This is a tough one, and one of the most common problems we see. Aanval is an event management console, so events are central to everything the console does, and "no events" is a symptom with a wide range of causes. Below we break down the event pipeline step by step and where the disconnect can be.
We'll start by describing the common event lifecycle and flow process.
To summarize, a snort or suricata engine needs to be running, matching signatures against packets and writing the resulting alerts in unified2 format to a log directory, from which Aanval later retrieves, imports and displays them.
Let's start at the beginning, and work our way through the steps ensuring everything is properly functioning along the way.
Is the snort or suricata process running?
This is extremely common: the engine process dies for a variety of reasons. A system reboot (with no init script or service unit to restart it), a bad signature, or a bug in the engine code itself can all kill the process. If it is not running, start it in the foreground, read the errors it prints, and correct as needed.
Is there traffic on the sniffing interface?
Another very common problem is that the sniffing interface is unplugged, ports have been switched, firewall rules have changed, etc. The engine needs traffic; if only the wrong traffic (for example broadcast traffic only) or no traffic at all reaches the sniffing interface, the engine is not going to alert.
If there isn't any traffic, you will need to address this right away, because nothing downstream can work without it.
Are there enough enabled signatures for the engine to match against traffic?
This is also quite common: the engine is running and traffic is flowing, but the set of enabled signatures isn't relevant to the traffic actually seen. We'd recommend enabling a basic ICMP signature (echo request) that you can trigger yourself with a ping, purely to verify that the engine is alerting as intended.
Are there new or current unified2 logs in /var/log/snort (or wherever your logs are stored)?
Take a look at the unified2 logging directory and check which files exist, their timestamps and their file sizes. If you are not seeing current files, or only empty files, go back and confirm that the engine is running and that signatures and traffic are properly configured; an empty or stale file means the engine is not writing alerts.
Is the disk full?
This isn't quite as common, but we do still see it from time to time. A full log partition stops the engine from writing new unified2 records. Ensure you have plenty of disk space.
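The sensor-side questions above can be answered in one pass. The following script is an added example, not part of Aanval or of the Snort/Suricata projects. It assumes the engine binary is named snort (use ENGINE=suricata for Suricata), the sniffing interface is eth0, and unified2 files are written to /var/log/snort with the prefix snort.log (Suricata's default prefix is unified2.alert); all four can be overridden from the environment. The ICMP rule it prints is the kind of "prove the engine alerts at all" signature suggested above; the sid is an assumed local sid.

```shell
#!/bin/sh
# ids_pipeline_check.sh: sensor-side checks for the questions above.
# Added example, not Aanval code. Assumed defaults below; override via the
# environment, e.g.  ENGINE=suricata IFACE=eth1 PREFIX=unified2.alert
ENGINE="${ENGINE:-snort}"
IFACE="${IFACE:-eth0}"
LOGDIR="${LOGDIR:-/var/log/snort}"
PREFIX="${PREFIX:-snort.log}"

# Is the engine process running? Exact process-name match (pgrep -x), so a
# shell or editor that merely has "snort" in its command line does not count.
engine_running() {  # $1 process name
    pgrep -x "$1" >/dev/null 2>&1
}

# Is traffic arriving on the sniffing interface? Samples the kernel's
# rx_packets counter twice and prints the difference; 0 means nothing reached
# the interface during the interval. Returns 2 if the interface does not exist.
iface_rx_delta() {  # $1 interface, $2 seconds between samples
    f="/sys/class/net/$1/statistics/rx_packets"
    [ -r "$f" ] || { echo "no such interface: $1" >&2; return 2; }
    a=$(cat "$f"); sleep "$2"; b=$(cat "$f")
    echo $((b - a))
}

# A minimal ICMP echo-request rule for verifying that the engine alerts at all.
# Local rules use sids >= 1000000. Save it to a file included from your
# snort.conf / suricata.yaml, restart the engine, ping a host on the monitored
# segment, and a new unified2 record should appear.
icmp_test_rule() {  # $1 sid (assumed local sid, e.g. 1000001)
    printf 'alert icmp any any -> any any (msg:"Aanval pipeline test - ICMP echo"; itype:8; sid:%s; rev:1; classtype:misc-activity;)\n' "$1"
}

# Newest unified2 file, its age in seconds and its size in bytes.
# Returns 1 when nothing matches (never logged, or wrong directory/prefix).
newest_unified2() {  # $1 directory, $2 file prefix  -> "path age size"
    newest=$(ls -t "$1"/"$2".* 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$newest" 2>/dev/null || stat -f %m "$newest")  # GNU, then BSD stat
    size=$(stat -c %s "$newest" 2>/dev/null || stat -f %z "$newest")
    echo "$newest $((now - mtime)) $size"
}

# Percentage of the filesystem holding $1 that is in use, without the % sign.
disk_used_pct() {  # $1 any path on the filesystem
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

run_checks() {
    if engine_running "$ENGINE"; then echo "OK   $ENGINE is running"
    else echo "FAIL $ENGINE is not running; start it in the foreground and read the errors"; fi

    n=$(iface_rx_delta "$IFACE" 5) || n=""
    if [ -n "$n" ] && [ "$n" -gt 0 ]; then echo "OK   $IFACE received $n packets in 5s"
    else echo "FAIL no packets seen on $IFACE (unplugged, wrong port, or not mirrored traffic?)"; fi

    out=$(newest_unified2 "$LOGDIR" "$PREFIX")
    if [ -n "$out" ]; then
        set -- $out
        echo "INFO newest unified2 file $1 is ${2}s old, $3 bytes"
        [ "$3" -gt 0 ] || echo "FAIL newest unified2 file is empty: no alerts are being written"
        [ "$2" -lt 3600 ] || echo "WARN no unified2 file written in the last hour"
    else
        echo "FAIL no $PREFIX.* files in $LOGDIR"
    fi

    if [ -d "$LOGDIR" ]; then
        u=$(disk_used_pct "$LOGDIR")
        if [ "$u" -lt 90 ]; then echo "OK   disk ${u}% used"
        else echo "FAIL disk ${u}% used; free space or the engine will stop logging"; fi
    fi
}

# Only run when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as sh ids_pipeline_check.sh --run on the sensor; any FAIL line points at the step above where the pipeline is broken, and the printed ICMP rule (icmp_test_rule 1000001) gives you a repeatable way to generate an alert on demand while you fix it.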
Aanval's Sensor Management Tools (SMTs) are required for your console to function properly: they lift binary chunks of unified2 log data from the sensor up to the Aanval console, where Aanval imports them. If they aren't running, event data isn't making it to Aanval even though the engine is logging correctly.
Are the SMTs running?
You can check this by running the following command on your sensor system. The bracket keeps the grep process itself out of the output, so an empty result really means nothing is running.
ps aux | grep '[S]MT'
If they aren't running, get them started back up.
Aanval's Background Processing Units (BPUs) are required for your console to function properly: they receive events from remote sensors and ingest and process them into the datastore.
Are the BPUs running?
You can check this by running the following command on your Aanval console system (again bracketed so the grep does not match itself), and if they are not running, get them started.
ps aux | grep '[B]PU'
Aanval uses a rotating datastore system: the storage layer automatically rotates to a new datastore at a configured size or total number of events. These datastores allow Aanval to store millions and even billions of events.
There are two types of datastores, read and write. The write datastore is always the most recently created datastore and is where all new event information will be written, while the read (or search) datastore is where the current user is pointed to at a particular time. Users can select the current datastore or any previous datastore for reading, so they may go back and run reports, perform searches or browse old events.
If a user has a previous datastore selected, it can give the appearance that no new events are being imported, when in reality they are importing just fine into the write datastore and the user is simply looking at an old one.
Do you have the proper search datastore selected?
In the Aanval Configuration menu, select Datastores, and look at the current read and write settings. If they do not match the most recent datastore, select the most recent datastore and update both read and write. Once this has been done, go back to the main dashboard, wait a few moments, refresh, and check whether the events have changed.
You may also need to clear the console cache, which can be done with the following command from your Aanval installation's /bin/ directory:
php console aanval:repair
Aanval has an event suppression system, which allows users to temporarily suppress events that match user-definable criteria. On occasion, we have seen customers create wide-ranging suppression rules and then believe no events are coming in, when in fact the events are arriving and are simply being suppressed for a period of time.
Check your Event Suppression rules and disable any questionable ones that you believe might be hiding events.
If you are still unable to identify where the issue is, or need more assistance with troubleshooting, let us know by creating a support ticket or giving us a call.
We want each of our customers to find success in using Aanval, and also to educate them along the way regarding maintenance and management of the product.