Tools

When LCE is installed, it includes a number of tools and utilities. By default, the tools are all installed in the /opt/lce/tools/ directory.

LCE 5.0.3 and later contain additional tools for Elasticsearch administration and troubleshooting under the /opt/lce/tools/es-helper-scripts directory.

General Tools

The following table lists in alphabetical order each tool and describes its function.

Tool Description Usage
import_logs

Imports a directory of log files or a list of one or more logs on disk into the active database on the LCE server. You must specify whether the logs you are importing are encoded as ASCII (--ASCII) or UTF-8 (--UTF8).

# /opt/lce/tools/import_logs

Usage: /opt/lce/tools/import_logs <list of log files and directories to import>
  [--ASCII or --UTF8] (required)
  [-d, --disable-rules] (optional)
  [-c, --current-time] (optional)
  [-j <N>, --jobs <N>] (optional)
  [-n, --not-approximate-timestamps] (optional)
  [debug] (optional)
  [--cleanup] (optional)

install-logrotate-config

Directs Linux logrotate(8) to manage LCE's logs (the .log files under the log directory, /opt/lce/admin/log/ by default).

Note: Logs from 2+ months ago are compressed, e.g., tasls2018Jul.log becomes tasls2018Jul.log.gz.

# /opt/lce/tools/install-logrotate-config --erase-after-months <N>

Note: The value (N) must be greater than 1.

lce-common.sh

Contains various shell functions that are used to control and display LCE services and values.

The following functions are included:

am_i_root()
is_lce_running()
kill_running_lce()
restart_lce_services()
get_config_value()
update_config_value()
write_lce_log()
make_lce_timestamp()
pretty_print_time()
pretty_print_kbytes()

lce-reload-conf.sh

Contains functions to reload the configuration for various LCE daemons.

The following LCE daemons can be commanded to reload configuration:

lced
lce_queryd
lce_report_proxy
stats
lce_tasl
lce_www

lce_crypto_utils

Used to generate and view self-signed CA certificates in .pem format.

# /opt/lce/tools/lce_crypto_utils

--generate-LCE-Server-creds <into_dir> [<CA_dnSpec>] [<endEntity_dnSpec>]
  (NB: any prior contents of <into_dir> will be erased!!)
--print-cert <cert_path>.pem
--print-CRL <CRL_path>.pem
--is-signed-by <cert_path>.pem <CA_cert_path>.pem
--is-revoked-per <cert_path>.pem <CRL_path>.pem

A <dnSpec> is: ,-separated list of K=V pairs, all optional save the last; \-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'

list-clients

Used to list clients in LCE 5.0.3.

# /opt/lce/tools/list-clients

Note: The --brief option can be used for brief output. The default option is verbose.

make_cert

Creates an SSL certificate for LCE Proxy.

# /opt/lce/tools/make_cert

-------------------------------------------------------------------------------
Creation of the LCE Proxy SSL Certificate
-------------------------------------------------------------------------------
This script will now ask you the relevant information to create the SSL
certificate for LCE Proxy. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your
LCE Proxy will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [US]:
Your state or province name [NY]:
Your location (e.g. town) [New York]:
Your organization [LCE Users]:
This host name [-----------]:

Note: The -q (quiet) option prevents the user from being prompted.

msmtp

An SMTP client with a sendmail-compatible interface.

To configure msmtp, update msmtp.conf and provide an smtp host, username, password, and port.

# msmtp recipient@domain.com

openssl-utils.sh

Used to generate and view self-signed CA certificates in .pem format.

# /opt/lce/tools/openssl-utils.sh

--generate-LCE-Server-creds <into_dir> [<CA_dnSpec>] [<endEntity_dnSpec>]
  (NB: any prior contents of <into_dir> will be erased!!)
--print-cert <cert_path>.pem
--print-CRL <CRL_path>.pem
--is-signed-by <cert_path>.pem <CA_cert_path>.pem
--is-revoked-per <cert_path>.pem <CRL_path>.pem

A <dnSpec> is: ,-separated list of K=V pairs, all optional save the last; \-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'
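Both lce_crypto_utils and openssl-utils.sh accept the <dnSpec> format described above. The parser below is an added example and not part of LCE: it splits a dnSpec while honouring backslash escapes, checks each key against the six the usage text names, requires the mandatory trailing CN, and renders the result as an OpenSSL -subj string. Rejecting repeated keys and empty values is this example's own assumption, not a rule the usage text states.

```python
# Added example, not LCE code: parse the <dnSpec> accepted by lce_crypto_utils
# and openssl-utils.sh, then render it as an OpenSSL -subj argument.
ALLOWED_KEYS = ("C", "ST", "L", "O", "OU", "CN")  # the six keys the usage text names

def split_escaped(text, sep=","):
    """Split on `sep`; a backslash makes the next character literal."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # escaped char is kept as-is
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_dnspec(spec):
    """Return the dnSpec as an ordered list of (key, value) pairs.

    From the usage text: each component is K=V with one of the six keys and
    the last component, CN, is the only mandatory one. Rejecting repeated
    keys and empty values is this example's own assumption.
    """
    pairs = []
    for item in split_escaped(spec):
        key, eq, value = item.partition("=")
        if not eq or not key or not value:
            raise ValueError("expected K=V, got %r" % item)
        if key not in ALLOWED_KEYS:
            raise ValueError("unknown DN key %r" % key)
        if any(k == key for k, _ in pairs):
            raise ValueError("repeated DN key %r" % key)
        pairs.append((key, value))
    if not pairs or pairs[-1][0] != "CN":
        raise ValueError("dnSpec must end with CN=<name>")
    return pairs

def to_openssl_subj(pairs):
    """Render pairs as an OpenSSL -subj argument, escaping '/' in values."""
    return "".join("/%s=%s" % (k, v.replace("/", "\\/")) for k, v in pairs)

# Constructed sample with an escaped comma in the O value.
print(to_openssl_subj(parse_dnspec("C=US,O=Acme\\, Inc.,CN=lce.example.test")))
```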

plugin_manager.sh

The Log Correlation Engine Disabled Plugins Management Tool is a script that generates a list of plugin libraries that contain no plugins that have ever matched an event processed by the system. You are prompted to automatically disable all of the unused plugin libraries. If this option is not chosen, the unused PRM files are simply listed for reference.

# /opt/lce/tools/plugin_manager.sh

send_syslog

Sends syslog messages to one or more servers.

# /opt/lce/tools/send_syslog (server address 1) [...] [server address N] -message "(message)"
  [-port <port num>]
  [-priority #]
  [-facility <facility>]
  [-severity <severity>]

setup-single-node.sh

Configures Elasticsearch in a single-node configuration: an ES index is created, the ES analysis-icu plugin must be installed, and the appropriate user-level credentials are checked.

Caution: Do not use this tool unless directed by Tenable, Inc. or the product itself to do so.

start_lce

Starts all LCE daemons (except the stats daemon).

# /opt/lce/tools/start_lce

stop_lce

Stops all LCE daemons (except the stats daemon).

# /opt/lce/tools/stop_lce

timestamp_formats.txt

Used to identify the timestamp formats that appear for event timestamps in logs imported by import_logs. By default, this file includes a list of date formats.

If you are importing logs with timestamps in formats that are not included in this file, you can append the new formats to the list.

utilities.sh

Internal.

Caution: This script is used by the tools that are installed with LCE, and should not be interacted with directly.

Elasticsearch Administration and Troubleshooting Utilities

The following table lists in alphabetical order each helper script and describes its function.

Caution: Exercise caution when invoking these scripts to avoid unintended changes.

Tool Description Usage
admin

Contains indicators of JVM heap memory utilization, operations related to Lucene datafiles underlying the Elasticsearch datastore, selected indicators of activity of Elasticsearch itself, and various Elasticsearch configuration display conveniences.

# /opt/lce/tools/es-helper-scripts/admin

USAGE: ./admin
  --coalesce [<indexName>,=*]
  --sync [<indexName>,=*]
  --stats [<indexName>,=*]
  --datafiles [<indexName>,=*]
  --indices-health
  --config-index [<indexName>,=*]
  --config-global [<attribute>, e.g. 'path.repo' | <section>, e.g. 'jvm']
  --show-shards
  --resource-utilization
  --jvm-stats
  --heap-use--breakers
  --heap-use--buffers-caches
  --write-activity
  --discrete-operations
  --queued-tasks
  --running-tasks
  --threadpools
  --get-config-global--es-offline <attribute>

archival

Used for viewing and managing snapshots (silos archived from activeDb to archiveDb), for restoring snapshots back into activeDb, and for triggering out-of-sequence archive jobs.

# /opt/lce/tools/es-helper-scripts/archival

USAGE: ./archival
  --show [<snapshotId>]
  --list--range <YYYY-MM-DD,begin> <YYYY-MM-DD,end> // NB: bounds inclusive.
  --list--of-silo <indexName>

  --archive-silo <indexName>

  --restore <from_snapshotId> [<into_indexName>]
  --restore--range <YYYY-MM-DD,begin> <YYYY-MM-DD,end> // NB: bounds inclusive.

  --archive-job-progress
  --restore-job-progress [<snapshotId>]
  --cancel-job <snapshotId> // NB: Can be archive job or restore job.

  --delete <snapshotId>
  --delete--range <YYYY-MM-DD,begin> <YYYY-MM-DD,end> // NB: bounds inclusive.
  --delete--of-silo <indexName>

data

Used for fetching per-silo event counts and periods of coverage, and for ad-hoc queries of event data.

# /opt/lce/tools/es-helper-scripts/data

USAGE: ./data
  --counts [<indexName>,=*] // NB: subtract 1 to get count of events.
  --latest [<indexName>,=*] [<maxN>,=1]
  --search [<indexName>,=*] [<maxN>,=1] [<fieldName>,=rawLog] <regex>
  --equals [<indexName>,=*] [<maxN>,=1] <fieldName> <fieldValue>

  --silo-status [<indexName>,=*]

harmonize-datastore

Best-effort repair and recovery tool for corrupt datastores.

# /opt/lce/tools/es-helper-scripts/harmonize-datastore

USAGE: ./harmonize-datastore
  --enumerate-unrepaired

move-activeDb

Moves activeDb from its current location (usually /opt/lce/db/) to another location.

USAGE: ./move-activeDb <absolute path of new activeDb directory>

register-archiveDb

Used to configure archiving by directing the creation of archiveDb at any location the user chooses. Can also be used to disable archiving.

USAGE: ./register-archiveDb <absolute path of archiveDb directory> | --deregister

schema

Used to roll silos (make the next silo be the current silo) on-demand, and contains various operations pertaining to the data schema definition.

# /opt/lce/tools/es-helper-scripts/schema

USAGE: ./schema
  --current-recordLive-silo
  --roll-to-next-recordLive-silo
  --exists <indexName> [<typeName>]
  --list-indices
  --show-mappings [<indexName>,=silo0]
  --alias-binding-subtotals
  --show-aliases [<indexName>,=*]
  --list-aliased-indices <aliasName>
  --get-index-template--mappings
  --get-index-template--settings

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.