and find out what the issue might be.
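
The free disk space rule from the table (free space at least equal to the database size) can be approximated by hand before you open the Setup menu. This is an added example, not AlienVault's own check script; the function names are hypothetical, and the database directory is an assumption supplied by the caller because this page does not state its location.

```shell
#!/bin/sh
# Added example: approximate the "free disk space" pre-check by hand.
# Not AlienVault's script; the database directory is supplied by the caller.

# Size of a directory tree in KiB (empty output on failure).
dir_used_kb() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Free KiB on the filesystem that holds the given path.
fs_free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'
}

# The rule from the table: free space must be at least the database size.
enough_space() {   # usage: enough_space USED_KB FREE_KB
    [ "$2" -ge "$1" ]
}

# Returns 0 if the update has room, 1 if not, 2 if the path is unusable.
check_db_free_space() {
    db_dir=$1
    [ -d "$db_dir" ] || { echo "not a directory: $db_dir" >&2; return 2; }
    used=$(dir_used_kb "$db_dir")
    free=$(fs_free_kb "$db_dir")
    [ -n "$used" ] && [ -n "$free" ] || { echo "cannot measure $db_dir" >&2; return 2; }
    if enough_space "$used" "$free"; then
        echo "OK: database ${used} KiB, free ${free} KiB"
    else
        echo "FAIL: database ${used} KiB, free ${free} KiB"
        return 1
    fi
}

# Stand-alone use: sh check_space.sh <database-directory>
if [ $# -gt 0 ]; then
    check_db_free_space "$1"
fi
```

The result is only an estimate of what the built-in check measures, since `du` reports the on-disk size of the files in the directory you pass.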
After the checks, the update script does the following:
- Stop all services running on the system except for ossim-agent, so that ossim-agent can still process events during the update process.
- For each database table, check its current engine and move it to the new database engine if necessary. (Not all tables are moved, because the new engine is better only for tables with more than 1.5 million entries. Version 5.0 therefore uses both database engines.)
- Optimize indexes.
- Build system tables.
- If no error occurs, an update successful message displays. Otherwise, an error message displays.
- Start all services.
You will find all these activities logged in /var/log/alienvault/database_migration-TIMESTAMP.log.
Finally, to update the database engine:
- Connect to the USM Appliance console through SSH or PuTTY.
- The AlienVault Setup menu appears.
- Navigate to Maintenance & Troubleshooting, then Maintain Database, and then Upgrade AlienVault Database.
- Read the disclaimer: you will not be able to access the AlienVault device during the update, but data will still be collected and can be accessed once the update is complete.
- Choose <Yes> to continue.
- The AlienVault database update process starts.