Files and Layout

LCE resides in the /opt/lce directory, and contains various sub-directories. The contents of each subdirectory are summarized in the table below.




This directory contains all of the LCE tracelog files. Tracelogs with expected higher volume are broken up into monthly files, with names in YYYYMon.log format (e.g. 2019Jan.log). Tracelog files for some LCE components are stored in eponymous subdirectories.

Note: Directory /opt/lce/admin/log is the default location of LCE tracelogs. Use change-tracelogs-location to change the tracelogs directory location. For more information, see change-tracelogs-location.


This directory contains certificates and keys for LCE modules to authenticate remote connections. For example, the syslog sub-directory contains the default keys and certs to authenticate encrypted TCP syslog senders.


This directory contains the lced binary (the log engine) and all other helper daemons in LCE. The LCE Client Manager is also located here. The daemons directory also contains sub-directories for plugins, policies, and other items updated automatically via the LCE plugin feed.

When LCE starts, it will load all files in the plugins sub-directory unless they are disabled via the configuration.

Tip: To verify which version of LCE you are running, run the following command:

lced -v


LCE stores all event data in the db directory.

Note: Directory /opt/lce/db is the default location of LCE activeDb. Use change-activeDb-location to change the activeDb directory location. For more information, see change-activeDb-location.


This directory contains the LCE Software License Agreement.


IDS signature mappings and host vulnerability information from is stored here for correlation.

postgresql Bundled with LCE. For more information, see Location of PostgreSQL Files in an LCE Installation.


This directory and its sub-directories contain certs and keys for the Nessus Transport Protocol interface for to retrieve report information.


This directory contains host vulnerability information LCE has discovered by scanning logs.


Directory used for temporary data that is utilized by LCE.


This directory contains various tools that are utilized by LCE, and some can be utilized via the command line if required.


The www directory contains the web client, and web server information. The users subdirectory contains a directory for each user configured in the LCE interface.