I recently re-deployed our SIEM environment since it’s initial incarnation was never meant to be “production”. One of the issues I had immediately is that after adding the sensor machines, they didn’t show up under the “Alienvault Center” section of the Components page. They did show up under “Sensors” and were basically functioning normally as they were sending data and I was able to run discovery and vulnerability scans with them. However, not having them under the AV Center section prevented me from viewing and editing much of the sensor configuration (including applying updates) from the web interface.
It seems there is a specific way sensors need to be added. I had manually added the sensor in the web interface, which I guess is “wrong”. Here’s how I fixed it:
1) SSHed to the sensor and changed the framework IP to 127.0.0.1 and the AV Server IP to an unused IP.
2) “disassociate” any Groups, Networks and Assets from the sensor. In my case, I kept the networks and just associated them with the “master”, but ended up just deleting the 100+ assets, since I really didn’t want to manually edit all of those and haven’t found a way to bulk-edit assets. Please let me know in the comments if you do!
3) Delete the sensor from the Deployment->Components->Sensors list.
4) SSHed to the sensor again and changed both the Framework IP and the AV Server IP back to the IP of the Master.
5) Log into the web interface and go back to Deployment->Components->Sensors
Here you should now be notified that a sensor is “reported as enabled but hasn’t been configured.” Clicking “Insert” on this message appears to be the correct way to add a sensor.
Once I had “Inserted” the sensor, it showed up properly under both the “Alienvault Center” view as well as under “Sensors”.
I didn’t find this exact issue in any of the forums (but did find a hint here: https://www.alienvault.com/forums/discussion/1322/adding-sensors-to-the-alienvault-centre-display), so thought I’d post it here. Hope it helps someone.
One thought on “How to properly add a sensor to AlienVault/OSSIM”
Which type of sensors do you use and how did you set them to forward logs to AV ?