The LCE server has a feature that is designed to track users. User tracking can be applied to any event coming into the LCE server, regardless of the source of the event. Events correlated from Windows, Linux, Unix, or other network devices can be monitored.
When LCE encounters a log that has no username field, it will assign the username of the user most recently associated with the source IP of the incoming log, or associated with the destination IP of the log if a destination IP (dstip) is provided but a source IP (srcip) is not. If no user was previously tracked at either of the IPs, or if no IP is provided, an “(unknown)” entry is assigned.
When a user changes IP addresses (i.e., LCE receives a log where the user’s srcip differs from the srcip in the previous log tagged with the username), the new IP address is also associated with the user. The last three IP addresses are stored for each user, allowing for cases where a single user logs into multiple systems at the same time. For example, the following event shows a user becoming active at a new IP address:
Network user IP address change: user someguy94 became active at 169.254.96.232 with event login (169.254.96.232:0)
The data used to track usernames is stored in the files user_ip.dat in the LCE database directory. The .dat files are written when the LCE service is shut down gracefully. To protect against a server crash, the data is also automatically backed up every 10 minutes.
A maximum of 65,534 unique usernames can be stored. If the maximum is reached, incoming logs with new users will have the user fields marked with the “(unknown)” entry.
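The attribution rules described above can be modeled in a few lines. The following is an added example, not LCE code: the class and function names are hypothetical, the sample events are constructed, and it assumes that an event carrying a username is tied to its srcip (or to its dstip when no srcip is present) and that the first sighting of a user does not count as an IP address change.

```python
from collections import deque

UNKNOWN = "(unknown)"
MAX_USERS = 65534     # unique-username limit stated on this page
IPS_PER_USER = 3      # "last three IP addresses" kept for each user

class UserTracker:
    """Simplified model of the attribution rules; not LCE's implementation."""

    def __init__(self, max_users=MAX_USERS):
        self.max_users = max_users
        self.ip_to_user = {}   # IP -> user most recently associated with it
        self.user_ips = {}     # user -> last three IPs, newest last

    def process(self, event):
        """Return (attributed_user, ip_changed) for one normalized event."""
        user = event.get("user")
        # srcip is preferred; dstip is used only when srcip is absent.
        ip = event.get("srcip") or event.get("dstip")
        if not user:
            # No username in the log: inherit the last user seen at this IP.
            return self.ip_to_user.get(ip, UNKNOWN), False
        if user not in self.user_ips:
            if len(self.user_ips) >= self.max_users:
                return UNKNOWN, False      # table full: new users not tracked
            self.user_ips[user] = deque(maxlen=IPS_PER_USER)
        if ip is None:
            return user, False
        ips = self.user_ips[user]
        # Assumption: the first sighting of a user is not an "IP change".
        changed = bool(ips) and ips[-1] != ip
        if ip in ips:
            ips.remove(ip)
        ips.append(ip)                     # oldest entry drops off past three
        self.ip_to_user[ip] = user
        return user, changed

# Constructed sample events (field names follow the plugin line on this page).
SAMPLE = [
    {"user": "someguy94", "srcip": "192.0.2.10", "type": "login"},
    {"srcip": "192.0.2.10", "type": "firewall"},          # no user field
    {"dstip": "192.0.2.10", "type": "intrusion"},         # dstip only
    {"user": "someguy94", "srcip": "169.254.96.232", "type": "login"},
    {"srcip": "198.51.100.7", "type": "firewall"},        # never-seen IP
]

def run_sample():
    tracker = UserTracker()
    return [tracker.process(e) for e in SAMPLE]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, run_sample()):
        print(event, "->", result)
```

In this model the second and third events inherit someguy94 purely from the IP address, so an inferred username reflects the last tracked login at that address rather than anything in the log itself.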
User tracking in LCE will function if the following conditions are met:
The LCE server has plugins that can match the events and pull usernames from the events. For example, plugin 3209 in os_win2k_sec.prm has the following line:
log=event:Windows-Account_Used_For_Login sensor:$1 dstip:$2 type:login user:$4 event2:WindowsEvent-680
The user:$4 directive tells the plugin to add the username to the available event searchable fields. As a result, searches that query this event based on the username will return results.
The plugin IDs have been added to the User Tracking Plugins in the User Tracking section in the configuration section of the LCE interface (one plugin ID per line).
Note: A list of the plugins provided by Tenable that include user information is found at the end of /opt/lce/daemons/plugins/prm_map.prm.
The user tracking settings have been properly configured in the LCE interface under “User Tracking”. Please refer to the Advanced Configuration Options section of this document for a description of the following applicable keywords:
If these conditions are not met, usernames may still be stored in normalized events; however, they cannot be searched using the event filter username parameter. Another way to search for usernames in logs is through the raw log search feature of Tenable.sc.