AlienVault® USM Appliance™

How to Troubleshoot Exporting Logger Events

Version: 5.x
Deployment: All deployments

If you have problems exporting events from the AlienVault USM Appliance Logger, first try to export a very small period of time. Start with 1 hour, then 4 hours, then 8 hours, and so on. This way you will see how long the export really takes. The export should finish and return results quickly for smaller time frames.

When the export finishes, you can download it from Raw Logs > Exports > Saved Exports. You can also find the exports on the CLI under /var/ossim/logs/searches/admin_<from-date-time>_<to-date-time>_none_<uuid>. The loglist.txt file contains the logs exported, while results.txt contains the actual log lines.

To find out how many results the query has returned, run the following command:

wc -l /var/ossim/logs/searches/admin_<from-date-time>_<to-date-time>_none_<uuid>/results.txt

For example:

wc -l /var/ossim/logs/searches/admin_2014-11-21\ 20\:00\:00_2014-11-21\ 22\:08\:54_none_d41d8cd98f00b204e9800998ecf8427e/results.txt

50 /var/ossim/logs/searches/admin_2014-11-21 20:00:00_2014-11-21 22:08:54_none_d41d8cd98f00b204e9800998ecf8427e/results.txt

The process finishes either when it finds 249999 records (the maximum), or when it returns all the records for the period you have specified.

To see which record USM Appliance is exporting, you can execute this command:

watch -n 5 'ps axfwww|grep sh|grep reverse|grep -v watch'

If the export is taking a long time, verify that wget has not timed out and is still running. For example:

ps axf|grep wget|grep "/var/ossim/logs"
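The checks above (count the lines in results.txt, compare against the 249999-record maximum, and confirm wget is still running) can be combined into one script. The following is an added example, not part of the AlienVault documentation or the USM Appliance code base; it takes the directory layout and the record limit from the article, and the sample export directories it builds are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the AlienVault documentation): summarise the state of
# USM Appliance Logger export directories using the checks from the article.
# MAX_RECORDS is the 249999 cap stated in the article. The directory layout
# /var/ossim/logs/searches/admin_<from>_<to>_none_<uuid> is also from the article.

MAX_RECORDS=249999

# export_status DIR
#   Prints one line describing the export in DIR and returns 0 only when it
#   is complete:
#     missing      - no results.txt yet (export still running, or it failed)
#     capped N     - results.txt holds MAX_RECORDS lines: the window was too
#                    wide and the export is truncated, so shrink the period
#     complete N   - results.txt holds fewer lines than the cap
export_status() {
    dir=$1
    if [ ! -f "$dir/results.txt" ]; then
        echo "missing"
        return 1
    fi
    # Same count as "wc -l .../results.txt" in the article; tr strips the
    # leading spaces some wc implementations print.
    n=$(wc -l < "$dir/results.txt" | tr -d ' ')
    if [ "$n" -ge "$MAX_RECORDS" ]; then
        echo "capped $n"
        return 1
    fi
    echo "complete $n"
    return 0
}

# export_still_running
#   Returns 0 if a wget working under /var/ossim/logs is in the process list,
#   mirroring the article's ps axf|grep wget|grep "/var/ossim/logs" check.
#   The [w]get pattern keeps grep itself out of the match.
export_still_running() {
    ps axww 2>/dev/null | grep '[w]get' | grep -q '/var/ossim/logs'
}

# make_sample_export DIR LINES
#   Builds a constructed export directory with LINES fake log lines in
#   results.txt so the checks above can be exercised without an appliance.
make_sample_export() {
    mkdir -p "$1"
    awk -v n="$2" 'BEGIN {
        for (i = 1; i <= n; i++)
            print "Nov 21 20:00:00 host sshd[123]: constructed sample line " i
    }' > "$1/results.txt"
}

# Usage: sh export_check.sh /var/ossim/logs/searches
# Runs only when a searches directory is given, so the file can also be
# sourced for its functions without side effects.
if [ -n "${1:-}" ]; then
    for d in "$1"/admin_*; do
        [ -d "$d" ] && printf '%s: %s\n' "$(basename "$d")" "$(export_status "$d")"
    done
    if export_still_running; then
        echo "wget still running"
    else
        echo "no wget running for /var/ossim/logs"
    fi
fi
```

A "capped" result is the signal that the period was too wide: rerun the export over a shorter window, as the article recommends, rather than treating the truncated results.txt as complete.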