
Stop logging local alienvault to alienvault Messages

Hi, I'm looking at bringing down the amount of messages the AV sensor is using.

I'm seeing lots of messages here that I don't care about, local on the sensor, 192.168.1.1 to 192.168.1.1:
AV - Alert - "1453213293" --> RID: "5502"; RL: "3"; RG: "pam,syslog,"; RC: "Login session closed."; USER: "None"; SRCIP: "None"; HOSTNAME: "alienvault"; LOCATION: "/var/log/auth.log"; EVENT: "[INIT]Jan 19 14:21:32 alienvault sshd[121677]: pam_unix(sshd:session): session closed for user avapi[END]";

How do I stop these from being logged, as they are unnecessary to me?
It would be good to whitelist them so they don't get logged from certain IP addresses too; is this possible?
Really wanting to filter out a lot of the excess.


Answers

  • This looks like an avapi alert. Local logging of this is system logging, so we do not disable it. On the other hand, this is rotated with normal system log rotation.

    With regard to eventing, the entry which you are showing is part of the avapi filter included (but disabled by default) in the "AV Default Policies" section of the policies page. Enabling this drop rule will eliminate all of the AVAPI events from correlating or being written to the SIEM tables. There will be some leftover events that are not avapi related, but these are used by a few other plugins for correlation, such as the pam_unix plugin.
  • I have the rule enabled and still see a ton of events that end with avapi ...
  • So not knowing if this is related...

    AlienVault HIDS: Successful sudo to ROOT executed [USERNAME] as the signature when events are grouped

    BUT shows

    AlienVault HIDS: Successful sudo to ROOT executed [avapi] as the signature when you filter by the above signature...

    Could this be why the policy isn't working correctly?
  • Two things I found to shut up the internal Alien Vault messages.

    1) The AVAPI policy uses the DS Group "AVAPI Event Types"; it does not have all of them in there. Here are my settings:

    Plugin ID   Name                                Description                     Event types
    1501        apache                              Apache                          304, 302
    4003        ssh                                 SSHd: Secure Shell daemon       11, 27, 1000008, 10
    4005        sudo                                Sudo allows users to run ...    5, 6, 1000003, 3
    7001        AlienVault HIDS-syslog              syslog                          1005502
    7009        AlienVault HIDS-authentication...                                   1005501, 1005715
    7033        AlienVault HIDS-sudo                sudo                            1005402, 5402


    2)  Reorder or move the AVAPI policy to the top. It needs to have precedence.
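As an added illustration (not AlienVault/OSSIM code, and not part of this thread), the following simplified first-match policy model shows the two points made in the answer above: an event type missing from the DS group leaks past the drop rule, and the AVAPI policy only drops anything if it is evaluated before the default forwarding policy. The event objects, the per-IP source condition and the default "forward" action are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    plugin_id: int
    plugin_sid: int
    src_ip: str

@dataclass
class Policy:
    name: str
    action: str                                   # "drop" or "forward" (simplified)
    ds_group: dict = field(default_factory=dict)  # plugin_id -> set of event types; empty = any
    sources: set = field(default_factory=set)     # matching source IPs; empty = any

    def matches(self, ev: Event) -> bool:
        if self.sources and ev.src_ip not in self.sources:
            return False
        if not self.ds_group:
            return True
        return ev.plugin_sid in self.ds_group.get(ev.plugin_id, set())

def evaluate(policies, ev):
    """Policies are checked top to bottom; the first match decides the action (assumed model)."""
    for p in policies:
        if p.matches(ev):
            return p.name, p.action
    return None, "forward"  # assumed default when no policy matches

# DS group "AVAPI Event Types" as listed in the answer above (plugin id -> event types)
AVAPI_GROUP = {
    1501: {304, 302},
    4003: {11, 27, 1000008, 10},
    4005: {5, 6, 1000003, 3},
    7001: {1005502},
    7009: {1005501, 1005715},
    7033: {1005402, 5402},
}
# Constructed policies: drop avapi noise originating from the sensor itself, forward everything else
AVAPI_DROP = Policy("AVAPI", "drop", AVAPI_GROUP, sources={"192.168.1.1"})
DEFAULT = Policy("Default policy", "forward")

# Constructed sample events
local_session = Event(7001, 1005502, "192.168.1.1")   # sensor-local HIDS syslog event in the group
remote_ssh = Event(4003, 11, "10.0.0.5")              # same event type, but from another host
missing_sid = Event(7033, 9999, "192.168.1.1")        # constructed type not in the group: leaks through

def check_order():
    """Returns (result with AVAPI on top, result with AVAPI below the default)."""
    return evaluate([AVAPI_DROP, DEFAULT], local_session), evaluate([DEFAULT, AVAPI_DROP], local_session)
```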
  • Solid advice, Tom! Thanks for sharing.
  • I have the same problem. Does anybody know how to filter this type of event?

    Thanks in advance.