Hardware and Software Requirements

Before deploying LCE, confirm that the prerequisite software and hardware requirements have been met and that you have an operational instance of Tenable.sc. Depending on the size of your organization and the way you deploy LCE, the hardware requirements for LCE change. All deployments have a common set of minimum software requirements.

Software Requirements

All deployments of LCE require the following:

  • An active LCE license
  • RHEL/CentOS 7.x, 64-bit

Additionally, while LCE is active, it requires exclusive access to certain ports. The only services that are required to support remote users are SSH and the LCE interface (lce_wwd). If other services are active on the system, conflicts should be avoided on the following default ports:

Ports LCE Receives (Listens) On

| Port | Description |
| --- | --- |
| 162/UDP | SNMP |
| 514/UDP | Syslog |
| 22/TCP | SSH, for requests from Tenable.SC |
| 601/TCP | Syslog |
| 1243/TCP | Vulnerability detection, if enabled in Tenable.SC |
| 6514/TCP | Encrypted syslog |
| 8836/TCP | LCE Administrative Web UI |
| 31300/TCP | Events from LCE Clients |
| 5432/TCP | PostgreSQL replication from the master node or the standby node in a high availability configuration. For more information, see High Availability. |
| 7091/TCP | showids commands forwarded from the master node to the standby node in a high availability configuration. For more information, see High Availability. |
| VRRP | Keepalived virtual IP management in a high availability configuration. For more information, see High Availability. |
 
Ports LCE Sends On

| Port | Description |
| --- | --- |
| 514/UDP | Syslog (forwarded) |
| 443/TCP | Pull requests to the plugins feed at plugins.nessus.org |
| 601/TCP | Syslog (forwarded) |
| 5432/TCP | PostgreSQL replication to the master node or the standby node in a high availability configuration. For more information, see High Availability. |
| 7091/TCP | showids commands forwarded from the master node to the standby node in a high availability configuration. For more information, see High Availability. |
| VRRP | Keepalived virtual IP management in a high availability configuration. For more information, see High Availability. |
 
Ports LCE Uses Over Loopback Interface

| Port | Description |
| --- | --- |
| 7091/TCP | Internal communication, showids to lce_queryd |
| 7092/TCP | Internal communication, lce_tasld to lced |
| 7093/TCP | Internal communication, showids to lce_queryd |

Caution: The system running the LCE can operate a syslog daemon, but the syslog daemon must not be listening on the same port(s) that the LCE server is listening on.
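A pre-deployment check for the port conflicts described above, as an added example that is not part of Tenable's documentation or tooling. It parses the output of `ss -lntup` and reports any process already listening on one of the default LCE ports. It assumes it is run before LCE is started, and the sample output is constructed.

```python
import re

# Default LCE listening ports from the tables above (external and loopback).
# 22/TCP is left out: sshd is expected to hold it.
LCE_PORTS = {
    ("udp", 162): "SNMP",
    ("udp", 514): "Syslog",
    ("tcp", 601): "Syslog",
    ("tcp", 1243): "Vulnerability detection",
    ("tcp", 6514): "Encrypted syslog",
    ("tcp", 8836): "LCE Administrative Web UI",
    ("tcp", 31300): "Events from LCE Clients",
    ("tcp", 5432): "PostgreSQL replication (HA)",
    ("tcp", 7091): "showids",
    ("tcp", 7092): "lce_tasld to lced",
    ("tcp", 7093): "showids to lce_queryd",
}

# Constructed sample of `ss -lntup` output, not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:514              *:*     users:(("rsyslogd",pid=901,fd=3))
udp   UNCONN 0      0      *:68               *:*     users:(("dhclient",pid=777,fd=6))
tcp   LISTEN 0      128    *:22               *:*     users:(("sshd",pid=1012,fd=3))
tcp   LISTEN 0      25     *:601              *:*     users:(("rsyslogd",pid=901,fd=7))
tcp   LISTEN 0      128    [::]:8836          [::]:*  users:(("httpd",pid=2210,fd=4))
"""


def find_conflicts(ss_output):
    """Return (proto, port, process, lce_use) for each listener on an LCE port."""
    conflicts = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header, blank line, or a socket family we do not check
        port = fields[4].rsplit(":", 1)[-1]
        key = (fields[0], int(port)) if port.isdigit() else None
        if key in LCE_PORTS:
            owner = re.search(r'users:\(\("([^"]+)"', line)
            name = owner.group(1) if owner else "unknown"
            conflicts.append((key[0], key[1], name, LCE_PORTS[key]))
    return conflicts


if __name__ == "__main__":
    for proto, port, name, use in find_conflicts(SAMPLE_SS):
        print("{}/{} held by {} (LCE needs it for {})".format(port, proto.upper(), name, use))
```

On a real host, pass the text produced by `ss -lntup` (run as root so process names are visible) instead of the sample.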

Hardware Requirements

The hardware requirements for LCE change based on the number of events being processed.

Estimating Events

The following table provides the estimated average number of events from various sources.

| Devices | Number of Estimated Events |
| --- | --- |
| 1 workstation/laptop | 0.5 events/sec |
| 1 web-facing app server | 20 events/sec |
| 1 web-facing firewall/IDS/IPS | 75 events/sec |
| 1 internal application server (low volume) | 5 events/sec |
| 1 internal application server (high volume: IIS, Exchange, AD) | 20 events/sec |
| 1 internal network device | 2 events/sec |

To convert your event rate to bytes per day, it is recommended that you multiply your total events/second by 250 bytes/event and multiply by 86,400 seconds/day.

System Specification

The following table specifies the system requirements based on the number of events the LCE server is processing.

| Installation scenario | RAM | Processor | Hard disk | Hard disk space |
| --- | --- | --- | --- | --- |
| One LCE server with PostgreSQL processing less than 5,000 events per second | 22 GB | 8 cores | 10,000 RPM HD, or SSD of equiv. IOPS capability; RAID 0/10 configuration | 2.4x Licensed storage size |
| One LCE server with PostgreSQL processing between 5,000 and 20,000 events per second | 30 GB | 16 cores | 15,000 RPM HD, or SSD of equiv. IOPS capability; RAID 0/10 configuration | |
| One LCE server with PostgreSQL processing greater than 20,000 events per second | 58 GB or more | 24 cores or more | SSD of IOPS capability at least equiv. to a 15,000 RPM HD; RAID 0/10 configuration | |

The LCE server requires a minimum of 20 GB of storage space to continue running and storing logs. The current system disk space is visible on the Health and Status page of the LCE interface.

To ensure LCE can take full advantage of the host's RAM and CPU resources, Tenable recommends configuring a dedicated swap partition. If the host has N GB of RAM, you will need at least 1.6 x N GB of swap space for best performance.

High Availability Requirements

Tenable strongly recommends using the same system specifications on the master and standby nodes in your high availability configuration, including the following:

  • Operating system version, to the patch level
  • Layout and size of disk partitions
  • File system choice and mount options
  • RAM size
  • Swap size

For optimal stability and performance, the master and standby nodes should be connected by a fast and reliable network link. For more information about high availability configurations, see High Availability.

File System Recommendations

Placing your activeDb on a networked file system (e.g. NFS) results in inadequate system performance. Tenable recommends that you use EXT3, EXT4, XFS, or ZFS and that you pay close attention to the mount options.

Placing your archiveDb on a networked file system does not impact system performance.

| If your file system is: | Tenable recommends: | Tenable does not recommend: |
| --- | --- | --- |
| EXT3, EXT4, XFS | noatime | atime or strictatime or relatime or diratime or No *atime at all. |
| EXT3 | barrier=0 | barrier=1 |
| EXT4 | barrier=0 or nobarrier | barrier=1 or barrier |
| XFS | nobarrier | barrier |
| EXT3, EXT4 | data=writeback | data=journal or data=ordered or No data=* at all. |
| ZFS | atime=off | atime=on or relatime=on or No *atime at all. |
| ZFS | Hardware-dependent | compression=gzip or compression=gzip-N or compression=zle; compress=gzip or compress=gzip-N or compress=zle |
| ZFS | logbias=throughput | logbias=latency or No logbias at all. |
| ZFS | primarycache=metadata | primarycache=all or primarycache=none or No primarycache=* at all. |
| ZFS | Hardware-dependent | recordsize=512 or recordsize=1024 or recordsize=2048 or recordsize=4096 |
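
One way to audit the mount that holds activeDb against these recommendations, as an added example that is not part of Tenable's documentation or tooling. It reads `/proc/mounts`-style text, finds the mount containing a given path, and lists the recommended EXT3, EXT4 or XFS options that are not set; ZFS settings are dataset properties rather than mount options and are not covered. The devices, mount points and paths in the sample are hypothetical.

```python
# Recommended mount options per file system type, from the table above.
# Each inner tuple lists alternatives; at least one of them must be set.
RECOMMENDED = {
    "ext3": [("noatime",), ("barrier=0",), ("data=writeback",)],
    "ext4": [("noatime",), ("barrier=0", "nobarrier"), ("data=writeback",)],
    "xfs": [("noatime",), ("nobarrier",)],
}
NETWORK_FS = ("nfs", "nfs4")

# Constructed /proc/mounts lines; devices and mount points are hypothetical.
SAMPLE_MOUNTS = """\
/dev/sda2 / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sdb1 /srv/activedb ext4 rw,noatime,nobarrier,data=writeback 0 0
/dev/sdc1 /srv/other ext4 rw,relatime,data=ordered 0 0
filer:/export/lce /mnt/nfsdb nfs4 rw,relatime,vers=4.1 0 0
"""


def audit_mount(mounts_text, path):
    """Return findings for the mount holding `path`; an empty list means compliant."""
    best = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mnt = parts[1].rstrip("/") or "/"
        prefix = mnt if mnt == "/" else mnt + "/"
        # Keep the longest mount point that contains the path.
        if (path == mnt or path.startswith(prefix)) and (best is None or len(mnt) > len(best[0])):
            best = (mnt, parts[2], set(parts[3].split(",")))
    if best is None:
        return ["no mount found for " + path]
    mnt, fstype, opts = best
    if fstype in NETWORK_FS:
        return ["{} is a networked file system ({})".format(mnt, fstype)]
    if fstype not in RECOMMENDED:
        return ["{} uses {}, which this check does not cover".format(mnt, fstype)]
    return ["missing " + " or ".join(alts)
            for alts in RECOMMENDED[fstype] if not opts.intersection(alts)]


if __name__ == "__main__":
    for p in ("/srv/activedb", "/srv/other", "/mnt/nfsdb", "/var/log"):
        print(p, audit_mount(SAMPLE_MOUNTS, p) or "ok")
```

On a real host, pass the contents of `/proc/mounts` and the directory that holds activeDb.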

Licenses

There is no licensed limit to the number of events or IPs that the LCE can be configured to monitor.

There are different licenses available for LCE based on the total amount of storage used by LCE. The licenses are based on 1 TB, 5 TB, and 10 TB storage sizes. A license for LCE is provided as a part of Tenable.sc Continuous View. There is no difference in the LCE software that is installed, just the maximum storage size that can be used by LCE. Data that exceeds your license limit will be off-lined.