Clear All Events from the SIEM Database

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance backs up events every day and purges them after a threshold (see Event Backup Configuration). Sometimes, however, you may want to clear the entire database and start fresh. For example, after the initial deployment and benchmarking exercise (see Establishing Baseline Network Behavior), you may have concluded that all events in the database are noise. After configuring policies and making sure they are effective, you want a clean database to receive new events. In this case, you can clear existing events from the SIEM database manually.

Important: For compliance reasons, you may need to keep all events for a number of days. If you are not sure, consult your compliance officer.

To delete all the events through the web UI

  1. Log in to the USM Appliance web UI.
  2. Go to Configuration > Administration > Backups.
  3. Click Clear SIEM Database.

To delete all the events through the LevelBlue Setup menu

  1. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  2. Select Maintenance & Troubleshooting.
  3. Select Maintain Database.
  4. Select Reset SIEM database.

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.