AlienVault® USM Appliance™

Known Issue: Message Center Keeps Generating Alerts

Reported Version: 5.2.2
Deployment: All deployments
AlienVault Ticket ID ENG-103229

Description

Sometimes you may see a message similar to the following in the Message Center, even though the asset no longer sends logs to AlienVault USM Appliance:

Asset logs are not being processed (172.27.16.42) 2016-03-20 13:46:44 The asset is sending logs to the system but they are not being processed. Ensure that the appropriate data source plugin is enabled. At 2016-03-20 17:46:44 UTC.

This happens because the asset did send logs to USM Appliance at some point but later stopped. USM Appliance stores every log it receives under /var/log/alienvault/devices/ and never removes these files, so it keeps raising this message for any asset that has stored logs but no enabled data source plugin.

Workaround

You must jailbreak and manually delete the old log folder and its content.

  1. SSH to your appliance and select the jailbreak option from the menu.
  2. On the command line, enter

    rm -r /var/log/alienvault/devices/x.x.x.x

    where "x.x.x.x" is the IP address of the offending asset.

  3. Exit the command line.
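The following POSIX shell script is an added example, not AlienVault's own tooling. It wraps the manual step above so that the folder to remove is checked before `rm -r` runs: the argument must be a dotted-quad IPv4 address (so a stray or malformed value cannot point `rm -r` anywhere else under the devices directory), and the folder must actually exist. It also lists device folders whose newest file is older than a threshold, which helps spot the stale assets behind these messages before deleting anything. The one-folder-per-IP layout under /var/log/alienvault/devices/ comes from this article; the 30-day staleness threshold and the `DEVICES_DIR`/`STALE_DAYS` variable names are assumptions you can override in the environment.

```shell
#!/bin/sh
# Added example (not part of the USM Appliance): inspect and clean up stale
# per-asset log folders under /var/log/alienvault/devices/.
# Assumptions: one subfolder per asset IP (as described in the article);
# a file untouched for STALE_DAYS days marks a folder as stale (30 is a guess).

DEVICES_DIR="${DEVICES_DIR:-/var/log/alienvault/devices}"
STALE_DAYS="${STALE_DAYS:-30}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# This is what keeps "rm -r" confined to "$DEVICES_DIR/<ip>".
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# list_stale_devices DIR DAYS: print the name (IP) of each subfolder of DIR
# that holds no file modified within the last DAYS days. An asset that is
# still sending logs will have a recent file and is therefore skipped.
list_stale_devices() {
  dir="$1"
  days="$2"
  for d in "$dir"/*/; do
    [ -d "$d" ] || continue
    recent=$(find "$d" -type f -mtime "-$days" 2>/dev/null | head -n 1)
    if [ -z "$recent" ]; then
      basename "$d"
    fi
  done
}

# remove_device_logs DIR IP: validate IP, confirm the folder exists, delete it.
# Returns 2 for a rejected argument, 1 for a missing folder, 0 on success.
remove_device_logs() {
  dir="$1"
  ip="$2"
  if ! is_ipv4 "$ip"; then
    echo "refusing: '$ip' is not an IPv4 address" >&2
    return 2
  fi
  target="$dir/$ip"
  if [ ! -d "$target" ]; then
    echo "no log folder for $ip under $dir" >&2
    return 1
  fi
  rm -r -- "$target"
}

# Command dispatch for stand-alone use:
#   sh stale_devices.sh list
#   sh stale_devices.sh remove 172.27.16.42
case "${1:-}" in
  list)   list_stale_devices "$DEVICES_DIR" "$STALE_DAYS" ;;
  remove) remove_device_logs "$DEVICES_DIR" "${2:-}" ;;
esac
```

Run `list` first from the jailbroken shell and compare the output with the IP addresses named in the Message Center alerts; only then run `remove` for each confirmed asset. The folder is removed entirely, which is exactly what step 2 above does by hand.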