So that the SIEM console is not flooded with millions of messages about sshd and the like, we create a filter in /etc/rsyslog.d/av-filter-avapi.conf:
# /etc/rsyslog.d/av-filter-avapi.conf
# rsyslog evaluates these rules top to bottom. "& ~" discards the current
# message after the preceding action, so no later rule (and no forwarding
# to the SIEM) ever sees it. Newer rsyslog versions spell the discard "& stop".
#
# The routing rules for avapi / www-data activity must come BEFORE the
# catch-all "$msg contains 'avapi'" discard: placed after it (as originally
# written) they could never match and avapisecure.log stayed empty.
if $programname == 'sshd' and $msg contains 'Accepted publickey for avapi' then -/var/log/alienvault/api/avapisecure.log
& ~
if $programname == 'sshd' and $msg contains 'session opened for user avapi' then -/var/log/alienvault/api/avapisecure.log
& ~
if $programname == 'sshd' and $msg contains 'session closed for user avapi' then -/var/log/alienvault/api/avapisecure.log
& ~
if $programname == 'sudo' and $msg contains 'avapi' then -/var/log/alienvault/api/avapisecure.log
& ~
if $programname == 'sudo' and $msg contains 'www-data' then -/var/log/alienvault/ui/ui.log
& ~
# Everything else coming from the AlienVault server itself (matched by name
# or by address; replace x.x.x.x with its IP) is dropped before it reaches
# the SIEM. Writing to -/dev/null and then discarding is redundant (the "& ~"
# alone would do), but it is kept as written.
if $fromhost == 'fqdn-alientvaultserver.domain.net' then -/dev/null
& ~
if $fromhost == 'x.x.x.x' then -/dev/null
& ~
if $programname == 'sshd' and $msg contains 'x.x.x.x' then -/dev/null
& ~
if $msg contains 'avapi' then -/dev/null
& ~
if $programname == 'su' and $msg contains 'user daemon' then -/dev/null
& ~
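To check where each message ends up before touching a live sensor, here is an added Python simulation of the rule chain (it is not part of the page, of rsyslog or of AlienVault). It models "& ~" as first-match-wins and compares the order as originally written (the catch-all 'avapi' discard ahead of the routing rules) with the routing rules placed first; the sample messages, the hostname "sensor1" and the addresses are constructed.

```python
"""Simulate the av-filter-avapi.conf rule chain (hypothetical helper)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Msg:
    fromhost: str     # rsyslog $fromhost
    programname: str  # rsyslog $programname
    msg: str          # rsyslog $msg


# A rule is (predicate, destination). Because every rule is followed by
# "& ~", the FIRST matching rule decides the destination and the chain stops.
Rule = Tuple[Callable[[Msg], bool], str]

AV_HOST = "fqdn-alientvaultserver.domain.net"          # from the page
API_LOG = "/var/log/alienvault/api/avapisecure.log"    # from the page
UI_LOG = "/var/log/alienvault/ui/ui.log"               # from the page

keep_rules: List[Rule] = [
    (lambda m: m.programname == "sshd" and "Accepted publickey for avapi" in m.msg, API_LOG),
    (lambda m: m.programname == "sshd" and "session opened for user avapi" in m.msg, API_LOG),
    (lambda m: m.programname == "sshd" and "session closed for user avapi" in m.msg, API_LOG),
    (lambda m: m.programname == "sudo" and "avapi" in m.msg, API_LOG),
    (lambda m: m.programname == "sudo" and "www-data" in m.msg, UI_LOG),
]
drop_rules: List[Rule] = [
    (lambda m: m.fromhost == AV_HOST, "/dev/null"),
    (lambda m: "avapi" in m.msg, "/dev/null"),          # catch-all discard
    (lambda m: m.programname == "su" and "user daemon" in m.msg, "/dev/null"),
]
PAGE_ORDER = drop_rules + keep_rules    # discards first, as originally written
FIXED_ORDER = keep_rules + drop_rules   # specific routing before the catch-all

# Constructed sample messages (not real log data).
SAMPLES = [
    Msg("sensor1", "sshd", "Accepted publickey for avapi from 10.0.0.5 port 4242 ssh2"),
    Msg("sensor1", "sudo", "www-data : TTY=unknown ; USER=root ; COMMAND=/usr/bin/alienvault-api"),
    Msg("sensor1", "sshd", "Connection closed by 203.0.113.9 port 5555 [preauth]"),
    Msg(AV_HOST, "cron", "(root) CMD (run-parts /etc/cron.hourly)"),
]


def first_match(m: Msg, rules: List[Rule]) -> str:
    """Destination of the first matching rule; 'siem' if nothing matched,
    i.e. the message would be forwarded to the SIEM untouched."""
    return next((dest for pred, dest in rules if pred(m)), "siem")


def routes(rules: List[Rule]) -> List[str]:
    return [first_match(m, rules) for m in SAMPLES]
```

With the original order the avapi login is swallowed by the catch-all and never reaches avapisecure.log; with the routing rules first it does, while the other three samples route identically in both orders.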
Then, in the AlienVault web console, create a policy for the AVAPI data source group with SIEM set to NO, so that its events are not stored in the SIEM:
Configuration > Threat Intelligence > Av Default policies > Create/Modify
Policy name: AVAPI Filter
Any-Any-Any-Any : DS-Groups: AVAPI / Event Types: ANY / SIEM: NO