Tools

When LCE is installed, it includes a number of tools and utilities. By default, the tools are all installed in the /opt/lce/tools/ directory.

General Tools

The following table lists in alphabetical order each tool and describes its function.

Tool: archival-manager
Description: Script that performs certain tasks relating to archive snapshots, and can also forcibly roll the current silo to start a fresh one.
Usage:
  --list-snapshots [<siloName>]
  --archive <siloName>
  --summarize <snapshotId>
  --restore <snapshotId> [<into_siloName>] [--same-datastore-instance]
  --remove-active <siloName>
  --remove-archived <snapshotId>
  --roll-currsilo-now

Tool: cache-filter-pointers
Description: The /opt/lce/tools/cache-filter-pointers utility can improve the performance of certain drilldown queries; Tenable Support may instruct you to run it on an as-needed basis, or to keep it running with the aid of xinetd(8).
Usage:
  --filter <M> | --silo <N> | --ongoing

Tool: change-activeDb-location
Description: Changes the root directory of the operational LCE datastore from the default, which is /opt/lce/db/.
Usage:
  ./change-activeDb-location <absolute path of new_dbDir>

Tool: change-tracelogs-location
Description: Changes the root directory of the LCE tracelogs from the default, which is /opt/lce/admin/log/.
Usage:
  ./change-tracelogs-location <absolute path of new_tracelogsDir>

Tool: create--make-current--silo
Description: If silo rolling is inoperable, this utility can be used (with all LCE daemons stopped) to switch to a new silo.
Usage:
  <siloNumber> | --take-next

Tool: import_logs
Description: Imports a directory of log files, or a list of one or more log files on disk, into the active database on the LCE server. You must specify whether the logs you are importing are encoded as ASCII (--ASCII) or UTF-8 (--UTF8).
Caution: import_logs accepts only the following arguments.
Usage:
  --ASCII | --UTF8
  [--now-as-timestamp | --may-guess-timestamps]
  [--minimum-timestamp-epoch <N>]
  [--maximum-timestamp-epoch <N>]
  [--no-eval-event-rules]
  <inputFileAbsolutePath>

Tool: install-PostgreSQL-man-pages
Description: The description and usage are documented on a separate page.

Tool: lce_crypto_utils
Description: Used to generate and view self-signed CA certificates in .pem format.
Usage:
  # /opt/lce/tools/lce_crypto_utils
  --generate-LCE-Server-creds <into_dir> [<CA_dnSpec>] [<endEntity_dnSpec>]
    (NB: any prior contents of <into_dir> will be erased!)
  --print-cert <cert_path>.pem
  --print-CRL <CRL_path>.pem
  --is-signed-by <cert_path>.pem <CA_cert_path>.pem
  --is-revoked-per <cert_path>.pem <CRL_path>.pem
  A <dnSpec> is a comma-separated list of K=V pairs, all optional except the last; backslash-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'

Tool: list-clients
Description: Lists clients; available since LCE 5.0.3.
Usage:
  # /opt/lce/tools/list-clients
Note: The --brief option produces brief output. The default output is verbose.

Tool: make_cert
Description: Creates an SSL certificate for LCE Proxy.
Usage:
  # /opt/lce/tools/make_cert

  -------------------------------------------------------------------------------
  Creation of the LCE Proxy SSL Certificate
  -------------------------------------------------------------------------------
  This script will now ask you the relevant information to create the SSL
  certificate for LCE Proxy. Note that this information will *NOT* be sent to
  anybody (everything stays local), but anyone with the ability to connect to your
  LCE Proxy will be able to retrieve this information.

  CA certificate life time in days [1460]:
  Server certificate life time in days [365]:
  Your country (two letter code) [US]:
  Your state or province name [NY]:
  Your location (e.g. town) [New York]:
  Your organization [LCE Users]:
  This host name [-----------]:
Note: The -q (quiet) option prevents the user from being prompted.

Tool: msmtp
Description: An SMTP client with a sendmail-compatible interface. To configure msmtp, update msmtp.conf and provide an SMTP host, username, password, and port.
Usage:
  # msmtp recipient@domain.com
Tool: openssl-utils.sh
Description: Used to generate and view self-signed CA certificates in .pem format.
Usage:
  # /opt/lce/tools/openssl-utils.sh
  --generate-LCE-Server-creds <into_dir> [<CA_dnSpec>] [<endEntity_dnSpec>]
    (NB: any prior contents of <into_dir> will be erased!)
  --print-cert <cert_path>.pem
  --print-CRL <CRL_path>.pem
  --is-signed-by <cert_path>.pem <CA_cert_path>.pem
  --is-revoked-per <cert_path>.pem <CRL_path>.pem
  A <dnSpec> is a comma-separated list of K=V pairs, all optional except the last; backslash-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'
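The <dnSpec> grammar shared by lce_crypto_utils and openssl-utils.sh, worked through as an added example that is not part of LCE or its tools: it parses a spec into attribute pairs, rebuilds one with the required escaping, and rejects specs that lack the mandatory trailing CN. The attribute set (C, ST, L, O, OU, CN) comes from the usage text above; treating any other key as an error is this example's own assumption.

```python
# Added example (not LCE's own code): parse and build the <dnSpec> strings
# accepted by lce_crypto_utils / openssl-utils.sh, per the documented grammar:
# comma-separated K=V pairs, backslash-escaped as needed, CN required and last.
DN_KEYS = ("C", "ST", "L", "O", "OU", "CN")   # assumed: only these keys allowed

def split_escaped(spec, sep=","):
    # Split on `sep` while honouring backslash escapes (\, and \\).
    fields, buf, escaped = [], [], False
    for ch in spec:
        if escaped:             # previous char was a backslash: take literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling backslash at end of dnSpec")
    fields.append("".join(buf))
    return fields

def parse_dn_spec(spec):
    # Ordered (key, value) list; rejects unknown keys and a non-CN last field.
    pairs = []
    for field in split_escaped(spec):
        if "=" not in field:
            raise ValueError("field %r is not of the form K=V" % field)
        key, value = field.split("=", 1)
        key = key.strip()
        if key not in DN_KEYS:
            raise ValueError("unsupported DN attribute %r" % key)
        pairs.append((key, value))
    if pairs[-1][0] != "CN":
        raise ValueError("CN is required and must be the last field")
    return pairs

def build_dn_spec(pairs):
    # Inverse of parse_dn_spec: escape backslashes and commas inside values.
    esc = lambda v: v.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join("%s=%s" % (k, esc(v)) for k, v in pairs)

def is_valid_dn_spec(spec):
    try:
        parse_dn_spec(spec)
        return True
    except ValueError:
        return False
```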

Tool: optimize-datastore
Description: The PostgreSQL maintenance commands required for best query performance have been collected into the /opt/lce/tools/optimize-datastore script. It is suggested that you run this script during off-peak (low-load) hours, preferably every day, perhaps triggered by a cron(1) job. The contained commands are very resource-intensive, and query performance will be poor while optimize-datastore is running.
Usage:
  [--also-cluster]

Tool: plugin_manager.sh
Description: The Log Correlation Engine Disabled Plugins Management Tool is a script that generates a list of plugin libraries containing no plugin that has ever matched an event processed by the system. You are prompted to automatically disable all of the unused plugin libraries. If you decline, the unused PRM files are simply listed for reference.
Usage:
  # /opt/lce/tools/plugin_manager.sh

Tool: query-plan-explainer
Description: A convenient wrapper around the PostgreSQL EXPLAIN command, making its output both more concise and more readable.

Tool: regenerate-lookup-aids
Description: The LCE datastore contains event data proper plus cached summaries of several kinds; the latter are collectively called lookup-aid tables. Unlike event data proper, the integrity of the lookup-aid tables is not guaranteed if the PostgreSQL process terminates abnormally. This trade-off gives the best possible performance during normal operation, but after a cold host reboot or similar event you will need to run /opt/lce/tools/regenerate-lookup-aids; query performance will be poor until this has been done.
Usage:
  --all | --one <siloId>

Tool: send_syslog
Description: Sends syslog messages to one or more servers.
Usage:
  # /opt/lce/tools/send_syslog (server address 1) [...] [server address N] -message "(message)"
  [-port <port num>]
  [-priority #]
  [-facility <facility>]
  [-severity <severity>]

Tool: start-all
Description: Starts the PostgreSQL daemon and all LCE daemons.
Usage:
  # /opt/lce/tools/start-all

Tool: restart-all
Description: Restarts the PostgreSQL daemon and all LCE daemons.
Usage:
  # /opt/lce/tools/restart-all

Tool: stop-all
Description: Stops the PostgreSQL daemon and all LCE daemons.
Usage:
  # /opt/lce/tools/stop-all

Tool: timestamp_formats.txt
Description: Used to identify the timestamp formats that appear as event timestamps in logs imported by import_logs. By default, this file includes a list of date formats. If you are importing logs with timestamps in formats that are not included in this file, you can append the new formats to the list.

Tool: ts-test
Description: Used to check how a particular log would be tokenized for the purpose of text search indexing, and whether a particular text search phrase would match it.
Usage:
  <rawDocument> [<tsQuery_inclStopwords>]
  or
  <path to file with rawDocument> [<tsQuery_inclStopwords>]

Tool: validate-PRM-regex
Description: Checks whether a regex line from a custom .prm definition (a) is legal, and (b) would match a particular log.
Usage:
  <PRM_reg.ex._line> <sample_log>

Troubleshooting and Performance Tuning

See the Shortcuts for Running SQL Commands and Scripts section to easily invoke these SQL scripts.

Tool: pg-helper-sql/locks.sql
Description: Displays which objects the current transactions are waiting to lock.

Tool: planner-estimate-basis.sql
Description: Displays the estimates that PostgreSQL's optimizer has currently collected for the columns of a given table.

Tool: cardinalities.sql <siloTableName>
Description: Computes and shows the actual cardinality of each column in the specified silo table. You can use this information to accurately inform PostgreSQL's optimizer.

Tool: table-access-stats.sql--nonsilo.sql
Description: Tracks the accesses to each table, and the respective access path distribution.

Tool: table-access-stats.sql-silo.sql
Description: Tracks the accesses to each table, and the respective access path distribution.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.