It is important to ensure that the prerequisite requirements for LCE are met before beginning installation. These requirements include:
A 64-bit CentOS/RHEL platform with all unnecessary services disabled
LCE management installation (SecurityCenter)
LCE clients 4.0 or higher (if applicable)
Secure Shell (SSH) key generation
Each LCE server is licensed to the specific hostname of the system it is to be installed on. There is no licensed limit to the number of events or IPs that the LCE can be configured to monitor.
There are different licenses available for the LCE based on the total amount of storage used by the LCE. The licenses are based on 1 TB, 5 TB, and 10 TB storage sizes. A license for LCE is provided as a part of SecurityCenter Continuous View.
Secure Shell Public Keys
LCE analysis is provided to SecurityCenter through the use of command execution across a Secure Shell (SSH) network session. When SecurityCenter queries an LCE server, it invokes an SSH session to the configured LCE server. All execution and analysis of LCE data occurs on the LCE server.
SSH public keys are configured so that SecurityCenter can invoke commands on the LCE server. Non-system-administrator accounts are used to perform these queries. The trust relationship is only needed from SecurityCenter to the LCE server.
Secure the Log Correlation Engine Server System
It is recommended that the server operating system be locked down before installation to ensure that no unnecessary services are running. The only services required to support remote users are SSH and the LCE interface. While the LCE daemon is operational, it listens on the following ports by default:
|601||Reliable syslog service messages|
|1243||Vulnerability detection (if enabled in SecurityCenter)|
|6514||Encrypted TCP syslog messages|
|31302||Load-balanced LCE servers|
Caution: The system running the LCE can operate a syslog daemon, but the syslog daemon must not be listening on the same port(s) that the LCE server is listening on.
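A pre-installation check for the caution above, as an added example that is not part of the original documentation: it reads `ss -lntup` output and reports any listener already bound to one of the LCE ports in the table. The function names and the sample socket listing are constructed for illustration. Once LCE is installed, its own daemon will appear on these ports, so the check is meant to be run beforehand.

```shell
#!/bin/sh
# Default LCE listening ports, taken from the table above.
LCE_PORTS="601 1243 6514 31302"

# Reads `ss -lntup` output on stdin and prints "proto port owner" for every
# listener bound to an LCE port. Owner is "unknown" when ss shows no process
# information (for example when it is not run as root).
lce_port_conflicts() {
    awk -v ports="$LCE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            port = $5                    # Local Address:Port column
            sub(/.*:/, "", port)         # keep what follows the last colon
            if (!(port in want)) next    # also skips the ss header line
            owner = "unknown"
            if (match($0, /users:\(\("[^"]+"/))
                owner = substr($0, RSTART + 9, RLENGTH - 10)
            print $1, port, owner
        }'
}

# Constructed sample of `ss -lntup` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      25           0.0.0.0:601        0.0.0.0:*     users:(("rsyslogd",pid=1210,fd=7))
tcp   LISTEN 0      25              [::]:6514          [::]:*     users:(("rsyslogd",pid=1210,fd=9))
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*     users:(("rsyslogd",pid=1210,fd=5))
tcp   LISTEN 0      5          127.0.0.1:31302      0.0.0.0:*
EOF
}

echo "Listeners on LCE ports in the constructed sample:"
sample_ss_output | lce_port_conflicts
# On a live host, run as root: ss -lntup | lce_port_conflicts
```

Any line printed identifies a service, such as a local syslog daemon, that must be moved to another port or disabled before the LCE daemon is started.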
If you are using an AWS instance in conjunction with LCE, you must use an Elastic Network Interface (ENI). More information about using an ENI with an AWS instance can be found here.