Components of the Log Correlation Engine
The Log Correlation Engine (LCE) has three main components:
The LCE server
The LCE server is a set of cooperating daemons for Red Hat Enterprise Linux and CentOS that collects data from the LCE clients, and then normalizes that data. The normalized data is then analyzed using Tenable.sc. Tenable.sc makes both the raw and normalized event data available to the user for event analysis and mitigation. Depending on the scale and requirements of your organization, you may utilize multiple LCE server instances to collect and normalize data.
The LCE interface
Each LCE server provides a web-based application interface, referred to throughout this documentation as the LCE interface. Using the LCE interface, you can monitor the health and status of the LCE server and clients, configure the LCE server, manage clients, create and assign policies, and manage users.
LCE clients are installed on hosts to monitor and collect events. The event data is then communicated to the LCE server. Events are both stored as raw logs and normalized and correlated with vulnerabilities (if applicable).
LCE users work with log data from a wide variety of sources. Each organization can make queries to one or more LCE servers that process events from devices including firewalls, servers, routers, honeypots, mobile device managers, applications, and many other sources. LCE can collect event data from many sources, including:
Windows Event Logs (collected locally or remotely via a WMI client)
Windows, Linux, and Unix system and application logs
Check Point OPSEC events
Cisco RDEP events
Cisco SDEE events
Sniffed TCP and UDP network traffic (Tenable Network Monitor)
Sniffed syslog messages in motion
- Encrypted syslog
File monitoring for the following operating systems:
- Tenable Appliance
- OS X
- Amazon Web Services, via CloudTrail
- Google Cloud Platform
Intrusion Detection and Prevention Systems
LCE has many signature processing libraries to parse logs and can normalize and correlate most network intrusion detection (IDS) and intrusion protection systems (IPS), as well as messages from Tenable.sc.
LCE supports event collection and vulnerability correlation for the following systems:
IBM Proventia (SNMP)
Juniper NetScreen IDP
Fortinet IDS events
- Snort (and Snort-based products)
syslogevent format must be modified to use a comma delimiter rather than a tab delimiter before it can be processed by the LCE.
LCE supports only event collection for the following systems:
- Check Point (Network Flight Recorder)
- Toplayer IPS
There are thousands of normalization rules that support most operating systems, firewalls, network routers, intrusion detection systems, honeypots, and other network devices. The list of officially supported log sources is frequently updated on the Tenable website.