
When LCE is installed, it includes a number of tools and utilities. By default, the tools are all installed in the /opt/lce/tools/ directory.

LCE 5.x versions contain additional tools for Elasticsearch administration and troubleshooting under the /opt/lce/tools/es-helper-scripts directory.

General Tools

The following table lists in alphabetical order each tool and describes its function.

Tool Description Usage

Imports a directory of log files or a list of one or more logs on disk into the active database on the LCE server. You must specify whether the logs you are importing are encoded as ASCII (--ASCII) or UTF-8 (--UTF8).

# /opt/lce/tools/import_logs

Usage: /opt/lce/tools/import_logs <list of log files and directories to import>

[--ASCII or --UTF8] (required)

[-d, --disable-rules] (optional)

[-c, --current-time] (optional)

[-j <N>, --jobs <N>] (optional)

[-n, --not-approximate-timestamps] (optional)

[debug] (optional)

[--cleanup] (optional)

Contains various shell functions that are used to control and display LCE services and values.

The following functions are included:












Used to generate and view self-signed CA certificates in .pem format.

# /opt/lce/tools/lce_crypto_utils

--generate-LCE-Server-creds <into_dir> [<CA_dnSpec>] [<endEntity_dnSpec>]

(NB: any prior contents of <into_dir> will be erased!!)

--print-cert <cert_path>.pem

--print-CRL <CRL_path>.pem

--is-signed-by <cert_path>.pem <CA_cert_path>.pem

--is-revoked-per <cert_path>.pem <CRL_path>.pem

A <dnSpec> is: ,-separated list of K=V pairs, all optional save the last; \-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'
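The <dnSpec> format from the usage text above, as an added Python example that is not part of the product or the original page: it builds a spec from a dictionary and parses one back, splitting only on unescaped commas. The escaping rule (a backslash protects ',' and '\'), the function names, and any sample values are assumptions.

```python
# Added example: build and check a <dnSpec> string before passing it to
# lce_crypto_utils. Escaping rules here are an assumption drawn from the
# usage text ("\-escape as needed"): a backslash protects ',' and '\'.
ORDER = ["C", "ST", "L", "O", "OU", "CN"]  # key order shown in the usage text


def build_dnspec(fields):
    """Return a dnSpec string from a dict; CN is mandatory, the rest optional."""
    unknown = set(fields) - set(ORDER)
    if unknown:
        raise ValueError(f"unsupported keys: {sorted(unknown)}")
    if not fields.get("CN"):
        raise ValueError("CN is required (last pair of the dnSpec)")
    parts = []
    for key in ORDER:
        if key in fields:
            value = fields[key].replace("\\", "\\\\").replace(",", "\\,")
            parts.append(f"{key}={value}")
    return ",".join(parts)


def parse_dnspec(spec):
    """Split a dnSpec on unescaped commas and return [(key, value), ...]."""
    pairs, buf, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\":
            if i + 1 >= len(spec):
                raise ValueError("dangling backslash at end of dnSpec")
            buf.append(spec[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pairs.append("".join(buf))
    result = []
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep or key not in ORDER or not value:
            raise ValueError(f"malformed pair: {pair!r}")
        result.append((key, value))
    if result[-1][0] != "CN":
        raise ValueError("dnSpec must end with CN=<name>")
    return result
```

Checking the spec this way before running --generate-LCE-Server-creds matters because that option erases any prior contents of <into_dir>.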

list-clients Used to list clients since LCE 5.0.3.

# /opt/lce/tools/list-clients

Note: The --brief option can be used for brief output. The default output is verbose.
make_cert Creates an SSL certificate for LCE Proxy.

# /opt/lce/tools/make_cert



Creation of the LCE Proxy SSL Certificate


This script will now ask you the relevant information to create the SSL

certificate for LCE Proxy. Note that this information will *NOT* be sent to

anybody (everything stays local), but anyone with the ability to connect to your

LCE Proxy will be able to retrieve this information.


CA certificate life time in days [1460]:

Server certificate life time in days [365]:

Your country (two letter code) [US]:

Your state or province name [NY]:

Your location (e.g. town) [New York]:

Your organization [LCE Users]:

This host name [-----------]:

Note: The -q (quiet option) prevents the user from being prompted.
msmtp An SMTP client with a sendmail compatible interface.

To configure msmtp, update msmtp.conf and provide an SMTP host, username, password, and port.

Used to generate and view self-signed CA certificates in .pem format.

# /opt/lce/tools/

--generate-LCE-Server-creds <into_dir> [<CA_dnSpec>] [<endEntity_dnSpec>]

(NB: any prior contents of <into_dir> will be erased!!)

--print-cert <cert_path>.pem

--print-CRL <CRL_path>.pem

--is-signed-by <cert_path>.pem <CA_cert_path>.pem

--is-revoked-per <cert_path>.pem <CRL_path>.pem

A <dnSpec> is: ,-separated list of K=V pairs, all optional save the last; \-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'

The LCE Disabled Plugins Management Tool is a script that generates a list of plugin libraries that contain no plugins that have ever matched an event processed by the system. You are prompted to automatically disable all of the unused plugin libraries. If this option is not chosen, the unused PRM files are simply listed for reference.

# /opt/lce/tools/

query-plan-explainer A convenient wrapper around the PostgreSQL EXPLAIN command, making its output both more concise and more readable.

[--estimate-only] <sqlFile> | "SQL query"

send_syslog Sends syslog messages to one or more servers.

# /opt/lce/tools/send_syslog (server address 1) [...] [server address N] -message "(message)"

[-port <port num>]

[-priority #]

[-facility <facility>]

[-severity <severity>]

Configures Elasticsearch in a single node configuration. An ES index is created. Ensure ES analysis-icu is installed. The appropriate user level credentials are checked.

Caution: Do not use this tool unless directed by Tenable, Inc. or the product itself to do so.


Starts PostgreSQL daemon and all LCE daemons.

# /opt/lce/tools/start_lce

stop_lce Stops all LCE daemons (except the stats daemon).

# /opt/lce/tools/stop_lce


Used to identify the timestamp formats that appear for event timestamps in logs imported by import_logs. By default, this file includes a list of date formats.

If you are importing logs with timestamps in formats that are not included in this file, you can append the new formats to the list. Internal

Caution: This script is used by the tools that are installed with LCE, and should not be interacted with directly.

Elasticsearch Administration and Troubleshooting Utilities

The following table lists in alphabetical order each helper script and describes its function.

Caution: Exercise caution when invoking these scripts to avoid unintended changes.

Tool Description Usage

Contains indicators of JVM heap memory utilization, operations related to Lucene datafiles underlying the Elasticsearch datastore, selected indicators of activity of Elasticsearch itself, and various Elasticsearch configuration display conveniences.

# /opt/lce/tools/es-helper-scripts/admin

USAGE: ./admin

--coalesce [<indexName>,=*]

--sync [<indexName>,=*]

--stats [<indexName>,=*]

--datafiles [<indexName>,=*]


--config-index [<indexName>,=*]

--config-global [<attribute>, e.g. 'path.repo' | <section>, e.g. 'jvm']











--get-config-global--es-offline <attribute>

archival Used for viewing and managing snapshots (silos archived from activeDb to archiveDb), for restoring snapshots back into activeDb, and for triggering out-of-sequence archive jobs.

# /opt/lce/tools/es-helper-scripts/archival

USAGE: ./archival

--show [<snapshotId>]

--list--range <YYYY-MM-DD,begin> <YYYY-MM-DD,end> // NB: bounds inclusive.

--list--of-silo <indexName>


--archive-silo <indexName>


--restore <from_snapshotId> [<into_indexName>]

--restore--range <YYYY-MM-DD,begin> <YYYY-MM-DD,end> // NB: bounds inclusive.



--restore-job-progress [<snapshotId>]

--cancel-job <snapshotId> // NB: Can be archive job or restore job.


--delete <snapshotId>

--delete--range <YYYY-MM-DD,begin> <YYYY-MM-DD,end> // NB: bounds inclusive.

--delete--of-silo <indexName>

data Used for fetching per-silo event counts and periods of coverage, and for ad-hoc queries of event data.

# /opt/lce/tools/es-helper-scripts/data

USAGE: ./data

--counts [<indexName>,=*] // NB: subtract 1 to get count of events.

--latest [<indexName>,=*] [<maxN>,=1]

--search [<indexName>,=*] [<maxN>,=1] [<fieldName>,=rawLog] <regex>

--equals [<indexName>,=*] [<maxN>,=1] <fieldName> <fieldValue>


--silo-status [<indexName>,=*]


Best-effort repair and recovery tool for corrupt datastores.

# /opt/lce/tools/es-helper-scripts/harmonize-datastore

USAGE: ./harmonize-datastore


move-activeDb Moves activeDb from its current location (usually /opt/lce/db/) to another location.

USAGE: ./move-activeDb <absolute path of new activeDb directory>

register-archiveDb Used to configure archiving, by directing the creation of archiveDb at any location the user chooses. Can also be used to disable archiving.

USAGE: ./register-archiveDb <absolute path of archiveDb directory> | --deregister


Used to roll silos (make the next silo be the current silo) on-demand, and contains various operations pertaining to the data schema definition.

# /opt/lce/tools/es-helper-scripts/schema

USAGE: ./schema



--exists <indexName> [<typeName>]


--show-mappings [<indexName>,=silo0]


--show-aliases [<indexName>,=*]

--list-aliased-indices <aliasName>





Copyright © 2019 Tenable, Inc. All rights reserved. Tenable,, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.., Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.