
Advanced Configuration

The Advanced configuration section is used to fine tune your LCE server configuration. Changes made in any section of the Advanced configuration take effect only after the Update button is selected. Select Cancel to clear any unwanted updates. The exceptions to this are Add Syslog Sensor Name, Add New Client Rule, Create Debug File, and Add New SSH Key, which apply their changes directly. Reference each section of this documentation when making changes to each of those advanced configuration options.

Storage

The options available under the Storage subsection are Store Unnormalized Logs and Disk Alert Percentage. These options are described in the table below.

Option Description

Store Unnormalized Logs

If this is enabled, then LCE will store logs even when they are not normalized by existing LCE plugins. These logs will have the type and event set to "unnormalized" and will still be available for text, IP, and sensor-based searches.

Disk Alert Percentage

When disk utilization in the database directory exceeds the specified percentage (from 1 to 99 percent), an alert will be generated so that the user may take appropriate actions and the LCE does not exhaust disk space for log storage. The default value is 75 percent.

LCE Web Server

The LCE Web Server section allows you to specify parameters governing login parameters for user access. These options are described in the table below.

Option Description

Login Banner

Displays a banner (1300 character limit) prior to user login requiring the user to acknowledge a customized statement or warning.

Enforce Complex Passwords

Requires LCE web server user passwords to have at least 1 uppercase, 1 lowercase, 1 number, and 1 special character.

Min Password Length

Minimum length of a password for an LCE web server user login. Only passwords that are created or changed after this setting is updated will be affected.

Idle Session Timeout

Idle login sessions will be logged out after the amount of time specified in minutes.

Web Server Port

Configures the port that the LCE web server will listen on. By default this is set to 8836.

Enable SSL for Web Server

When enabled, SSL connections are enforced for connecting to the LCE web server and it is on by default. Disabling this setting is not recommended as it will allow unencrypted traffic to the LCE web server. When this setting is changed and applied, users must reconnect to the server using the newly configured protocol.

Enable SSL Client Certificate Authentication

When enabled, only SSL client certificates are permitted for user authentication. When disabled (default setting) users authenticate with a username and password.

Sensor Names

This option allows you to override the discovered name of a syslog sensor with a name that is more identifiable in the environment. For example, if the host is syslogserver06.example.com but that server resides in the research area of the environment, overriding its name to research_syslog may be preferred.

The sensor name can be set by the source of the log, the configured sensor name of the client or syslog source, or the plugin that normalizes the log. If this option is enabled, the sensor name will always be that of the configured client or syslog source name. When creating new sensor names, both the Sensor Name and IP Address fields must be populated. After that is complete select Add Syslog Sensor Name to confirm the changes.

Option Description

Sensor Name

Sensor name to be used within the SecurityCenter logs.

IP Address

The IP address of the configured client or syslog source.

Clients

This section of the Advanced Configuration is used to further define how clients are able to connect to the LCE, and how they are named when viewed in the “Event” section of SecurityCenter. The configurations are Public Server Address, Auto Authorize Clients, Use Client Network Address, and Override Sensor Name, described in the table below.

Option Description

Public Server Address

If the server is run from behind a device performing Network Address Translation (NAT), and the LCE clients that it manages are on the public side of the device, the Public Server Address field must be populated with the NAT address so that the managed clients can connect to it. The LCE Client Manager will use, in order of preference: the Public Server Address setting, the Server Address setting, or the first IP that it finds LCE using that is not 127.0.0.1.

Caution: When this setting is used, all managed clients on either side of the NAT device must use this defined address to connect.

Auto Authorize Clients

LCE Clients version 4 and greater must be authorized in order to send data after the client attempts to connect to the LCE server. Enable this option to automate authorization for a specified number of minutes after LCE server startup or reconfiguration. This automatically authorizes clients that have never previously tried to connect to the LCE server for 10 minutes after startup.

Use Client Network Address

Override private client IP in events with the NAT / public network peer IP.

Override Sensor Name

Override discovered name with configured name.

The Client Assignment Rules subsection allows for specific policies to be applied to specific client ranges along with the IP address and communications port used to communicate with the LCE server. When a Client Assignment Rule is created, a Policies window is displayed to add the desired policies for the Client Network specified in the rule.

Specific LCE policies can be defined for that Client Network. Policies are matched by OS type, and if there are multiple policies for a particular OS type, the first available policy for that type will be assigned. If no Policies match the OS found on the Client Network, the default policy for that OS will be used. The Auto Auth option can be deselected after all expected clients have been authorized by the LCE. After adding one or more policies to the Policies section, select Update at the bottom of the Advanced Configuration page to confirm the addition of those policies.

Option Description

Client Network

The client network range in CIDR notation

LCE IP:port

LCE server IP and port it listens on for incoming LCE client data. The default port is 31300.

Auto Authorize

This enables auto authorization of clients in the defined network range.

User Tracking

LCE tracks network users on the basis of their usernames. These options set restrictions on which usernames are considered valid. Any usernames failing to match the specified criteria are disregarded and the user is reported as invalid for the associated log entries.

Option Description

User Tracking Plugins

Only Plugin IDs in this list are used to apply user tracking. Other plugins will still normalize usernames, but no tracking is performed based on the source and destination IP addresses. Only usernames normalized by these plugins are subject to the additional user tracking restrictions in this section. If a username is normalized by these plugins but does not meet the additional restrictions, it will not be associated with the log, nor with subsequent logs from that IP address. Some IDs of plugins that can be used as “User Tracking Plugins” are listed below.

Example:

4770 tenable_pvs.prm

5450 mail_imaps.prm

1708 mail_wuimap.prm

7293 os_win2008_sec.prm

3260, 3262, 3294 os_win2k_sec.prm

Note: LCE login-failure plugins do not normalize usernames because those logs are not assured to provide a valid username, and it would contaminate the username database. Additionally, it is advised never to add a login-failure plugin ID into the list of User Tracking Plugins. Doing so would invalidate user tracking for hosts that triggered the plugin.

Accept Letters

This option specifies whether alpha characters [a-zA-Z] are allowed when a plugin normalizes a username.

Accept Numbers

This option specifies whether numbers [0-9] are allowed when a plugin normalizes a username.

Valid Username Characters

Specifies which special characters are considered valid for usernames. By default, the following characters are considered valid:

  • The “dash” character, as in “-”
  • The “underscore” character, as in “_”
  • The “dot” character, as in “.”
  • The “at sign” character, as in “@”

For example, the following address would be considered valid under the default criteria:

b.j-smith@a_b.com

Only the special characters that are specified with the Valid Username Characters setting are considered to be valid when a plugin normalizes a username.

Note: The semicolon character, “;” is not permitted in this context.

Max Username Length

Specifies the maximum number of characters allowed in a username.

Untracked Usernames

The IPs for this list of users are not tracked. The usernames are normalized and will appear with their associated logs, but no alert is generated when the username switches from one IP to another. Some possible considerations for usernames that are not tracked are listed below.

Example:

  • root
  • lce
  • admin
  • administrator
  • Administrator
  • SYSTEM
  • INTERACTIVE
  • NETWORKSERVICE
  • LOCALSERVICE
  • ANONYMOUSLOGON
  • Nobody
  • NTAUTHORITY
  • DIALUP
  • NETWORK
  • BATCH
  • NO_USER_NAME
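The following is an added example, not LCE's own code, showing how the User Tracking criteria above (Accept Letters, Accept Numbers, Valid Username Characters, Max Username Length) and the Untracked Usernames list combine to decide how a normalized username is handled. The settings dictionary and the maximum length value are constructed for illustration; the page gives no default for Max Username Length.

```python
# Added example (not LCE's own code): a username filter implementing the
# User Tracking rules on this page. Setting names mirror the option names;
# the max length default is an assumption.
DEFAULT_SETTINGS = {
    "accept_letters": True,                # Accept Letters
    "accept_numbers": True,                # Accept Numbers
    "valid_username_characters": "-_.@",   # documented default specials
    "max_username_length": 64,             # assumed; the page gives no default
    "untracked_usernames": {"root", "lce", "admin", "administrator",
                            "Administrator", "SYSTEM", "NO_USER_NAME"},
}


def validate_username(username, settings=DEFAULT_SETTINGS):
    """Return (is_valid, reason).

    Letters [a-zA-Z] and digits [0-9] are accepted only when their toggles
    are on; any other character must appear in Valid Username Characters;
    the semicolon is never permitted; the length may not exceed the maximum.
    """
    if not username:
        return False, "empty username"
    if len(username) > settings["max_username_length"]:
        return False, "exceeds Max Username Length"
    specials = set(settings["valid_username_characters"]) - {";"}  # ';' never valid
    for ch in username:
        if ch.isascii() and ch.isalpha():
            if not settings["accept_letters"]:
                return False, f"letters not accepted: {ch!r}"
        elif ch.isascii() and ch.isdigit():
            if not settings["accept_numbers"]:
                return False, f"numbers not accepted: {ch!r}"
        elif ch not in specials:
            return False, f"character not in Valid Username Characters: {ch!r}"
    return True, "ok"


def tracking_decision(username, settings=DEFAULT_SETTINGS):
    """How a normalized username is handled by user tracking:
    'invalid'   - fails the criteria; disregarded and reported as invalid
    'untracked' - kept with the log, but no alert when it moves between IPs
    'tracked'   - subject to username-to-IP tracking
    """
    valid, _ = validate_username(username, settings)
    if not valid:
        return "invalid"
    if username in settings["untracked_usernames"]:
        return "untracked"
    return "tracked"


if __name__ == "__main__":
    for name in ("b.j-smith@a_b.com", "bob;smith", "root", "svc account"):
        print(f"{name!r:22} -> {tracking_decision(name)}")
```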

Host Discovery and Vulnerabilities

This section defines the parameters used by LCE to send vulnerability information to SecurityCenter, as described in the table below.

Option Description

Enable Host Discovery

This option enables or disables host discovery. When set to yes, new hosts on the network will be discovered and reported based on log data.

Report Frequency

The frequency, in minutes, in which the report file will be generated and updated on disk. The default is 60 minutes.

Report Lifetime

The lifetime of a report in days. The report will be cleared after this amount of time. The default is 7 days.

Learning Period

This option determines how many days a host has not been seen before an alert will be generated. A setting of at least 1 or 2 days is recommended. After that, any host that was not discovered during the period will be alerted on as new. Without this setting, LCE will repeatedly discover all of your hosts that are currently running, and not accurately identify hosts that are actually new.

Reporter Port

The port used by SecurityCenter to retrieve host and vulnerability reports from LCE.

Reporter Username

The username used by both SecurityCenter and LCE to exchange vulnerability information.

Reporter Password

The password used by SecurityCenter and LCE to exchange vulnerability information.

Verify Reporter Password

This field is used for password verification.

Report SSL Key File

The name of the LCE server reporter key file as it appears in /opt/lce/reporter/ssl/. By default, the file is serverkey.pem.

Report SSL CA File

The name of the LCE server certificate authority file as it appears in /opt/lce/reporter/ssl/. By default, the file is cacert.pem.

Report SSL Cert File

The name of the LCE server certificate file as it appears in /opt/lce/reporter/ssl/. By default, the file is servercert.pem.

Statistical Alerts

There are multiple statistical anomalies that can occur on a network. Some examples are Social Network, Login Failure, DNS, Virus, and Database anomalies. The LCE stats daemon can track these anomalies, and provide feedback when a specific threshold is reached.

Each statistical anomaly is triggered based on a number of deviations. The table below shows what number of standard deviations needs to occur before a statistical anomaly is triggered, along with an example event name as it would be seen in the Events section of SecurityCenter.

Type | Minimum number of standard deviations from the mean | Maximum number of standard deviations from the mean | Example
Minor Anomaly | 1.0 | 5.99 | Statistics-Login_Minor_Anomaly
Anomaly | 6.0 | 9.99 | Statistics-USB_Anomaly
Medium Anomaly | 10.0 | 99.99 | Statistics-SPAM_Medium_Anomaly
Large Anomaly | 100.00 | 999999.99 | Statistics-Intrusion_Large_Anomaly

Option Description

Min Standard Deviation

This specifies the minimum standard deviation that must occur for an event before an alert will be generated for it. The higher this number, the more statistically significant a sequence of events needs to be before an alert is raised.

Min Number of Standard Deviations

If an event occurs more or less than 5.0 standard deviation units, an alert will be generated. Setting this value higher will cut down on any sequence of events that occur close to the standard deviation.

Min Statistical History

This specifies the number of iterations (days) per event that are required before alerts will be generated. If a large amount of LCE data is already present, set this number to a low value or even to zero. The stats daemon can be started to read in all or just part of the existing LCE data. If you have no LCE data, leave this value around 7 so the stats daemon will not alert on anything until it has 7 days of event data.

Max Occurrence Frequency

If an event occurs more or less than 5.0 standard deviation units, an alert will be generated. Setting this value higher will cut down on any sequence of events that occur close to the standard deviation.

Syslog Alerts

The statistics engine will send anomaly alerts to the syslog servers in this list. It is recommended to include 127.0.0.1 for the local LCE service.
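The following is an added example, not the LCE stats daemon's code, that applies the tier table and the gating options above (Min Statistical History, Min Number of Standard Deviations) to a constructed series of daily event counts. The sample history and the event type names are constructed; the tier boundaries and example event names are taken from the table.

```python
from statistics import mean, pstdev

# Tiers from the table above: (minimum, maximum) deviations from the mean and
# the label used in the example event names.
ANOMALY_TIERS = (
    (1.0, 5.99, "Minor_Anomaly"),
    (6.0, 9.99, "Anomaly"),
    (10.0, 99.99, "Medium_Anomaly"),
    (100.0, 999999.99, "Large_Anomaly"),
)


def deviations_from_mean(history, observed):
    """How many standard deviations `observed` lies from the mean of `history`.
    With no spread in the history, any change is treated as infinitely far."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if observed == mu else float("inf")
    return abs(observed - mu) / sigma


def classify_anomaly(event_type, history, observed,
                     min_statistical_history=7, min_num_std_devs=5.0):
    """Return an event name such as 'Statistics-Login_Minor_Anomaly', or None.

    history  - one count per day for this event type (supplied by the caller)
    observed - today's count
    Gating follows the options on this page: no alert until Min Statistical
    History days of data exist, and none below Min Number of Standard
    Deviations (5.0 by default, so only the upper part of the Minor tier can
    fire unless that option is lowered).
    """
    if len(history) < min_statistical_history:
        return None
    n = deviations_from_mean(history, observed)
    if n < min_num_std_devs:
        return None
    for low, high, label in ANOMALY_TIERS:
        if low <= n <= high:
            return f"Statistics-{event_type}_{label}"
    return None


# Constructed sample: eight days of login counts, mean 10, std dev 2.
SAMPLE_HISTORY = [8, 12, 8, 12, 8, 12, 8, 12]

if __name__ == "__main__":
    for today in (10, 16, 24, 40, 250):
        print(today, classify_anomaly("Login", SAMPLE_HISTORY, today))
```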

Resource Usage and Performance

This section of the LCE Advanced Configuration is used to tune the performance of the LCE server.

Option Description

Additional Query Memory

By default, 100 megabytes of memory is used for text queries. For systems with large amounts of available memory, the Additional Query Memory option can be used to allocate additional memory for the text string search functionality of the query daemon. This will improve response time during event analysis in SecurityCenter. The option can be specified in megabytes or gigabytes by selecting an M or G from the Additional Query Memory drop-down menu.

Max TASL Memory Queue

To maximize performance on multi-processor and multi-core systems, correlated TASL events are processed in parallel with the receipt of regular incoming events. Since some TASL scripts can run for an extended period of time, the primary event processor can potentially receive many TASL-triggering events while a TASL script is still being executed. In this case, the TASL job is stored in a queue for later processing. This option defines the maximum size of this queue. On systems with extremely large volumes of data, setting the maximum queue size higher results in increased performance. If a TASL script that can be sampled is triggered while the queue is full, its callback functions will not be executed.

Log-Processors

This option leverages multicore processors and determines how many threads will be dedicated to log processing.

It is recommended that this setting be no higher than the number of CPU cores in the LCE host system. This is an upper limit, and should not be changed unless you have greater than 8 total cores (e.g., a dual quad-core CPU system).

For systems with hyper-threading technology, the value may be scaled accordingly.

Sampleable TASLs

Sampleable TASL scripts may be skipped to alleviate processor load when the TASL queue is full.

DNS Caching

When a log message is defined in a plugin, LCE provides the option to specify a hostname instead of an IP address for the srcip and dstip fields. In this case, LCE automatically attempts to resolve the provided hostname to an IP address using DNS. Since the same hostname is typically encountered multiple times, caching the results of lookups can greatly increase performance. These options configure DNS caching in LCE.

A particular hostname or all domain names with a certain extension can be excluded from caching using the Always Resolve section. In this case, the matching hosts are looked up at every occurrence. The Always Resolve section can be used to maintain a more extensive list of domains to exclude when DNS caching is utilized. The hosts contained in the Always Resolve section of DNS Caching are read when LCE starts up, but changes to the list can be made at any time. If changes are made to the section, the Update button at the bottom of the Advanced Configuration section of the LCE GUI will need to be selected.

Option Description

Max Memory for DNS Cache

LCE will maintain a cache of hostname-to-IP addresses rather than performing the lookup repeatedly, limited to this amount of memory [MB]. The Max Memory for DNS Cache option can go up to 360K domain names.

DNS Cache Period

The DNS Cache Period option specifies the number of days to cache a hostname-to-IP mapping before updating the result with a new lookup. This value can be set between 1 and 30 days.

Always Resolve

If a host ends with an extension listed here, it will be resolved each time it is encountered rather than being cached. List each host or extension on a new line.

Cache at Startup

Hosts listed in the Cache at Startup are resolved at startup and cached immediately to reduce runtime DNS resolutions and improve performance. The format for these entries is one hostname per line.
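The following is an added example, not LCE's implementation, of a hostname-to-IP cache that behaves as the DNS Caching options above describe: a bounded entry count standing in for Max Memory for DNS Cache, a DNS Cache Period limited to 1 to 30 days, Always Resolve entries that bypass the cache, and Cache at Startup prewarming. The resolver table and hostnames are constructed, and time is a plain day number so the example runs offline.

```python
class DnsCache:
    """Added example (not LCE's implementation) of the DNS Caching behaviour
    described above. `resolver` is any callable hostname -> IP string; the
    clock is a plain day number so the example runs offline and deterministically.
    """

    def __init__(self, resolver, cache_period_days=7, always_resolve=(),
                 cache_at_startup=(), max_entries=360_000, start_day=0):
        if not 1 <= cache_period_days <= 30:        # DNS Cache Period limits
            raise ValueError("DNS Cache Period must be between 1 and 30 days")
        self._resolve = resolver
        self._period = cache_period_days
        # Always Resolve: exact hostnames or extensions, one per line
        self._always = tuple(e.strip().lower() for e in always_resolve if e.strip())
        self._max = max_entries                      # stands in for Max Memory for DNS Cache
        self._cache = {}                             # host -> (ip, expiry_day)
        self.resolver_calls = 0                      # real lookups performed
        for host in cache_at_startup:                # Cache at Startup: prewarm
            self._store(host.strip().lower(), start_day)

    def _always_resolve(self, host):
        return any(host == e or host.endswith(e) for e in self._always)

    def _store(self, host, day):
        ip = self._resolve(host)
        self.resolver_calls += 1
        if host not in self._cache and len(self._cache) >= self._max:
            # bound reached: evict the entry that expires soonest
            soonest = min(self._cache, key=lambda h: self._cache[h][1])
            del self._cache[soonest]
        self._cache[host] = (ip, day + self._period)
        return ip

    def lookup(self, host, day):
        host = host.strip().lower()
        if self._always_resolve(host):               # never cached
            self.resolver_calls += 1
            return self._resolve(host)
        entry = self._cache.get(host)
        if entry is not None and day < entry[1]:     # still within the cache period
            return entry[0]
        return self._store(host, day)                # miss or expired: refresh


# Constructed resolver table so the example does not touch real DNS.
FAKE_DNS = {"www.example.com": "192.0.2.10", "db.example.net": "192.0.2.20",
            "dyn.example.org": "192.0.2.30"}


def fake_resolver(host):
    return FAKE_DNS.get(host, "0.0.0.0")


if __name__ == "__main__":
    cache = DnsCache(fake_resolver, always_resolve=[".example.org"],
                     cache_at_startup=["www.example.com"])
    for day, host in ((0, "www.example.com"), (0, "db.example.net"),
                      (8, "db.example.net"), (8, "dyn.example.org")):
        print(day, host, cache.lookup(host, day), "resolver calls:", cache.resolver_calls)
```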

Correlation

LCE normally matches the vulnerability port with the port given in the normalized event to correlate an event with vulnerability. If this option is disabled, LCE will ignore this requirement if the vulnerability port is 0, 22, or 445.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.