AlienVault® USM Appliance™

How to Monitor Individual Sensor Events Per Second (EPS)

Version: 5.x
Deployment: All deployments

In AlienVault USM Appliance, Events Per Second (EPS) is the number of events processed per second. It is used as a measure of how fast an environment's security devices generate data.

In a distributed environment with several sensors deployed in the network, you can determine the EPS handled by each plugin by checking /var/log/alienvault/agent/agent.log. For example, you can follow the log and filter on the EPS keyword:

# tail -f /var/log/alienvault/agent/agent.log | grep "EPS"

Oct 4 14:05:34 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Plugin[8905] Total lines [3689964] TotalEvents:[3689964] EPS: [718.73] elapsed [10.01] seconds

Oct 4 14:05:40 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Plugin[7007] Total lines [468526] TotalEvents:[468525] EPS: [71.85] elapsed [10.10] seconds

Oct 4 14:05:40 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Plugin[1510] Total lines [3138] TotalEvents:[3138] EPS: [0.40] elapsed [10.00] seconds

Oct 4 14:05:40 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Plugin[1690] Total lines [6317] TotalEvents:[6317] EPS: [0.80] elapsed [10.00] seconds

Alternatively, you can use the database to calculate the number of events generated by each sensor. For example, to get the number of events per day for a particular sensor, first look up the sensor id and then count its events (replace <SENSOR_ID> with your sensor id):

mysql> SELECT hex(id),name from alienvault.sensor;

mysql> SELECT COUNT(*) from alienvault_siem.acid_event WHERE device_id in (select id from alienvault_siem.device where hex(sensor_id)="<SENSOR_ID>") AND timestamp > now() - INTERVAL 1 DAY;

You can also get all the events for a particular sensor:

mysql> SELECT COUNT(*) from alienvault_siem.acid_event WHERE device_id in (select id from alienvault_siem.device where hex(sensor_id)="<SENSOR_ID>");

And the events for all sensors, grouped by sensor name:

mysql> SELECT count(timestamp) as events, sensor.name as sensor from alienvault_siem.acid_event, alienvault.sensor, alienvault_siem.device WHERE acid_event.device_id = device.id and device.sensor_id = sensor.id group by sensor.name;

Using these queries, you can set up a monitoring service that checks the event counts of every sensor and sends a notification when a limit is reached.

Take into account that event timestamps in the DB are stored in UTC, while NOW() returns the appliance's local time. So, for example, if you are in GMT+1 and want to know how many events have been inserted for a particular sensor in the last 5 minutes, you must add the 60-minute offset to the interval and run the following query:

mysql> select COUNT(*) from alienvault_siem.acid_event WHERE device_id in (select id from alienvault_siem.device where hex(sensor_id)="<SENSOR_ID>") AND timestamp > NOW() - INTERVAL 65 MINUTE;

In his blog, David Vassallo wrote an entry on monitoring each sensor's generated events over a configurable interval and, if the number of events generated by a sensor drops below a configured threshold, notifying the user by email.

The original entry (http://blog.davidvassallo.me/2015/02/03/alienvault-monitoring-individual-sensor-events-per-second-eps/), in which David creates this service, uses two files:

  • /etc/ossim/eps_monitor.conf: stores the settings (threshold, interval and SMTP details) used by the main script.
  • EPS_Script.py: the main script. It loads the number of events generated by each sensor during the interval configured in eps_monitor.conf and compares it with the threshold defined in the same file.

This can be a very good first approach to setting up a monitoring service for sensors. The original files were tested in release 5.3.2.
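As an added example (not part of this article or of David Vassallo's script), the following Python code parses the per-plugin EPS lines that agent.log produces, flags plugins whose latest EPS sample is below a threshold in the spirit of eps_monitor.conf, and computes the look-back interval for the acid_event query when the appliance clock is offset from UTC. The function names, the threshold value and the unrelated agent line in the sample are assumptions; the rest of the sample reuses the four EPS lines shown above.

```python
import re
from collections import defaultdict

# Pattern for the per-plugin throughput lines the agent writes to agent.log
EPS_LINE = re.compile(
    r"Plugin\[(?P<plugin>\d+)\] Total lines \[(?P<lines>\d+)\] "
    r"TotalEvents:\[(?P<events>\d+)\] EPS: \[(?P<eps>[\d.]+)\] "
    r"elapsed \[(?P<elapsed>[\d.]+)\] seconds"
)

# Constructed sample: the four EPS lines from the article plus one constructed, unrelated line
SAMPLE_LOG = """\
Oct 4 14:05:30 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Reloading plugins
Oct 4 14:05:34 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Plugin[8905] Total lines [3689964] TotalEvents:[3689964] EPS: [718.73] elapsed [10.01] seconds
Oct 4 14:05:40 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Plugin[7007] Total lines [468526] TotalEvents:[468525] EPS: [71.85] elapsed [10.10] seconds
Oct 4 14:05:40 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Plugin[1510] Total lines [3138] TotalEvents:[3138] EPS: [0.40] elapsed [10.00] seconds
Oct 4 14:05:40 VirtualUSMRemoteSensorLite ossim-agent: Alienvault-Agent[INFO]: Plugin[1690] Total lines [6317] TotalEvents:[6317] EPS: [0.80] elapsed [10.00] seconds
"""

def parse_eps_lines(text):
    """Return {plugin_id: [EPS samples in log order]}; lines without EPS data are skipped."""
    per_plugin = defaultdict(list)
    for line in text.splitlines():
        m = EPS_LINE.search(line)
        if m:
            per_plugin[int(m.group("plugin"))].append(float(m.group("eps")))
    return dict(per_plugin)

def below_threshold(per_plugin, threshold):
    """Plugin ids whose most recent EPS sample is below threshold, i.e. the ones a
    monitoring service driven by an eps_monitor.conf-style threshold would alert on."""
    return sorted(pid for pid, samples in per_plugin.items() if samples[-1] < threshold)

def db_lookback_minutes(interval_minutes, utc_offset_hours):
    """Minutes to subtract from NOW() in the acid_event query: the wanted window plus the
    appliance's offset from UTC, because timestamps are stored in UTC while NOW() returns
    local time. A 5-minute window in GMT+1 gives 65, the value used in the query above."""
    return interval_minutes + int(utc_offset_hours * 60)

if __name__ == "__main__":
    eps = parse_eps_lines(SAMPLE_LOG)
    print("Plugins under 1 EPS:", below_threshold(eps, 1.0))
    print("Look-back for a 5-minute window in GMT+1:", db_lookback_minutes(5, 1), "minutes")
```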