Lance Grover

Too many Tickets and Alarms in your Alienvault system?

While working on an Alienvault IDS system, I found that the company that had set it up made some mistakes and left over 50k alarms and over 50k tickets that they wanted removed. Time to do some database changes to clear those out.

  1. ssh into the Alienvault database server or all-in-one server, and jailbreak to the command line.
  2. Run the ossim-db command:
    # ossim-db
  3. Use the alienvault database:
    > use alienvault
  4. First, let's look at the tables involved with tickets (the database calls them incidents):
    > show tables like 'incident%';
  5. Now mark all the incidents as closed (the select first shows a few of the ones still open, so you can see what the update will touch):
    > select * from incident where not status = 'Closed' limit 5;
    > update incident set status = 'Closed';
  6. Now look at the alarm tables:
    > show tables like 'alarm%';
  7. Now mark all alarms as closed:
    > update alarm set status = 'closed';
  8. Note: the incidents use a capital C in Closed, while the alarms use lower-case closed. Use plain single quotes around the string values; the curly quotes a browser or word processor produces are not valid SQL.
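The same bulk close, written as one script with a count before and after so the result can be verified, and with a check of the exact spellings stored in the status column. This is an added example, not from the original post or from Alienvault; it assumes the two tables and the status column shown above, that the statements are run at the ossim-db prompt after `use alienvault`, and that the tables are InnoDB (on MyISAM the updates commit immediately and ROLLBACK does nothing, so the dump is the only way back).

```sql
-- Added example, not part of the original post. Before running anything,
-- take a dump of the two tables from the shell (path is a placeholder):
--   mysqldump alienvault incident alarm > /root/alienvault-tickets-backup.sql

-- 1. How many rows are open right now, per table.
SELECT 'incident' AS tbl, COUNT(*) AS open_rows FROM incident WHERE status <> 'Closed'
UNION ALL
SELECT 'alarm',           COUNT(*)              FROM alarm    WHERE status <> 'closed';

-- 2. Exact spellings already stored. BINARY makes the grouping case-sensitive,
--    so 'Closed' and 'closed' are listed as separate rows instead of being
--    merged by the default case-insensitive collation.
SELECT BINARY status AS exact_status, COUNT(*) AS rows_with_it
FROM incident GROUP BY exact_status;
SELECT BINARY status AS exact_status, COUNT(*) AS rows_with_it
FROM alarm GROUP BY exact_status;

-- 3. Close everything that is not already closed. Single quotes for string
--    literals: double quotes stop being string delimiters if sql_mode
--    includes ANSI_QUOTES.
START TRANSACTION;
UPDATE incident SET status = 'Closed' WHERE status <> 'Closed';
UPDATE alarm    SET status = 'closed' WHERE status <> 'closed';

-- 4. Re-run the counts inside the transaction; both should be 0.
--    COMMIT if they are, ROLLBACK if anything looks wrong.
SELECT (SELECT COUNT(*) FROM incident WHERE status <> 'Closed') AS open_incidents,
       (SELECT COUNT(*) FROM alarm    WHERE status <> 'closed') AS open_alarms;
COMMIT;
```

Closing every alarm this way also discards whatever was still unreviewed in the queue, so run step 1 first and keep the dump until you are sure nothing in those counts still needed attention.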