
No event appear in Alarms and SIEM anymore

OTXFEEDTMS
For 2 days I haven't seen any alarms or SIEM events. I did the NetFlow troubleshooting from the user guide and all is fine. I also used the command ossim-reconfig -c -v -d, but without results.
I have a master AlienVault and a sensor on a separate machine.


Answers

  • edited September 29

    • Make sure networks are defined in Environment > Assets and Groups > Networks.

    • Make sure that not too many global plugins are enabled:
      Configuration > Deployment > Components > Configuration - Sensors

      • You'll only want to see the defaults, and maybe a couple more that you've added.

    • Check the Listening Interfaces under the Sensor Configuration - Sensors > Detection menu to make sure interfaces are set up correctly.

    • tail -f the USM device logs. This should show a handful of events every 10 seconds. It will also show errors.

      • /var/log/alienvault/devices/<ipaddress>

    • On the sensor that is responsible for receiving the log, you can see details for all asset-based plugins.

      • /etc/ossim/agent/config.yml will have a mapping for every device log. It has a path to the device log and a path to the plugin, device IP and device ID. Ensure the IPs are correct.

    • TCPDUMP will show if the USM is getting NIDS traffic.

      • tcpdump -i eth1 not broadcast and not multicast

    • Make sure all retention values are set to default or less-than-default, unless you have a valid reason for keeping them at higher custom values. It is critical that you keep your retention values relatively low, because a full server/logger can severely impact performance.

  • I had to kill the ossim-server process and monit, and then restart ossim-server.
    After this action, ossim seems to work correctly.
    After 2 weeks the same problem appears.
  • Same here...
  • It seems that the AV server takes too long to restart due to the number of events...

    It's quite urgent that AV solve this big issue.

  • First check to make sure you have plenty of disk space. Next check that the /var/log/alienvault/agent/agent.log file is rotating daily. I have found that this file does not always rotate as it should and gets too large. Also check /var/log/alienvault/server/server.log and see if there are any errors.
  • Hi,

    I've got 500GB free, and agent.log and server.log get rotated.
    I didn't find any error in server.log. I'm trying to raise the debug level of the ossim server daemon.

    Thanks
  • I have a 34GB server.log file with only these messages:
    OSSIM-Message: tz->_priv->timecnt is 145
    OSSIM-Message: tz->_priv->zoneinfo is 0x7f67dc092000
    OSSIM-Message: tz->_priv->timecnt is 0
    OSSIM-Message: tz->_priv->zoneinfo is 0x7f67dc092c60
    OSSIM-Message: tz->_priv->timecnt is 0
    OSSIM-Message: tz->_priv->zoneinfo is 0x7f67dc092140
    OSSIM-Message: tz->_priv->timecnt is 0

  • Hi,

    I got stuck another time.

    I found an error in server.log:

    Glib-Error: creating thread 'sim_server_session': error creating thread: Resource temporarliy  unavailable.

    @OTXFEEDTMS, do you have the same error?


  • @ol.batard no I don't have this error
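As an added example (not posted by anyone in this thread and not AlienVault's own code), here is a read-only POSIX shell health check that wraps the steps from the first answer and the later replies: log size/rotation for agent.log and server.log, the thread-creation failure signature from the Glib-Error post, the tz->_priv chatter from the 34GB server.log, and the device IPs in /etc/ossim/agent/config.yml compared against a list of known assets. The size threshold, the error-pattern list, the --report flag and the assumption that the mapping's IPs appear as plain IPv4 literals are mine, not from the thread.

```shell
#!/bin/sh
# Added example, not from any poster in this thread and not AlienVault code:
# read-only checks for the symptoms discussed above. The paths are the ones the
# thread names; the size threshold and the error-pattern list are assumptions.
SERVER_LOG=${SERVER_LOG:-/var/log/alienvault/server/server.log}
AGENT_LOG=${AGENT_LOG:-/var/log/alienvault/agent/agent.log}
AGENT_CFG=${AGENT_CFG:-/etc/ossim/agent/config.yml}
MAX_LOG_MB=${MAX_LOG_MB:-1024}   # assumed: a log this large has probably stopped rotating

# log_too_big FILE MAX_MB -> succeeds when FILE is larger than MAX_MB megabytes
log_too_big() {
    [ -f "$1" ] || return 1
    [ $(( $(wc -c < "$1") / 1048576 )) -gt "$2" ]
}

# server_log_errors FILE -> number of lines carrying the thread-creation failure
# quoted in the thread ("Resource temporarily unavailable") or any Glib-Error
server_log_errors() {
    n=$(grep -c -i -E 'Glib-Error|error creating thread|Resource temporar' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# tz_noise_pct FILE -> percentage of lines that are the tz->_priv debug chatter
# which filled a 34GB server.log in the thread (100 means nothing but noise)
tz_noise_pct() {
    total=$(wc -l 2>/dev/null < "$1" || echo 0)
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    noise=$(grep -c 'tz->_priv' "$1" || true)
    echo $(( noise * 100 / total ))
}

# config_ips FILE -> unique IPv4 literals in the agent's device mapping
config_ips() { grep -o -E '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u; }

# unmapped_ips CONFIG ASSET_LIST -> IPs in CONFIG absent from ASSET_LIST (one IP
# per line): devices the sensor maps but no asset or network defines
unmapped_ips() { config_ips "$1" | grep -v -x -F -f "$2" || true; }

# Summary against the live paths (run on the USM server with read access to them)
report() {
    log_too_big "$SERVER_LOG" "$MAX_LOG_MB" && echo "WARN: $SERVER_LOG over ${MAX_LOG_MB}MB, check rotation"
    log_too_big "$AGENT_LOG" "$MAX_LOG_MB" && echo "WARN: $AGENT_LOG over ${MAX_LOG_MB}MB, check rotation"
    echo "server.log failure lines: $(server_log_errors "$SERVER_LOG")"
    echo "server.log tz noise: $(tz_noise_pct "$SERVER_LOG")%"
    [ -r "$AGENT_CFG" ] && echo "device IPs in agent config:" && config_ips "$AGENT_CFG"
    df -h /var/log 2>/dev/null | tail -n 1    # free space, per the later reply
}
if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with --report on the USM server, or source it and point the functions at copies of the logs; a high tz noise percentage plus a growing server.log is the rotation problem described above, and a non-zero failure count is the thread-creation error worth raising with support.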