
update 5.6.0 issues

haifaisghaifaisg



Answers

  • hi,
    After updating to the newest version 5.6.0 and rebooting I ended up with an interface that does not show any raw data; Threat Intelligence does not work either.. I did read about the problems with this update.. but I have no idea what to do from here..

    thank you
  • I am having the same issues, ever since the 5.6 update haifaisg. There are security issues with 5.5 so we won't be rolling back but I have no raw data on any SIEM events which makes trying to troubleshoot alarms near impossible. Events show up in the database but if i open up an event there is no data under "raw log"
    For syslog it means that the source all shows up as the alienvault server and there is no real information on it anyways and for windows event logs we don't get any real information except the source and event type.

    I'm attaching some examples. I hope they fix it soon. 5.6 has been a total fail

    [attachment: syslog]
    [attachment: eventlog]
    RCSec
  • Exactly the same issue with my server. That's because they've renamed the DB tables, but server still trying to write in the old ones. Waiting for a database fix.
    ssewellfis
  • kmstrube it is the same for me. thank you for your reply. email notification does not work either.. I do search for raw data using ELK now.

    I do see logs in /var/logs. Nothing has changed.. Daniil thank you for the info .. I was getting ready to install a new server. :)

    I hope we get an update soon.
    tracy.dangerkmstrube
  • I am seeing the same thing.  In the server.log file I am getting the following error for each event:  

    018-08-14 10:04:16 OSSIM-Message: Query: INSERT IGNORE INTO extra_data (event_id, filename, username, password, userdata1, userdata2, userdata3, userdata4, userdata5, userdata6, userdata7, userdata8, userdata9, data_payload, binary_data) VALUES (...) error: Unknown column 'event_id' in 'field list'

    It looks like the alienvault_siem.extra_data table was altered and the event_id column was changed to just id and the data_payload and binary_data columns were moved to a different table however the ossim-server binary still has the old code.  Anyone come up with a workaround?
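    An added diagnostic (not code from any poster in this thread): a small Python script that scans server.log lines shaped like the error quoted above and tallies which table/column pairs the ossim-server inserts are failing on. The sample lines are constructed, and the script assumes the log format matches the one quoted in the post.

    ```python
    import re
    from collections import Counter

    # Constructed sample lines modelled on the server.log error quoted in this
    # thread; they are not a capture from any real system.
    SAMPLE_LOG = """\
    2018-08-14 10:04:16 OSSIM-Message: Query: INSERT IGNORE INTO extra_data (event_id, filename, username, password, userdata1, data_payload, binary_data) VALUES (...) error: Unknown column 'event_id' in 'field list'
    2018-08-14 10:04:17 OSSIM-Message: Query: INSERT IGNORE INTO extra_data (event_id, filename, username) VALUES (...) error: Unknown column 'event_id' in 'field list'
    2018-08-14 10:04:18 OSSIM-Message: Query: INSERT IGNORE INTO acid_event (id, timestamp) VALUES (...)
    2018-08-14 10:04:19 OSSIM-Message: Query: INSERT INTO extra_data_content (event_id, data_payload) VALUES (...) error: Unknown column 'event_id' in 'field list'
    """

    # One pattern for the failure shape shown in the thread: an INSERT into <table>
    # followed by MySQL's "Unknown column '<col>' in '<clause>'" error. Successful
    # inserts (no "error:" suffix) deliberately do not match.
    ERR_RE = re.compile(
        r"^(?P<ts>\S+ \S+) OSSIM-Message: Query: INSERT (?:IGNORE )?INTO (?P<table>\w+)"
        r".*?error: Unknown column '(?P<column>[^']+)' in '(?P<clause>[^']+)'$"
    )

    def parse_schema_errors(text):
        """Return a list of (timestamp, table, column) for every failed insert."""
        hits = []
        for line in text.splitlines():
            m = ERR_RE.match(line.strip())
            if m:
                hits.append((m.group("ts"), m.group("table"), m.group("column")))
        return hits

    def summarize(text):
        """Count failures per (table, column). A non-empty result means events are
        reaching the server but their payload is being dropped at the DB layer,
        which is exactly the 'no raw log' symptom described in this thread."""
        return Counter((t, c) for _, t, c in parse_schema_errors(text))

    if __name__ == "__main__":
        # Run against the constructed sample; point it at /var/log/ossim/server.log
        # (path assumed) on a real box by reading that file instead.
        for (table, column), n in summarize(SAMPLE_LOG).most_common():
            print(f"{n:4d}  {table}.{column}")
    ```
    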
  • @jrydzy 

    I've tried to bring back the old table (it called extra_data_old) in my DB, alerts from server logs are gone, but still nothing displayed in the web GUI. 
    I think it's because new server tries to find records with new format(id instead of event_id, etc).
    It's possible to convert all old records into the new table, but you have to force ossim(or av)-server to write newly formatted events into old DB table. I wouldn't recommend to do that, you have to know the server on a very under-the-hood level to do such things. 
  • Hi all,

    Just the same problem here, no raw log on the event details. The same error on server.log error: Unknown column 'event_id' in 'field list'

    Is there any workaround to solve this or must we wait for the 5.6.1 update?


  • until now there is nothing.. just waiting for the new update 5.6.1..
    maybe it will solve the problem..
  • Just to make sure I am not missing anything, having no data in the raw logs and "N/A" in all of the relevant fields is to be expected in 5.6? This was a new build and I've been running in circles all day trying to figure out what I had done wrong. 
  • I have a new installation of OSSIM 5.6, but I am getting no information in raw logs and N/A in everything as well. Is this just an OSSIM limitation, do I have something not set up right, or is 5.6 broken for fresh installations as well as upgrades?
  • I have no idea that a fresh installation has problems..
    but what I can say is that after the update to 5.6.0..
    I can see no raw data as you..
    until now there is no solution
  • I have the same issue in my server, no data in raw log and N/A in all the fields of destination and email notification does not work either.

    How do you resolve this in your server?

    Is there any option other than wait for update 6.0 or install a new Ossim?
  • I do have the same issue .. I am still waiting for the new update, maybe it will resolve the problem..

  • Just an FYI to those wondering about a fresh install, I did a fresh install of 5.6.0 and have no detail or raw data for any of my events.
  • @Daniil You're exactly right. It looks like a DB schema change that wasn't correctly handled. For 5.6.0, from my diagnostics, it appears that the process that spools the unified2 format from Suricata and writes it to the database targets alienvault.extra_data.data_payload. However, when viewing the event from the web interface it attempts to pull the data from alienvault_siem.extra_data_content.data_payload.

    If I manually query alienvault.extra_data.data_payload via MySQL I can see the data is continuing to be captured there, but alienvault_siem.extra_data_content.data_payload is completely empty.
  • Hi There, is any news in this issue? Thanx!!
  • [attachment: Alienvault_log.png]
    Having same issue.
    Any fix??
  • I guess I can't complain about a free product but this is pretty crappy. Due to organizational risk policy I can't downgrade to OSSIM 5.5 (which has HUGE security issues) but we have been without a functional frontend for Alienvault for 2 months now.
  • Is there any solution for this? Or is the OSSIM discontinued? Please if there is no solution for this let us know and we will change to another SIEM.

    Thx in advance.
    kmstrube
  • It seems that info only appears in the Enterprise version
    sudos

  • Then for OSSIM there is no more RAW data on the SIEM events? What a pity :(
  • I did install an older version 5.2.. It works.
    I give up waiting.. perhaps we will move on to another SIEM.
  • So now alienvault sees the 5.6.5 patch but can not install it through the GUI? Has anyone been able to install the upgrade via GUI or otherwise?
    martin.hepworth
  • Same here.  I see the patch, but cannot update via GUI or CLI interface. Get a very generic error via GUI.  I've tried a few times, and once the update appeared to install with a successful update response, but the version remains unchanged and the system continues to report an update is available, so it appears the message of successful install was a false positive.
  • same issue here.. update success same version
  • I have done a fresh install with the 5.6 ISO and can confirm that SIEM events now work as intended at least. May be an option for those of you who can format and reinstall on a new box/VM
  • My update did work yesterday via the GUI.  I am now on 5.6.6, however, as near as I can tell I still have no detail data in my SIEM events.
  • @brettkish

    If I understood right this is an expected behavior in accordance with option 3 of this article https://alienvault.com/forums/discussion/18058/alienvault-v5-6-6-functional-release. The database changes will be fixed in the next update 5.7.