Import LCE Data Manually

LCE data can be collected both via real-time logging and manually in batch mode using the import_logs tool. Events imported this way appear in the normalized event view alongside events collected in real time. This command-line tool imports data into the LCE that was not available in real time but is still important for correlation with vulnerability data and for analysis of security posture and events.

Log files must be ASCII or UTF-8 text, not binary, and each log entry must be delimited by a single newline (so the last entry in the file must also end with a newline).

Usage:

    # /opt/lce/tools/import_logs --ASCII | --UTF8
          [--now-as-timestamp | --may-guess-timestamps]
          [--minimum-timestamp-epoch <N>]
          [--maximum-timestamp-epoch <N>]
          [--no-eval-event-rules]
          <inputFileAbsolutePath>

The following describes the options available for import_logs:

--ASCII | --UTF8
    Declares the encoding of the input file. Exactly one of the two is required; see the file format note above.

--no-eval-event-rules
    Do not apply LCE event rules to imported logs.

--may-guess-timestamps
    If no timestamp can be determined for an event, assign the most recent known timestamp. Cannot be combined with --now-as-timestamp.

--now-as-timestamp
    Use the current system time for all imported logs rather than the timestamps contained within the event text. Cannot be combined with --may-guess-timestamps.
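The following script is an added example, not part of the LCE documentation or Tenable's tooling. It checks a log file against the constraints stated above (absolute path, non-empty, no binary content, newline-delimited, UTF-8) before handing it to import_logs, and builds the command line with a timestamp window so that a mis-parsed date cannot place an event far outside the period the archive actually covers. The function names, the seven-day default and the sample log lines in the test are this example's own assumptions; the import_logs path and flags are those given in the synopsis.

```shell
#!/bin/sh
# Added example (not part of the LCE documentation): preflight a log file
# against the constraints stated above, then build the import_logs command
# line with a timestamp window. The function names and the 7-day default
# are this example's own.

IMPORT_LOGS=/opt/lce/tools/import_logs   # path as given in the usage synopsis

# Check that FILE is an absolute path to a non-empty text file with no NUL
# bytes, LF (not CRLF) delimiters, a terminating newline, and, when iconv is
# available, well-formed UTF-8. Prints the first problem found; returns 1 on
# any failure, 0 when the file is safe to hand to import_logs.
lce_preflight() {
    f=$1
    case $f in /*) ;; *) echo "not an absolute path: $f"; return 1 ;; esac
    [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
    # Binary data: a NUL byte never occurs in ASCII or UTF-8 text.
    if [ "$(( $(tr -cd '\000' < "$f" | wc -c) ))" -ne 0 ]; then
        echo "binary content (NUL byte) in $f"; return 1
    fi
    # CRLF endings would leave a stray CR on every event; strip them first.
    if grep -q "$(printf '\r')" "$f"; then
        echo "CRLF line endings in $f (strip with: tr -d '\\r')"; return 1
    fi
    # Each event must be delimited by a newline, including the last one.
    if [ "$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')" != "0a" ]; then
        echo "last event not newline-terminated in $f"; return 1
    fi
    # iconv is not guaranteed on every host, so the UTF-8 check is optional.
    if command -v iconv >/dev/null 2>&1 && ! iconv -f UTF-8 -t UTF-8 "$f" >/dev/null 2>&1; then
        echo "invalid UTF-8 in $f"; return 1
    fi
    return 0
}

# Print the import_logs command for FILE, accepting only timestamps within
# the last DAYS days (default 7). NOW (epoch seconds) defaults to the current
# time and is a parameter only so that the output is reproducible.
lce_import_cmd() {
    f=$1; days=${2:-7}; now=${3:-$(date +%s)}
    min=$(( now - days * 86400 ))
    printf '%s --UTF8 --may-guess-timestamps --minimum-timestamp-epoch %s --maximum-timestamp-epoch %s %s\n' \
        "$IMPORT_LOGS" "$min" "$now" "$f"
}

# Usage: sh import_preflight.sh /var/log/archive/auth.log [days]
if [ $# -ge 1 ]; then
    lce_preflight "$1" || exit 1
    cmd=$(lce_import_cmd "$1" "${2:-7}")
    echo "$cmd"
    # Uncomment on an LCE host to run the import rather than just print it:
    # eval "$cmd"
fi
```

Run it on the LCE host as root against the archived file; it prints the command it would run and exits non-zero with a reason if the file would be rejected or would leave a carriage return on every event. The epoch bounds are the practitioner's safeguard for archives with ambiguous date formats: anything that parses outside the window is rejected by import_logs instead of being recorded at the wrong time.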