AlienVault Ticket ID: PL-2044, PL-2046
AlienVault has become aware that some customers experienced problems with the HIDS functionality in USM Appliance after updating to the 5.5 release. Specifically, customers have reported that the Windows account "lockout" and "unlocked" events are no longer parsed properly. Additionally, there are reports of extremely long events that result in the "Non standard syslog message (size too large)" warning after the update.
In all the cases we have investigated, the HIDS Agents are on an earlier version than the HIDS Server (version 2.9.1) running in USM Appliance 5.5. We've identified this version mismatch between the agent and server as the root cause of these issues. Updating the HIDS Agents to the same version as the server typically resolves the issue. Therefore, if you believe that the HIDS functionality is not behaving normally after the 5.5 update, we recommend redeploying the affected HIDS Agents to the latest version.
If redeploying your agent(s), please be aware that two issues have been recently identified with the deployment process. The mass HIDS deployment feature now requires user action on the target host after each installation. Additionally, EventChannel support is currently not available in the packaged version of the agent. We are resolving both issues in the USM Appliance 5.6 release, currently scheduled for mid-May.