Quick Support: “None of my sensor’s events are showing in Aanval.”

After getting Aanval installed, set up, and sensors connected, users sometimes ask: “Why aren’t I seeing any events?”

Not a problem. Aanval 8 is loaded with new security and analytical tools. If you aren’t seeing your sensor’s events, first go to the Configuration Menu and select the proper import module (Unified2 Module, MySQL Module, Syslog Module). Under each module you’ll find Sensor Configuration.


After going to Sensor Configuration, choose the sensor in question. At the bottom of the menu you’ll see Sensor Permissions. These options allow admins to securely limit access to active sensors. When a box is unchecked for a given user, that user will not be able to view or manage event data for that sensor.


Make sure the chosen sensor’s Sensor Permissions are enabled for the desired user.

Aanval 8 further allows users to quickly filter sensor data on any menu, so that, for example, when viewing Frequent Offenders on the Charts menu, users can disable the view of certain sensors to focus on particular areas of the network, while sensor importing and functionality remains active in the background, just out of view.

Once Sensor Permissions are enabled, hover over the name of the logged-in user to view the drop-down menu and select Change Sensors View.


Once selected, all sensors that are both active and have the Sensor Permissions enabled for that logged-in user will be displayed. Check the box of each sensor for which you want to view and manage event data.


Once sensors are checked, event data will be immediately displayed. If after taking these steps you still do not see event data, start by making sure your sensors are active and properly logging in the Unified2 or syslog format (depending on which sensor you’re troubleshooting), and that the sensors are properly connected to Aanval.

Writing Regex with Aanval 8

Aanval and Syslog Data

While Aanval can import IDS logs from sources like Snort and Suricata, it can also import from any source that outputs in a syslog format, and the same powerful management tools, such as reporting, alerting, and correlation, are available to both IDS and syslog data. This opens the gate to hundreds of vendors, products, and devices that can easily send data to Aanval for syslog processing.

Importing Syslog Data

Syslog data can be imported to Aanval by two methods: sending the data directly over UDP port 514 to Aanval’s own syslog server, or having Aanval fetch the event data from a file.


Regex Filters

Once syslog sensors are configured and event data starts being imported, users then need to write regex-based filters to parse specific data from their logs, such as the source IP or port. Below is a listing of all the values Aanval can parse:

* Date
* Time
* Protocol
* Source Address
* Destination Address
* Risk Level
* Source Port
* Destination Port
* Payload
* Event Name
* Category Name


Aanval 8 makes it much easier to write advanced regex filters. Aanval now includes its own regex tester, so you can quickly see the match results of your regex without having to test externally or wait for results. Aanval also includes advanced capabilities to join two different regexes to be used as one. For example, we may use the following regex to search for and grab everything that follows “src=” in an attempt to grab the source port where the actual port number is attached to the source address (src=


While this regex would grab the source port, it also grabs everything that follows, which might then include additional details we don’t want for this value, and we still haven’t identified the actual port number or parsed it. By adding a double tilde (~~) to the end of our first regex, we can add a second regex that will then search for and grab what we want from the smaller portion following “src=” that was just grabbed:


This second expression now searches for the first colon and grabs the number that immediately follows, regardless of its length, thus identifying and parsing the desired source port. Our entire regex would then be entered into Aanval as follows:


These advanced regex working and testing tools have enabled users to quickly set up their syslog sensors and parse the exact details they need to then have their syslog data appear and work as their IDS data. This then makes searching easier, reports more detailed, and the overall network visibility stronger and clearer.
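
The two-stage matching described above can be emulated outside Aanval. This is an added example, not Aanval's code and not the expressions from the original post: the patterns and log lines are constructed, and the capture-group handling in `apply_chained` is an assumption about how a stage hands its result to the next.

```python
import re

JOIN = "~~"  # double-tilde join between two expressions, as described above


def apply_chained(filter_expr, line):
    """Run each ~~-separated stage against what the previous stage grabbed.

    Assumption: a stage hands on its first capture group if it has one,
    otherwise the whole match. Returns None as soon as a stage fails.
    """
    text = line
    for stage in filter_expr.split(JOIN):
        match = re.search(stage, text)
        if match is None:
            return None
        text = match.group(1) if match.re.groups else match.group(0)
    return text


# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_V4 = ("Jul 14 15:13:42 fw01 kernel: DROP proto=TCP "
             "src=203.0.113.7:51514 dst=198.51.100.20:443 len=60")
SAMPLE_V6 = ("Jul 14 15:13:42 fw01 kernel: DROP proto=TCP "
             "src=[2001:db8::1]:51514 dst=[2001:db8::20]:443 len=60")

GRAB_AFTER_SRC = r"src=(.*)"          # stage 1: everything that follows "src="
FIRST_COLON_NUM = r":(\d+)"           # stage 2: first colon, then the digits after it
LAST_COLON_IN_TOKEN = r"^\S+:(\d+)"   # stricter stage 2: last colon of the first token

SRC_PORT = GRAB_AFTER_SRC + JOIN + FIRST_COLON_NUM
SRC_PORT_STRICT = GRAB_AFTER_SRC + JOIN + LAST_COLON_IN_TOKEN

if __name__ == "__main__":
    # Stage 2 alone hits the timestamp's colon first and returns the minutes.
    print("stage 2 alone :", apply_chained(FIRST_COLON_NUM, SAMPLE_V4))
    # Joined, stage 2 only sees the text after "src=".
    print("joined, IPv4  :", apply_chained(SRC_PORT, SAMPLE_V4))
    # A bracketed IPv6 source has colons inside the address itself.
    print("joined, IPv6  :", apply_chained(SRC_PORT, SAMPLE_V6))
    print("strict, IPv6  :", apply_chained(SRC_PORT_STRICT, SAMPLE_V6))
    print("no src= field :", apply_chained(SRC_PORT, "Jul 14 15:13:42 fw01 up"))
```

The IPv6 case shows why a filter should be run through the regex tester against every address format a device emits: a wrong port parsed silently will skew searches and correlation on that field.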


See Also

* Aanval Wiki: Syslog Sensor Configuration
* Aanval Wiki: Syslog Filter Assignment

Sensor Filtering with Aanval 8

Aanval 8 Sensor Filtering

New to Aanval 8 is an all-new system for quickly filtering data based on sensors. For example, while viewing Frequent Events, a user can filter the view to focus on a single sensor or group of sensors by quickly disabling the view of other active sensors. While event importing and processing for disabled/filtered sensors continues in the background, event and analytical tools calculate and display data from only selected/unfiltered sensors. As filtered sensors are again checked or enabled, displays quickly and automatically update to account for the additional sensors and data.

How to Filter a Sensor

Hover over the name of the logged-in user in the upper right-hand corner, and a listing of options will show in a drop-down box.


Select Change Sensors View and a box will be displayed of sensors that have been set up and enabled on their respective Sensor Configuration pages. Check or uncheck sensors to change the data view on any menu. And because the Change Sensors View is part of the menu bar, it’s available to access on any page, allowing you to quickly make changes and get the focus and data you need.



The Change Sensors View is the first menu to check when users setting up new sensors ask why they aren’t seeing events or sensors. Sensors are not automatically enabled in this menu after being added to Aanval in a Sensor Configuration menu.

If the Change Sensors View is blank after adding new sensors, go back to the proper Sensor Configuration menu and check the User Permissions at the bottom of the page to ensure each user has intended access to each sensor. Once updated, refresh the page and select the Change Sensors View menu again and the new sensors will be available to check.

Upcoming Webinar on June 15th: Tactical FLEX, Inc. Debuts Aanval 8


Wed, Jun 15, 2016 7:00 AM – 7:30 AM PDT

Come join us and discover the excitement of Aanval 8 and find how to monitor every aspect of your network environment without breaking the bank! This upcoming webinar will provide an overview of Aanval 8 and cover a few selected features and enhancements including an all-new HTML5 look and feel, direct Unified2 IDS event importing, threat level displays and global heat maps, automation and reporting systems, and syslog enhancement. Learn why Aanval 8 is the complete end-to-end security solution for your IDS and syslog data.


Tactical FLEX, Inc. Advances Best Performing IDS with Debut of Aanval 8

An Unparalleled End-to-End SIEM-Based Snort, Suricata, and Syslog IDS Solution

Seattle, May 31, 2016 /PRNewswire/ – Tactical FLEX, Inc., a global leader of information security, vulnerability, and risk management software solutions, today announced the debut of Aanval 8, the latest version of its market-leading IDS and SIEM platform. Tactical FLEX, Inc. continues to set a new bar and advances Aanval 8 with performance upgrades, enhanced threat detection, and a host of new features designed to deliver complete security visibility, real-time monitoring, and situational awareness.

Budget constraints are one of the main obstacles that challenge information security operations. Tactical FLEX, Inc. understands that all organizations need a comprehensive, scalable, and affordable real-time threat management solution that gives IT departments the technological power and operational efficiency to accelerate the accurate detection of security threats as well as pinpoint security risks in order to safeguard critical assets while maintaining regulatory compliance. Aanval 8 is designed and priced to deliver affordable enterprise-class security for all business sizes.

A few selected features and enhancements in Aanval 8:

* All-New HTML5 Look and Feel: A complete re-write of nearly the entire code-base to make it our most stable and advanced version of Aanval yet.

* Direct Unified2 IDS Event Importing: Getting Barnyard2 working with IDS engines has been a major headache in the IDS community, along with its lack of IPv6 support. With Aanval 8, users can import and manage IDS event data, including IPv6 addresses, directly from Snort or Suricata by way of Aanval’s new and advanced Sensor Management Tools (SMTs). Alternatively, importing with Barnyard2 and a MySQL database is still supported but not required.

* Threat Level Displays and Global Heat Maps: Visual Heat Maps technology, along with improved GeoLocation and brilliant customizable dashboards, are aimed to help users pinpoint and translate security issues and risks for upper management with contextual views replacing pointless charts and manual spreadsheets.

* Automation and Reporting Systems: Many security departments consist of one or two admins trying to stay on top of security threats and manage logs and reports. Aanval 8 delivers the necessary automation and operational efficiency for security pros. Quickly and easily create or modify any number of automated tasks for alerts and event management. Custom on-demand and scheduled reports provide clear results with helpful graphs and displays.

* Syslog Enhancements: Aanval 8 adds increased speed and capacity for retrieving and filtering large amounts of syslog data sent by various network devices. Also included is a new regex testing tool designed specifically for Aanval’s advanced syslog filtering logic.

Details of Aanval 8 are available at https://www.aanval.com/aanval. Aanval software, hardware, support, and training services may be purchased at https://www.aanval.com/purchase. Aanval may be downloaded for testing and evaluation. Follow Aanval on Twitter @Aanval.

About Tactical FLEX, Inc.

Tactical FLEX, Inc. is a privately owned software development firm based in Washington state, specializing in information security research, engineering, technology design, and production. For over a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world including government security, defense organizations, financial services, energy companies, educational institutions, healthcare organizations, and many others. As a trusted security vendor, there are over 6,000 customers worldwide that rely upon Aanval as part of their security infrastructure. Please visit https://www.aanval.com for more information.

Aanval 8 Is Here!

Aanval 8 is a major update and it’s packed with new and upgraded features:


  • An all-new HTML5 look and feel. Responsive. Faster.
  • Directly import Unified2 logs from Snort and Suricata. Barnyard2 is not required but still supported.
  • IPv6 support
  • Global Heat Maps and Improved GeoLocation
  • Improved syslog importing and new regex testing
  • Improved reports
  • Much more!

Check out Aanval.com for full details and other valuable documents:

We’re very excited about this release and want to make sure everyone has a chance to use Aanval 8. Download now at aanval.com/download. It comes with a license to test with a single IDS sensor and a single syslog sensor.

We have an Aanval solution for every environment. Each package includes an unlimited sensor-monitoring license, support, and console maintenance, so you’ll always have access to the latest features, fixes, and major version releases. From Aanval Small Business and Standard, to Enterprise, we have you covered.

Aanval Support Q&A: Expired Console and I Can’t Log In

Q: I tried opening Aanval on my browser, but I received a message saying the license has expired and my console is locked. I know the license is still valid. What’s happening?

A: If you’re having this or any login issue, the root of it generally stems from the connection to MySQL, since Aanval retrieves login and license information from the Aanval MySQL database.

Remedy: Make sure MySQL is up and running and the connection is solid. What we sometimes see is that MySQL is down because the disk is full. You may try connecting via another host or method to ensure MySQL is accessible. 

Once MySQL is back online, navigate to Aanval as you normally would and log in.

If you’re still receiving an Expired message, enter the address to Aanval in the browser and add the following to the end of the URL:


This will take you directly to the login screen. In some cases the license really has expired. If that is the case, not a problem; all the data is intact and the console simply needs an updated license key. This login method will allow you to log in and navigate to License Management and update the license. If you’re still having issues, there may be further issues with the disk or database or login credentials. For further questions or issues, check out our Troubleshooting Guide at our Aanval Wiki, or contact Support. 

Aanval Support Q&A: Aanval Installation Issue: Can’t Connect to MySQL?

Q: During the web-based portion of the Aanval installation, I get to a menu where I enter the location of the aanvaldb and the credentials to access it, but upon submitting them I get a few errors and I can’t proceed. I can connect to MySQL on the command line and confirm it’s running and the credentials are correct. What’s going on?

Install Error

A: Aanval connects to MySQL with the default port of 3306. If these errors display, it is because the MySQL instance is started and accessible only by port 3307 (used in SSL connections).

There are two methods to remedy the error. The first is to locate and edit the script or plist that starts MySQL and update the line which would read something similar to <string>--port=3307</string> to read <string>--port=3306</string> and then restart MySQL.

The other method would be to return to the configuration menu on the browser and when entering the location of the Aanval database enter also the specific port. So in the example of a local installation, you’d enter

Aanval Support Q&A: Aanval Installation Issue: Missing Modules?

Q: I downloaded and untarred Aanval according to the guide provided (http://wiki.aanval.com/wiki/Aanval:V7_Installation_Guide) and installed all prerequisites, but after I point my browser to the Aanval location and accept the EULA, I get an error noting that MySQL is missing. I show that MySQL is installed and running. Can you help? I’m using CentOS 6 on a VM.

A: That step is an Environmental Test in which all necessary PHP modules and directory structures and permissions are searched and tested. Your results show that not MySQL but the PHP MySQL module is missing. It’s a very simple fix.

First, install that module:

yum install php-mysql

Second, restart Apache:

apachectl restart

Third, while on the browser, click the Retest option at the bottom of the page showing the Environmental Test results (you can also completely restart the web-based portion of the install by directing a new browser window to the Aanval location). The test will now confirm that module is installed and you can continue to the next step of pointing Aanval to the location of the aanval database so that Aanval can automatically build its structure and tables, and then log in.

Aanval 8: Coming Soon!

Aanval 8 Sneak Peek
Aanval 8 is almost here, with a brand new look, and loaded with new and improved features and performance!

Nearly a year in the making, Aanval 8 boasts dozens of new features and a complete re-write of nearly the entire code-base to make it our most stable and advanced version of Aanval yet.

Featuring: HTML5, IPv6 Support, Direct Unified2 Support, Threat Levels Displays, Heat Maps, Syslog Updates, New Automation System, and more.


Check out other screenshots and details at https://www.aanval.com/aanval8

Aanval 8 will be publicly released in the coming weeks, and will be a free upgrade to all current Aanval SMB, SAS, and SAS Enterprise customers.