Alien Vault Update

  • If an update is available from AlienVault, follow the points below.

  • To check whether an update is available, open your browser and enter the AlienVault server URL.

  • Log in to AlienVault, go to “Configuration –> Deployment” and look for any comments under the “New Updates” column.


Alien Vault Plugins Troubleshoot

Some of the options that can be pursued to troubleshoot and resolve this issue are listed below:

  • Log in to the AlienVault server using PuTTY with the “root” credentials.
  • After login, you will see the following screen.


  • Select “Jailbreak System”.
  • Click “Yes” or press “Enter” on the keyboard, and accept the “Jailbreak Commandline Notice” on the next screen by clicking “Yes”.


  • This gives you command-line access to the AlienVault server, and the screen will be displayed as below.


  • Depending on the plugin you are troubleshooting, go to the log file defined for that plugin and run the following command to see whether events are being written to it. Make sure you have the correct log file for the plugin:
    tail -f /path/to/.log
    For example, in a client deployment where we have to check the nxlog log file, we run the following command:
    tail -f /var/log/nxlog.log
  • If no new lines are being written to that file, restart rsyslog with the following command and then run the tail command above again:
    /etc/init.d/rsyslog restart
  • If you see new messages in the log file, check the events in the browser.

Alien Vault TCPDump

Some of the options that can be pursued to troubleshoot and resolve this issue are listed below:

  • Log in to the AlienVault server using PuTTY with the “root” credentials.
  • After login, you will see the following screen.


  • Select “Jailbreak System”.
  • Click “Yes” or press “Enter” on the keyboard, and accept the “Jailbreak Commandline Notice” on the next screen by clicking “Yes”.


  • This gives you command-line access to the AlienVault server, and the screen will be displayed as below.


  • Run the following command in the console and watch the output (tcpdump keeps capturing until you stop it with Ctrl-C). Command: tcpdump -i eth0


  • Run this command to see whether the sensor is receiving traffic from a particular log source. For example, if the log source IP is 10.10.30.217, run the following command to see whether logs are arriving: tcpdump -i eth0 | grep 10.10.30.217


  • If the above command shows traffic from the log source, as in the screen below, the traffic is reaching the sensor.


  • Check whether AlienVault is receiving syslog traffic from the log sources by using the following command: tcpdump -i eth0 | grep syslog

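The two checks above (is the plugin log file still growing, and is syslog from a given source reaching the sensor) can be scripted so they are repeatable during an incident. This is an added example, not part of the AlienVault documentation: the log path, interface name and source IP are assumptions, and the tcpdump filter matches on the source host and syslog port rather than grepping packet text.

```shell
#!/bin/sh
# Added example (not AlienVault's own tooling). Run in the jailbroken shell
# as root; tcpdump needs capture privileges.

# log_growing FILE [SECONDS]
# Returns 0 if FILE gains bytes within SECONDS (default 10), 1 if it does
# not, 2 if the file does not exist (wrong plugin log path).
log_growing() {
    file=$1
    secs=${2:-10}
    [ -f "$file" ] || return 2
    before=$(wc -c < "$file")
    sleep "$secs"
    after=$(wc -c < "$file")
    [ "$after" -gt "$before" ]
}

# syslog_filter SRC_IP [PORT]
# Builds a BPF filter for syslog from one log source (default port 514),
# so the capture does not depend on the string "syslog" or the IP
# appearing in tcpdump's text output.
syslog_filter() {
    port=${2:-514}
    printf 'src host %s and (udp port %s or tcp port %s)' "$1" "$port" "$port"
}

# count_syslog_packets IFACE SRC_IP [SECONDS]
# Prints how many syslog packets from SRC_IP were captured on IFACE within
# SECONDS (default 10); -c 50 caps the capture, timeout bounds the wait.
count_syslog_packets() {
    iface=$1; src=$2; secs=${3:-10}
    timeout "$secs" tcpdump -nn -i "$iface" -c 50 "$(syslog_filter "$src")" 2>/dev/null | wc -l
}

# Example run (assumed values: nxlog plugin log, eth0, source 10.10.30.217).
if [ "${1:-}" = "run" ]; then
    if log_growing /var/log/nxlog.log 10; then
        echo "nxlog log is being written"
    else
        echo "nxlog log is NOT growing (rc=$?); check rsyslog and the plugin path"
    fi
    echo "syslog packets from 10.10.30.217 on eth0: $(count_syslog_packets eth0 10.10.30.217 10)"
fi
```

Invoke the script with the argument `run` to execute the sample checks; a zero packet count with a growing log file points at the plugin, while zero on both points at the network path or the source's syslog configuration.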

If something is still wrong and you do not see the alerts in the web GUI, we need to pivot and try another method. The next suggested step is a bit much at this stage but will get you through the task. Click here for Event Level Troubleshooting, or here for OSSIM agent troubleshooting if alarms are not coming in.