You are here: Features > Configuration > Load Balancing Configuration

Load Balancing Configuration

Multiple LCEs may be configured in a tiered system. This allows for one LCE to be designated as the primary LCE, which can send incoming log messages to one or more auxiliary LCE servers (depending on loading, which is calculated on a regular interval). This distributes the storage and processing of the log messages among up to 256 different LCE servers. Taking advantage of this configuration allows for all the LCE clients and log sources to be configured for a single LCE server, and that primary LCE server load balances the incoming requests between itself and its auxiliary servers. Additionally, clients may be configured to send their logs directly to an auxiliary server, bypassing the primary LCE if there is a need to do so. One example would be if you want all firewall logs to go to a specific LCE for storage, then they would have their logs point to that specific LCE, bypassing the primary LCE.

Load balancing messages and logs sent between the primary and auxiliary LCEs are encrypted. To provide additional encryption, the encryption passphrase option may be configured. This option can use a phrase between 1-32 characters. When set, all of the connected LCEs must be configured with the same passphrase in their configurations.

When using tiered LCE servers, each one must be configured in SecurityCenter in order to be queried. If SecurityCenter user only has access to three out of four LCE servers in a group, that user will receive incomplete results based only on the data stored in the three LCE servers to which the user has access.

Configuring the Primary LCE Server

The primary LCE server listens on TCP port 31302 (by default) for status data from auxiliary LCE servers. The listening port of the primary LCE server may be changed by modifying the Local Status Port option on the Load Balancing tab. There may only be one primary LCE server configured in a group, and servers may not play a dual role of primary and auxiliary. Unless the server is specifically configured to be an auxiliary LCE server, it considers itself a primary LCE server and listens on port 31302 (by default).

Configuring the Auxiliary LCE Server

When configured as an auxiliary LCE, the server will accept log files sent to it by the primary. To enable the auxiliary mode, configure the Load Balancing Auxiliary setting on the Load Balancing tab with the IP address and port number of the primary LCE. If the primary LCE is running on the default port of 31302, adding the port number is not required.

Note: When utilizing tiered LCE servers, processing of log-related options such as syslog forwarding, storing not-matched logs, and similar are performed on the server processing the logs. Such options must be configured identically on all the LCE servers for consistent results.

Option Description

Load Balancing Local

Local Server Address

When there is more than one network interface available to receive data from the primary LCE, enter the IP address of the interface to use. Otherwise, the IP address of the default interface will be used. This can be used to balance bandwidth between multiple interfaces.

Local Status Port

When the LCE server is configured to offload log data to auxiliary servers, TCP port 31302 is the default port used. Change the setting here to change the port on which the LCE server communicates.

Encryption Passphrase

When load balancing between primary and auxiliary LCE servers, all messages are encrypted. To enhance security, a user-specified key may be added. Enter up to a 32 character encryption phrase. The passphrase must be the same on all connected LCEs.

Note: Allowed characters are alphanumeric and the following characters: [].^$()|*+?{}/#_-~!@%=`'<>:|&\",

Load Balancing Auxiliary

Primary Server Address

When used as an auxiliary LCE server, this setting designates the IP address of the primary LCE server.

Primary Server Port

TCP port 31302 is the default port used when the LCE server is configured to offload log data to auxiliary servers. Change the setting here to change the port on which the LCE server communicates.

High Availability

Virtual IP Address

This is the IP address used by devices such as syslog sensors and clients to send data to LCE.

Virtual IP Interface

When specifying a Virtual IP Address, also specify an existing network adapter on which the LCE will bind the virtual IP defaults to eth0.

Virtual Router ID

If you have a VRRP solution deployed or plan on adding one in the future to the same network your LCE is deployed on, use this option to specify a router ID for the LCE cluster, that differs from your other VRRP setup.

Mirror Mode

Optionally, instead of receiving a subset of logs, this LCE may register itself as a mirror and receive ALL logs processed by the primary LCE, effectively creating a live backup of the primary database. Check the box to enable this mode.

Note: For more information Load Balancing and High Availability review the Log Correlation Engine 4.6 High Availability Large Scale Deployment Guide.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.