Log Correlation Engine 4.4 Administration and User Guide May 17, 2016 (Revision 7)


Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

2

Table of Contents

Introduction ............................................................................................................................................................... 5

Standards and Conventions....................................................................................................................................................................... 5

Components of the Log Correlation Engine ........................................................................................................................................ 5

IDS Collection and Correlation ................................................................................................................................................................. 6

IDS Collection Only ..................................................................................................................................................................................... 6

Prerequisites ................................................................................................................................................................................................... 7

Supported Operating Systems/Platforms .............................................................................................................................................. 7

Licenses .......................................................................................................................................................................................................... 7

SecurityCenter ............................................................................................................................................................................................. 7

Secure Shell Public Keys ............................................................................................................................................................................. 7

Secure the Log Correlation Engine Server System ................................................................................................................................ 7

LCE 4.4 Overview ...................................................................................................................................................... 8

LCE Server Installation........................................................................................................................................... 9

Getting Started .............................................................................................................................................................................................. 9

Installation Location ..................................................................................................................................................................................... 9

Installing the Package ............................................................................................................................................................................... 10

Setup Wizard ............................................................................................................................................................................. 10

Step 1: Change Default Password ......................................................................................................................................................... 10

Step 2: Proxy Configuration ..................................................................................................................................................................... 11

Step 3: Set Activation Code ...................................................................................................................................................................... 11

Step 4: Port Configuration ........................................................................................................................................................................ 13

Step 5: Database Directory ...................................................................................................................................................................... 13

Step 6: Network Ranges ............................................................................................................................................................................ 13

Setup Complete ............................................................................................................................................................................................ 14

Files and Layout .......................................................................................................................................................................................... 15

Base Directories ........................................................................................................................................................................................ 15

The admin Directory ................................................................................................................................................................................ 15

The daemons Directory ........................................................................................................................................................................... 15

The db Directory ....................................................................................................................................................................................... 15

The var Directory ...................................................................................................................................................................................... 15

Installing the License ................................................................................................................................................................................. 15

Hostname Determination ....................................................................................................................................................................... 15

Manual Key Installation .......................................................................................................................................................................... 16

Upgrading the License ............................................................................................................................................................................. 16

System Configuration ........................................................................................................................................... 17

Basic Configuration ................................................................................................................................................................................... 17

Storage Configuration .............................................................................................................................................................................. 19

IDS Configuration ...................................................................................................................................................................................... 20

Load Balancing Configuration ............................................................................................................................................................... 21

Configuring the Primary LCE Server..................................................................................................................................................... 22

Configuring the Auxiliary LCE Server ................................................................................................................................................... 22

Advanced Configuration Options ......................................................................................................................................................... 23

Storage ........................................................................................................................................................................................................ 23

LCE Web Server ........................................................................................................................................................................................ 24


Sensor Names ............................................................................................................................................................................................ 25

Clients ......................................................................................................................................................................................................... 26

User Tracking ............................................................................................................................................................................................. 27

Host Discovery and Vulnerabilities ..................................................................................................................................................... 30

Statistical Alerts ........................................................................................................................................................................................ 31

Resource Usage and Performance ........................................................................................................................................................ 33

DNS Caching .............................................................................................................................................................................................. 34

Data Forwarding....................................................................................................................................................................................... 35

Sending Syslog Messages to Other Hosts ........................................................................................................................................... 35

Syslog Compliant Messages ..................................................................................................................................................................... 35

Content of Forwarded syslog Messages ............................................................................................................................................. 36

Checksum Forwarding ............................................................................................................................................................................... 36

TCP Syslog ...................................................................................................................................................................................................... 36

Correlation ..................................................................................................................................................................................................... 37

TASL and Plugins ........................................................................................................................................................................................ 37

Excluding TASL Files ................................................................................................................................................................................ 37

Excluding PRM Files ................................................................................................................................................................................. 37

TASL Parameters ...................................................................................................................................................................................... 38

Event Rules ................................................................................................................................................................................................... 38

Email Syntax .............................................................................................................................................................................................. 38

Syslog Syntax ............................................................................................................................................................................................. 38

Custom Command Syntax ...................................................................................................................................................................... 38

LCE Rule Filters ......................................................................................................................................................................................... 38

LCE Shell Command Options ................................................................................................................................................................. 41

Email/Alerting/Execution ........................................................................................................................................................................ 42

Debugging ..................................................................................................................................................................................................... 43

Debug Mode .............................................................................................................................................................................................. 43

Storing All Logs with “save-all” .............................................................................................................................................................. 43

Different File System ............................................................................................................................................................................... 43

Multiple Plugin Matches per Log File “multiple-matches” ........................................................................................................... 43

Quick Example .......................................................................................................................................................................................... 44

SSH Keys ....................................................................................................................................................................................................... 46

Service Control ........................................................................................................................................................................................... 48

Feed Settings ............................................................................................................................................................................................... 48

Feed Registration ...................................................................................................................................................................................... 48

Plugin Update .............................................................................................................................................................................................. 49

Updating Plugins (PRM Files) and TASL Scripts ................................................................................................................................ 49

Automatic Plugin (PRM Files) and TASL Updates ............................................................................................................................. 49

Updating Individual PRM Files .............................................................................................................................................................. 50

Offline Updates ........................................................................................................................................................................................... 51

Web Proxy .................................................................................................................................................................................................... 51

LCE Health and Status .......................................................................................................................................... 52

Correlation Statistics ................................................................................................................................................................................ 53

LCE Users .................................................................................................................................................................. 57

Add Users ...................................................................................................................................................................................................... 58

Edit Users ...................................................................................................................................................................................................... 58

Remove Users .............................................................................................................................................................................................. 59

Managing Client Configuration Files .............................................................................................................. 60


Upgrading LCE ........................................................................................................................................................ 60

LCE Command Line Operations ........................................................................................................................ 61

Starting LCE ................................................................................................................................................................................................. 61

Halting LCE ................................................................................................................................................................................................... 61

Restarting LCE ............................................................................................................................................................................................ 61

Determine LCE Status .............................................................................................................................................................................. 62

Operating the stats Daemon .................................................................................................................................................................. 62

Additional Features ............................................................................................................................................... 62

Importing LCE Data Manually ............................................................................................................................................................... 62

User Tracking ............................................................................................................................................................................................... 64

Working with SecurityCenter ............................................................................................................................ 65

Adding the LCE to SecurityCenter ....................................................................................................................................................... 65

Configuring Organizations ...................................................................................................................................................................... 67

Analyzing Security Events ....................................................................................................................................................................... 68

Identifying Vulnerabilities ....................................................................................................................................................................... 68

TASL Scripts ............................................................................................................................................................................................... 68

Full Text Searches ...................................................................................................................................................................................... 69

Tokens ......................................................................................................................................................................................................... 69

Operators ................................................................................................................................................................................................... 69

Grouping ..................................................................................................................................................................................................... 70

Examples: Putting it All Together .......................................................................................................................................................... 70

For More Information ........................................................................................................................................... 72

About Tenable Network Security ...................................................................................................................... 73

Appendix 1: Sample msmtp.conf File .............................................................................................................. 74

Appendix 2: Event Rule Table ............................................................................................................................ 75

Appendix 3: Troubleshooting ............................................................................................................................. 78

Appendix 4: Manual SC4/LCE Key Exchange ............................................................................................... 79

Appendix 5: Non-Tenable License Declarations.......................................................................................... 81


Introduction

This document describes the installation, configuration, and administration of Tenable Network Security’s Log Correlation Engine 4.4 for use with SecurityCenter (including SecurityCenter Continuous View). Please email any comments and suggestions to [email protected].

The LCE is used with Tenable’s SecurityCenter, which is installed separately. This documentation assumes that you already have an operational SecurityCenter. Knowledge of SecurityCenter operation and architecture is also assumed. Familiarity with system log formats from various operating systems, network devices, and applications and a basic understanding of Linux and Unix command line syntax is also assumed.

Standards and Conventions

Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as gunzip, httpd, and /etc/passwd.

Command line options and keywords are also indicated with the courier bold font. Command line examples may or may not include the command line prompt and output text from the results of the command. Command line examples will display the command being run in courier bold to indicate what the user typed, while the sample output generated by the system will be indicated in courier (not bold). Following is an example running of the Unix pwd command:

# pwd

/opt/local/lce

#

Important notes and considerations are highlighted with this symbol and grey text boxes.

Tips, examples, and best practices are highlighted with this symbol and white on blue text.

Components of the Log Correlation Engine

The Log Correlation Engine (LCE) has three main components: the LCE clients, the daemon/server component (lced), which is referred to as the LCE server, and a GUI interface that is used for LCE server administration. Data gathered by LCE is analyzed using SecurityCenter.

The LCE clients are installed on hosts to monitor and collect events that are forwarded on to the LCE server. When received by the LCE server, events are both stored as raw logs and normalized and correlated with vulnerabilities (if applicable). The SecurityCenter UI makes both the raw and normalized event data available to the user for event analysis and mitigation.

LCE users work with log data from a wide variety of sources. Each organization can make queries to one or more LCE servers that contain events from a wide variety of devices including firewalls, servers, routers, honeypots, applications, and many other sources. The LCE supports many types of agents including:

Windows Event Logs (collected locally or remotely via a WMI client)

Windows, Linux, and Unix system and application logs

Check Point OPSEC events

Cisco RDEP events


Cisco SDEE events

NetFlow

Splunk

Sniffed TCP and UDP network traffic (Tenable Network Monitor)

Sniffed syslog messages in motion

File monitoring (Linux, Unix, and Windows)

LCE has many signature processing libraries to parse logs and can normalize and correlate most network IDS devices, as well as messages from SecurityCenter. The LCE supports the following IDS sources:

IDS Collection and Correlation

Bro

Cisco IDS

Enterasys Dragon

HP TippingPoint

IBM Proventia (SNMP)

Juniper NetScreen IDP

McAfee IntruShield

Fortinet IDS events

Snort (and Snort-based products)

TippingPoint’s syslog event format must be modified to use a comma delimiter rather than a tab delimiter before it can be processed by the LCE.

IDS Collection Only

AirMagnet

Check Point (Network Flight Recorder)

Portaledge

Toplayer IPS

There are thousands of normalization rules that support most operating systems, firewalls, network routers, intrusion detection systems, honeypots, and other network devices. The list of officially supported log sources is frequently updated on the Tenable website.


Prerequisites

It is important to ensure that the prerequisite requirements for LCE are met before beginning installation. These requirements include:

A CentOS/RHEL OS platform with all unnecessary services disabled

LCE license

LCE management installation (SecurityCenter)

LCE clients 4.0 or higher (if applicable)

Secure Shell (SSH) key generation

Supported Operating Systems/Platforms

The LCE server component is available for the Red Hat Enterprise Linux (RHEL) and CentOS 5.x and 6.x operating systems for 32-bit and 64-bit platforms. One or more LCE servers can be configured to operate with a single SecurityCenter.

The LCE server can be installed on the SecurityCenter’s host system, but this configuration is not recommended for performance reasons.

Licenses

Each LCE server is licensed to the specific hostname of the system on which it is to be installed. There is no licensed limit to the number of events or IPs that the LCE can be configured to monitor.

There are different licenses available for the LCE based on the total amount of storage used by the LCE. The licenses are based on 1 TB, 5 TB, and 10 TB storage sizes. A license for LCE is provided as a part of the SecurityCenter Continuous View offering. The maximum number of silos available to each license size is 103, 512, and 1024, respectively. There is no difference in the LCE software that is installed, just the maximum storage size that can be used by the LCE. Data silos are always limited to a maximum size of 10 GB per silo.

SecurityCenter

LCE information is analyzed utilizing SecurityCenter, so you must have an operational SecurityCenter deployed before installing LCE. Please refer to the SecurityCenter documentation for more information on installation and configuration.

Secure Shell Public Keys

LCE analysis is provided to SecurityCenter through the use of command execution across a Secure Shell (SSH) network session. When SecurityCenter queries an LCE server, it invokes an SSH session to the configured LCE server. All execution and analysis of LCE data occurs on the LCE server.

SSH public keys are configured such that SecurityCenter can invoke commands on the LCE server. Non-system-administrator accounts are used to perform these queries. The trust relationship is only needed from SecurityCenter to the LCE server.

Secure the Log Correlation Engine Server System

It is recommended that the server operating system be locked down before installation to ensure that no unnecessary services are running. The only services required to support remote users are SSH and the LCE administration web GUI. While the LCE daemon is operational, it will listen by default on UDP port 514 for syslog messages, UDP port 162 for SNMP, TCP port 601 for reliable syslog service messages over TCP, TCP port 31300 for the LCE API (needed if LCE clients are operational), TCP port 31302 for load balanced LCE servers, and port 8836 for the LCE administration web GUI. If vulnerability detection features are used with SecurityCenter, the default TCP port 1243 will also be used.

The system running the LCE can operate a syslog daemon, but the syslog daemon must not be listening on the same port(s) that the LCE server is listening on.

LCE 4.4 Overview

LCE 4.4 contains a large number of improvements over previous versions including the new LCE GUI for administration of the LCE server. Previously LCE was configured by logging into the server and manually editing the lce.conf file from the command line. The new LCE GUI eliminates the need to do this. If the LCE is being upgraded all the previous settings will be imported from the original lce.conf file. If this is a new installation, the initial and basic configuration will be done using the “Setup Wizard”, described later in this documentation.

The following image shows what the LCE GUI will look like upon initial login after the LCE has been upgraded. The initial section that is displayed is “Health and Status”. Details on each sub-section are described later in this document. To edit any configuration option select “Configuration”. To add or remove a user, select “Users”.

The right side of the screen displays the username of the user that is currently logged in. Clicking on the drop-down arrow beside the username displays a list of options. These options allow the currently signed in user to “Change Password”, view basic “Help & Support” information, or “Sign Out” of the LCE GUI.


There is also a red bell shown in the extreme far right hand corner of the LCE GUI that displays the last few notifications generated by the LCE server. These notifications can also be found in the “Alert” section of the “Health and Status” page.

LCE Server Installation

Getting Started

Before beginning the LCE installation, it is important to understand the high-level steps required to facilitate a successful installation. These steps are typically performed in the following order:

1. Download the LCE server RPM and confirm the integrity of the installation package by comparing the downloaded MD5 checksum with the one listed in the product release notes.

2. Install the LCE server RPM.

3. Download the license key, and copy the activation code from the “Activation Code” section of the Tenable Support Portal (https://support.tenable.com).

4. Using a web browser, navigate to the address or hostname of the LCE server over port 8836 (https://<ip or hostname>:8836), and complete the “Quick Setup” wizard.

5. Add the LCE server to the SecurityCenter, via the SecurityCenter’s web interface as a SecurityCenter Administrator user.

Installation Location

The installation file may be placed anywhere on the installed system. The installation steps described below assume execution from the same directory where the installation package is located.


Installing the Package

To ensure consistency of audit record time stamps between the LCE and SecurityCenter, make sure that the underlying OS makes use of the Network Time Protocol (NTP) as described in: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-Date_and_Time_Configuration-Command_Line_Configuration-Network_Time_Protocol.html

If you are upgrading from a previous version of LCE, please skip this section and see the section titled “Upgrading the Log Correlation Engine” below. Please follow the instructions in this section for new installations.

As the root user, install the LCE RPM using the following command:

# rpm -ivh lce-4.4.x-el6.x86_64.rpm

An example is shown below:

# rpm -ivh /tmp/lce-4.4.0-el6.x86_64.rpm

Preparing... ########################################### [100%]

1:lce ########################################### [100%]

The installation process is complete.

Please refer to /var/log/lce_upgrade.log to review installation messages.

This is a new installation. To configure LCE, please direct your browser to:

https://192.168.1.101:8836

Setup Wizard

After the initial installation is complete, navigate to the DNS name or the IP address of the LCE server over port 8836 (https://<dns name or IP address>:8836) in your preferred web browser. The login screen will be displayed. The default login credentials are User name “admin” and password “admin”. Enter the default information, and select “Sign In To Continue”.

Step 1: Change Default Password

Upon initial login, the “Quick Setup” will begin. The first step is to change the password. The password complexity is set to 4 alphanumeric characters. The password complexity can be changed, and will be covered in a later section of this guide.


Step 2: Proxy Configuration

The next section of the configuration wizard requires “Proxy Configuration” information. If a proxy is utilized in the environment where LCE is deployed select “Yes” and enter the required information into the corresponding fields. If a proxy is not required, select “No”. After the appropriate option is selected and any corresponding fields are completed, choose “Next Step”. If the LCE is not connected to the Internet, an offline plugin update will need to be periodically performed. Please review the offline plugin update section of this guide for more information.

Step 3: Set Activation Code

The “Set Activation Code” section requires a valid activation code and license key file. The activation code and license key file can be obtained by logging into the Tenable Support Portal (https://support.tenable.com) and then selecting “Activation Codes”. Enter the Activation Code and click “Apply”. A check mark can be seen next to the “Apply” button to confirm the activation code is valid.


In the “License Key File” section select “Browse”, and locate the license key file previously downloaded from the Tenable Support Portal. Select “Open” to upload the license key file.

When the license key file and activation code have been entered correctly select “Next Step” to proceed.


Step 4: Port Configuration

The “Port Configuration” section displays the default ports already assigned for each type of communication. If an alternate port is used for communication for the services listed, it can be changed here. If changes are made, select “Apply” to ensure those changes are enforced. Then select “Next Step” to continue.

Step 5: Database Directory

The “Database Directory” section displays the default LCE database location, “/opt/lce/db/”. This can be changed to an

alternate directory if needed, but is not recommended. If it is changed after the “Quick Setup” is complete, the database will need to be moved using a manual process. If changes are made, select “Apply” to ensure those changes are enforced. Confirm that there is adequate space available in the directory location for the license that you have uploaded, which is reported in the center of the “Database Directory” window, and then select “Next Step” to continue.

Step 6: Network Ranges

The “Network Ranges” section specifies the networks to be monitored or ignored by LCE. The network ranges that are to be monitored by LCE will need to be entered in CIDR notation (192.168.0.0/24) or IP/netmask (192.168.0.0/255.255.255.0) into the “Monitored Network” box. The networks that are excluded from LCE will need to be entered in CIDR notation or IP/Netmask in the “Excluded Network” box. After the information is entered select “Next Step”.

Setup Complete

At this point the “Quick Setup” process is complete, and LCE services will require a restart. If you would like to revisit any step before finalizing the configuration, choose “Previous Step” to edit the desired step. Otherwise select “Restart” to complete setup.

Once the LCE has restarted the initial configuration is complete. It is possible to log in to the LCE web interface to address any additional configuration to include syslog forwarding, load balancing across multiple LCE servers, NAT setup for LCE clients, and other advanced settings.

For more information on large scale deployments, please refer to the Log Correlation Engine 4.4 High Availability Large Scale Deployment Guide.

The installation process will create a user and group named “lce” and install the LCE server to the /opt/lce directory. All files will be installed with the user and group of “lce” except for the actual lced daemon, which is set-user-id root. This must be started as the “root” user, and once the daemon has bound to the appropriate port(s), it will drop privileges. If the lced daemon terminates abnormally for any reason, the system will automatically restart the daemon and add a warning to the LCE logs.


Files and Layout

Base Directories

Within the /opt/lce directory are some main tools and various sub-directories including, of particular interest: admin, daemons, and db.

The admin Directory

This directory contains all of the LCE’s log files. There is a subdirectory named log that contains various log files. System log file names are based on the year and month, such as 2014May.log. Log files in the main log directory are general LCE system log files. Within subdirectories of the log directory are logs for specific aspects of the LCE such as clientmanager, indexing, stats, queries, reporter, and imports.

The daemons Directory

This directory holds the actual lced binary and several helper functions to update the LCE plugins. The LCE Client Manager binary and support files are also located within this directory and its subdirectories.

Within this directory is the plugins directory that contains all of the libraries used by the LCE to parse events. When the LCE loads, it will load all libraries in this directory unless they are disabled.

The db Directory

As the LCE is operating, it keeps all of the event data in the db directory. Each silo will be labeled with an lce(number).ndb file and its log_store and db_index_c directories.

The location of this directory will differ if the configuration was altered at some point.

The var Directory

The db subdirectory under the var directory contains the following databases: lce_alert.db, lce_config.db, lce_status.db, lce_users.db, and pm.db. The www directory contains the web client, and web server information. The users subdirectory contains a directory for each user configured in the LCE GUI.

Installing the License

If the license key file needs to be installed or updated after the setup wizard process, the following section provides instructions on how to perform this task.

Hostname Determination

The LCE uses the hostname (not the domain name) of the system it is being installed on. To determine the hostname needed for an LCE license, simply run the hostname tool and report what is returned. For example:

# hostname

honeybadger

#


Manual Key Installation

By default, the demo or commercial license key file for the LCE is uploaded through the LCE user interface during setup. If a key must be installed manually, it must be named lce.key. It must be readable by user and group “lce”. The lced process will generate an error at run time if the license is not valid. From the directory where the key was copied to initially, in this example named tenable-lce255-16-33.key, run the following commands with the appropriate key name:

# /opt/lce/tools/lce_cfg_utils --display key-file

/opt/lce/daemons/lce.key

# cp tenable-lce255-16-33.key /opt/lce/daemons/lce.key

# cd /opt/lce/daemons

# chown lce:lce lce.key

# chmod 640 lce.key

# ls -l lce.key

-rw-r----- 1 lce lce 1285 May 3 15:14 lce.key

# /sbin/service lce start

#

Use of a file transfer program that utilizes “secure FTP” (SFTP) or “secure copy” (SCP) via SSH to transfer the ASCII key file to the correct location (/opt/lce/daemons/) is recommended if the key originates on a remote system.
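A check for the state the manual installation steps above leave behind, as an added example rather than Tenable code: it confirms the key sits at the path lced reads, is owned by the “lce” user and group, has mode 640, and is non-empty plain ASCII, reporting every deviation instead of stopping at the first. The path and mode are the ones shown above; owner and group may be passed as names or numeric ids.

```python
"""Check a manually installed LCE license key file.

Added example, not part of the Tenable guide: it verifies what the manual
installation steps establish (the file sits where lced looks for it, is owned
by the "lce" user and group, has mode 640, and is non-empty plain ASCII) and
reports every deviation instead of stopping at the first one.
"""
import grp
import os
import pwd
import stat

LCE_KEY_PATH = "/opt/lce/daemons/lce.key"  # location reported by lce_cfg_utils in the guide
EXPECTED_MODE = 0o640                        # chmod 640 lce.key


def check_key_file(path=LCE_KEY_PATH, owner="lce", group="lce", mode=EXPECTED_MODE):
    """Return a list of problems; an empty list means the key file looks correct.

    owner/group may be account names (resolved through the system account
    database) or numeric ids, which keeps the check usable on hosts that do
    not have an "lce" account.
    """
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISREG(st.st_mode):
        # A symlink or directory at this path is a misconfiguration, not a key.
        return [f"{path} is not a regular file"]
    try:
        want_uid = owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid
        want_gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    except KeyError as exc:
        return [f"expected account missing on this host: {exc}"]
    if st.st_uid != want_uid:
        problems.append(f"owner uid {st.st_uid} != expected {want_uid}")
    if st.st_gid != want_gid:
        problems.append(f"group gid {st.st_gid} != expected {want_gid}")
    perm = stat.S_IMODE(st.st_mode)
    if perm != mode:
        problems.append(f"mode {perm:04o} != {mode:04o}")
    if st.st_size == 0:
        problems.append("key file is empty")
    else:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        # The guide describes the key as an ASCII file; control or 8-bit bytes
        # usually mean it was mangled in transfer (e.g. a non-text FTP mode).
        if any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t") for b in head):
            problems.append("key file is not plain ASCII text")
    return problems


if __name__ == "__main__":
    for line in check_key_file() or ["OK: lce.key looks correctly installed"]:
        print(line)
```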

Upgrading the License

It is possible to upgrade from your silo license to one with a higher capacity (e.g., 1 TB to 10 TB). A replacement license key file will be required. Perform the following steps to upgrade your license:

1. Log in to the LCE user interface (https://<ipaddress or hostname>:8836).

2. Select “Configuration” in the LCE user interface.

3. Choose “Feed Settings” in the “Configuration” menu.

4. Enter the “Activation Code”, and select “Apply”.

5. Select “Browse” next to “License Key File”, locate the LCE key file, and select “Open”.

6. Select update at the bottom of the “Feed Settings” page.

Use the grep command to examine the LCE’s log file in /opt/lce/admin/log to verify what size key is currently installed. The line with the most recent date will indicate the maximum number of silos permitted with the license:

# grep "number of silos" /opt/lce/admin/log/2014Apr.log

Apr 26, 13 07:41 (LCE Daemon) lced - number of silos is 103

Apr 26, 13 07:41 (LCE Daemon) lced - number of silos is 512

Apr 26, 13 07:41 (LCE Daemon) lced - number of silos is 1024

The number of silos can indicate the type of license in use. For example, 103 silos indicate a 1 TB license, 512 silos indicate a 5 TB license, and 1024 silos indicate a 10 TB license, when the maximum silos for a license are used.


The total number of silos along with how many silos have been used is displayed in the “Health and Status” section under the “Advanced” section of the LCE GUI as shown below.

System Configuration

The LCE system configuration is administered by logging into the LCE web interface and selecting “Configuration” at the top of the page. The sections that are available in “System Configuration” are “Basic”, “Storage”, “IDS”, “Load Balancing”, “Advanced”, “Control”, and “Feed Settings”. Each of these sections is covered in detail below. Each configuration page in the “System Configuration” section has an “Update” option at the bottom that needs to be selected prior to any changes made in that section being applied to the LCE. The updates are applied while the LCE is running, thus removing the need to restart the LCE services.

Basic Configuration

The Basic Configuration section comprises the essential configuration needed for an LCE server to function. The items in this section are addressed in the initial “Setup Wizard”, but can be changed in this section at a later time if the need arises.


Each menu option for the “Basic” section is covered in detail below.

Option Description

Server Address This option allows you to specify the IP address of the network interface(s) on which lced and lce report proxyd will listen. More than one interface may be specified on separate lines:

127.0.0.1

172.0.0.2

By default, or if left blank, the above LCE services will listen on all available network addresses.

LCE Client Port This option specifies the port number that lced listens on. By default, it is set to 31300, but may be reset to another value.

Syslog Port(UDP) LCE listens for UDP syslog traffic on the standard port of 514 by default. If the environment requires the LCE to listen on a different port, this setting may be changed.

Syslog Port(TCP) This setting determines the port to listen on for reliable syslog messages via the TCP protocol.

Include Networks The following sections define your internal network range. All networks specified in the first section are included, while the Exclude Networks option is used to make exceptions.


Make sure this range matches IP addresses that are considered “internal” from an event perspective. This range is used by a number of TASL scripts and the Stats daemon to define inbound/outbound/internal specifications for LCE events. This is different from the “Directions” filter on the SecurityCenter 4 events page, which uses the logged-in user’s managed ranges to determine event direction.

Exclude Networks Provides exceptions to the “Include Networks” directive ranges specified above.
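How the Include/Exclude Networks ranges turn into an event direction, as an added example (not Tenable code and not the TASL scripts or Stats daemon themselves): both notations the guide accepts, CIDR (192.168.0.0/24) and IP/netmask (192.168.0.0/255.255.255.0), are parsed, exclusions override inclusions, and a source/destination pair is labelled inbound, outbound, or internal. The “external” label for pairs where neither end is internal, and the sample ranges and addresses, are assumptions constructed for the example.

```python
"""Classify event direction from LCE Include Networks / Exclude Networks.

Added example, not Tenable code. ipaddress.ip_network accepts both of the
notations the guide describes (CIDR and IP/netmask), so one parser covers
both boxes. Exclude Networks are exceptions to Include Networks, so an
address in an excluded range is never considered internal.
"""
import ipaddress


def parse_ranges(lines):
    """Parse one network range per line, ignoring blanks and '#' comments."""
    nets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False tolerates host bits set (192.168.1.10/24 -> 192.168.1.0/24),
        # which is what an operator pasting a host address typically intends.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class InternalRange:
    """The 'internal' view of the network defined by the Basic configuration."""

    def __init__(self, include_lines, exclude_lines=()):
        self.include = parse_ranges(include_lines)
        self.exclude = parse_ranges(exclude_lines)

    def is_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        # A different IP version never matches, so v6 traffic against v4 ranges
        # is simply not internal rather than an error.
        if any(addr in net for net in self.exclude):
            return False  # exclusions win over inclusions
        return any(addr in net for net in self.include)

    def direction(self, src, dst):
        """inbound / outbound / internal as the guide defines them; 'external'
        (an assumed label) when neither end is internal."""
        s, d = self.is_internal(src), self.is_internal(dst)
        if s and d:
            return "internal"
        if s:
            return "outbound"
        if d:
            return "inbound"
        return "external"


if __name__ == "__main__":
    # Constructed sample configuration: two included ranges in the two
    # notations, and one excluded subnet (a lab segment, say).
    rng = InternalRange(
        include_lines=["192.168.0.0/24", "10.0.0.0/255.0.0.0"],
        exclude_lines=["10.99.0.0/16"],
    )
    for src, dst in [("192.168.0.5", "203.0.113.9"), ("203.0.113.9", "10.1.2.3"),
                     ("192.168.0.5", "10.1.2.3"), ("10.99.1.1", "203.0.113.9")]:
        print(f"{src} -> {dst}: {rng.direction(src, dst)}")
```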

Storage Configuration

The storage section of “System Configuration” shows the database location, silo size, and number of silos, and also contains the archiving configuration information.

Option Description

Database Directory Specifies the location of the LCE database directory.

Silo Size Specifies the maximum amount of data from matched log events that will be stored in one indexed file (silo). Choose “MB” to specify megabytes; for example, entering 10240 and choosing “MB” specifies a maximum silo size of 10 gigabytes. Choose “GB” to specify gigabytes; for example, entering 1 and choosing “GB” specifies 1 gigabyte. By default, this is set to 10G.


Note that the filesystem must support the file size selected within this setting.

Number of Silos Specifies the number of silos that lced will create. The maximum number of silos that can be created is 1024 for a 10 TB license, 512 for a 5 TB license, and 103 for a 1 TB license. When configuring this setting, consider the silo-size setting and maximum disk space available for storage. Example: 1 TB is available for storage and silos configured for 10 GB would allow for a maximum of 102 silos before disk exhaustion.

Enable Archiving This option allows the archive functionality of LCE to be enabled, or disabled.

Location If the archive functionality is enabled in LCE a location for the archive files must be specified. An example of an archive location is shown below: Example: /opt/lce/silo_archive

Save Database When the maximum number of silos has been reached and an older silo must be overwritten for the next silo roll, the silo to be overwritten can first be saved for future use. This option specifies whether or not to save the normalized database file which includes the event type, normalized event, username, IP addresses, ports, sensor name, and event time.

If there is insufficient disk space on the silo archive device, LCE will no longer attempt to save a silo before overwriting. If this occurs, log messages will be generated warning of the event. The event alerting functionality of LCE can be leveraged to automatically notify concerned individuals (e.g., email alert) when this sort of event occurs. Please reference the section of this document titled “Event Rules” for more information.

Save Index This option specifies if the LCE database index files are to be saved for faster searching of archived silos. The “Save Database” option must be selected for this option to be selectable.

Save Raw Logs This option specifies if the LCE raw log files are to be saved. These files contain the original matched log messages before normalization.

IDS Configuration

LCE has the ability to receive IDS events from multiple sources. In addition to being normalized and stored in the log database, each event will be checked against any SecurityCenter vulnerability databases. If a host is vulnerable to attack, the event is marked as such, allowing rules to trigger on this scenario so that the information can be distributed to the affected administrators.

For each IDS sensor, a sensor name and type must be defined as in the example below. The supported types are Snort, Bro, RealSecure, Dragon, IntruVert, IntruShield, Juniper, NetScreen, NFR, Fortinet, Cisco, TippingPoint-Sensor, and TippingPoint-SMS.


Option Description

IDS IP The IP address of the IDS.

Sensor Name Name to be used within the SecurityCenter logs.

Sensor Type IDS sensor type.

Load Balancing Configuration

Multiple LCEs may be configured in a tiered system. This allows for one LCE to be designated as the primary LCE, which can send incoming log messages to one or more auxiliary LCE servers (depending on loading, which is calculated on a regular interval). This distributes the storage and processing of the log messages among up to 256 different LCE servers. Taking advantage of this configuration allows for all the LCE clients and log sources to be configured for a single LCE server, and that primary LCE server load balances the incoming requests between itself and its auxiliary servers. Additionally, clients may be configured to send their logs directly to an auxiliary server, bypassing the primary LCE if there is a need to do so. One example would be if you want all firewall logs to go to a specific LCE for storage, then they would have their logs point to that specific LCE, bypassing the primary LCE.

Load balancing messages and logs sent between the primary and auxiliary LCEs are encrypted. To provide additional encryption, the encryption passphrase option may be configured. This option can use a phrase between 1-32 characters. When set, all of the connected LCEs must be configured with the same passphrase in their configurations.

When using tiered LCE servers, each one must be configured in SecurityCenter in order to be queried. If a SecurityCenter user only has access to three out of four LCE servers in a group, that user will receive incomplete results based only on the data stored in the three LCE servers to which the user has access.


Configuring the Primary LCE Server

The primary LCE server listens on TCP port 31302 (by default) for status data from auxiliary LCE servers. The listening port of the primary LCE server may be changed by modifying the Local Status Port option on the Load Balancing tab. There may only be one primary LCE server configured in a group, and servers may not play a dual role of primary and auxiliary. Unless the server is specifically configured to be an auxiliary LCE server, it considers itself a primary LCE server and listens on port 31302 (by default).

Configuring the Auxiliary LCE Server

When configured as an auxiliary LCE, the server will accept log files sent to it by the primary. To enable the auxiliary mode, configure the Load Balancing Auxiliary setting on the Load Balancing tab with the IP address and port number of the primary LCE. If the primary LCE is running on the default port of 31302, adding the port number is not required.

Note that when utilizing tiered LCE servers, processing of log-related options such as syslog forwarding, storing not-matched logs, and similar are performed on the server processing the logs. Such options must be configured identically on all the LCE servers for consistent results.

Option Description

Load Balancing Local

Local Server Address When there is more than one network interface available to receive data from the primary LCE, enter the IP address of the interface to use. Otherwise, the default interface’s IP address will be used. This can be used to balance bandwidth between multiple interfaces.


Local Status Port When the LCE server is configured to offload log data to auxiliary servers, TCP port 31302 is the default port used. Change the setting here to change the port on which the LCE server communicates.

Encryption Passphrase When load balancing between primary and auxiliary LCE servers, all messages are encrypted. To enhance security, a user-specified key may be added. Enter an encryption passphrase of up to 32 characters. The passphrase must be the same on all connected LCEs.

Allowed characters are alphanumeric and the following characters: [].^$()|*+?{}/#_-~!@%=`'<>:|&\",

Load Balancing Auxiliary

Primary Server Address When used as an auxiliary LCE server, this setting designates the IP address and port of the primary LCE server in the format of ipaddress:port on which it listens for status data.

The port setting is optional when the primary is using the default of port 31302.

Primary Server Port TCP port 31302 is the default port used when the LCE server is configured to offload log data to auxiliary servers. Change the setting here to change the port on which the LCE server communicates.

High Availability

Virtual IP Address This is the IP address used by devices such as syslog sensors and clients to send data to LCE.

Virtual IP Interface When specifying a Virtual IP Address, also specify an existing network adapter on which the LCE will bind the virtual IP. The default is eth0.

Virtual Router ID If you have a VRRP solution deployed, or plan on adding one in the future, on the same network your LCE is deployed on, use this option to specify a router ID for the LCE cluster that differs from the ID used by your other VRRP setup.

Mirror Mode Optionally, instead of receiving a subset of logs, this LCE may register itself as a mirror and receive ALL logs processed by the primary LCE, effectively creating a live backup of the primary database. Check the box to enable this mode.

Advanced Configuration Options

The “Advanced” configuration section is used to fine-tune your LCE server configuration. Each change made in the “Advanced” section requires that the “Update” button is selected before the update takes effect. Select “Cancel” to clear any unwanted updates. The exceptions are “Add Syslog Sensor Name”, “Add New Client Rule”, “Create Debug File”, and “Add New SSH Key”. Reference the relevant section of this documentation when changing each of those advanced configuration options.

Storage

The options available under the “Storage” subsection are “Store Unnormalized Logs” and “Disk Alert Percentage”. These options are described in the table below.


Option Description

Store Unnormalized Logs If this is enabled, then LCE will store logs even when they are not normalized by existing LCE plugins. These logs will have the type and event set to “unnormalized” and will still be available for text, IP, and sensor-based searches.

Disk Alert Percentage When disk utilization in the database directory exceeds the specified percentage (from 1 to 99 percent), an alert will be generated so that the user may take appropriate actions and the LCE does not exhaust disk space for log storage. The default value is 75 percent.

LCE Web Server

The LCE Web Server section allows you to specify the parameters governing user login and access to the LCE web server. These options are described in the table below.

Option Description

Login Banner Displays a banner prior to user login requiring the user to acknowledge a customized statement or warning.


Enforce Complex Passwords Requires LCE web server user passwords to have at least 1 uppercase, 1 lowercase, 1 number, and 1 special character.

Min Password Length Minimum length of a password for an LCE web server user login. Only passwords that are created or changed after this setting is updated will be affected.

Idle Session Timeout Idle login sessions will be logged out after the amount of time specified in minutes.

Web Server Port Configures the port that the LCE web server will listen on. By default this is set to 8836.

Enable SSL for Web Server When enabled, SSL connections are enforced for connecting to the LCE web server. This setting is on by default. Disabling it is not recommended, as it will allow unencrypted traffic to the LCE web server. When this setting is changed and applied, users must reconnect to the server using the newly configured protocol.

Enable SSL Client Certificate Authentication When enabled, only SSL client certificates are permitted for user authentication. When disabled (the default setting), users authenticate with a username and password.

Sensor Names

This option allows the administrator to override the discovered name of a syslog sensor with a name that is more identifiable in the environment. For example, if the host is “syslogserver06.example.com” but that server resides in the research area of the environment, overriding its name to “research_syslog” may be preferred.

The sensor name can be set by the source of the log, the configured sensor name of the client or syslog source, or the plugin that normalizes the log. If this option is enabled, the sensor name will always be that of the configured client or syslog source name. When creating new sensor names, both the “Sensor Name” and “IP Address” fields must be populated. After that is complete select “Add Syslog Sensor Name” to confirm the changes.

Option Description

Sensor Name Sensor name to be used within the SecurityCenter logs.

IP Address The IP address of the configured client or syslog source.


Clients

This section of the Advanced Configuration is used to further define how clients are able to connect to the LCE, and how they are named when viewed in the “Event” section of SecurityCenter. The configurations are “Public Server Address”, “Auto Authorize Clients”, “Use Client Network Address”, and “Override Sensor Name”, described in the table below.

Option Description

Public Server Address If the server is run from behind a device performing Network Address Translation (NAT), and the LCE clients that it manages are on the public side of the device, the Public Server Address field must be populated with the NAT address so that the managed clients can connect to it. The LCE Client Manager will use, in order of preference: the Public Server Address setting, the Server Address setting, or the first IP that it finds LCE using that is not 127.0.0.1.

When this setting is used, all managed clients on either side of the NAT device must use this defined address to connect.

Auto Authorize Clients LCE Clients version 4 and greater must be authorized by the LCE administrator to send data after the client attempts to connect to the LCE server. Enable this option to automate authorization for a specified number of minutes after LCE server startup or reconfiguration. This automatically authorizes clients that have never previously tried to connect to the LCE server for 10 minutes after startup.

Use Client Network Address Override the private client IP in events with the NAT / public network peer IP.

Override Sensor Name Prefer the configured name over the discovered name.

The “Client Assignment Rules” subsection allows for specific policies to be applied to specific client ranges along with the IP address and communications port used to communicate with the LCE server. When a Client Assignment Rule is created, a “Policies” window is displayed to add the desired policies for the “Client Network” specified in the rule.

Specific LCE policies can be defined for that “Client Network”. Policies are matched by OS type, and if there are multiple policies for a particular OS type, the first available policy for that type will be assigned. If no “Policies” match the OS found on the “Client Network”, the default policy for that OS will be used. The “Auto Auth” option can be deselected after all expected clients have been authorized by the LCE. After adding one or more policies to the “Policies” section, select “Update” at the bottom of the “Advanced Configuration” page to confirm the addition of those policies.


Option Description

Client Network The client network range in CIDR notation.

LCE IP:port LCE server IP and port it listens on for incoming LCE client data. The default port is 31300.

Auto Authorize This enables auto authorization of clients in the defined network range.

Policies This section allows multiple policies to be specified. The exact name of the policy must be used. The policy must be OS specific, and if more than one OS is on the “Client Network” a single policy for each OS type is suggested.

If multiple policies are listed in this section for the same OS type the first policy that matches the client OS will be assigned.
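The policy selection described for “Client Assignment Rules” (first rule whose Client Network contains the client, first listed policy for the client's OS type, otherwise the per-OS default), modelled in Python as an added example. This is not Tenable's code: the sample rules, client addresses and the default policy names are constructed assumptions.

```python
"""Model of LCE 4.4 "Client Assignment Rules" policy selection (added example, not
Tenable code). Rule fields follow the table above; the rule contents, client
addresses and the per-OS default policy names are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_LCE_PORT = 31300   # default port on which LCE listens for client data

# Assumed names for the built-in per-OS defaults used when no listed policy matches.
DEFAULT_POLICIES = {
    "linux": "default_linux_lce_client",
    "windows": "default_windows_lce_client",
}


@dataclass
class Policy:
    name: str   # exact policy name, as the guide requires
    os: str     # OS type this policy applies to


@dataclass
class ClientRule:
    client_network: str                 # "Client Network" in CIDR notation
    lce_ip_port: str                    # "LCE IP:port"; the port is optional
    auto_authorize: bool = False        # "Auto Authorize" for this range
    policies: List[Policy] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject a malformed CIDR or IP:port at rule-creation time, not at match time.
        self.network = ipaddress.ip_network(self.client_network, strict=False)
        self.lce_ip, self.lce_port = parse_ip_port(self.lce_ip_port)


def parse_ip_port(value: str, default_port: int = DEFAULT_LCE_PORT) -> Tuple[str, int]:
    """Split "ip" or "ip:port", validating both parts."""
    host, sep, port_str = value.partition(":")
    ip = str(ipaddress.ip_address(host))        # raises ValueError on garbage
    port = int(port_str) if sep else default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ip, port


def find_rule(rules: List[ClientRule], client_ip: str) -> Optional[ClientRule]:
    """Return the first rule whose Client Network contains the client's address."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if addr in rule.network:
            return rule
    return None


def select_policy(rules: List[ClientRule], client_ip: str, client_os: str) -> str:
    """Pick the policy name a client receives.

    Within the matching rule the first policy for the client's OS type wins; when
    none of the listed policies matches that OS, the default policy for the OS is used.
    """
    os_key = client_os.lower()
    rule = find_rule(rules, client_ip)
    if rule is not None:
        for policy in rule.policies:
            if policy.os.lower() == os_key:
                return policy.name
    try:
        return DEFAULT_POLICIES[os_key]
    except KeyError:
        raise ValueError(f"no default policy known for OS {client_os!r}") from None


def is_auto_authorized(rules: List[ClientRule], client_ip: str) -> bool:
    """True when the client's range has Auto Authorize enabled."""
    rule = find_rule(rules, client_ip)
    return rule is not None and rule.auto_authorize


# Constructed sample rules (not from the guide).
SAMPLE_RULES = [
    ClientRule("10.10.0.0/16", "10.10.0.5", auto_authorize=True,
               policies=[Policy("research_linux", "linux"),
                         Policy("research_linux_strict", "linux"),   # second for same OS: never chosen
                         Policy("research_windows", "windows")]),
    ClientRule("192.168.50.0/24", "192.168.50.2:31301",
               policies=[Policy("dmz_windows", "windows")]),
]

if __name__ == "__main__":
    print(select_policy(SAMPLE_RULES, "10.10.3.7", "Linux"))        # research_linux
    print(select_policy(SAMPLE_RULES, "192.168.50.20", "linux"))    # default_linux_lce_client
    print(is_auto_authorized(SAMPLE_RULES, "192.168.50.20"))        # False
```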

User Tracking

LCE tracks network users on the basis of their usernames. These options set restrictions on which usernames are considered valid. Any usernames failing to match the specified criteria are disregarded and “invalid” is reported as the user for the associated log entries.


Option Description

User Tracking Plugins Only Plugin IDs in this list are used to apply user tracking. Other plugins will normalize usernames, but no tracking is performed based on the source and destination IP addresses. Only usernames normalized by these plugins are subject to the additional user tracking restrictions in this section. If a username is normalized by these plugins but does not meet the additional restrictions, it will not be associated with the log and will not be associated with the subsequent logs from that IP address. Some IDs of plugins that can be used as “User Tracking Plugins” are listed below.

Example:
4770 tenable_pvs.prm
5450 mail_imaps.prm
1708 mail_wuimap.prm
7293 os_win2008_sec.prm
3260, 3262, 3294 os_win2k_sec.prm

LCE login-failure plugins do not normalize usernames because those logs are not assured to provide a valid username, and it would contaminate the username database. Additionally, it is advised never to add a login-failure plugin ID into the list of User Tracking Plugins. Doing so would invalidate user tracking for hosts that triggered the plugin.


Accept Letters This option specifies whether alpha characters [a-zA-Z] are allowed when a plugin normalizes a username.

Accept Numbers This option specifies whether numbers [0-9] are allowed when a plugin normalizes a username.

Valid Username Characters Specifies which special characters are considered valid for usernames. By default, the following characters are considered valid:

The “dash” character, as in “-”
The “underscore” character, as in “_”
The “dot” character, as in “.”
The “at sign” character, as in “@”

For example, the following address would be considered valid under the default criteria: b.j-smith@a_b.com

Only the special characters that are specified with the Valid Username Characters setting are considered to be valid when a plugin normalizes a username. The semicolon character, “;”, is not permitted in this context.

Max Username Length Specifies the maximum number of characters allowed in a username.

Untracked Usernames The IPs for this list of users are not tracked. The usernames are normalized and will appear with their associated logs, but no alert is generated when the username switches from one IP to another. Some possible considerations for usernames that are not tracked are listed below.

Example:
root
lce
admin
administrator
Administrator
SYSTEM
INTERACTIVE
NETWORKSERVICE
LOCALSERVICE
ANONYMOUSLOGON
Nobody
NTAUTHORITY
DIALUP
NETWORK
BATCH
NO_USER_NAME
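The username restrictions in this section (Accept Letters, Accept Numbers, Valid Username Characters, Max Username Length) and the Untracked Usernames behaviour, modelled in Python as an added example. This is not Tenable's code: the guide does not publish lced's matching rules, so the checks follow the option descriptions literally, and the default Max Username Length is an assumed value.

```python
"""Model of the LCE 4.4 "User Tracking" username restrictions (added example, not
Tenable code). The settings mirror the options in the table above; the guide does
not publish lced's matching rules, so the checks here follow the option
descriptions literally and the default Max Username Length is an assumption."""
from dataclasses import dataclass
from typing import Dict, Optional

INVALID = "invalid"   # reported as the user when a username fails the checks


@dataclass(frozen=True)
class UserTrackingSettings:
    accept_letters: bool = True            # "Accept Letters": [a-zA-Z] allowed
    accept_numbers: bool = True            # "Accept Numbers": [0-9] allowed
    valid_special_chars: str = "-_.@"      # "Valid Username Characters" defaults
    max_username_length: int = 64          # "Max Username Length" (assumed value)
    untracked_usernames: frozenset = frozenset(
        {"root", "lce", "admin", "administrator", "Administrator", "SYSTEM"})


def normalize_username(name: str, s: UserTrackingSettings) -> str:
    """Return the username when every character passes the restrictions, else "invalid"."""
    if ";" in s.valid_special_chars:
        raise ValueError('";" is not permitted in Valid Username Characters')
    if not name or len(name) > s.max_username_length:
        return INVALID
    for ch in name:
        if ch.isascii() and ch.isalpha():
            if not s.accept_letters:
                return INVALID
        elif ch.isascii() and ch.isdigit():
            if not s.accept_numbers:
                return INVALID
        elif ch not in s.valid_special_chars:
            return INVALID            # any other character (including ";") rejects the name
    return name


class UserTracker:
    """Remembers the last IP each tracked username was seen from and reports switches."""

    def __init__(self, settings: UserTrackingSettings) -> None:
        self.s = settings
        self.last_ip: Dict[str, str] = {}

    def observe(self, raw_username: str, ip: str) -> Optional[str]:
        """Feed one (username, IP) pair; return an alert string on an IP switch, else None."""
        user = normalize_username(raw_username, self.s)
        if user == INVALID:
            return None               # disregarded: logged as "invalid", never tracked
        if user in self.s.untracked_usernames:
            return None               # normalized and shown, but no IP-switch alert
        previous = self.last_ip.get(user)
        self.last_ip[user] = ip
        if previous is not None and previous != ip:
            return f"user {user} moved from {previous} to {ip}"
        return None


if __name__ == "__main__":
    tracker = UserTracker(UserTrackingSettings())
    # Constructed sample observations (not from the guide).
    for user, ip in [("b.j-smith@a_b.com", "10.0.0.5"), ("b.j-smith@a_b.com", "10.0.0.9"),
                     ("root", "10.0.0.5"), ("root", "10.0.0.9"), ("bad;user", "10.0.0.1")]:
        print(user, ip, "->", tracker.observe(user, ip))
```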


Host Discovery and Vulnerabilities

This section defines the parameters used by LCE to gather vulnerability information from SecurityCenter, as described in the table below.

Option Description

Enable Host Discovery This option enables or disables host discovery. When set to yes, new hosts on the network will be discovered and reported based on log data.

Report Frequency The frequency, in minutes, at which the report file will be generated and updated on disk. The default is 60 minutes.

Report Lifetime The lifetime of a report in days. The report will be cleared after this amount of time. The default is 7 days.

Learning Period This option determines how many days a host has not been seen before an alert will be generated. A setting of at least 1 or 2 days is recommended. After that, any host that was not discovered during the period will be alerted on as new. Without this setting, LCE would “discover” all of your hosts that are currently running and are not really “new”.

Reporter Port The port used by SecurityCenter to retrieve host and vulnerability reports from LCE.

Reporter Username The username used by both SecurityCenter and LCE to exchange vulnerability information.


Reporter Password The password used by SecurityCenter and LCE to exchange vulnerability information.

Verify Reporter Password This field is used for password verification.

Report SSL Key File The LCE server reporter key filename, relative to /opt/lce/reporter/ssl/.

Report SSL CA File The LCE server certificate authority filename, relative to /opt/lce/reporter/ssl/.

Report SSL Cert File The LCE server certificate filename, relative to /opt/lce/reporter/ssl/.

Statistical Alerts

There are multiple statistical anomalies that can occur on a network. Some examples are Social Network, Login Failure, DNS, Virus, and Database anomalies. The LCE stats daemon can track these anomalies and provide feedback when a specific threshold is reached.

Each statistical anomaly is triggered based on a number of standard deviations. The list below shows how many standard deviations must occur before a statistical anomaly is triggered, along with an example event name as it would be seen in the “Events” section of SecurityCenter.

Minor Anomaly - a difference of 1-5 standard deviations from normal (e.g., Statistics-Social_Networks_Minor_Anomaly)

Anomaly - a difference of 6-9 standard deviations from normal (e.g., Statistics-Social_Networks_Anomaly)

Medium Anomaly - a difference of 10-99 standard deviations from normal (e.g., Statistics-Social_Networks_Medium_Anomaly)

Large Anomaly - a difference of 100-10000 standard deviations from normal (e.g., Statistics-PVS-Network_Large_Anomaly)


Option Description

Min Standard Deviation This specifies the minimum standard deviation that must occur for an event before an alert will be generated for it. The higher this number, the more statistically significant a sequence of events needs to be before an alert is raised.

Min Number of Standard Deviations If an event occurs more or less than 5.0 standard deviation units, an alert will be generated. Setting this value higher will cut down on any sequence of events that occur close to the standard deviation.

Min Statistical History This specifies the number of iterations (days) per event that are required before alerts will be generated. If a large amount of LCE data is already present, set this number to a low value or even to zero. The stats daemon can be started to read in all or just part of the existing LCE data. If you have NO LCE data, leave this value around 7 so the stats daemon will not alert on anything until it has 7 days of event data.

Max Occurrence Frequency If an event occurs more or less than 5.0 standard deviation units, an alert will be generated. Setting this value higher will cut down on any sequence of events that occur close to the standard deviation.

Syslog Alerts The statistics engine will send anomaly alerts to the syslog servers in this list. It is recommended to include 127.0.0.1 for the local LCE service.


Resource Usage and Performance

This section of the LCE “Advanced Configuration” is used to tune the performance of the LCE server.

Option Description

Additional Query Memory By default, 100 megabytes of memory is used for text queries. For systems with large amounts of available memory, the Additional Query Memory option can be used to allocate additional memory for the text string search functionality of the query daemon. This will improve response time during event analysis in SecurityCenter. The option can be specified in megabytes or gigabytes by selecting an “M” or “G” from the “Additional Query Memory” drop-down menu.

Max TASL Memory Queue To maximize performance on multi-processor and multi-core systems, correlated TASL events are processed in parallel to receive regular incoming events. Since some TASL scripts can run for an extended period of time, the primary event processor can potentially receive many TASL-triggering events while a TASL script is still being executed. In this case, the TASL job is stored in a queue for later processing. This option defines the maximum size of this queue. On systems with extremely large volumes of data, setting the maximum queue size higher results in increased performance. If a TASL script that can be sampled is triggered while the queue is full, its callback functions will not be executed.

Log-Processors This option leverages multicore processors and determines how many threads will be dedicated to log processing. It is recommended that this setting be no higher than the number of CPU cores in the LCE host system. This is an upper-limit, and should not be changed unless you have greater than 8 total cores (e.g., a dual quad-core CPU system). For systems with hyper-threading technology, the value may be scaled accordingly.

Sampleable TASLs Sampleable TASL scripts may be skipped to alleviate processor load when the TASL queue is full.


DNS Caching

When a log message is defined in a plugin, LCE provides the option to specify a hostname instead of an IP address for the srcip and dstip fields. In this case, LCE automatically attempts to resolve the provided hostname to an IP address using DNS. Since the same hostname is typically encountered multiple times, caching the results of lookups can greatly increase performance. These options configure DNS caching in LCE.


Option Description

Max Memory for DNS Cache LCE will maintain a cache of hostname-to-IP addresses rather than performing the lookup repeatedly, limited to this amount of memory [MB]. The “Max Memory for DNS Cache” option can go up to 360K domain names.

DNS Cache Period The “DNS Cache Period” option specifies the number of days to cache a hostname-to-IP mapping before updating the result with a new lookup. This value can be set between 1 and 30 days.

Always Resolve If a host ends with an extension listed here, it will be resolved each time it is encountered rather than being cached. List each host or extension on a new line. A particular hostname or all domain names with a certain extension can be excluded using the “Always Resolve” section. In this case, the matching hosts are looked up at every occurrence. The “Always Resolve” section can be used to maintain a more extensive list of domains to exclude when DNS caching is utilized. The hosts contained in the “Always Resolve” section of DNS Caching are read when LCE starts up, but changes to the list can be made at any time. If changes are made to the section the “Update” button at the bottom of the “Advanced Configuration” section of the LCE GUI will need to be selected.

Cache at Startup Hosts listed in the “Cache at Startup” are resolved at startup and cached immediately to reduce runtime DNS resolutions and improve performance. The format for these entries is one hostname per line.


Data Forwarding

Sending Syslog Messages to Other Hosts

The LCE can be the focal point of your entire log aggregation strategy. If a Storage Area Network, syslog server, or some other type of log aggregation solution is deployed in your network, the LCE can be configured to send a copy of any received message to one or more syslog servers. These messages include any message received from any client.

To configure the LCE to forward these messages, go to the “Configuration” section of the LCE GUI. Then select “Advanced”, and in that section locate “Data Forwarding”. In the “Syslog Forwarding” section of “Data Forwarding”, simply enter a line for each syslog server. The actual syslog service is not used to forward the messages. All packet generation is handled by the lced process.

The format of each entry in the “Syslog Forwarding” section is IP:port,exclude-header as shown below. The IP is the address of the syslog server to which the messages are sent. The port indicates the UDP port on which the receiving syslog server is listening. The exclude-header option determines whether the LCE appends a custom header indicating that the message was sent from the LCE server. When omitted or set to “0”, the header is appended. When set to “1”, the header is not added and only the original log message is sent, without indication that it was forwarded from the LCE server. If “2” is used, the log will be sent in CEF format.

The following is an example section of the “Syslog Forwarding” section that forwards messages to multiple syslog servers.

The first line forwards to UDP port 1234 and appends a LCE server header to each entry. The second forwards to UDP port 514, and a LCE server header is not appended to each entry. The third forwards to UDP port 514 and the log will be sent in CEF (Common Event Format) format.

New in LCE 4.4 is the ability to forward logs in CEF format. Whether the log is received by LCE from an LCE Client, a syslog server, an IDS, or any other compatible log source, LCE will convert the original log into CEF format. Shown below is a normal syslog message received by a LCE server followed by the forwarded CEF formatted message.

Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; PWD=/home/rongula ; USER=foo ; COMMAND=/bin/bash

CEF:0|Tenable|LCE|4.4.0|1404|Unix-Successful_Sudo|5|dpt=0 dst=192.168.1.23 spt=0 src=172.26.20.66 duser=rongula proto=0 msg=Apr 16 11:05:52 jetjaguar sudo: rongula : TTY\=pts/0 ; PWD\=/home/rongula ; USER\=foo ; COMMAND\=/bin/bash

Syslog Compliant Messages

Logs forwarded by the LCE will retain the original syslog alert level and facility, if one was present. If one was not present, the LCE assigns a log level of “auth.warning”.


Typically, LCE clients do not send syslog compliant messages. If a LCE client were configured to monitor a log file that retained an original message’s syslog alert level and facility, then this would be retained if forwarded by the LCE.

This allows for a remote syslog server that is receiving events from the LCE to process the received messages and place them in specific files. Depending on the type of syslog server, it may be possible to place logs from a router into one file, operating system logs into another and so on.

Content of Forwarded syslog Messages

When the LCE forwards a message, it also adds any matched information to the log file as shown below if configured to do so:

Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 172.20.1.1:0 :: <37>sshd(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.20.1.1

The “::” characters are used to separate LCE’s heading from the original message. In this case, the message would also have been sent with a syslog facility/severity of <37> since that was the facility of the original message.

Additionally, notice that the LCE tagged the example event above with a not-matched keyword. This means that the LCE did

not possess a .prm file to process the log. If it did, the matched event name would be present in the same location.

If configured to strip the LCE headers from the forwarded syslog messages, only the original log message is sent to the remote syslog server.

Checksum Forwarding

When LCE rolls a silo, the checksum of the completed silo .ndb file is forwarded to each syslog server IP in this list. Because the checksum is then held on a separate host, an archived silo can later be compared against it to detect modification.

TCP Syslog

This list of decimal ASCII character codes tells LCE how to delimit syslog messages received over TCP. By default only the linefeed character (ASCII decimal 10) is recognized, but other products may terminate messages with other characters. Valid values are 0-255.
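An added example, not Tenable code, of the receiver side of the points in this and the two preceding sections: it splits a TCP stream into syslog frames on a configurable set of delimiter byte values (LCE's default of 10), decodes the <PRI> into facility and severity, and separates LCE's "[event] sip:sport -> dip:dport ::" header from the original message. The first sample line is the page's own example; the second line, the partial trailing frame and all function names are constructed for this example.

```python
"""Receiver side of LCE syslog forwarding: TCP framing, PRI decoding, LCE header parsing."""
import re
from typing import Dict, List, Optional, Tuple

FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_LCE_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) lce: \[(?P<event>[^\]]+)\] "
    r"(?P<sip>\S+):(?P<sport>\d+) -> (?P<dip>\S+):(?P<dport>\d+) :: (?P<msg>.*)$"
)

# Constructed TCP read: the page's forwarded sshd line, a forwarded sudo event that LCE
# gave its default <36> (auth.warning) because the original carried no PRI, and the
# beginning of a third message whose terminator has not arrived yet.
SAMPLE_STREAM = (
    b"Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 172.20.1.1:0 :: <37>sshd(pam_unix)[15322]: "
    b"authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.20.1.1\n"
    b"<36>Jun 30 17:45:40 lce: [Unix-Successful_Sudo] 172.26.20.66:0 -> 192.168.1.23:0 :: "
    b"Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; PWD=/home/rongula ; USER=foo ; COMMAND=/bin/bash\n"
    b"Jun 30 17:45:41 lce: [not-matched] 0.0.0.0:0 -> 10.0.0.5:0 :: partial"
)


def split_tcp_frames(buf: bytes, delimiters: Tuple[int, ...] = (10,)) -> Tuple[List[bytes], bytes]:
    """Cut a TCP byte stream into syslog frames at any of the given ASCII codes
    (LCE's default is 10, the linefeed).  TCP carries no message boundaries, so the
    unterminated tail is returned for the caller to prepend to the next read."""
    frames, start = [], 0
    for i, byte in enumerate(buf):
        if byte in delimiters:
            if i > start:
                frames.append(buf[start:i])
            start = i + 1
    return frames, buf[start:]


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity, e.g. 37 -> auth.notice, 36 -> auth.warning."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_forwarded(line: str) -> Dict[str, Optional[str]]:
    """Parse one forwarded line, with or without LCE's '[event] sip:sport -> dip:dport ::'
    header, taking facility and severity from whichever <PRI> is present."""
    out: Dict[str, Optional[str]] = {"event": None, "sip": None, "dip": None,
                                     "facility": None, "severity": None}
    m = _PRI_RE.match(line)
    if m:                                   # PRI placed in front by the forwarding LCE
        out["facility"], out["severity"] = decode_pri(int(m.group(1)))
        line = line[m.end():]
    h = _LCE_HEADER_RE.match(line)
    if h:                                   # absent when LCE is set to strip its headers
        out.update(event=h.group("event"), sip=h.group("sip"), dip=h.group("dip"))
        line = h.group("msg")
    m = _PRI_RE.match(line)
    if m:                                   # the original message's own PRI, as in the page's example
        out["facility"], out["severity"] = decode_pri(int(m.group(1)))
        line = line[m.end():]
    out["msg"] = line
    return out


if __name__ == "__main__":
    frames, tail = split_tcp_frames(SAMPLE_STREAM)
    for frame in frames:
        print(parse_forwarded(frame.decode("utf-8", "replace")))
    print("buffered for next read:", tail)
```

A receiver that only splits on linefeed will merge records from a sender that uses another terminator, which is exactly the situation the delimiter list above exists for; the test below also checks a NUL-delimited stream.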


Correlation

LCE normally requires the port of a vulnerability to match the port in the normalized event before it correlates the event with that vulnerability. If this option is disabled, LCE ignores this requirement when the vulnerability port is 0, 22 or 445.

TASL and Plugins

Excluding TASL Files

TASLs may be disabled selectively by adding the TASL script file name (e.g., program_accounting.tasl) to the "Disabled TASL Scripts" section, located under the "TASL and Plugins" portion of the "Advanced" section of the LCE GUI. This is useful when a particular TASL script is not needed by an organization, or when a TASL is causing performance issues and needs to be disabled either temporarily or permanently.

Any disabled TASLs can be re-enabled by removing them from the “Disabled TASL Scripts” section.

Excluding PRM Files

In some cases, a user may wish to allow the global updates of PRM files but exclude specific ones from being run. This is done in the "Disabled PRM Scripts" section of the LCE GUI: PRM files that should still be updated but not loaded are listed there, one per line.

If there is a need to customize a plugin, rename (or copy) the original file before making modifications, then add the name of the original plugin to the "Disabled PRM Scripts" section. If an existing PRM file is modified in place and not renamed, it will be overwritten on the next PRM update. If the original is not disabled and the Multiple Matches option is not enabled, only one of the two PRM files will match. This option is located under the "TASL and Plugins" portion of the "Advanced" section of the LCE GUI.


TASL Parameters

Advanced TASL parameters can be entered here.

Event Rules

This section configures the active responses performed by the LCE daemon. LCE rules analyze LCE event content and fire when preset conditions are met. Active responses include sending automatic emails (msmtp, sendmail), sending syslog or CEF alerts (syslog, cef), and running custom commands on the LCE system.

Email Syntax

Command: echo "body: $log" | sendmail [email protected] "subject: $name"

Syslog Syntax

The following syslog line forwards any log that triggered the rule to the remote syslog server 10.10.10.10, port 514, with the default priority of 36 (severity=4, facility=4, i.e. auth.warning):

syslog: 10.10.10.10 "Possible password guessing evidence: $log"

The following syslog line would forward any log that triggered the rule to two remote syslog servers, 10.10.10.9, and 10.10.10.10, on port 515, with the specified priority of 116 (severity=4, facility=14):

syslog: 10.10.10.9, 10.10.10.10 "Your message goes here: $log" -priority 116 -port 515

Custom Command Syntax

Command: /path/to/scripts/my_custom_firewall_reconfig_command.sh -block $sip

LCE Rule Filters

The following fields are optional filters. A plus sign signifies that events matching the specified values will receive rule application, while a minus sign signifies that matching events will not. If no “+” filter is used, all events are matched by default for the field, unless excluded specifically with the “-” filter. Multiple values can be specified for any filter.


Do not precede LCE rule options with spaces. An option that begins with a space is ignored.

Option / Description

IPS
    Filters on IP addresses that are (+IPS) or are not (-IPS) present as either source or destination. The following five formats are supported for both +IPS and -IPS:
    172.16.1.1/255.255.255.0
    172.16.1.1/32
    172.16.1.1-255
    172.16.1.1-172.16.1.255
    172.16.1.1

SrcIPS
    Filters on source IP addresses that are (+SrcIPS) or are not (-SrcIPS) present. The same five address formats are supported.

DstIPS
    Filters on destination IP addresses that are (+DstIPS) or are not (-DstIPS) present. The same five address formats are supported.

Events
    Considers both the primary and secondary event names. Because Nessus IDS signature names contain spaces, the "Events" field allows spaces in event names, so events must be separated by commas only, not spaces. Spaces, commas or both may be used to separate entries in the other fields.

Sensors
    Sensor that detected the LCE event.

Types
    LCE event type.

Ports
    Source or destination port within the LCE event.

Protocols
    Specified as TCP, UDP, ICMP or a protocol number.

Users
    Username associated with the event.

Text
    Filters on any text token that is (+Text) or is not (-Text) present in the log. Tokens may include spaces and punctuation but not commas.

IText
    The same filter as Text, but matched case-insensitively; +IText or -IText must be used.

Vulnerable
    "yes" or "no".

Ignore
    A single keyword that causes all events matching the rule's filters to be ignored by LCE. An event ignored in this way gets no LCE database entry, no other matching rules fire for it, and no TASLs filtering on the event are executed.

RateLimit
    The maximum number of event responses allowed per time period. When the number of incoming matching logs exceeds this constraint, the remaining logs are queued or ignored. Format: (integer) per [second, minute, hour, day, week, month, year]

Command
    Runs the given command at the command line as the user "lce" (for example, echo "log matched" >> /opt/lce/my_log_file.log). See the /opt/lce/tools/ directory for a tool supplied with LCE for emailing logs.
    When using "Command:", some or all of the log may be inserted into the command with the replacement macros listed under LCE Shell Command Options. The following example sends the original log text and the source IP:port and destination IP:port by email for network or connection type logs:

    Name: Example command
    +Types: network,connection
    Command: printf "To:[email protected]\nFrom:[email protected]\nSubject: Network Connection\n\nLOG MATCHED RULE $sip:$sport -> $dip:$dport $log .\n" | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf [email protected]

MaxQueue
    The maximum number of matching events to queue; events arriving while the queue is full are ignored.

Threshold
    The minimum number of matching events that must occur in a given time period before event responses are generated. Format: (integer) in a [second, minute, hour, day, week, month, year]

Log Forwarding
    Logs that trigger a rule can be forwarded as syslog or in Common Event Format (CEF). CEF forwarding uses a fixed, predetermined format. The syslog option may optionally specify the priority and port, and its message may contain the LCE shell command variables explained in the LCE Shell Command Options section. An example of each:
    For CEF forwarding: cef: 192.168.1.4
    For syslog forwarding: syslog: 192.168.1.4 "Possible password guessing evidence: $log" -priority 36 -port 514

Additional information and examples are available in Appendix 2: Event Rules Tables.
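The following Python model of the filter semantics is an added example and is not taken from LCE. It applies a rule written in the syntax above to constructed events: it parses the five address formats, applies the "+" and "-" rules (a field with "+" specs needs at least one hit, any "-" hit rejects the event, and a field with no "+" specs matches everything not excluded), skips options that begin with a space, and enforces a RateLimit of the form "N per unit". The rule, the events and every function name are this example's own; MaxQueue queueing and Threshold are not modelled.

```python
"""Model of LCE event-rule filters (+/- on IPS, Events, Text, ...) with a RateLimit."""
import ipaddress
import re
from collections import deque
from typing import Callable, Dict, List, Tuple

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                 "week": 604800, "month": 2592000, "year": 31536000}


def ip_matcher(spec: str) -> Callable[[str], bool]:
    """Predicate for one of the five address formats: a/netmask, a/prefix,
    a.b.c.x-y (last-octet range), a-b (full range) or a single address."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        if "." not in hi:                       # 172.16.1.1-255 -> 172.16.1.1-172.16.1.255
            hi = lo.rsplit(".", 1)[0] + "." + hi
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        return lambda ip: lo_a <= ipaddress.ip_address(ip) <= hi_a
    one = ipaddress.ip_address(spec)
    return lambda ip: ipaddress.ip_address(ip) == one


def _eq(spec: str) -> Callable[[object], bool]:
    return lambda v: str(v) == spec


# filter name -> (values the event contributes, how one spec becomes a predicate)
FIELDS = {
    "IPS":        (lambda e: [e["sip"], e["dip"]], ip_matcher),
    "SrcIPS":     (lambda e: [e["sip"]], ip_matcher),
    "DstIPS":     (lambda e: [e["dip"]], ip_matcher),
    "Events":     (lambda e: [e["event1"], e["event2"]], _eq),
    "Sensors":    (lambda e: [e["sensor"]], _eq),
    "Types":      (lambda e: [e["type"]], _eq),
    "Ports":      (lambda e: [e["sport"], e["dport"]], _eq),
    "Protocols":  (lambda e: [e["proto"]], _eq),
    "Users":      (lambda e: [e["user"]], _eq),
    "Vulnerable": (lambda e: [e["vuln"]], _eq),
    "Text":       (lambda e: [e["log"]], lambda s: lambda v: s in v),
    "IText":      (lambda e: [e["log"]], lambda s: lambda v: s.lower() in v.lower()),
}
_COMMA_ONLY = {"Events", "Text", "IText"}      # specs in these fields may contain spaces


def parse_rule(text: str) -> Dict[str, object]:
    """Parse 'Key: value' lines; '+Field'/'-Field' lines become filters."""
    filters: List[Tuple[str, str, List[str]]] = []
    rule: Dict[str, object] = {"filters": filters}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():   # a leading space makes LCE ignore the option
            continue
        key, _, val = line.partition(":")
        key = key.strip()
        if key[:1] in ("+", "-") and key[1:] in FIELDS:
            parts = val.split(",") if key[1:] in _COMMA_ONLY else re.split(r"[\s,]+", val)
            filters.append((key[0], key[1:], [p.strip() for p in parts if p.strip()]))
        else:
            rule[key] = val.strip()
    return rule


def matches(rule: Dict[str, object], event: Dict[str, object]) -> bool:
    """'+' specs on a field: at least one must hit.  '-' specs: none may hit."""
    by_field: Dict[str, Dict[str, List[str]]] = {}
    for sign, field, specs in rule["filters"]:
        by_field.setdefault(field, {"+": [], "-": []})[sign].extend(specs)
    for field, signs in by_field.items():
        get_values, build = FIELDS[field]
        values = get_values(event)

        def hit(specs: List[str]) -> bool:
            return any(build(s)(v) for s in specs for v in values)

        if signs["+"] and not hit(signs["+"]):
            return False
        if hit(signs["-"]):
            return False
    return True


class RateLimiter:
    """'N per <unit>': at most N responses in any window of that length.  Excess
    matches are dropped here; LCE itself may queue them depending on MaxQueue."""
    def __init__(self, spec: str):
        n, unit = re.fullmatch(r"\s*(\d+)\s+per\s+(\w+?)s?\s*", spec).groups()
        self.limit, self.window, self.sent = int(n), _UNIT_SECONDS[unit], deque()

    def allow(self, now: float) -> bool:
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.limit:
            return False
        self.sent.append(now)
        return True


def run_rule(rule_text: str, events: List[dict], times: List[float]) -> List[int]:
    """Indices of the events for which the rule's response would fire."""
    rule = parse_rule(rule_text)
    limiter = RateLimiter(rule["RateLimit"]) if "RateLimit" in rule else None
    return [i for i, (ev, t) in enumerate(zip(events, times))
            if matches(rule, ev) and (limiter is None or limiter.allow(t))]


# Constructed rule in the syntax above, and constructed events to run it over.
SAMPLE_RULE = """Name: DMZ Login
+IPS: 192.168.20.15,192.168.20.100,192.168.20.110-112
+Events: SC4-Login
-Users: svc_backup
RateLimit: 1 per minute
"""


def _event(dip: str, event1: str, user: str) -> dict:
    return {"sip": "10.1.1.5", "dip": dip, "sport": 51234, "dport": 443,
            "event1": event1, "event2": "login", "sensor": "lce", "type": "login",
            "proto": "TCP", "user": user, "vuln": "no",
            "log": "SecurityCenter login accepted for %s from 10.1.1.5" % user}


SAMPLE_EVENTS = [
    _event("192.168.20.111", "SC4-Login", "alice"),        # inside 110-112: fires
    _event("192.168.20.113", "SC4-Login", "alice"),        # 113 is outside the range
    _event("192.168.20.15", "SC4-Login", "svc_backup"),    # excluded by -Users
    _event("192.168.20.15", "SC4-Login-Failed", "bob"),    # event name does not match
    _event("192.168.20.111", "SC4-Login", "alice"),        # matches but is rate limited
    _event("192.168.20.111", "SC4-Login", "alice"),        # a minute later: fires again
]
SAMPLE_TIMES = [0.0, 1.0, 2.0, 3.0, 10.0, 70.0]

if __name__ == "__main__":
    print("events that fire:", run_rule(SAMPLE_RULE, SAMPLE_EVENTS, SAMPLE_TIMES))
```

The "-" filter is evaluated even when no "+" filter exists for the field, which is how a rule such as "-Text: svc_" suppresses responses for a service account without listing everything it should match.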

LCE Shell Command Options

The following case-sensitive variables may be included in the shell command string. Any command that uses these variables must be enclosed in double quotation marks ("").

Option / Description

$sip            Source IP of event
$dip            Destination IP of event
$sport          Source port of event
$dport          Destination port of event
$proto          Protocol of event, displayed as N/A, TCP, UDP, ICMP, or a number for other protocols
$vuln           "no" if the event was not correlated with a vulnerability, "yes" otherwise
$sensor         Name of sensor generating the event
$event1         Primary event name
$event2         Secondary event name
$type           Type name of event
$time           Time event was recorded at LCE (format: Mon MM, YYYY H:M:S)
$user           Username associated with the event
$log            Raw text of log
$queued_logs    All logs currently in the event rules queue. Use of this variable has the effect of emptying the rule's queue.

Additional examples of event rules and their usage can be found in Appendix 2: Event Rules Tables.
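How the macro values reach the command matters: $log is the raw text of a log, and that text is often written by the remote party, so a custom command script should treat every expanded value as data rather than as part of the command line. The guide does not state how LCE itself quotes these values. The Python below is an added example, not LCE code, with a constructed event and its own function names; it contrasts plain textual substitution with expansion through environment variables, where the shell never re-parses the value.

```python
"""Expanding LCE rule macros ($sip, $log, ...) into a shell command line."""
import os
import re
import shutil
import subprocess
from typing import Dict, Tuple

MACROS = ("sip", "dip", "sport", "dport", "proto", "vuln", "sensor", "event1",
          "event2", "type", "time", "user", "log", "queued_logs")
_MACRO_RE = re.compile(r"\$(" + "|".join(MACROS) + r")\b")

# Constructed event.  The log text deliberately carries a double quote and a
# command substitution: log content is whatever the remote party chose to send.
SAMPLE_EVENT: Dict[str, str] = {
    "sip": "172.20.1.1", "sport": "0", "dip": "192.168.1.23", "dport": "22",
    "proto": "TCP", "vuln": "no", "sensor": "lce", "event1": "SSH-Failed_Password",
    "event2": "login-failure", "type": "login-failure",
    "time": "Jun 30, 2016 17:45:36", "user": "root", "queued_logs": "",
    "log": 'sshd[15322]: Failed password for invalid user "$(id)" from 172.20.1.1',
}


def expand_raw(template: str, event: Dict[str, str]) -> str:
    """Plain textual substitution: the value is spliced into the command string, so
    quotes and $(...) inside $log are read by the shell as command syntax."""
    return _MACRO_RE.sub(lambda m: event.get(m.group(1), ""), template)


def expand_env(template: str, event: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Rewrite each $name as a reference to an environment variable LCE_NAME, quoted
    according to where it sits (bare, inside "...", or inside '...'), and hand the
    values over separately.  The shell then expands them as data only."""
    env = {"LCE_" + k.upper(): v for k, v in event.items() if k in MACROS}
    out, i, quote = [], 0, None                 # quote: None, '"' or "'"
    while i < len(template):
        m = _MACRO_RE.match(template, i)
        if m:
            ref = "${LCE_%s}" % m.group(1).upper()
            if quote == '"':
                out.append(ref)                 # the enclosing "..." keeps it one word
            elif quote == "'":
                out.append("'\"%s\"'" % ref)    # leave '...', expand quoted, re-enter
            else:
                out.append('"%s"' % ref)
            i = m.end()
            continue
        ch = template[i]
        if ch == "\\" and quote != "'" and i + 1 < len(template):
            out.append(template[i:i + 2])      # escaped character: copy both
            i += 2
            continue
        if ch in ("'", '"') and quote in (None, ch):
            quote = None if quote == ch else ch
        out.append(ch)
        i += 1
    return "".join(out), env


def run_safe(template: str, event: Dict[str, str]) -> subprocess.CompletedProcess:
    cmd, env = expand_env(template, event)
    return subprocess.run(cmd, shell=True, env={**os.environ, **env},
                          capture_output=True, text=True, check=False)


def run_raw(template: str, event: Dict[str, str]) -> subprocess.CompletedProcess:
    return subprocess.run(expand_raw(template, event), shell=True,
                          capture_output=True, text=True, check=False)


def shell_available() -> bool:
    return shutil.which("sh") is not None


if __name__ == "__main__":
    template = 'printf "%s\\n" "$log"'
    print("raw :", expand_raw(template, SAMPLE_EVENT))
    print("safe:", expand_env(template, SAMPLE_EVENT)[0])
    if shell_available():
        print("raw output :", run_raw(template, SAMPLE_EVENT).stdout, end="")
        print("safe output:", run_safe(template, SAMPLE_EVENT).stdout, end="")
```

Run on the sample event, the raw form hands the shell a command in which "$(id)" sits inside double quotes and is executed as a command substitution, while the environment form prints the log text unchanged. The same consideration applies to any script named in Command:, since it receives these values as arguments.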

Email/Alerting/Execution

LCE can be configured with the ability to interpret received log events based on log content and use configurable rules to generate active responses from the LCE server. These rules are configured in the LCE GUI in the “Event Rules” section and can perform three primary responses:

email alerting

syslog alerting

command execution

The LCE server generates email alerts using the settings in the msmtp.conf file, found in the /opt/lce/tools/ directory on the LCE server. This file must include your email server information for alerting to function correctly. A sample msmtp.conf file is shown in Appendix 1: Sample msmtp.conf File.

Examples of practical applications include configuring rules to rate limit certain types of log events, email administrators immediately when an attack is detected, and send customized commands to a firewall when an inbound attack is detected and firewall reconfiguration needs to take place.

Various fields within the received log alert are automatically placed in variables that may be used as parameters within the active response. For example, consider the following “Event Rules” entry:

Name: DMZ Login

Matching-IPS: 192.168.20.15,192.168.20.100,192.168.20.110-112

Event: SC4-Login

Command: echo "body: $log" | sendmail [email protected] "subject: $name"

RateLimit: 5m

This rule takes LCE events labeled “SC4-Login” to the specified IP addresses and automatically generates an email alert to the specified administrator email addresses. In addition, a rate limit is applied such that only one email would be sent every five minutes to prevent the LCE server from overwhelming the email server system. Configuration possibilities are limited only by the imagination of the LCE server administrator.


Debugging

Debug Mode

It is possible to add various types of debug parameters in the LCE GUI. Information about plugins loaded, LCE client status, and operation can all be written to the current log file.

The LCE GUI “Debugging” section can be used to log all remote client authentication attempts by enabling “Log Client Authorization”, which can be helpful when diagnosing remote agent problems. One activity that can be logged is the “Log Silo Rollover”, which logs when a silo is rotated and indexed.

Enabling these debug messages is a great way to learn how the LCE operates and troubleshoot issues. However, they can generate a lot of information and can create multi-gigabyte log files when left enabled.

If the lced daemon terminates abnormally for any reason, the system automatically restarts the daemon and adds a warning to the LCE logs.

Storing All Logs with “save-all”

Many organizations have regulatory requirements to save all of their log data for a specified length of time. It may also be part of that requirement that the data not be manipulated, normalized, or otherwise processed in case it must be used in a legal proceeding. Any exculpatory evidence in the original logs must not be missing as well.

The LCE’s method of storing data in silos for high-speed normalization and analysis by many different administrators is not the best place to keep one central log file. The LCE has means to save every message, even ones that do not match a certain plugin to a central log file.

This log file is enabled by entering its full path in the "Save All Logs File" field of the "Debugging" section of the "Advanced" menu in the LCE GUI. In previous versions of LCE the default location was /opt/lce/db/lce.log, in the same directory as the silos; it can be changed to any location that has adequate disk space. In new installations the path and filename must be specified.

As the LCE daemon receives events through the API or from syslog, it will save the message into the file specified in the LCE GUI. This log file will grow very large. Maintain rotation and compression of these logs with the logrotate program that is already installed on all Linux systems supported by the LCE.
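An added example of a logrotate fragment for the save-all file; it is not from the guide and not shipped with LCE. The path /data/lce-save-all/lce.log and the 90-day retention are assumptions (use the value entered in "Save All Logs File" and the organization's retention requirement). copytruncate is chosen because the guide does not say whether lced reopens the file after rotation.

```conf
# /etc/logrotate.d/lce-save-all   (added example; path and retention are assumed)
/data/lce-save-all/lce.log {
    daily
    rotate 90
    dateext
    compress
    delaycompress
    missingok
    notifempty
    # copytruncate leaves lced writing to the same open file descriptor, so no
    # restart is needed; lines written between the copy and the truncate can be
    # lost. For a strict evidentiary record, confirm whether lced reopens the
    # file on rotation and, if it does, drop copytruncate in favour of a
    # postrotate script that restarts the log engine from Service Control.
    copytruncate
}
```

Run logrotate -d /etc/logrotate.d/lce-save-all to dry-run the fragment before relying on it, and check that the rotated files land on the separate file system described in the next section.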

Different File System

Since the save-all file grows to extremely large sizes when left enabled, it is highly recommended to place it on a different physical file system. If the LCE server has two hard drives, consider creating physically separate partitions for the LCE silo data and for the "save-all" file.

If a Storage Area Network (SAN) is available, consider using it to store the "save-all" file. Such storage is often mounted through a network file system (NFS) or Windows file share (SMB). If a SAN is used, make sure that the LCE server has write permission to it and that there is sufficient network bandwidth to carry the data.

Multiple Plugin Matches per Log File “multiple-matches”

By default, the LCE daemon stops processing a log message as soon as one plugin has matched it. This behavior may be overridden by selecting "Enable Multiple Matches" in the "Debugging" section of the "Advanced" menu in the LCE GUI. With this feature enabled, the LCE daemon runs the entire plugin set against every log message. This is useful for extracting several kinds of information from one log. For example, there may be one plugin that looks for a generic user login failure and another that looks for a login failure for the user "root". Without the multiple matches option, only one of the two plugins will match, even though both are valid.

Even more than in normal LCE operation, be sure to disable unneeded plugin libraries when the multiple matches feature is enabled; otherwise the LCE's performance can suffer, since every plugin is tried against every log.

Quick Example

Tenable implemented this feature for a customer who had a firewall log with NAT addresses. For each transaction, the firewall logged the external Internet address, the customer’s Internet address and their internal RFC1918 address. What they wanted was the ability to type in any of the IP addresses in question to produce a report of the history.

For example, a student may receive 192.168.20.10 via DHCP inside a high school. The school’s public IP address at the firewall may be 64.64.64.64 and the student may have been attacking a web site at 99.99.99.99.

These “public” addresses were chosen at random and are in no way intended to be example organizations or potential targets. We did not want to use RFC1918 addresses as example external addresses.

A firewall log may have all three IP addresses for any network browsing. Without “Enable Multiple Matches” options selected, there is only one pair of IP addresses that can be matched. However, with “Enable Multiple Matches” enabled, two rules can be used to process the same log file and extract the specific IP addresses.

The customer decided to log “external to public IP” and “public IP to internal IP” firewall logs. They generated two LCE events for each firewall log event. However, when they added in the DHCP logs, they were able to use the IP address of a potentially attacked target to get the actual internal IP address and MAC address. When someone outside of their network contacted them and complained of a spammer, worm, or malicious activity, they were able to type in the IP address of the target, see which public IP address was in use at the time, and then see which internal IP addresses were related.
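An added Python sketch of first-match versus multiple-match evaluation; it is not LCE code, the regexes stand in for PRM match logic (the real PRM syntax is not reproduced), and the firewall and sshd log lines are constructed for the example. With multiple matches off, the NAT firewall line yields only the first pair of addresses; with it on, both pairs are extracted and the public address becomes searchable, as in the customer case above.

```python
"""First-match versus multiple-match plugin evaluation over one log line."""
import re
from typing import Dict, List, Set

# Constructed stand-ins for PRM match logic: (event name, regex with named groups).
PLUGINS = [
    ("Firewall-Internal_To_External",
     re.compile(r"\bsrc=(?P<sip>[\d.]+):\d+ dst=(?P<dip>[\d.]+):\d+")),
    ("Firewall-Public_To_External",
     re.compile(r"dst=(?P<dip>[\d.]+):\d+ nat_src=(?P<sip>[\d.]+):\d+")),
    ("Login-Failure",
     re.compile(r"Failed password for (?P<user>\S+) from (?P<sip>[\d.]+)")),
    ("Root-Login-Failure",
     re.compile(r"Failed password for root from (?P<sip>[\d.]+)")),
]

# Constructed sample logs: a NAT firewall record carrying all three addresses from
# the narrative above, and an sshd failure for root.
FW_LOG = ("Jun 30 17:45:36 fw1 conn: proto=tcp src=192.168.20.10:51234 "
          "dst=99.99.99.99:80 nat_src=64.64.64.64:40001 action=allow")
SSH_LOG = ("Jun 30 17:46:01 host1 sshd[15322]: Failed password for root "
           "from 172.20.1.1 port 4000 ssh2")


def normalize(log: str, multiple_matches: bool) -> List[Dict[str, str]]:
    """Run the plugin set over one log.  The default stops at the first matching
    plugin; with multiple_matches every plugin is tried and each hit is an event."""
    events: List[Dict[str, str]] = []
    for name, pattern in PLUGINS:
        m = pattern.search(log)
        if m is None:
            continue
        events.append({"event": name, **m.groupdict()})
        if not multiple_matches:
            break
    return events


def ip_index(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Which events mention each address: the 'type in any IP' report from the example."""
    index: Dict[str, Set[str]] = {}
    for ev in events:
        for key in ("sip", "dip"):
            if key in ev:
                index.setdefault(ev[key], set()).add(ev["event"])
    return index


if __name__ == "__main__":
    for flag in (False, True):
        events = normalize(FW_LOG, multiple_matches=flag)
        print("multiple matches", flag, "->", [e["event"] for e in events])
        print("   searchable addresses:", sorted(ip_index(events)))
```

Plugin order matters in first-match mode: whichever plugin the daemon evaluates first wins, which is why the more specific root-login plugin never fires here unless multiple matches is enabled.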

If any changes are made to the “Debugging” section below, select the “Update” button at the bottom of the “Advanced” page for the changes to go into effect.


Option / Description

Write Unnormalized Logs
    If non-zero, the number of unnormalized logs to write to the rolling notmatched.txt file in the database directory. LCE fills this file with log events that have not matched any LCE plugin, which is an excellent way to find events that are being inadvertently ignored. There is a hardcoded limit of 2 GB for this file in addition to the event count. This option is deprecated; users are encouraged to enable "Store Unnormalized Logs" above instead.

Save All Logs File
    Specifies a log file in which all events, not just those matched by an LCE plugin, are stored. This file does not rotate on its own and must be managed by logrotate. It requires significantly more disk space than keeping only the events that match plugins, and is most useful together with logrotate and an external storage device. Deprecated: enable it temporarily for debugging only; it is useful only when a text copy of all incoming logs is required.

Enable Multiple Matches
    By default, LCE stops evaluating plugins when it finds a match for a log. If this option is enabled, LCE evaluates all plugins for every log.

Each of the remaining options writes a debug message when the described action occurs:

Log Client Event Packets
    The LCE server receives an event or event-related message from an LCE Client.

Log Client Authorization
    The LCE server receives a login, logout, version info or related message from an LCE Client.

Log Server Client Tracking
    The LCE server connects, disconnects, updates status for, or performs related actions for an LCE Client.

Log Plugin Matches (successful)
    The LCE server successfully matches a log with a plugin match statement.

Log Plugin Matches (failed)
    The LCE server fails to match a log with a plugin match statement.

Log Plugin Matches (attempted)
    The LCE server attempts to match a log with a plugin match statement.

Log Plugin Construction
    The LCE server parses the plugins and constructs internal representations.

Log Plugin Match Organization
    The LCE server sorts and builds the plugin execution structure internally.

Log Silo Rollover
    The LCE server fills a silo and prepares to write to the subsequent silo.

Log Load Balanced Data
    The LCE server offloads an event to an Auxiliary LCE, or receives an event from the Primary LCE, in a load balancing configuration.

Log Load Balanced Status
    The LCE server receives a status heartbeat from an Auxiliary LCE, or sends a status heartbeat to the Primary LCE, in a load balancing configuration.

Log Load Balance Connections
    The LCE server connects to or disconnects from another LCE in a load balancing configuration.

Log High Availability
    The LCE server connects, disconnects, fails over or performs a related action in high availability mode.

Log Reconfiguration
    The LCE server receives a configuration update from the web-based user interface.

Log User Tracking
    The LCE server processes an event with a normalized user name and performs a user tracking action.

SSH Keys

The SSH Keys section displays the SSH keys that have already been exchanged between SecurityCenter and the LCE server during the setup process performed on SecurityCenter.


However, if there is a problem with the automatic SSH key exchange during setup, or if it is preferred to upload the key instead of performing the automatic exchange, a key can be uploaded by selecting "Add New SSH Key".

In the "New SSH KEY" window, paste the public key of the SecurityCenter server and provide a comment if desired. In the example, the username for the public key being uploaded is included in the comment. When the SSH Key and Comment fields have been completed, select "Create SSH Key".

After the key has been created it is displayed under "SSH Key". If the key needs to be removed, hovering over the key displays an "X" next to it; clicking the "X" opens a dialog box asking to confirm the deletion of the key.


Service Control

The “Control” section of “System Configuration” is used to verify the status of an LCE service. This section can also be used to start and stop each service that is related to LCE if needed.

Option / Description

All Processes             "Stop" or "Start" all LCE daemons
Log Engine                "Stop" or "Start" the LCE daemon
Query Interface           "Stop" or "Start" the LCE query daemon
Log Indexer               "Stop" or "Start" the LCE indexer daemon
Vulnerability Reporter    "Stop" or "Start" the LCE Vulnerability Reporter daemon
Statistics Engine         "Stop" or "Start" the Statistics daemon

Feed Settings

Feed Registration

The last section under “System Configuration” is “Feed Settings” that contains the “Feed Registration” section where the activation code is entered, and license key file is uploaded. Once a new code and/or key is selected, click the “Update” button at the bottom of the page to apply the change(s).


Option / Description

Activation Code
    The Activation Code is obtained from Tenable's support site. If an updated code is required, enter it in the field and click the "Apply" button.

License Key File
    The License Key may be downloaded from Tenable's support site. When an updated key is required, select the "Browse" button and select the new key from its saved location.

Plugin Update

Updating Plugins (PRM Files) and TASL Scripts

This section describes methods for updating LCE plugins (files with a .prm extension) and TASL scripts.

Automatic Plugin (PRM Files) and TASL Updates

Plugin updates occur over an HTTPS connection at a set "Plugin Update Interval". The default update interval is 3 days, but it can be increased or reduced if required. Updating PRM and TASL files with the lce_update_plugins.pl script, found in the /opt/lce/daemons directory, has been deprecated; it can still be used, but only to update plugins. The script will not update the HTML client or the LCE web server. The "Plugin Update" section of the LCE web interface, found under "Feed Settings" in the "Configuration" section and shown below, updates all plugins along with the HTML client and the LCE web server when "Update Plugins" is selected.

The lce_update_plugins.pl script, if used, automatically compares each PRM and TASL present in the plugins directory with the version on Tenable's web site. If there is a difference, the script downloads and installs the new scripts and optionally restarts the LCE.

Usage of the lce_update_plugins.pl script is displayed by running the script without any options or with the "-h" (help) option.


Updating Individual PRM Files

Individual PRM files can be updated using lce_update_plugins.pl, located in the /opt/lce/daemons directory. This script offers several options for updating PRM files and TASL scripts, which are displayed using the "-h" (help) option as shown below:

# ./lce_update_plugins.pl -h
*** This utility is deprecated and will not update the HTML client or LCE web server ****
*** Please use the LCE web interface for future plugin updates ****
LCE Plugin Updated Help Screen
Usage: ./lce_update_plugins.pl -OPTIONS
Available options:
-a (download & update all latest plugins from Tenable)
-p (download & update latest PRM plugins from Tenable)
-t (download & update latest TASL scripts from Tenable)
-c (download & update latest client packages from Tenable)
-y (download & update latest client policies from Tenable)
-x (download & update latest threat list data from Tenable)
-o (download & update only plugins/TASL scripts available in corresponding directories)
-i (Only inspect if new plugins are available. This switch will report plugins that changed, but will not update them.)
-s (silent mode)
-v (verbose mode)
-D (default mode - equivalent to -aov)
-f (force LCE to reload plugins, TASLs, policies, etc regardless of whether underlying content has been modified)
-k (keep the original combined plugins tar file and signature in /tmp/ after a successful download)
Examples:
./lce_update_plugins.pl -a (Update all plugins/TASL scripts)
./lce_update_plugins.pl -as (Update all plugins and remain silent)
./lce_update_plugins.pl -aov (Update plugins/TASL scripts available in corresponding directories and report all actions)
./lce_update_plugins.pl -aiv (Check for updated versions of all installed plugins, but do not update them, and report all actions)
./lce_update_plugins.pl -tiv (Check for updated versions of all installed TASL scripts, but do not update them, and report all actions)

The directories containing the PRM files and TASL scripts are specified in the /opt/lce/daemons/plugins directory. When the lce_update_plugins.pl script is manually invoked, the files contained in these plugins and correlation scripts (TASL) directories will be archived to the /opt/lce/daemons/plugins_archive directory. The backups of the files in the TASL directory will appear in the plugins_archive directory as a time stamped file such as tasls_2008091222457616.tar.gz, and the backups of the files in the plugins directory will appear in the plugins_archive directory as a time stamped file such as plugins_2008091222457421.tar.gz.

For example, if the script is invoked with the -p option, only the PRM files will be updated, without affecting the TASL scripts. In this case, all files in the plugins directory will first be archived to the plugins_archive directory before downloading and updating the latest plugins. Likewise, invoking the script with the -t option will only update the TASL scripts without affecting the PRM files. In this case, all files in the correlation scripts (TASL) directory will first be archived to the plugins_archive directory before downloading and updating the latest TASL scripts. Invoking the script with the -a option will first archive all files in both the plugins and correlation scripts (TASL) directories before downloading and updating all the latest PRM files and TASL scripts.

Offline Updates

The “Offline Plugin Update” section can be found under “Configuration”, “Advanced”, and “Feed Settings” of the LCE GUI. It allows for a tar file of the LCE plugins to be uploaded by browsing to the file, and then selecting “Process Plugins”.

Option               Description
Offline Update File  This option allows a user to upload a new set of plugins to the LCE. It is only needed when an LCE server does not have internet access.
Process Update       Selecting this option will complete the update process using the plugins file that was uploaded.

Web Proxy


Option                   Description
Proxy Address            The IP address of the proxy server to be used with LCE.
Proxy Username           The username for the proxy, if one is required.
Proxy Password           The password for the proxy, if one is required.
Verify Proxy Password    The password entered again for verification.
Custom Plugin Feed Host  If a custom plugin feed is used with the LCE server, that host information is entered here.
Custom User Agent        Custom user agent string used during plugin update requests.

LCE Health and Status

Included in the LCE 4.4 web interface is “Health and Status” information. In the “Service Status” section the name of the “Service” of each daemon is shown along with the “Status” of each daemon. It also includes when the daemon was “Last Started” and the “Version” of the daemon.

The “Plugins” section displays the “LCE Server Version”, “Web Server Version”, “HTML Client Version”, “Activation Status”, “Plugin Set”, “Plugin Set Loaded”, and the “Feed Expiration” information.


Correlation Statistics

In the “Statistics” section the number of events is displayed for each “Source” of event data. The “LCE” source shows the number of internally generated events from the LCE being administered. The “TCP Syslog” and “UDP Syslog” sources display the number of events received on the configured TCP syslog or UDP syslog listening port. Likewise, the “Client” source is the total amount of event data that all the LCE clients produce. The “IDS” source type is the total amount of event data from all IDS sources. The “TASL” source type is all the event data created by the LCE TASL scripts.

The “Source” data is displayed in “Average Events / Second” and “Average Bytes / Second” since the startup of the LCE server. The “Source” data also displays the “Total Events (today)” for the current day, and the “Total Events (since startup)”, which is the total number of events since the LCE server daemon was last restarted.

Runtime statistics pertaining to logging and correlation are collected including:

- Logs/bytes per second

- Number/percentage of logs matched/unmatched

- Number of events correlating with vulnerabilities

- Number/percentage of logs from clients, syslog, and IDS

- Number of TASL alerts generated

This information is logged once per hour and is written both to the application log and to the normalized database under the event name “LCE-Server_Statistics” (type “lce”).

Example Correlation Statistics Output found in the LCE admin logs (e.g., /opt/lce/admin/log/2014Jul.log):

An average of 50 logs are being received each second.
A total of 5,778 logs (521,046 bytes) have been received.
2,232 logs have been matched by plugins (38.63%). 3,546 logs did not match (61.37%).
Log source breakdown: 5,774 from clients (99.93%), 2 via syslog (0.07%), 0 from IDS devices (0.00%).
No log events have correlated with vulnerabilities.
2 TASL alerts have been generated.
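The hourly statistics block is written as prose rather than as a structured record, so anything that watches it (a cron job, a SIEM collector) has to parse it. The following Python is an added example, not code from LCE or from this guide: it parses the sample lines quoted above into numbers, recovers the count of logs that the source breakdown line does not itemize (the page lists “LCE” and “TASL” as further sources), and flags an hour in which the unmatched share exceeds a threshold, which is the practical signal that plugin coverage is lagging behind the log sources being fed in. The regular expressions follow the wording of the sample output; the singular forms (“1 TASL alert has been generated”) and the counted form of the vulnerability-correlation line are assumptions about wording the page does not show.

```python
import re

# Sample hourly statistics block, copied from the LCE admin log example in this guide.
SAMPLE_STATS = """\
An average of 50 logs are being received each second.
A total of 5,778 logs (521,046 bytes) have been received.
2,232 logs have been matched by plugins (38.63%). 3,546 logs did not match (61.37%).
Log source breakdown: 5,774 from clients (99.93%), 2 via syslog (0.07%), 0 from IDS devices (0.00%).
No log events have correlated with vulnerabilities.
2 TASL alerts have been generated.
"""

# Field -> regex with one capture group holding a comma-grouped integer.
# Singular/plural alternations are assumptions; the sample only shows the plural forms.
PATTERNS = {
    "logs_per_second": r"An average of ([\d,]+) logs? (?:are|is) being received each second",
    "total_logs": r"A total of ([\d,]+) logs? \(",
    "total_bytes": r"\(([\d,]+) bytes\)",
    "matched": r"([\d,]+) logs? (?:have|has) been matched by plugins",
    "unmatched": r"([\d,]+) logs? did not match",
    "from_clients": r"([\d,]+) from clients",
    "via_syslog": r"([\d,]+) via syslog",
    "from_ids": r"([\d,]+) from IDS",
    "tasl_alerts": r"([\d,]+) TASL alerts? (?:have|has) been generated",
}


def _num(text):
    """Turn '5,778' into 5778."""
    return int(text.replace(",", ""))


def parse_stats(block):
    """Parse one LCE-Server_Statistics block into a dict of integers (None if a line is missing)."""
    stats = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, block)
        stats[key] = _num(match.group(1)) if match else None
    # The vulnerability line is worded differently when the count is zero.
    if re.search(r"No log events have correlated with vulnerabilities", block):
        stats["vuln_correlated"] = 0
    else:
        # Assumed wording for the non-zero case; not shown in the guide.
        match = re.search(r"([\d,]+) log events? (?:have|has) correlated with vulnerabilities", block)
        stats["vuln_correlated"] = _num(match.group(1)) if match else None
    return stats


def other_sources(stats):
    """Logs not attributed to clients, syslog or IDS in the breakdown line.

    The breakdown only itemizes those three; the remainder covers the other
    sources the Statistics section names (LCE-internal and TASL-generated events).
    """
    return stats["total_logs"] - (stats["from_clients"] + stats["via_syslog"] + stats["from_ids"])


def check_stats(stats, max_unmatched_ratio=0.5):
    """Return a list of findings for one hourly block; an empty list means it looks healthy."""
    required = ("matched", "unmatched", "total_logs")
    if any(stats[key] is None for key in required):
        return ["statistics block is incomplete or its wording changed"]
    findings = []
    if stats["matched"] + stats["unmatched"] != stats["total_logs"]:
        findings.append("matched + unmatched does not equal total logs")
    if stats["total_logs"]:
        ratio = stats["unmatched"] / stats["total_logs"]
        if ratio > max_unmatched_ratio:
            findings.append(f"unmatched share {ratio:.2%} exceeds {max_unmatched_ratio:.0%}")
    return findings
```

Run against the sample, parse_stats recovers 5,778 logs of which 3,546 (61.37%) were unmatched, other_sources reports the 2 logs the breakdown leaves unattributed, and check_stats with the default 50% threshold raises one finding about the unmatched share; the same block passes at a 70% threshold.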

Example of Correlation Statistics found in the Health and Status section of the LCE GUI:

In the “Data Sensors” section there is a drop-down to select the type of data sources to be displayed. The “Clients” option is selected by default, and each client that has sent events to LCE is displayed. The “Source” column will display the IP address of the client. The “Logs Today” section will show the total number of logs collected by that client in the current day. The “Client Type” column will display the type of client, and the “Last Timestamp” will show when the client last sent an event.


The second option under “Select Data Source” is “Syslog Sensors”, which will display all hosts that are forwarding syslog to the LCE server. The “Source” column displays the IP address of the syslog server, and the “Logs Today” column displays the total number of logs sent in the last day for each syslog server. The “Last Timestamp” shows the last time each syslog server sent logs to the LCE server.

The “Alerts” page is a simple way to see when a condition on the LCE server requires attention from the LCE administrator. It includes informational alerts, such as when a new LCE client requests authorization to send events to LCE. It also includes warnings, such as login failures to the LCE interface, or license expiration warnings. Finally, it includes error conditions that could prevent LCE from working properly.


Finally, the “Advanced” page displays information about the LCE database. The “Current Silo” displays the current silo number and the total number of silos that are available. The “Current Silo Size” displays the amount of space that is used out of the configured silo size. The “Advanced” page also displays an estimate of how many days it will take to fill the current silo. On the “Advanced” page you will also find the amount of space that is currently being used by the database under “Active DB File System Usage”, and the total amount of space that is being used by the database under “Archive DB File System Usage”. The “Estimated Time to Fill Disk” is also displayed. The “Indexing DB Silo”, “Indexing Text DB silo”, and the “Indexing Log Store” are also included on the “Advanced” page.

The current silo number range starts at 0. If you have 103 total silos and see 102/103 silos, this indicates the last silo before rolling over and restarting at 0.


LCE Users

The LCE GUI can be accessed by two user types: “Administrator” and “Read Only”. An “Administrator” user has the ability to perform all administration of the LCE GUI. The “Read Only” user can only view the “Health and Status” section of the LCE GUI. A user’s privilege can be seen under “User Type”.


Add Users

To add a new user, log in to the LCE GUI as an “Administrator” user, and then select the “Users” section of the LCE GUI. Choose “+New User” to start the process to add a new user. The “New User” screen is shown below:

Enter a “Username”, “Password”, and then “Confirm Password”. Select the “Administrator” box if the user is to be an administrator, and select “Create User”. The maximum username length is 127 characters.

The Administrator user “bsmith” that was added is shown in the LCE GUI below.

Edit Users

A user’s privileges and status can be edited by selecting the username to be edited. The “Edit User” window will open, and the user name will be shown in the window at the top. The user can have “Administrator” privileges added or removed. The user account can also be locked or unlocked. If a user has too many failed login attempts their account will be locked and may be unlocked using this setting. If the user is an “Administrator” they can be demoted to a “Read Only” user by deselecting “Administrator” before the account can be locked. After the desired changes are made, select “Update” to complete the edits to the user.

Remove Users

To remove a user, select the box beside the user to be deleted and choose “Actions” followed by “Delete Users”.

The following window will be displayed to confirm the user deletion. Choose “Delete” to remove the user or “Cancel” to abort the process.


Managing Client Configuration Files

Starting with version 4.2 of the LCE clients, the client configuration files are managed centrally from the SecurityCenter 4.6 or LCE server using the /opt/lce/daemons/lce_client_manager command line utility. This allows a central server to manage the configuration files of all the deployed LCE clients that are configured for the server.

For more information on this option, see the LCE Clients Guide available from http://support.tenable.com.

Upgrading LCE

The LCE is upgraded simply by using the “rpm” command with the “-U” switch to force an upgrade. The LCE stops and starts the service during the upgrade process, which makes a manual stop/start unnecessary. After the upgrade is completed it is recommended that you run the /opt/lce/daemons/activate.sh script. The script will require your LCE activation code. The activation code for LCE can be located by logging into the Tenable Support Portal and selecting “Activation Codes” from the menu on the right followed by “Log Correlation Engine”. After you have entered the activation code, the script will complete once the plugin update is finished.

# rpm -Uvh lce-4.4.0-DEV04-el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:lce                    warning: /opt/lce/.ssh/authorized_keys created as /opt/lce/.ssh/authorized_keys.rpmnew
########################################### [100%]
Moving deprecated file lce.conf to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file feed.cfg to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file rules.conf to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file excluded_domains.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file trusted_plugins.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file hostlist.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file untracked_usernames.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file disabled-tasls.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file disabled-prms.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file sampleable_tasls.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file syslog_sensors.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
The installation process is complete.
Please refer to /var/log/lce_upgrade.log to review installation messages.
To configure LCE, please direct your browser to:
https://192.168.0.123:8836

After the upgrade, changes to the LCE configuration are made in the LCE GUI. To access the LCE GUI, navigate to the IP address or hostname of the LCE server on port 8836 (https://<ip address or hostname>:8836). The previous configuration files are stored in /opt/lce/tmp and may be deleted once the upgrade is determined to be successful.


LCE Command Line Operations

The version of the lced binary can be determined in two ways. The version is displayed in the “Service Status” section of the LCE GUI, but it can also be found by running the lced binary with the -v option as shown below:

# /opt/lce/daemons/lced -v

Log Correlation Engine version 4.4

#

Use the following command to see how the LCE is configured during Linux startup and shutdown (installation defaults are shown):

# chkconfig --list lce

lce 0:off 1:off 2:on 3:on 4:on 5:on 6:off

#

To change how the LCE will behave during Linux startup and shutdown use the following command:

# chkconfig [--level <levels>] lce <on/off/reset>

Please refer to your own Red Hat Linux documentation on how to use chkconfig in conjunction with Linux run levels to configure the LCE startup and shutdown to your requirements.

Starting LCE

The RPM installation places an LCE start-up (/etc/rc.d) script in /etc/rc.d/init.d.

Use the following command to start the LCE:

# service lce start

If the lced daemon terminates abnormally for any reason, the system will automatically restart the daemon and add a warning to the LCE logs.

Halting LCE

Similarly, the /etc/rc.d script can be used to halt the LCE and gracefully exit any log analysis or log writing it is performing.

Use the following command to stop the LCE server:

# service lce stop

Restarting LCE

The /etc/rc.d script can be used to restart the LCE, gracefully exiting any log analysis or log writing it is performing and starting the LCE again. Use the following command to restart the LCE server:

# service lce restart


Determine LCE Status

The /etc/rc.d script can be used to determine the status of the LCE components and their PIDs. Use the following command to acquire the status of the LCE server processes:

# service lce status

Operating the stats Daemon

Although this document does not cover all aspects of the stats daemon, a separate RC script is included in the LCE RPM for starting and stopping the daemon. Use the following commands to stop and start the stats daemon:

# service stats stop

# service stats start

# service stats restart

# service stats status

Additional Features

Importing LCE Data Manually

LCE data can be collected both via real-time logging and manually in batch mode using the “import_logs” tool. These events will show up in the normalized event view along with events collected in real-time. This command-line tool allows data to be imported into the LCE that may not be available in real-time, but is still important for correlation of vulnerability data and for analysis of security posture and events.

Usage:

# /opt/lce/tools/import_logs <list of log files and directories to import> [-d, --disable-rules] [-a, --approximate-timestamps] [-c, --current-time] [-o, --output-prefix <prefix>]

Each item in the <list of log files and directories to import> is a file name or directory name. A directory name may or may not end with a slash. For example:

# /opt/lce/tools/import_logs /directory1 file1 file2 /directory2/

Directory imports are non-recursive.


The following table describes the options available for import_logs:

Option                        Description
-d, --disable-rules           Do not apply LCE event rules to imported logs.
-a, --approximate-timestamps  If no timestamp can be determined for an event, assign the most recent known timestamp.
-c, --current-time            Use the current system time for all imported logs rather than the timestamps contained within the event text.
-o, --output-prefix <prefix>  Use the specified prefix when naming newly generated silos. For example, the “-o Snort” option will generate silos with names like SnortJun142009-Aug242009.db.gz. The default prefix is “lce”. This option can aid in the process of searching for logs created by a particular import instance.

The log importer tool logs its actions to /opt/lce/admin/log/importer and archives within this directory can be checked in the event that an import does not execute as expected.

The log import tool only supports importing logs into an archived silo.


User Tracking

The LCE server has a feature that is designed to track users. User tracking can be applied to any event coming into the LCE server, regardless of the source of the event. Events correlated from Windows, Linux, Unix, or other network devices can be monitored.

When LCE encounters a log that has no username field, it will assign the username of the user most recently associated with the source IP of the incoming log, or associated with the destination IP of the log if a destination IP (dstip) is provided but a source IP (srcip) is not. If no user was previously tracked at either of the IPs, or if no IP is provided, an “(unknown)” entry is assigned.

When a user changes IP addresses (i.e., an LCE receives a log where the user’s srcip differs from the srcip in the previous log tagged with the username), the new IP address is also associated with the user. The last three IP addresses per user are stored for the user, allowing for cases where a single user logs into multiple systems at the same time. For example, the following event shows a user becoming active at a new IP address:

Network user IP address change: user someguy94 became active at 169.254.96.232 with event login (169.254.96.232:0)

The data used to track usernames is stored in the files usernames.txt, ip_user.dat, and user_ip.dat in the LCE database directory. The .dat files are written when the LCE service is shut down gracefully. In case of a server crash, the data is automatically backed up every 10 minutes.

A maximum of 65,534 unique usernames can be stored. If the maximum is reached, incoming logs with new users will have the user fields marked with the “(unknown)” entry.


User tracking in LCE will function if the following conditions are met:

The LCE server has plugins that can match the events and pull usernames from the events. For example, plugin 3209 in os_win2k_sec.prm has the following line:

log=event:Windows-Account_Used_For_Login sensor:$1 dstip:$2 user:$3 type:login event2:WindowsEvent-680

The “user:$3” directive tells the plugin to add the username to the available event searchable fields. As a result, searches that query this event based on the username will return results.

The plugin IDs have been added to the “User Tracking Plugins” in the “User Tracking” section in the configuration section of the LCE GUI (one plugin ID per line).

A list of the plugins provided by Tenable that include user information is found at the end of /opt/lce/daemons/plugins/prm_map.prm.

The user tracking settings have been properly configured in the LCE GUI under “User Tracking”. Please refer to the Advanced Configuration Options section of this document for a description of the following applicable keywords:

- accept-letters

- accept-numbers

- additional-valid-characters

- max-username-characters

If these conditions are not met, usernames may still be stored in normalized events; however, they cannot be searched using the event filter “username” parameter. Another way to search for usernames in logs is through the raw log search feature of SecurityCenter described below.
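The following Python is an added example, not LCE code and not part of this guide, that models the user-tracking behaviour described in this section end to end: it splits the plugin 3209 log= directive quoted above into its fields, fills the $N placeholders from constructed capture groups, and then assigns usernames to a stream of events the way the text describes (a log with no username inherits the user most recently seen at its srcip, else at its dstip, else “(unknown)”; the last three IP addresses are kept per user; once 65,534 usernames exist, new users are recorded as “(unknown)”). The capture values, the fallback to dstip when a user-bearing log has no srcip, and the exact text of the IP-change notice are assumptions; the real lced persists this state in usernames.txt, ip_user.dat and user_ip.dat, which the example only imitates in memory.

```python
import re
from collections import OrderedDict

UNKNOWN = "(unknown)"
MAX_USERNAMES = 65534   # maximum unique usernames stated in this guide
IPS_PER_USER = 3        # the last three IP addresses are kept per user (from this guide)

# The log= directive of plugin 3209 in os_win2k_sec.prm, quoted from this guide.
PRM_LOG_DIRECTIVE = ("log=event:Windows-Account_Used_For_Login sensor:$1 dstip:$2 "
                     "user:$3 type:login event2:WindowsEvent-680")


def parse_log_directive(directive):
    """Split a PRM log= directive into an ordered {field: template} map, e.g. {'user': '$3'}."""
    body = directive.split("=", 1)[1] if directive.startswith("log=") else directive
    fields = OrderedDict()
    for token in body.split():
        key, _, value = token.partition(":")   # split on the first colon only
        fields[key] = value
    return fields


def apply_directive(fields, groups):
    """Replace $N templates with the N-th regex capture group (1-indexed); keep literals."""
    event = {}
    for key, value in fields.items():
        match = re.fullmatch(r"\$(\d+)", value)
        event[key] = groups[int(match.group(1)) - 1] if match else value
    return event


class UserTracker:
    """In-memory imitation of the LCE user-tracking tables described in this guide."""

    def __init__(self, max_users=MAX_USERNAMES):
        self.max_users = max_users
        self.user_ips = {}   # username -> most-recent-first list of IPs (cf. user_ip.dat)
        self.ip_user = {}    # ip -> user most recently active there (cf. ip_user.dat)
        self.notices = []    # "Network user IP address change" style messages

    def track(self, event):
        """Return the username assigned to a normalized event (dict with optional srcip/dstip/user)."""
        user = event.get("user")
        src, dst = event.get("srcip"), event.get("dstip")
        if not user:
            # No username field: inherit the user most recently seen at srcip, then dstip.
            if src:
                return self.ip_user.get(src, UNKNOWN)
            if dst:
                return self.ip_user.get(dst, UNKNOWN)
            return UNKNOWN
        if user not in self.user_ips and len(self.user_ips) >= self.max_users:
            return UNKNOWN   # username table is full: new users are recorded as (unknown)
        ips = self.user_ips.setdefault(user, [])
        ip = src or dst      # assumption: use dstip when a user-bearing log has no srcip
        if ip:
            if ip not in ips:
                # Assumed wording, modelled on the example notice in this guide.
                self.notices.append(f"Network user IP address change: user {user} became "
                                    f"active at {ip} with event {event.get('type', 'unknown')}")
            ips[:] = [ip] + [known for known in ips if known != ip]
            del ips[IPS_PER_USER:]           # keep only the three most recent addresses
            self.ip_user[ip] = user
        return user


def demo():
    """Walk constructed events through the tracker; returns (tracker, assigned usernames)."""
    tracker = UserTracker()
    # Constructed capture groups for plugin 3209: sensor, dstip, user.
    login = apply_directive(parse_log_directive(PRM_LOG_DIRECTIVE),
                            ["DC01", "169.254.96.232", "someguy94"])
    assigned = [tracker.track(login)]
    # Constructed follow-on logs that carry no username field.
    assigned.append(tracker.track({"srcip": "169.254.96.232"}))   # inherits someguy94 via srcip
    assigned.append(tracker.track({"dstip": "169.254.96.232"}))   # inherits someguy94 via dstip
    assigned.append(tracker.track({"srcip": "10.0.0.9"}))         # never tracked -> (unknown)
    return tracker, assigned
```

demo() assigns “someguy94” to the login and to the two username-less logs that touch 169.254.96.232, and “(unknown)” to the log from an address no user has been seen at; a user seen at four addresses in turn retains only the three most recent, and a tracker built with a small max_users shows the “(unknown)” behaviour once the table is full.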

Working with SecurityCenter

Adding the LCE to SecurityCenter

To add your LCE server to SecurityCenter, log into SecurityCenter as the admin user and click on “Resources” and then “Log Correlation Engines”. A screen similar to the one below is displayed with the currently available LCE servers.


The “Add” button displays a dialog box with the following fields:

Option                  Description
Name                    The unique name that this LCE server will be known as.
Description             Descriptive text for the LCE server.
Host                    The IP address of the LCE server. When SecurityCenter resides on the same host as the LCE server, it is recommended to use the localhost IP address of 127.0.0.1.
Organizations           Select the customer that this LCE is assigned to from the drop-down menu.

Event Vulnerability Data
Import Vulnerabilities  Selecting this box allows you to configure your LCE to use event data to detect vulnerabilities.
Repositories            Select the repository in which to keep the vulnerability data collected from LCE events.

Event Vulnerability Host
Host                    The IP address of your LCE server.
Port                    The port used for communication between SecurityCenter and LCE. The default port is 1243. In the LCE GUI this is known as the “Reporter Port”.
Username                The “Reporter Username” that was set in the LCE GUI under the “Configuration”, “Advanced”, “Host Discovery and Vulnerabilities” section.
Password                The “Reporter Password”, which is found in the “Configuration”, “Advanced”, “Host Discovery and Vulnerabilities” section.


An example of this screen is shown below:

After clicking on “Submit”, the LCE admin credentials (“root” user or equivalent) are requested to establish an authenticated session between SecurityCenter and the LCE. After the LCE server is successfully added, highlight the new LCE server to display options pertinent to that server.

If you are using DNS in your environment, make sure it is configured for reverse DNS resolution to facilitate query speeds. If you are not using DNS, modify the /etc/hosts file to include your SecurityCenter IP address and hostname. For example: 192.168.1.22 SecurityCenter4.example.com SecurityCenter4

More information about SecurityCenter configuration options is available through the “SecurityCenter Administration Guide” available on the Tenable Support Portal.

Configuring Organizations

A SecurityCenter administrator can associate LCE servers with various organizations. Through the web interface, SecurityCenter can be configured so that users of specific organizations can make queries to each LCE server. This is documented in the SecurityCenter documentation.


Analyzing Security Events

A wide variety of LCE analysis and reporting tools are available to SecurityCenter users. These users can make use of any LCE event that intersects with their range of managed IP addresses. All analysis and reporting options are described in the “SecurityCenter 4 User Guide”.

Identifying Vulnerabilities

LCE can leverage log data to find vulnerabilities. The Tenable plugins that report this information will have the plugin ID range of 800,000 - 899,999. A sample screen capture of data that can be found is shown below:

You can filter for the vulnerabilities identified by LCE in SecurityCenter by using the ID Filters, selecting Plugin ID, then selecting “>=” and entering “800000”. The filter setting is pictured below:

TASL Scripts

After PRM processing normalizes an event, the event is submitted to the LCE TASL engine for advanced processing by TASL scripts. TASL scripts are used for many types of detection events such as thresholds, successful attack detection, and alerting. By default, all TASL scripts are included on the LCE server; however, they can be disabled manually in the “TASL and Plugins” section of the LCE GUI described in detail earlier in this document.


For more information regarding TASL scripts review the LCE 4.2 TASL Reference Guide.

Full Text Searches

Full text searches may be performed on the data stored within the attached LCE servers. When viewing the events page the Search field will accept text strings as valid search criteria. Search terms are case insensitive and Boolean searches may be utilized to further enhance search results. This enables searching the raw logs for details contained in the events.

The LCE text search feature is powerful but requires a bit of knowledge of the available operators as well as the underlying search engine. To summarize, we will explain what it means when we say that LCE can search for compound groups of full text tokens.

Tokens

What is a token? It's a full word, 2 characters or more, separated by punctuation or whitespace and not including that punctuation or whitespace. In the previous sentence, the tokens are underlined. It doesn’t include single-character strings, and it doesn’t include punctuation (like periods, hyphens, underscores, commas, apostrophes, etc.).

LCE searches on full tokens, meaning that if you want to find “software” and “Microsoft” because you want to see your Windows software update logs, then you must search for “software AND Microsoft” rather than “soft”, which would be a common substring.

Operators

These are CASE SENSITIVE. If you do not capitalize the operator, it will be considered a search term. Searching for “mike or miked” will actually yield “mike AND or AND miked”, which is probably undesirable.

1. AND

Finds logs containing both tokens.

2. OR

Finds logs containing either token.


3. NOT

Finds logs without the subsequent token.

4. XOR

Finds logs with exactly one but not both tokens.

These can be chained, as well.

Grouping

Parentheses may be used to group conditionals together to show evaluation precedence just as in mathematics. This is useful in compound conditionals. Without grouping, this query:

text="blocked AND denied AND dropped OR firewall"

would return any log with just “firewall” in it because it satisfies the entire query. In reality, we probably wanted the other terms in there and we want something more like:

text="blocked AND denied AND (dropped OR firewall)"

This requires that the log contains “blocked”, “denied”, and either “dropped” or “firewall”. Because it has additional constraints now on the other terms, we expect that this query would return the same or fewer results.

Examples: Putting it All Together

Each example below lists the query string as typed, the query LCE actually evaluates, what it means, an example log that matches, an example log that does not match, and why the non-matching log was rejected.

Query String: text="Heartbeat"
Actual Query: text="Heartbeat"
What It Means: Show me logs with the term "Heartbeat".
Example Result: LCE Client Heartbeat| 07/23/2014 00:25:00 AM Hostname: lce_demo IP: 192.168.1.106 Revision: LCE Client 4.2.0 build 20131004
Example Non-Result: a log containing "Heart" but not "Heartbeat"
Why It Didn't Match: "Heart" does not contain the full term "Heartbeat" by itself, only as a substring.

Query String: text="linux process"
Actual Query: text="linux AND process"
What It Means: Show me logs with the term "linux" and the term "process".
Example Result: This linux host executed process "ls".
Example Non-Result: This linux host executed nothing.
Why It Didn't Match: missing "process"

Query String: text="linux NOT process"
Actual Query: text="linux NOT process"
What It Means: Show me logs with the term "linux" but NOT the term "process".
Example Result: This linux host executed nothing.
Example Non-Result: This linux host executed process "ls".
Why It Didn't Match: contains "process"

Query String: text="linux OR nothing"
Actual Query: text="linux OR nothing"
What It Means: Show me logs with either the term "linux" or the term "nothing".
Example Result: This linux host executed process "ls". This linux host executed nothing.
Example Non-Result: This nix host did everything.
Why It Didn't Match: does not contain "linux" and does not contain "nothing"

Query String: text="(linux OR nothing) AND process"
Actual Query: text="(linux OR nothing) AND process"
What It Means: Show me logs that have the terms "linux" and "process", or the terms "nothing" and "process".
Example Result: This linux host executed process "ls". The process did nothing.
Example Non-Result: This process did everything. This linux host did nothing.
Why It Didn't Match: the first contains "process" but not "linux" and not "nothing"; the second contains "linux" and "nothing" but not "process"

Query String: text="172.26.20.66"
Actual Query: text="172 AND 26 AND 20 AND 66"
What It Means: Show me logs with 172 and 26 and 20 and 66. The punctuation in the query string is treated as a delimiter like whitespace and ignored, then the terms are AND'd together by default. In general, if you have an IP in your log it is more desirable to filter on it using the "ip=", "sourceip=", or "destinationip=" filters, all of which accept an IP (172.26.20.66) or IP/CIDR (172.26.20.0/24).
Example Result: This linux host IP is 172.26.20.66. This linux host IP is 66.20.172.26. This linux host IP is 172.26.20.100 and there are 66 users.
Example Non-Result: This linux host IP is 172.26.20.100.
Why It Didn't Match: missing "66"
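The tokenizing, operator and grouping rules above, together with the examples in this table, can be modelled in a few dozen lines. The following Python is an added example, not Tenable's code or LCE's search engine; it assumes that XOR binds looser than AND and NOT but tighter than OR, which the text does not state.

```python
"""Model of the LCE full-text search rules described above (added example,
not Tenable's code). Tokens are runs of letters/digits of two or more
characters; punctuation, underscores and apostrophes are delimiters; terms
are case-insensitive; only upper-case AND/OR/NOT/XOR are operators; adjacent
terms are AND'd; parentheses group. Assumption: XOR binds looser than
AND/NOT and tighter than OR (the text only fixes AND above OR)."""
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9]+")
# Binary operators. "a NOT b" is documented as "a, but without b".
OPS = {"AND": lambda a, b: a and b, "OR": lambda a, b: a or b,
       "XOR": lambda a, b: a != b, "NOT": lambda a, b: a and not b}
PRECEDENCE = {"NOT": 3, "AND": 3, "XOR": 2, "OR": 1}  # higher binds tighter


def tokenize_log(line):
    """Return the set of indexable tokens in a raw log line (lower-cased)."""
    return {t.lower() for t in TOKEN_RE.findall(line) if len(t) >= 2}


def lex_query(query):
    """Split a query into parentheses, operators and lower-cased terms, inserting
    the implicit AND between adjacent operands ("linux process", "172.26.20.66").
    Lower-case "or" is an ordinary search term, as the text warns."""
    items = []
    for tok in re.findall(r"\(|\)|[A-Za-z0-9]+", query):
        if tok in OPS or tok in ("(", ")"):
            item = tok
        elif len(tok) < 2:
            continue  # single-character strings are not tokens
        else:
            item = tok.lower()
        prev_operand = items and items[-1] not in OPS and items[-1] != "("
        if prev_operand and item not in OPS and item != ")":
            items.append("AND")
        items.append(item)
    return items


def actual_query(query):
    """The query LCE really evaluates, as in the 'Actual Query' column."""
    return " ".join(lex_query(query))


def to_postfix(items):
    """Shunting-yard conversion honouring parentheses and PRECEDENCE."""
    output, ops = [], []
    for item in items:
        if item == "(":
            ops.append(item)
        elif item == ")":
            while ops and ops[-1] != "(":
                output.append(ops.pop())
            if not ops:
                raise ValueError("unbalanced ')'")
            ops.pop()
        elif item in OPS:
            # left-associative: pop operators of equal or higher precedence first
            while ops and ops[-1] != "(" and PRECEDENCE[ops[-1]] >= PRECEDENCE[item]:
                output.append(ops.pop())
            ops.append(item)
        else:
            output.append(item)
    while ops:
        if ops[-1] == "(":
            raise ValueError("unbalanced '('")
        output.append(ops.pop())
    return output


def matches(query, line):
    """True if the log line satisfies the full-text query."""
    tokens = tokenize_log(line)
    stack = []
    for item in to_postfix(lex_query(query)):
        if item in OPS:
            if len(stack) < 2:
                raise ValueError("operator %s is missing an operand" % item)
            right, left = stack.pop(), stack.pop()
            stack.append(OPS[item](left, right))
        else:
            stack.append(item in tokens)  # full-token match, never substring
    if len(stack) != 1:
        raise ValueError("malformed query: %r" % query)
    return stack[0]
```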


For More Information

Tenable has produced a variety of documents detailing the LCE’s deployment, configuration, user operation, and overall testing. These documents are listed here:

Log Correlation Engine 4.2 Architecture Guide – provides a high-level view of LCE architecture and supported platforms/environments.

Log Correlation Engine 4.4 Administrator and User Guide – describes installation, configuration, and operation of the LCE.

Log Correlation Engine 4.4 Quick Start Guide – provides basic instructions to quickly install and configure an LCE server. A more detailed description of configuration and management of an LCE server is provided in the “LCE Administration and User Guide” document.

Log Correlation Engine 4.4 Client Guide – how to configure, operate, and manage the various Linux, Unix, Windows, NetFlow, and other clients.

Log Correlation Engine 4.4 OPSEC Client Guide – how to configure, operate, and manage the OPSEC Client.

LCE 4.4 High Availability Large Scale Deployment Guide – details various configuration methods, architecture examples, and hardware specifications for performance and high availability of large scale deployments of Tenable’s Log Correlation Engine (LCE).

LCE Best Practices – Learn how to best leverage the Log Correlation Engine in your enterprise.

Tenable Event Correlation – outlines various methods of event correlation provided by Tenable products and describes the type of information leveraged by the correlation, and how this can be used to monitor security and compliance on enterprise networks.

Tenable Products Plugin Families – provides a description and summary of the plugin families for Nessus, Log Correlation Engine, and the Passive Vulnerability Scanner.

Log Correlation Engine Log Normalization Guide – explanation of the LCE’s log parsing syntax with extensive examples of log parsing and manipulating the LCE’s .prm libraries.

Log Correlation Engine TASL Reference Guide – explanation of the Tenable Application Scripting Language with extensive examples of a variety of correlation rules.

Log Correlation Engine 4.0 Statistics Daemon Guide – configuration, operation, and theory of the LCE’s statistic daemon used to discover behavioral anomalies.

Log Correlation Engine 3.6 Large Disk Array Install Guide – configuration, operation, and theory for using the LCE in large disk array environments.

Example Custom LCE Log Parsing - Minecraft Server Logs – describes how to create a custom log parser using Minecraft as an example.

Documentation is also available for Nessus, the Passive Vulnerability Scanner, and SecurityCenter through the Tenable Support Portal located at https://support.tenable.com/.

There are also some relevant postings at Tenable’s blog located at http://www.tenable.com/blog and at the Tenable Discussion Forums located at https://discussions.nessus.org/community/lce.

For further information, please contact Tenable at [email protected], [email protected], or visit our web site at http://www.tenable.com/.


About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Our family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable is relied upon by many of the world’s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, visit tenable.com.


Appendix 1: Sample msmtp.conf File

Note that when utilizing the msmtp.conf file a required entry is the password for the mail account. Anyone with read access to the file on the file system will be able to read the password. This will be stored in clear text on the disk, so a low-priority email account should be used for this feature.

# Example msmtp configuration file
#
# Please replace the following with the desired settings for mail server, encryption and authentication. The full
# msmtp documentation is located at http://msmtp.sourceforge.net/doc/msmtp.html.
#
# msmtp usage example: echo "This is a test message." | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf your_name@your_address.com

account provider
host smtp.gmail.com
tls on
tls_certcheck off
tls_starttls off
from your_username@your_domain.com
auth on
user your_username
password your_password
port 465
logfile /opt/lce/tools/msmtp.log

# Set the above account to be the default when the -a flag is not used
account default : provider


Appendix 2: Event Rule Table

The following table contains all the filter types that can be used for a rule. Each rule must contain one or more filters, start with a “Name”, and end with either “ignore”, “Command”, or a log source. If “Command” is used, an action must be given; if the filter is matched, the “Command” will execute. Entering “ignore” at the end of the filter ignores all events matched by that filter. If a log source is used it can be either “cef” or “syslog”, and if the rule is matched the log is forwarded to the log server in that format. See each example in the table below for additional details.

Filter: IPS
Description: Filter on source or destination IP or CIDR. Examples: 192.168.1.1, 192.168.0.0/16
Usage: Name: Ignore local logins +Types: login +IPs: 127.0.0.1 ignore

Filter: SrcIPS
Description: Filter strictly on source IP. Examples: 192.168.1.1, 192.168.0.0/16
Usage: Name: Ignore local login failures +Types: login-failure +SrcIPS: 127.0.0.1 ignore

Filter: DstIPS
Description: Filter strictly on destination IP. Examples: 192.168.1.1, 192.168.0.0/16
Usage: Name: Ignore local file access +Types: file-access +DstIPs: 127.0.0.1 ignore

Filter: Events
Description: Filter on LCE normalized event name. Example: Cisco-IDS_Command_Execution
Usage: Name: Ignore Application Changes +Events: Application_Change +IPs: 192.168.1.0/24 ignore

Filter: Sensors
Description: Filter on sensor name, available in the LCE sensor summary view or specified in the syslog_sensors.txt file. Example: XPmarketing01, Win7payroll02
Usage: Name: Ignore Application Changes +Events: Application_Change +IPs: 192.168.1.0/24 +Sensors: Exchange-10 ignore

Filter: Types
Description: Filter on LCE event type. Example: login, lce, intrusion, scanning, system
Usage: Name: Ignore local file access and system +Types: file-access, system +IPs: 127.0.0.1 ignore

Filter: Ports
Description: Filter on the source or destination port. Example: 80, 443, 8080
Usage: Name: Ignore lce / login events on port 22 +IPS: 192.168.1.1 +Types: lce,login +Ports: 22 Ignore

Filter: Protocols
Description: Filter on the protocol of the event. Example: 1 for ICMP, 2 for IGMP, 6 for TCP, 17 for UDP
Usage: Name: Ignore DNS Query +Event: PVS-DNS_Client_Query +IPS: 192.168.1.0/24 +Protocols: UDP +Ports: 53 Ignore

Filter: Users
Description: Filter on the username in a log. Example: Bob, Phil, Dan
Usage: Name: Ignore System login +IPS: 192.168.1.0/24 +Types: login +Users: SYSTEM ignore

Filter: Text
Description: Filter on any text token in the log (tokens can include spaces and punctuation, but not commas). Example: Login, Failure
Usage: Name: Ignore 404 errors +IPS: 192.168.1.0/24 +Text:404 page not found ignore

Filter: IText
Description: Filter on any text token in the log, but the text considered is case insensitive (tokens can include spaces and punctuation, but not commas). Example: Login, Failure
Usage: Name: Ignore 404 errors +IPS: 192.168.1.0/24 +IText:404 page not found ignore

Filter: Vulnerable
Description: "yes" or "no" – yes if you want to only match logs that correlate to vulnerable hosts. Example: “yes”, or “no”
Usage: Name: E-mail vulnerability correlations Vulnerable: yes Command: echo “body: $log" | sendmail [email protected] "subject: $name”

Filter: Threshold
Description: The number of events required over a specified length of time to trigger the rule. The timeframe can be expressed in "second", "minute", "hour", "day", "week", "month", or "year". Example: 5 in a minute
Usage: Name: Potential SSH account username/password guessing +Events: SSH-Invalid_User, SSH-Failed_Password +IPs: 10.0.0.0/8 -IPs: 10.0.0.1, 10.0.0.7-15 +Sensors: DMZ-1, DMZ-2 -Users: (unknown) syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514 Threshold: 5 in a minute RateLimit: 1 per minute MaxQueue: 100

Filter: MaxQueue
Description: The number of events that will be placed into the event processing queue before being dropped from rule evaluation. Example: 100
Usage: Name: Potential SSH account username/password guessing +Events: SSH-Invalid_User, SSH-Failed_Password +IPs: 10.0.0.0/8 -IPs: 10.0.0.1, 10.0.0.7-15 +Sensors: DMZ-1, DMZ-2 -Users: (unknown) syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514 Threshold: 5 in a minute RateLimit: 1 per minute MaxQueue: 100

Filter: Ratelimit
Description: The maximum number of triggers that will occur over a specified length of time regardless of the number of triggering events. The timeframe can be expressed in "second", "minute", "hour", "day", "week", "month", or "year". Example: 1 per minute
Usage: Name: Potential SSH account username/password guessing +Events: SSH-Invalid_User, SSH-Failed_Password +IPs: 10.0.0.0/8 -IPs: 10.0.0.1, 10.0.0.7-15 +Sensors: DMZ-1, DMZ-2 -Users: (unknown) syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514 Threshold: 5 in a minute RateLimit: 1 per minute MaxQueue: 100
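A small parser and matcher for the rule syntax in this table, written as an added example rather than LCE's own implementation. It uses its own event field names (srcip, dstip, event, type, sensor, user, srcport, dstport, protocol, log, vulnerable), reads a value such as 10.0.0.7-15 as a range over the last octet, and parses Threshold, RateLimit and MaxQueue without enforcing them, since those need counts kept across events.

```python
"""Parser and matcher for the LCE event rule syntax shown in the table above.
Added example, not LCE's code. A rule starts with Name:, carries +filters (at
least one listed value must match) and -filters (no listed value may match),
and ends with ignore, Command:, syslog: or cef:. Event field names here are
this example's own; the last-octet reading of 10.0.0.7-15 is an assumption.
Threshold/RateLimit/MaxQueue are recorded but not enforced (they are stateful)."""
import ipaddress
import re

KEY_RE = re.compile(
    r"(?:^|\s)([+-]\w+|Name|Vulnerable|Command|syslog|cef|Threshold|RateLimit|MaxQueue):\s*")
FILTERS = {"ips", "srcips", "dstips", "events", "types", "sensors", "ports",
           "protocols", "users", "text", "itext"}
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}
SIMPLE_FIELD = {"events": "event", "types": "type", "sensors": "sensor", "users": "user"}


def parse_rule(rule):
    """Return {'name', 'include', 'exclude', 'action', 'limits'} for one rule line."""
    rule = rule.strip()
    parsed = {"name": None, "include": {}, "exclude": {}, "action": None, "limits": {}}
    if rule.lower().endswith(" ignore"):  # bare terminal keyword, any case
        parsed["action"] = ("ignore", None)
        rule = rule[: -len(" ignore")]
    parts = KEY_RE.split(rule)  # ['', key, value, key, value, ...]
    if parts[0].strip():
        raise ValueError("rule must start with Name:")
    for key, value in zip(parts[1::2], parts[2::2]):
        value = value.strip()
        if key == "Name":
            parsed["name"] = value
        elif key in ("Command", "syslog", "cef"):
            parsed["action"] = (key.lower(), value)  # action text kept verbatim
        elif key in ("Threshold", "RateLimit", "MaxQueue"):
            parsed["limits"][key] = value
        elif key == "Vulnerable":
            parsed["include"]["vulnerable"] = [value.strip('"“” ').lower()]
        else:
            name = key[1:].lower()
            if name == "event":  # the table writes both +Event: and +Events:
                name = "events"
            if name not in FILTERS:
                raise ValueError("unknown filter %s" % key)
            bucket = parsed["include"] if key[0] == "+" else parsed["exclude"]
            bucket[name] = [v.strip() for v in value.split(",") if v.strip()]
    if parsed["name"] is None or parsed["action"] is None:
        raise ValueError("rule needs a Name and one of ignore/Command/syslog/cef")
    return parsed


def _ip_matches(spec, ip):
    """spec is an IP, a CIDR, or a last-octet range such as 10.0.0.7-15 (assumed)."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        base, last = spec.split("-")
        prefix, first = base.rsplit(".", 1)
        ip_prefix, ip_last = str(addr).rsplit(".", 1)
        return ip_prefix == prefix and int(first) <= int(ip_last) <= int(last)
    return addr in ipaddress.ip_network(spec, strict=False)


def _filter_hit(name, values, ev):
    """True if any listed value of the named filter matches the event."""
    if name == "ips":
        return any(_ip_matches(v, ev.get(s)) for v in values for s in ("srcip", "dstip"))
    if name in ("srcips", "dstips"):
        return any(_ip_matches(v, ev.get(name[:3] + "ip")) for v in values)
    if name == "ports":
        return any(int(v) in (ev.get("srcport"), ev.get("dstport")) for v in values)
    if name == "protocols":  # numbers as documented, names as in the DNS example
        return any(int(PROTO_NUMBERS.get(v.lower(), v)) == ev.get("protocol") for v in values)
    if name == "text":
        return any(v in ev.get("log", "") for v in values)
    if name == "itext":
        return any(v.lower() in ev.get("log", "").lower() for v in values)
    if name == "vulnerable":
        return values[0] == ("yes" if ev.get("vulnerable") else "no")
    return ev.get(SIMPLE_FIELD[name]) in values


def evaluate(parsed, ev):
    """Return the action tuple when every +filter hits and no -filter does, else None."""
    if not all(_filter_hit(n, v, ev) for n, v in parsed["include"].items()):
        return None
    if any(_filter_hit(n, v, ev) for n, v in parsed["exclude"].items()):
        return None
    return parsed["action"]
```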


Appendix 3: Troubleshooting

The following are troubleshooting steps for determining LCE client/server functionality:

1. Install and configure the LCE and clients by following the instructions in the documentation.

2. Verify the clients are connecting by viewing the file /opt/lce/admin/log/client.status.

a. If the clients never connect, review configuration.

b. If the configuration is correct, then there is a network issue. Check for proxies, firewalls or ACLs that may be blocking traffic.

c. If the clients connect but do not stay connected, continue to test.

3. The LCE client will not remain connected with the LCE server unless the client has some data to send. To “force” a client to forward data to the LCE server, an observed log on the LCE client machine can be appended with entries that are known to cause alerts within SC4. This gives the LCE client some data to send to the server. It is advised to put “TEST OF FUNCTIONALITY” in the beginning of the log entries to ensure that these tests do not interfere with actual alerts. Check your client logs to ensure communication is taking place.

a. Yes? Communication is taking place. Continue to Step 4.

b. No? Contact Tenable Support for an LCE Client Issue.

4. Once the logs are appended, check the client.status file. Has it changed?

a. Yes? Functionality is working.

b. No? Continue with next step.

5. Check SC4 for the IP address in question and the time of the test. Were there entries found?

a. Yes? Your LCE is functioning properly. However, there may be an issue with the client.status heartbeat. Notify Tenable Support of the issue.

b. No? Continue to the next step.

6. Grep the logs in the LCE’s notmatched.txt file for the IP address in question and the time of test. Were there entries found?

a. Yes? Your LCE is functioning and logs are being updated properly. However there may be an issue with the client.status heartbeat. Notify Tenable Support of the issue.

b. No? Continue to the next step.

7. Perform a TCPDump on the LCE and capture traffic from the IP address of the client in question. Repeat step 3 to force communications. Did you receive traffic?

a. Yes? Notify Tenable Support of the issue for further assistance.

b. No? You may have a network issue. Please work with your network support to troubleshoot the issue.


Appendix 4: Manual SC4/LCE Key Exchange

A manual key exchange between SecurityCenter and the LCE is normally not required; however, in some cases where remote root login is prohibited or key exchange debugging is required, you will need to manually exchange the keys.

For the remote LCE to recognize SecurityCenter, you need to copy the SSH public key of SecurityCenter and append it to the “/opt/lce/.ssh/authorized_keys” file on the LCE server. The “/opt/lce/daemons/lce-install-key.sh” script performs this function. The following steps describe how to complete this process:

The LCE server must have a valid license key installed and the LCE daemon must be running before performing the steps below.

1. Download the SSH public key for SecurityCenter by logging in as the SecurityCenter administrator user and navigating to the “Keys” section (“System” -> “Keys”).

2. Click on “Download Key”, choose the desired key format (either DSA or RSA works for this process) and then click on “submit”.

3. Save the key file (SSHKey.pub) to your local workstation. Do not edit the file or save it to any specific file type.

4. From the workstation where you downloaded the key file, use a secure copy program, such as “scp” or “WinSCP” to copy the SSHKey.pub file to the LCE system. You will need to have the credentials of an authorized user on the LCE server to perform this step. For example, if you have a user “bob” configured on the LCE server (hostname “lceserver”) whose home directory is /home/bob, the command on a Linux or Unix system would be as follows:

# scp SSHKey.pub bob@lceserver:/home/bob

5. After the file is copied to the LCE server move the file to /opt/lce/daemons by doing the following:

# mv /home/bob/SSHKey.pub /opt/lce/daemons

6. On the LCE server, as the root user, change the ownership of the SSH key file to ‘lce’ as follows:

# chown lce /opt/lce/daemons/SSHKey.pub

7. Then append the SSH public key to the “/opt/lce/.ssh/authorized_keys” file with the following steps:

# su lce

# /opt/lce/daemons/lce-install-key.sh /opt/lce/daemons/SSHKey.pub

8. To test the communication, as the user “tns” on the SecurityCenter system, attempt to run the ‘id’ command:

# su tns

# ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id

If a connection has not been previously established, you will see a warning similar to the following:


The authenticity of host '192.168.15.82 (192.168.15.82)' can't be established.

RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f.

Are you sure you want to continue connecting (yes/no)?

Answer “yes” to this prompt.

If the key exchange worked correctly, a message similar to the following will be displayed:

# uid=251(lce) gid=251(lce) groups=251(lce)

9. The IP address of SecurityCenter can be added to the LCE system’s /etc/hosts file. This prevents the SSH daemon from performing a DNS lookup that can add seconds to your query times.

10. The LCE can now be added to SecurityCenter via the normal administrator “LCE add” process documented in the SecurityCenter Administration Guide.


Appendix 5: Non-Tenable License Declarations

Below you will find the command that will list all the third-party software packages that Tenable provides for use with the Log Correlation Engine. This command may be run at the command line interface by users with permissions to the lced binary.

# /opt/lce/daemons/lced -l