User Tracking

The Tenable Log Correlation Engine server has a feature that is designed to track users. User tracking can be applied to any event coming into the Tenable Log Correlation Engine server, regardless of the source of the event. Events correlated from Windows, Linux, Unix, or other network devices can be monitored.

When Tenable Log Correlation Engine encounters a log that has no username field, it will assign the username of the user most recently associated with the source IP of the incoming log, or associated with the destination IP of the log if a destination IP (dstip) is provided but a source IP (srcip) is not. If no user was previously tracked at either of the IPs, or if no IP is provided, an “(unknown)” entry is assigned.

When a user changes IP addresses (i.e., Tenable Log Correlation Engine receives a log where the user’s srcip differs from the srcip in the previous log tagged with that username), the new IP address is also associated with the user. The last three IP addresses per user are stored, allowing for cases where a single user logs into multiple systems at the same time. For example, the following event shows a user becoming active at a new IP address:

Network user IP address change: user someguy94 became active at 169.254.96.232 with event login (169.254.96.232:0)

The data used to track usernames is stored in the files usernames.txt, ip_user.dat, and user_ip.dat in the Tenable Log Correlation Engine database directory. The .dat files are written when the Tenable Log Correlation Engine service is shut down gracefully. In case of a server crash, the data is automatically backed up every 10 minutes.

A maximum of 65,534 unique usernames can be stored. If the maximum is reached, incoming logs with new users will have the user fields marked with the “(unknown)” entry.
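The following Python model walks through the tagging rules above (srcip lookup, dstip fallback, the “(unknown)” entry, the three-address history per user, and the 65,534-username cap). It is an added illustration, not Tenable’s code; the event dictionary shape, the choice to associate a user with dstip when a plugin yields no srcip (as plugin 3209 below does), and the ordering of a re-seen address are assumptions.

```python
from collections import deque

MAX_USERNAMES = 65534   # cap stated in the document
IPS_PER_USER = 3        # the last three addresses are kept per user
UNKNOWN = "(unknown)"


class UserTracker:
    """Toy model of the user-tracking rules described above (not Tenable's code)."""

    def __init__(self, max_usernames=MAX_USERNAMES):
        self.max_usernames = max_usernames
        self.user_ip = {}    # user -> deque of its most recent IPs (like user_ip.dat)
        self.ip_user = {}    # ip -> user most recently active there (like ip_user.dat)
        self.changes = []    # "Network user IP address change" style messages

    def recent_ips(self, user):
        return list(self.user_ip.get(user, []))

    def resolve(self, event):
        """Return the username the event is tagged with, updating tracking state."""
        user, srcip, dstip = event.get("user"), event.get("srcip"), event.get("dstip")
        if user:
            if user not in self.user_ip and len(self.user_ip) >= self.max_usernames:
                return UNKNOWN   # username table full: new users are tagged (unknown)
            ips = self.user_ip.setdefault(user, deque(maxlen=IPS_PER_USER))
            # Assumption: a plugin that yields only dstip (as plugin 3209 does)
            # associates the user with that address instead of a srcip.
            ip = srcip or dstip
            if ip:
                if ips and ips[-1] != ip:
                    self.changes.append(
                        f"Network user IP address change: user {user} became active "
                        f"at {ip} with event {event.get('event', 'unknown')} ({ip}:0)")
                if ip in ips:
                    ips.remove(ip)   # assumption: a re-seen IP moves to most recent
                ips.append(ip)       # the deque drops the oldest beyond three
                self.ip_user[ip] = user
            return user
        # No username field: use the last user tracked at srcip; fall back to
        # dstip only when srcip is absent; otherwise tag the event (unknown).
        if srcip:
            return self.ip_user.get(srcip, UNKNOWN)
        if dstip:
            return self.ip_user.get(dstip, UNKNOWN)
        return UNKNOWN
```

Note that a log carrying a srcip with no tracked user is tagged “(unknown)” even when its dstip is known, matching the rule that dstip is consulted only when srcip is absent.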

User tracking in Tenable Log Correlation Engine will function if the following conditions are met:

  • The Tenable Log Correlation Engine server has plugins that can match the events and pull usernames from the events. For example, plugin 3209 in os_win2k_sec.prm has the following line:

    log=event:Windows-Account_Used_For_Login sensor:$1 dstip:$2 type:login user:$4 event2:WindowsEvent-680

    The user:$4 directive tells the plugin to add the username to the available event searchable fields. As a result, searches that query this event based on the username will return results.

  • The plugin IDs have been added to the User Tracking Plugins in the User Tracking section in the configuration section of the Tenable Log Correlation Engine interface (one plugin ID per line).

    Note: A list of the plugins provided by Tenable that include user information is found at the end of /opt/lce/daemons/plugins/prm_map.prm.

  • The user tracking settings have been properly configured in the Tenable Log Correlation Engine interface under “User Tracking”. Please refer to the Advanced Configuration Options section of this document for a description of the following applicable keywords:

    • accept-letters

    • accept-numbers

    • additional-valid-characters

    • max-username-characters

If these conditions are not met, usernames may still be stored in normalized events; however, they cannot be searched using the event filter username parameter. Another way to search for usernames in logs is through the raw log search feature of Tenable Security Center.