Components of the Log Correlation Engine

The Log Correlation Engine (LCE) has three main components:

  • The LCE server

    The LCE server is a set of cooperating daemons for Red Hat Enterprise Linux (RHEL) or CentOS Linux or Oracle Enterprise Linux (OEL) that collects data from the LCE clients, and then normalizes that data. The normalized data is then analyzed using makes both the raw and normalized event data available to the user for event analysis and mitigation. Depending on the scale and requirements of your organization, you may utilize multiple LCE server instances to collect and normalize data.

  • The LCE interface

    Each LCE server provides a web-based application interface, referred to throughout this documentation as the LCE interface. Using the LCE interface, you can monitor the health and status of the LCE server and clients, configure the LCE server, manage clients, create and assign policies, and manage users.

  • LCE clients

    LCE clients are installed on hosts to monitor and collect events. The event data is then communicated to the LCE server. Events are both stored as raw logs and normalized and correlated with vulnerabilities (if applicable).

LCE users work with log data from a wide variety of sources. Each organization can make queries to one or more LCE servers that process events from devices including firewalls, servers, routers, honeypots, mobile device managers, applications, and many other sources. LCE can collect event data from many sources, including:

  • Windows Event Logs (collected locally or remotely via a WMI client)

  • Windows, Linux, and Unix system and application logs

  • Check Point OPSEC events

  • Cisco RDEP events

  • Cisco SDEE events

  • NetFlow

  • Splunk

  • Sniffed TCP and UDP network traffic (Tenable Network Monitor)

  • Sniffed syslog messages in motion

  • Encrypted syslog
  • File monitoring for the following operating systems:

    • RHEL
    • Tenable Core
    • FreeBSD
    • Debian
    • OS X
    • AIX
    • Solaris
    • HP-UX
    • Dragon
    • Fedora
    • Ubuntu
    • SuSE
    • Windows
  • Salesforce
  • Amazon Web Services, via CloudTrail
  • Google Cloud Platform

Intrusion Detection and Prevention Systems

LCE has many signature processing libraries to parse logs and can normalize and correlate most network intrusion detection (IDS) and intrusion protection systems (IPS), as well as messages from

LCE supports event collection and vulnerability correlation for the following systems:

  • Bro

  • Cisco IDS

  • Enterasys Dragon

  • IBM Proventia (SNMP)

  • Juniper NetScreen IDP

  • McAfee IntruShield

  • Fortinet IDS events

  • Snort (and Snort-based products)
  • HP TippingPoint

  • Note: TippingPoint's syslog event format must be modified to use a comma delimiter rather than a tab delimiter before it can be processed by the LCE.

LCE supports only event collection for the following systems:

  • AirMagnet
  • Check Point (Network Flight Recorder)
  • Portaledge
  • Toplayer IPS

There are thousands of normalization rules that support most operating systems, firewalls, network routers, intrusion detection systems, honeypots, and other network devices. The list of officially supported log sources is frequently updated on the Tenable website.