
Advanced Configuration

The Advanced configuration section is used to fine tune your LCE server configuration. Changes made in any group of the Advanced section take effect only after you select the Update button; select Cancel to discard changes you do not want to keep.

The Advanced configuration section includes the following groups of settings:

Storage

The options available under the Storage subsection are Store Unnormalized Logs and Disk Alert Percentage. These options are described in the table below.

Option Description

Store Unnormalized Logs

If enabled, then LCE will store logs that cannot be normalized by existing LCE plugins. These logs will have the type and event set to unnormalized and will still be available for text, IP, and sensor-based searches.

Disk Alert Percentage

When filesystem usage exceeds the specified percentage (from 1 to 99 percent), an alert is generated so that you can take action to ensure the LCE server does not exhaust disk space for log storage. The default value is 75 percent.

LCE Web Server

The LCE Web Server section allows you to specify the parameters that govern user login and access to the LCE interface. These options are described in the table below.

Option Description

Login Banner

Banner to display prior to login, requiring users to positively acknowledge a customized statement or warning. Up to 1300 characters.

Enforce Complex Passwords

Require web server user passwords to have at least 1 uppercase, 1 lowercase, 1 number, and 1 special character.

Min Password Length

Minimum length of a password for a web server user login. This limit only applies to passwords that are created after this option is modified.

Idle Session Timeout

Idle login sessions will be logged out after the amount of time specified in minutes. To disable the timeout, set the value to 0.

Web Server Port

Specifies the port used to access the LCE interface. By default, port 8836.

Enable SSL for Web Server

When enabled, the engine will require SSL protection for connections to the web server. If this setting is changed, users are disconnected and must log back into the server again.

Enable SSL Client Certificate Authentication

When enabled, the web server will only accept SSL client certificates for user authentication. By default, this option is disabled and the web server allows login only with a username and password.

Sensor Names

This option allows you to override the discovered name of a syslog sensor with a name that is more identifiable in the environment. For example if the host is syslogserver06.example.com but that server resides in the research area of the environment, you can set a name that is more identifiable, such as research_syslog.

Normally, the sensor name is set to one of the following:

  • The source of the log
  • The sensor name set on the client itself
  • The syslog source
  • The plugin that normalizes the log

If you specify a sensor name using the LCE interface, that name will always be applied to the sensor that corresponds to the IP address. When creating new sensor names, values must be set for both the Sensor Name and IP Address.

Option Description

Sensor Name

Sensor name to be used within the SecurityCenter logs.

Note: The sensor name can be a maximum of 128 characters.

IP Address

The IP address of the configured client or syslog source.

Clients

This section of the Advanced Configuration is used to further define how clients are able to connect to the LCE, and how they are named when viewed in the “Event” section of SecurityCenter. The configurations are Public Server Address, Auto Authorize Clients, Use Client Network Address, and Override Sensor Name, described in the table below.

Option Description

Public Server Address

If the server is run from behind a device performing Network Address Translation (NAT), and the LCE clients that the server manages are on the public side of the device, the Public Server Address box must be set to the NAT address so that the managed clients can communicate with the server. The LCE server will listen for clients based on, in order of preference, the Public Server Address setting, the Server Address setting, or the first IP that it finds LCE using that is not 127.0.0.1.

Caution: When a Public Server Address is specified, all clients on either side of the NAT device must use this address to connect.

Auto Authorize Clients

Specifies the number of minutes after the LCE server starts during which connecting clients are automatically authorized. For example, if the value is set to 10, any client that attempts to connect to the server within ten minutes of it starting will be automatically authorized. Because any host that can reach the server during this window is authorized without review, keep the window short and review the list of authorized clients after each server start.

Use Client Network Address

Override private client IP in events with the NAT / public network peer IP.

Override Sensor Name

Prefer configured name over discovered name.

The Client Assignment Rules section allows for specific policies to be applied to specific client ranges. When a client assignment rule is created, a text box appears in the Policies column. In the text box, specify the filenames of the policies that you want applied to clients that fall in the range defined by the rule.

Policies are matched by operating system. If there are multiple policies for a particular operating system, the first applicable policy that is specified for that operating system will be assigned. If none of the specified policies are applicable to a client in the network, the default policy for that operating system will be used.

If Auto Authorize is enabled, clients that are discovered in the range defined by the rule will be automatically authorized.

Option Description

Client Network

A network range in CIDR notation

LCE IP:port

The LCE server IP address and port that you want the clients to communicate with.

Auto Authorize

If enabled, clients discovered in the network range are automatically authorized.
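The following is an added example, not code from the LCE product or from this guide, showing how the client assignment rules described above resolve a client to an LCE endpoint, a policy and an auto-authorize state. The rule ordering (first listed match wins), the policy filenames, the policy-to-OS catalogue and the client port 31300 are all assumptions made for the example.

```python
"""Client assignment rules: map a client to an LCE endpoint, policy and auto-authorize state."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class AssignmentRule:
    client_network: str      # Client Network column, CIDR notation
    lce_endpoint: str        # LCE IP:port column
    auto_authorize: bool     # Auto Authorize column
    policies: List[str]      # policy filenames typed into the Policies box

# Hypothetical policy catalogue (filename -> operating system). The guide says policies
# are matched by operating system; these filenames are assumed, not real LCE policies.
POLICY_OS: Dict[str, str] = {
    "windows_dc.lcp": "windows",
    "linux_web.lcp": "linux",
    "linux_db.lcp": "linux",
}
DEFAULT_POLICY: Dict[str, str] = {"windows": "default_windows.lcp", "linux": "default_linux.lcp"}

def assign(client_ip: str, client_os: str, rules: List[AssignmentRule]) -> dict:
    """Resolve endpoint, policy and auto-authorize state for one client."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:  # assumption: rules are evaluated in listed order, first match wins
        if ip not in ipaddress.ip_network(rule.client_network, strict=False):
            continue
        # first applicable policy listed for this OS, otherwise the OS default
        policy = next((p for p in rule.policies if POLICY_OS.get(p) == client_os),
                      DEFAULT_POLICY.get(client_os))
        return {"endpoint": rule.lce_endpoint, "policy": policy,
                "auto_authorized": rule.auto_authorize}
    # no rule covers the client: OS default policy, no rule-based auto-authorization
    return {"endpoint": None, "policy": DEFAULT_POLICY.get(client_os), "auto_authorized": False}

# Constructed rule set for the example (client port 31300 is an assumption)
EXAMPLE_RULES = [
    AssignmentRule("10.1.0.0/16", "10.0.0.5:31300", True,
                   ["windows_dc.lcp", "linux_web.lcp", "linux_db.lcp"]),
    AssignmentRule("10.2.0.0/16", "10.0.0.6:31300", False, ["linux_db.lcp"]),
]

if __name__ == "__main__":
    for ip, os_name in [("10.1.4.7", "linux"), ("10.2.9.1", "windows"), ("192.168.1.1", "linux")]:
        print(ip, os_name, assign(ip, os_name, EXAMPLE_RULES))
```

Note that the second rule lists only a Linux policy, so a Windows client in 10.2.0.0/16 falls back to the Windows default policy, exactly the fallback the text describes.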

User Tracking

Users of the LCE server are tracked by their username. These options set restrictions on which usernames are considered valid. Any usernames failing to match the specified criteria are disregarded and the user is reported as invalid for the associated log entries.

Option Description

User Tracking Plugins

Only Plugin IDs in this list are used to apply user tracking. Other plugins will normalize usernames, but no tracking is performed based on the source and destination IP addresses. Only usernames normalized by these plugins are subject to the additional user tracking restrictions in this section. If a username is normalized by these plugins but does not meet the additional restrictions it will not be associated with the log and will not be associated with the subsequent logs from that IP address. Some IDs of plugins that can be specified for User Tracking Plugins are:

  • 4770 (tenable_pvs.prm)
  • 5450 (mail_imaps.prm)
  • 1708 (mail_wuimap.prm)
  • 7293 (os_win2008_sec.prm)
  • 3260, 3262, 3294 (os_win2k_sec.prm)

Note: LCE login-failure plugins do not normalize usernames because those logs are not assured to provide a valid username, and it would contaminate the username database. Additionally, it is advised never to add a login-failure plugin ID into the list of User Tracking Plugins. Doing so would invalidate user tracking for hosts that triggered the plugin.

Accept Letters

If enabled, the LCE server will allow usernames to contain letters.

Accept Numbers

If enabled, the LCE server will allow usernames to contain numbers.

Valid Username Characters

Specifies which special characters are considered valid for usernames. By default, the following characters are considered valid: -_.@$.

For example, the following username would be considered valid based on the default value:

b.j-smith@a_b.com

Note: You cannot specify the semicolon character, “;” for this option.

Max Username Length

The maximum number of characters considered valid for usernames normalized by the server.

Untracked Usernames

These users are not tracked. The usernames are normalized and will appear with their associated logs, but no alert is generated when the username switches from one IP to another.

Example:

  • root
  • lce
  • admin
  • administrator
  • Administrator
  • SYSTEM
  • INTERACTIVE
  • NETWORKSERVICE
  • LOCALSERVICE
  • ANONYMOUSLOGON
  • Nobody
  • NTAUTHORITY
  • DIALUP
  • NETWORK
  • BATCH
  • NO_USER_NAME
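The following is an added example, not code from LCE or from this guide, that models the user tracking behaviour described in this section: usernames normalized by a User Tracking Plugin are checked against the Accept Letters, Accept Numbers, Valid Username Characters and Max Username Length settings, invalid ones are disregarded, and a tracked username that appears from a new IP address raises an alert unless it is on the Untracked Usernames list. The Max Username Length default of 64, plugin ID 9999 and the sample events are constructed for the example; plugin 7293 is taken from the list above.

```python
"""User tracking: validate normalized usernames and alert when a tracked user changes IP."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Untracked Usernames, as listed in this section of the guide
UNTRACKED_DEFAULT = {"root", "lce", "admin", "administrator", "Administrator", "SYSTEM",
                     "INTERACTIVE", "NETWORKSERVICE", "LOCALSERVICE", "ANONYMOUSLOGON",
                     "Nobody", "NTAUTHORITY", "DIALUP", "NETWORK", "BATCH", "NO_USER_NAME"}

@dataclass
class UserTrackingConfig:
    tracking_plugins: Set[int]                 # User Tracking Plugins
    accept_letters: bool = True                # Accept Letters
    accept_numbers: bool = True                # Accept Numbers
    valid_chars: str = "-_.@$"                 # Valid Username Characters (guide default)
    max_username_length: int = 64              # Max Username Length (value assumed)
    untracked: Set[str] = field(default_factory=lambda: set(UNTRACKED_DEFAULT))

    def __post_init__(self):
        if ";" in self.valid_chars:            # the guide says ';' cannot be configured
            raise ValueError("semicolon is not allowed in Valid Username Characters")

def username_is_valid(user: str, cfg: UserTrackingConfig) -> bool:
    """Apply the Accept Letters / Accept Numbers / Valid Username Characters / length rules."""
    if not user or len(user) > cfg.max_username_length:
        return False
    for ch in user:
        if ch.isalpha():
            if not cfg.accept_letters:
                return False
        elif ch.isdigit():
            if not cfg.accept_numbers:
                return False
        elif ch not in cfg.valid_chars:
            return False
    return True

class UserTracker:
    def __init__(self, cfg: UserTrackingConfig):
        self.cfg = cfg
        self.last_ip: Dict[str, str] = {}      # tracked username -> last source IP

    def process(self, plugin_id: int, srcip: str,
                username: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
        """Returns (username associated with the log, alert text or None)."""
        if username is None:
            return None, None
        if plugin_id not in self.cfg.tracking_plugins:
            return username, None              # normalized, but no IP-based tracking
        if not username_is_valid(username, self.cfg):
            return None, None                  # reported invalid, not associated with the log
        if username in self.cfg.untracked:
            return username, None              # kept with the log, never alerted on
        prev = self.last_ip.get(username)
        alert = None
        if prev is not None and prev != srcip:
            alert = f"{username} switched from {prev} to {srcip}"
        self.last_ip[username] = srcip
        return username, alert

# Constructed events: (plugin ID, source IP, normalized username)
SAMPLE_EVENTS = [
    (7293, "10.0.0.5", "b.j-smith@a_b.com"),
    (7293, "10.0.0.9", "b.j-smith@a_b.com"),   # same user, new IP -> alert
    (7293, "10.0.0.5", "root"),
    (7293, "10.0.0.9", "root"),                # untracked -> no alert
    (7293, "10.0.0.7", "bad;user"),            # ';' is never valid -> disregarded
    (9999, "10.0.0.7", "contractor1"),         # not a tracking plugin -> kept, untracked
]

def run_sample() -> List[Tuple[Optional[str], Optional[str]]]:
    tracker = UserTracker(UserTrackingConfig(tracking_plugins={7293}))
    return [tracker.process(*event) for event in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run_sample()):
        print(event, "->", result)
```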

Host Discovery and Vulnerabilities

This section defines the parameters used by LCE to send vulnerability information to SecurityCenter, as described in the table below.

Option Description

Enable Host Discovery

This option enables or disables host discovery. When set to yes, new hosts on the network will be discovered and reported based on log data.

Report Frequency

The frequency, in minutes, in which the report file will be generated and updated on disk. The default is 60 minutes.

Report Lifetime

The lifetime of a report in days. The report will be cleared after this amount of time. The default is 7 days.

Learning Period

This option sets the number of days LCE observes the network before it begins alerting on new hosts. A setting of at least 1 or 2 days is recommended. After the period has elapsed, any host that was not seen during it is alerted on as new. Without this setting, LCE would repeatedly report every host that is currently running and could not accurately identify hosts that are actually new.

Reporter Port

The port used by SecurityCenter to retrieve host and vulnerability reports from LCE.

Reporter Username

The username used by both SecurityCenter, and LCE to exchange vulnerability information.

Reporter Password

The password used by SecurityCenter and LCE to exchange vulnerability information.

Verify Reporter Password

This field is used for password verification.

Report SSL Key File

The name of the LCE server reporter key file as it appears in /opt/lce/reporter/ssl/. By default, the file is serverkey.pem.

Report SSL CA File

The name of the LCE server certificate authority file as it appears in /opt/lce/reporter/ssl/. By default, the file is cacert.pem.

Report SSL Cert File

The name of the LCE server certificate file as it appears in /opt/lce/reporter/ssl/. By default, the file is servercert.pem.

Statistical Alerts

There are multiple statistical anomalies that can occur on a network. Some examples are Social Network, Login Failure, DNS, Virus, and Database anomalies. The LCE stats daemon can track these anomalies, and provide feedback when a specific threshold is reached.

Each statistical anomaly is triggered based on a number of deviations. The table below shows what number of standard deviations needs to occur before a statistical anomaly is triggered along with an example event name as it would be seen in the Events section of SecurityCenter.

Type: minimum and maximum number of standard deviations from the mean, with an example event name

  • Minor Anomaly: 1.0 to 5.99 standard deviations (example: Statistics-Login_Minor_Anomaly)
  • Anomaly: 6.0 to 9.99 standard deviations (example: Statistics-USB_Anomaly)
  • Medium Anomaly: 10.0 to 99.99 standard deviations (example: Statistics-SPAM_Medium_Anomaly)
  • Large Anomaly: 100.00 to 999999.99 standard deviations (example: Statistics-Intrusion_Large_Anomaly)

Option Description

Min Standard Deviation

This specifies the minimum standard deviation that must occur for an event before an alert will be generated for it. The higher this number, the more statistically significant a sequence of events needs to be before an alert is raised.

Min Number of Standard Deviations

If an event occurs more or less than 5.0 standard deviation units, an alert will be generated. Setting this value higher will cut down on any sequence of events that occur close to the standard deviation.

Min Statistical History

This specifies the number of iterations (days) of per-event history that are required before alerts will be generated. If a large amount of LCE data is already present, set this number to a low value or even to zero; the stats daemon can be started to read in all or just part of the existing LCE data. If you have no LCE data, leave this value around 7 so the stats daemon will not alert on anything until it has 7 days of event data.

Max Occurrence Frequency

If an event occurs more or less than 5.0 standard deviation units, an alert will be generated. Setting this value higher will cut down on any sequence of events that occur close to the standard deviation.

Syslog Alerts

The statistics engine will send anomaly alerts to the syslog servers in this list. It is recommended to include 127.0.0.1 for the local LCE service.
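The following is an added example, not code from the LCE stats daemon or from this guide, that shows how the Min Statistical History, Min Standard Deviation and Min Number of Standard Deviations options interact with the bands in the table above. It measures how far today's count for an event lies from the mean of its daily history, in units of that history's standard deviation, and names the resulting event the way the table does. The seven-day "Login" history is constructed; the exact statistics the real daemon keeps are not described on the page, so the population standard deviation used here is an assumption.

```python
"""Classify an event count against its history using the standard-deviation bands above."""
import statistics
from typing import List, Optional

# (band label, minimum SDs from the mean, maximum SDs from the mean), from the table above
BANDS = [("Minor_Anomaly", 1.0, 5.99), ("Anomaly", 6.0, 9.99),
         ("Medium_Anomaly", 10.0, 99.99), ("Large_Anomaly", 100.0, 999999.99)]

def band_for(deviations: float) -> Optional[str]:
    """Return the band label for a distance from the mean, or None if outside every band."""
    for label, lo, hi in BANDS:
        if lo <= deviations <= hi:
            return label
    return None

def evaluate(event: str, history: List[int], today: int, *,
             min_statistical_history: int = 7,       # Min Statistical History (days)
             min_number_of_sds: float = 5.0,         # Min Number of Standard Deviations
             min_standard_deviation: float = 0.0     # Min Standard Deviation
             ) -> Optional[str]:
    """history: one count per past day for this event; today: the count being tested.
    Returns an event name such as Statistics-Login_Anomaly, or None when nothing fires."""
    if len(history) < min_statistical_history:
        return None                                  # still learning, no alerts yet
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)                  # assumption: population SD of the history
    if sd == 0 or sd < min_standard_deviation:
        return None                                  # flat history or below Min Standard Deviation
    deviations = abs(today - mean) / sd              # "more or less than" the mean
    if deviations < min_number_of_sds:
        return None
    label = band_for(deviations)
    return f"Statistics-{event}_{label}" if label else None

# Constructed seven-day history of daily counts for a "Login" event type
LOGIN_HISTORY = [10, 12, 11, 9, 10, 12, 10]

if __name__ == "__main__":
    for today in (14, 19, 200):
        print(today, evaluate("Login", LOGIN_HISTORY, today))
```

With the defaults above, a day of 14 logins (about 3.3 standard deviations out) stays below the 5.0 threshold and is silent, 19 logins land in the Anomaly band, and 200 logins produce a Large Anomaly; lowering Min Number of Standard Deviations to 1.0 lets the 14-login day through as a Minor Anomaly, which is the trade-off the option description refers to.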

Resource Usage and Performance

This section of the LCE Advanced Configuration is used to tune the performance of the LCE server.

Option Description

Additional Query Memory

By default, 100 megabytes of memory is used for text queries. For systems with large amounts of available memory, the Additional Query Memory option can be used to allocate additional memory for the text string search functionality of the query daemon. This will improve response time during event analysis in SecurityCenter. The option can be specified in megabytes or gigabytes by selecting an M or G from the Additional Query Memory drop-down menu.

Max TASL Memory Queue

To maximize performance on multi-processor and multi-core systems, correlated TASL events are processed in parallel with regular incoming events. Since some TASL scripts can run for an extended period of time, the primary event processor can receive many TASL-triggering events while a TASL script is still being executed. In this case, the TASL job is stored in a queue for later processing. This option defines the maximum size of this queue. On systems with extremely large volumes of data, setting the maximum queue size higher results in increased performance. If a TASL script that can be sampled is triggered while the queue is full, its callback functions will not be executed.

Log-Processors

This option leverages multicore processors and determines how many threads will be dedicated to log processing. It is recommended that this setting be no higher than the number of CPU cores in the LCE host system. This is an upper limit, and should not be changed unless you have more than 8 total cores (for example, a dual quad-core CPU system). For systems with hyper-threading technology, the value may be scaled accordingly.

Sampleable TASLs

Sampleable TASL scripts may be skipped to alleviate processor load when the TASL queue is full.

DNS Caching

When a log message is defined in a plugin, LCE provides the option to specify a hostname instead of an IP address for the srcip and dstip fields. In this case, LCE automatically attempts to resolve the provided hostname to an IP address using DNS. Since the same hostname is typically encountered multiple times, caching the results of lookups can greatly increase performance. These options configure DNS caching in LCE.

A particular hostname, or all domain names with a certain extension, can be excluded from caching using the Always Resolve section. In this case, the matching hosts are looked up at every occurrence. The Always Resolve section can be used to maintain a more extensive list of domains to exclude when DNS caching is utilized. The hosts in the Always Resolve section are read when LCE starts up, but changes to the list can be made at any time; after changing the section, select the Update button at the bottom of the Advanced Configuration section of the LCE interface.

Option Description

Max Memory for DNS Cache

LCE will maintain a cache of hostname-to-IP address mappings rather than performing the lookup repeatedly, limited to this amount of memory (in MB). The Max Memory for DNS Cache option can go up to 360K domain names.

DNS Cache Period

The DNS Cache Period option specifies the number of days to cache a hostname-to-IP mapping before updating the result with a new lookup. This value can be set between 1 and 30 days.

Always Resolve

If a host ends with an extension listed here, it will be resolved each time it is encountered rather than being cached. List each host or extension on a new line. The list is read when LCE starts up, but changes can be made at any time; after changing it, select the Update button at the bottom of the Advanced Configuration section.

Cache at Startup

Hosts listed in the Cache at Startup are resolved at startup and cached immediately to reduce runtime DNS resolutions and improve performance. The format for these entries is one hostname per line.
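The following is an added example, not code from LCE or from this guide, that models the DNS caching behaviour described in this section: cached mappings expire after the DNS Cache Period, hosts whose names end with an Always Resolve entry are looked up every time, Cache at Startup hosts are resolved once before any event arrives, and the cache is capped by an entry count standing in for Max Memory for DNS Cache. The resolver and the clock are injected so the example runs offline; the hostnames, addresses and the eviction strategy are constructed assumptions.

```python
"""DNS caching as described above, with an injected resolver and clock so it runs offline."""
from typing import Callable, Dict, Iterable, List, Tuple

class DnsCache:
    def __init__(self, resolver: Callable[[str], str], *, cache_period_days: int = 7,
                 always_resolve: Iterable[str] = (), cache_at_startup: Iterable[str] = (),
                 max_entries: int = 360_000, now: float = 0.0):
        if not 1 <= cache_period_days <= 30:          # DNS Cache Period range from the guide
            raise ValueError("DNS Cache Period must be between 1 and 30 days")
        self._resolver = resolver
        self._ttl = cache_period_days * 86400         # seconds a mapping stays valid
        self._always = tuple(s.lower() for s in always_resolve)   # matched with "ends with"
        self._max = max_entries                       # stands in for Max Memory for DNS Cache
        self._cache: Dict[str, Tuple[str, float]] = {}            # host -> (ip, expires_at)
        self.lookups = 0                              # how many real resolutions were made
        for host in cache_at_startup:                 # Cache at Startup: resolve immediately
            self._refresh(host.lower(), now)

    def _refresh(self, host: str, now: float) -> str:
        self.lookups += 1
        ip = self._resolver(host)
        if host not in self._cache and len(self._cache) >= self._max:
            # assumption: when full, evict the entry that expires soonest
            soonest = min(self._cache, key=lambda h: self._cache[h][1])
            del self._cache[soonest]
        self._cache[host] = (ip, now + self._ttl)
        return ip

    def resolve(self, hostname: str, now: float) -> str:
        host = hostname.lower()
        if self._always and host.endswith(self._always):
            self.lookups += 1                         # Always Resolve: never served from cache
            return self._resolver(host)
        entry = self._cache.get(host)
        if entry and entry[1] > now:
            return entry[0]                           # fresh cached mapping
        return self._refresh(host, now)               # missing or expired: look it up again

# Constructed stand-in for real DNS
FAKE_DNS = {"web01.example.com": "10.0.1.10", "db01.example.com": "10.0.1.20",
            "laptop-7.dhcp.corp": "10.9.0.77"}

def fake_resolver(host: str) -> str:
    return FAKE_DNS.get(host, "0.0.0.0")

def run_sample() -> Tuple[List[str], int]:
    cache = DnsCache(fake_resolver, cache_period_days=1, always_resolve=[".dhcp.corp"],
                     cache_at_startup=["web01.example.com"], now=0.0)
    results = [
        cache.resolve("web01.example.com", now=10),      # served from the startup cache
        cache.resolve("db01.example.com", now=20),       # first sighting: real lookup
        cache.resolve("DB01.example.com", now=30),       # cached (names compared case-insensitively)
        cache.resolve("laptop-7.dhcp.corp", now=40),     # Always Resolve: lookup every time
        cache.resolve("laptop-7.dhcp.corp", now=50),     # looked up again
        cache.resolve("db01.example.com", now=90000),    # one day later: expired, re-resolved
    ]
    return results, cache.lookups

if __name__ == "__main__":
    ips, lookups = run_sample()
    print(ips, "lookups:", lookups)
```

Six resolutions cost five real lookups here: one at startup, one for the first db01 sighting, two for the DHCP host that is always resolved, and one when the db01 mapping expires after the one-day cache period.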

Data Forwarding

See Data Forwarding.

TCP Syslog and Encrypted TCP Syslog

See Receiving Encrypted Syslog.

Correlation

LCE normally requires the port recorded in a vulnerability to match the port given in the normalized event before it correlates the event with that vulnerability. If the option in this section is disabled, LCE ignores that requirement when the vulnerability port is 0, 22, or 445.

TASL and Plugins

See TASL and Plugins.

Event Rules

See Event Rules.

SSH Keys

See SSH Keys.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.