Tools

When LCE is installed, it includes a number of tools and utilities. All tools are installed in the /opt/lce/tools/ directory.

General Tools

The following table lists in alphabetical order each tool and describes its function.

Each entry below gives the tool's name, a description of what it does, and its usage (arguments and options).
archival-manager

Performs tasks relating to archiveDb.

For more information, see Silo Archiving.

--list-snapshots [<siloName>]

--archive <siloName>

--restore <snapshotId> [<into_siloName>]

--remove-active <siloName>

--remove-archived <snapshotId>

--archive--range [--dry-run] <from_date> <to_date>

--restore--range [--dry-run] <from_date> <to_date>

--remove-active--range [--dry-run] <from_date> <to_date>

--remove-archived--range [--dry-run] <from_date> <to_date>

--identify-currsilo

--roll-currsilo-now

Note: Each date must be given in YYYYMmmDD format. A range includes both "to" and "from" dates. Dates refer to tOrigin of contained events.
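The range actions above accept a --dry-run flag, and every date must be in YYYYMmmDD form. The following wrapper is an added example, not part of the LCE tools: it validates both dates against that format, runs the requested range action with --dry-run first, and only runs it for real if the dry run succeeded. The LCE_ARCHIVAL_MANAGER variable is an assumption of this script (it defaults to the documented path); it is not an LCE setting.

```shell
#!/bin/sh
# Added example (not an LCE script): guard a range action of archival-manager
# with a date-format check and a mandatory --dry-run pass.
# LCE_ARCHIVAL_MANAGER is an assumption of this script, used so the tool path
# can be overridden; it defaults to the documented location.

LCE_ARCHIVAL_MANAGER="${LCE_ARCHIVAL_MANAGER:-/opt/lce/tools/archival-manager}"

# is_silo_date DATE -> 0 if DATE is YYYYMmmDD (e.g. 2024Jan05), else 1
is_silo_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9][A-Z][a-z][a-z][0-3][0-9]) ;;
        *) return 1 ;;
    esac
    # The three letters after the year must be a real month abbreviation.
    case "${1#????}" in
        Jan??|Feb??|Mar??|Apr??|May??|Jun??|Jul??|Aug??|Sep??|Oct??|Nov??|Dec??) return 0 ;;
        *) return 1 ;;
    esac
}

# run_range ACTION FROM TO
#   ACTION is one of the four --*--range actions listed in the usage.
#   Runs the dry run first; a failing dry run skips the real run.
run_range() {
    action=$1; from=$2; to=$3
    case "$action" in
        --archive--range|--restore--range|--remove-active--range|--remove-archived--range) ;;
        *) echo "run_range: unknown action '$action'" >&2; return 2 ;;
    esac
    for d in "$from" "$to"; do
        is_silo_date "$d" || {
            echo "run_range: bad date '$d' (expected YYYYMmmDD, e.g. 2024Jan05)" >&2
            return 2
        }
    done
    "$LCE_ARCHIVAL_MANAGER" "$action" --dry-run "$from" "$to" || return 1
    "$LCE_ARCHIVAL_MANAGER" "$action" "$from" "$to"
}

# Command-line use: run_range.sh --archive--range 2024Jan01 2024Jan31
if [ $# -gt 0 ]; then
    run_range "$@"
fi
```

Because a range includes both end dates, the dry run is the place to confirm which silos the action will touch before anything is archived or removed.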

cfg-utils

Used to manipulate LCE Server configuration attributes that do not appear in the web UI. Tenable Support may ask you to perform administrative tasks with this utility.

The most commonly used actions are:

--help

--list-all

--like <case-ignored substring of K>

--describe <K>

--get <K>

--vlike <case-ignored substring of K>

--set-sv <K> <V>

To see the complete list of available actions, run:

cfg-utils --help

For information about configuring site policies related to user activity, see Site Policies.

Tip: You can use cfg-utils to configure certificate-authenticated web UI logins. For more information, see Certificate-Authenticated Web UI Logins.

change-activeDb-location

Changes the root directory of the operational LCE datastore from the default.

<absolute path of new location>

change-tracelogs-location

Changes the root directory of the LCE tracelogs from the default.

<absolute path of new location>

create--make-current--silo

If silo rolling is inoperable, this utility can be used (with all LCE daemons stopped) to switch to a new silo.

<siloNumber> | --take-next

check_fix-file_accessibility

Detects and fixes file accessibility problems like wrong ownership, wrong permissions, and inadvertently set immutable (“i”) extended file attribute.

Normally, invoke with --normal.

--check-only | --normal

ha-manager

Configures, manages, or disables high availability.

For more information about high availability configurations, see High Availability.

--initialize-as-master <standbyIP> <i/f> <virtualIP>

--initialize-as-standby <masterIP> <i/f> <virtualIP>

--copy-SSH-keys-to-peer

--status

--disconnect

--de-configure

For more information, see:

import_logs

Imports a directory of log files or a list of one or more logs on disk into the active database on the LCE server. You must specify whether the logs you are importing are encoded as ASCII (--ASCII) or UTF-8 (--UTF8).

--ASCII | --UTF8

[--now-as-timestamp | --may-guess-timestamps]

[--minimum-timestamp-epoch <N>]

[--maximum-timestamp-epoch <N>]

[--no-eval-event-rules]

<inputFileAbsolutePath>

For more information about import_logs usage, see Import LCE Data Manually.
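import_logs requires you to state the encoding of each input file (--ASCII or --UTF8) and to pass the input as an absolute path. The script below is an added example, not part of LCE: it imports every regular file in a directory, picking the encoding flag per file by checking whether the file contains any byte above 0x7F, and passes any extra options (such as --may-guess-timestamps) through in the position the usage shows. LCE_IMPORT_LOGS is an assumption of this script, used only to make the tool path overridable.

```shell
#!/bin/sh
# Added example (not an LCE script): batch-import a directory through
# import_logs, choosing --ASCII or --UTF8 per file.
# LCE_IMPORT_LOGS is an assumption of this script; it defaults to the
# documented tool path.

LCE_IMPORT_LOGS="${LCE_IMPORT_LOGS:-/opt/lce/tools/import_logs}"

# encoding_flag FILE -> prints --ASCII if every byte is 7-bit, else --UTF8
# Caveat: a file with high bytes is assumed to be UTF-8; this check does not
# validate the UTF-8 sequences themselves.
encoding_flag() {
    # Delete every 7-bit byte (octal 000-177); any byte left is a high byte.
    if [ "$(LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' ')" -gt 0 ]; then
        echo --UTF8
    else
        echo --ASCII
    fi
}

# import_dir DIR [import_logs options...]
#   e.g. import_dir /var/tmp/exported-logs --may-guess-timestamps
#   Argument order follows the documented usage:
#   --ASCII|--UTF8 [options] <inputFileAbsolutePath>
import_dir() {
    dir=$1; shift
    [ -d "$dir" ] || { echo "import_dir: '$dir' is not a directory" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # import_logs wants an absolute path
        case "$f" in /*) abs=$f ;; *) abs="$(pwd)/$f" ;; esac
        flag=$(encoding_flag "$f")
        echo "importing $abs as $flag" >&2
        "$LCE_IMPORT_LOGS" "$flag" "$@" "$abs" || rc=1
    done
    return $rc
}

# Command-line use: import_dir.sh /var/tmp/exported-logs --may-guess-timestamps
if [ $# -gt 0 ]; then
    import_dir "$@"
fi
```

A mixed directory (some ASCII files, some UTF-8) is the case this handles; declaring the wrong encoding for a file is otherwise easy to do when importing many files at once.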

install-PostgreSQL-man-pages

For the description and usage, see install-PostgreSQL-man-pages.

lce_crypto_utils

Used to generate and manipulate SSL credential files in the /opt/lce/credentials/syslog and /opt/lce/credentials/web_UI directories.

--generate-LCE-Server-creds <into_dir> [<CA_dnSpec>] [<endEntity_dnSpec>]

(NB: any prior contents of <into_dir> will be erased!!)

--is-signed-by <endEntity_cert_path>.pem <CA_cert_path>.pem

--is-revoked-per <endEntity_cert_path>.pem <CRL_path>.pem

--save-as-PKCS12 <endEntity_cert_path>.pem <endEntity_privkey>.pem <into_path>.pfx

(Will prompt for password, and again to confirm.)

--print-cert <endEntity_cert_path>.pem

--print-CRL <CRL_path>.pem

--print-privkey <privkey_path>.pem

--print-PKCS12 <PKCS12_path>.pfx

(Will prompt for password.)

A <dnSpec> is: ,-separated list of K=V pairs, all optional save the last; \-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'

Tip: To rotate your web UI credentials using lce_crypto_utils, see Rotate Web UI Credentials.

list-clients

Lists clients. Available since LCE 5.0.3.

# /opt/lce/tools/list-clients


Note: The --brief option produces brief output. The default output is verbose.

list-policies

Lists policies. Available since LCE 5.0.4.

# /opt/lce/tools/list-policies

make_cert

Creates an SSL certificate for LCE Proxy.

# /opt/lce/tools/make_cert

-------------------------------------------------------------------------------
Creation of the LCE Proxy SSL Certificate
-------------------------------------------------------------------------------
This script will now ask you the relevant information to create the SSL
certificate for LCE Proxy. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your
LCE Proxy will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [US]:
Your state or province name [NY]:
Your location (e.g. town) [New York]:
Your organization [LCE Users]:
This host name [-----------]:

Note: The -q (quiet) option prevents the user from being prompted.

msmtp

An SMTP client with a sendmail-compatible interface.

To configure msmtp, update msmtp.conf and provide an SMTP host, username, password, and port.

# msmtp

online-pg-backup

Allows you to take an online backup of the PostgreSQL database that contains LCE events and part of the LCE control state. 

For more information about online-pg-backup, see:

openssl-utils.sh

Used to generate and view self-signed CA certificates in .pem format when troubleshooting issues with Tenable Support.

Note: This tool relies on the external openssl binary, not distributed with LCE but available as part of the OpenSSL RPM.

Tip: This tool is intended for troubleshooting with Tenable Support. Otherwise, use the lce_crypto_utils tool.

--generate-CA-creds <CA_dnSpec> <into_dir> [<certSpec>]

(NB: any prior contents of <into_dir> will be erased!!)

--generate-creds <hostSpec> <dnSpec> <into_dir> <CA_creds_dir> [<certSpec>]

(NB: any prior contents of <into_dir> will be erased!!)

--is-signed-by <cert_path>.pem <CA_cert_path>.pem

--revoke <cert_path>.pem <CA_creds_dir> <CRL_path>.pem

--save-as-PKCS12 <endEntity_cert_path>.pem <endEntity_privkey>.pem <into_path>.pfx

--print-cert <cert_path>.pem

--print-CRL <CRL_path>.pem [<CA_cert_path>.pem]

--print-PKCS12 <PKCS12_path>.pfx

A <hostSpec> is: <host_DNS_name> <host_IP>; IP can be IPv4 or IPv6

A <dnSpec> is: ,-separated list of K=V pairs, all optional save the last; \-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'

A <certSpec> is: <days_to_expiry> --rsa|--dsa <bits>; defaults to: 366 --rsa 1024

optimize-datastore

The PostgreSQL maintenance commands requisite for best query performance have been collected into the /opt/lce/tools/optimize-datastore script. It is suggested that you run this script during off-peak (low-load) hours, triggered by a cron(1) job. The contained commands are resource-intensive, and query performance will be poor while optimize-datastore is being run.

( --only-silo <N> | --all ) [--also-cluster | --also-reindex] [--max-runtime-hours <M>]

port-controlfiles

Allows you to save and restore all of an LCE server installation's control files, including:

  • policies
  • plugins
  • IDS signatures
  • cronjob definitions
  • SSH keys
  • daemon initscripts
  • Text search stopword lists

port-controlfiles can be used to assist in moving an LCE instance from one host to another.

--export

--import <full path of previously exported .tar.gz>

query-plan-explainer

A convenient wrapper around the PostgreSQL EXPLAIN command that makes its output both more concise and more readable.

[--estimate-only] <sqlFile> | "SQL query"

send_syslog

Sends syslog messages to one or more servers.

# /opt/lce/tools/send_syslog (server address 1) [...] [server address N] -message "(message)"

[-port <port num>]

[-priority #]

[-facility <facility>]

[-severity <severity>]
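When send_syslog is used to test a log path (for example, to confirm that a collector is receiving and forwarding events), it helps to know what the receiving side should show. In the syslog format (RFC 3164) the header carries a single PRI number, PRI = facility * 8 + severity, so a message sent as facility local0 and severity info arrives with the header <134>. The block below is an added example, not an LCE script: it encodes facility and severity names into PRI, decodes the PRI of a raw received line back into names, and wraps send_syslog with the documented -message, -facility and -severity options. It assumes send_syslog accepts the standard RFC 3164 facility and severity names for those options; LCE_SEND_SYSLOG is an assumption of this script for overriding the tool path, and 203.0.113.10 is a constructed address.

```shell
#!/bin/sh
# Added example (not an LCE script): syslog PRI encoding/decoding helpers and a
# wrapper around send_syslog. Assumes send_syslog takes the standard RFC 3164
# facility/severity names; LCE_SEND_SYSLOG is an assumption of this script.

facility_code() {
    case "$1" in
        kern) echo 0 ;; user) echo 1 ;; mail) echo 2 ;; daemon) echo 3 ;;
        auth) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
        uucp) echo 8 ;; cron) echo 9 ;; authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;
        *) return 1 ;;
    esac
}

severity_code() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

facility_name() {
    case "$1" in
        0) echo kern ;; 1) echo user ;; 2) echo mail ;; 3) echo daemon ;;
        4) echo auth ;; 5) echo syslog ;; 6) echo lpr ;; 7) echo news ;;
        8) echo uucp ;; 9) echo cron ;; 10) echo authpriv ;; 11) echo ftp ;;
        1[2-5]) echo "facility$1" ;;                 # no standard name in RFC 3164
        1[6-9]|2[0-3]) echo "local$(( $1 - 16 ))" ;;
        *) return 1 ;;
    esac
}

severity_name() {
    case "$1" in
        0) echo emerg ;; 1) echo alert ;; 2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
        *) return 1 ;;
    esac
}

# syslog_pri FACILITY SEVERITY -> PRI number (local0 info -> 134)
syslog_pri() {
    f=$(facility_code "$1") || { echo "syslog_pri: unknown facility '$1'" >&2; return 1; }
    s=$(severity_code "$2") || { echo "syslog_pri: unknown severity '$2'" >&2; return 1; }
    echo $(( f * 8 + s ))
}

# decode_pri RAWLINE -> "facility severity" of a received line such as
# "<134>Jan  5 10:00:00 host app: ..."; fails if there is no <PRI> header
decode_pri() {
    case "$1" in
        "<"[0-9]">"*|"<"[0-9][0-9]">"*|"<"[0-9][0-9][0-9]">"*) ;;
        *) echo "decode_pri: no PRI header" >&2; return 1 ;;
    esac
    pri=${1#"<"}; pri=${pri%%">"*}
    [ "$pri" -le 191 ] || { echo "decode_pri: PRI $pri out of range" >&2; return 1; }
    echo "$(facility_name $(( pri / 8 ))) $(severity_name $(( pri % 8 )))"
}

# send_event SERVER FACILITY SEVERITY MESSAGE
#   Validates the names, reports the PRI the receiver should show, then sends.
send_event() {
    server=$1; fac=$2; sev=$3; msg=$4
    pri=$(syslog_pri "$fac" "$sev") || return 1
    echo "sending to $server; the receiver should log this line with header <$pri>" >&2
    "${LCE_SEND_SYSLOG:-/opt/lce/tools/send_syslog}" "$server" -message "$msg" \
        -facility "$fac" -severity "$sev"
}

# Command-line use: send_event.sh 203.0.113.10 local0 info "lce path test"
if [ $# -gt 0 ]; then
    send_event "$@"
fi
```

decode_pri is the half a defender uses most: given a raw line captured on the receiving server, it tells you which facility and severity the sender actually used, which is the quickest way to see why a message landed in an unexpected file or filter.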

start-all

Starts PostgreSQL daemon and all LCE daemons.

# /opt/lce/tools/start-all

restart-all

Without bar-pg, restarts the LCE daemons and PostgreSQL.

With bar-pg, only restarts the LCE daemons.

# /opt/lce/tools/restart-all [bar-pg]

stop-all

Without bar-pg, stops the LCE daemons and PostgreSQL.

With bar-pg, only stops the LCE daemons.

# /opt/lce/tools/stop-all [bar-pg]

timestamp_formats.txt

Used to identify the timestamp formats that appear for event timestamps in logs imported by import_logs. By default, this file includes a list of date formats.

If you are importing logs with timestamps in formats that are not included in this file, you can append the new formats to the list.

toggle-augmented-event-lookups

LCE Server maintains several special database lookups to improve query performance.  These lookups incur a cost in [a] computing resources to build, and [b] disk space once built.  If your queries involve the database column(s) to which a particular lookup is devoted, the benefit is well worth the cost; if not, disabling that lookup will save disk space.

Note: Use only at direction of Tenable Support.

--add-lookup | --zap-lookup

( rollup_table__ip | rollup_table__port | rollup_table__sensor | rollup_table__user | siloN_tables__event2 | siloN_tables__ip | siloN_tables__sensor | siloN_tables__user )

ts-test

Used to check how a particular log would be tokenized for the purpose of text search indexing and whether a particular text search phrase would match it.

<rawDocument> [<tsQuery_inclStopwords>]

or

<path to file with rawDocument> [<tsQuery_inclStopwords>]

For more information, see ts-test.

validate-PRM-regex

Tests regex matching using exactly the same regex matching package, version, and settings as used by the LCE engine.

<PRM_reg.ex._line> <sample_log>

For more information, see validate-prm-regex.

user-utils

Resets the password for one of the secured accounts used to log in to an LCE Server instance from outside the instance's host, for use when the LCE UI is unavailable or an operator prefers a console interaction.

--list-all

--lock--WebUI-acct <username>

--unlock--WebUI-acct <username>

--set-password--WebUI-acct <username>

--replace--vuln_reporter-acct <username>

Note: --set-password--WebUI-acct sets a temporary password and, if the user account was locked, unlocks the account.

For more information about changing user passwords, see Change a User's Password. For more information about locked user accounts, see Locked User Accounts.

Note: --replace--vuln_reporter-acct removes an existing account and sets a temporary password for the user. For more information about changing user passwords, see Change a User's Password.