AlienVault Ticket ID: ENG-103229
Sometimes you may see a message similar to the following in the Message Center, even though your asset does not send logs to AlienVault USM Appliance any more:
Asset logs are not being processed (172.27.16.42) 2016-03-20 13:46:44 The asset is sending logs to the system but they are not being processed. Ensure that the appropriate data source plugin is enabled. At 2016-03-20 17:46:44 UTC.
This happens because the asset sent logs to the USM Appliance at some point but later stopped. USM Appliance stores all the logs that it receives in /var/log/alienvault/devices/ and never removes them. It then creates this message for any asset that has logs on disk but no plugin enabled.
You must jailbreak and manually delete the old log folder and its content.
- SSH to your appliance and select the jailbreak option from the menu.
- On the command line, enter

      rm -r /var/log/alienvault/devices/x.x.x.x

  where "x.x.x.x" is the IP address of the offending asset.
- Exit the command line.
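
A guarded version of the `rm -r` step above, as an added example that is not AlienVault's own code. It validates the IP address so that an empty or mistyped value cannot resolve to the whole devices directory, and it refuses to delete a folder that still receives new files. The function names and the 7-day staleness threshold are assumptions.

```shell
#!/bin/sh
# Added example (not AlienVault code). Function names are hypothetical.
DEVICES_DIR="${DEVICES_DIR:-/var/log/alienvault/devices}"   # path from the article

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the log folder for asset $1 if it is safe to delete.
# $2: days without new files before the folder counts as stale (assumed default: 7).
stale_device_dir() {
    ip=$1; days=${2:-7}
    is_ipv4 "$ip" || { echo "refusing: '$ip' is not an IPv4 address" >&2; return 2; }
    dir="$DEVICES_DIR/$ip"
    [ -d "$dir" ] && [ ! -L "$dir" ] || { echo "no log folder for $ip" >&2; return 3; }
    recent=$(find "$dir" -type f -mtime -"$days" | head -n 1)
    if [ -n "$recent" ]; then
        echo "$ip still sends logs ($recent); enable its plugin instead" >&2
        return 4
    fi
    printf '%s\n' "$dir"
}

# Delete the folder only after the checks above pass.
remove_stale_device_logs() {
    dir=$(stale_device_dir "$@") || return $?
    du -sh "$dir" >&2              # show what is about to be removed
    rm -r -- "$dir"
}

# Usage: remove_stale_device_logs 172.27.16.42
```

Source the file or paste the functions into the jailbroken shell before calling `remove_stale_device_logs`.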