Hardware and Software Requirements
Before deploying Log Correlation Engine, confirm that the prerequisite software and hardware requirements have been met and that you have an operational instance of Tenable Security Center. The hardware requirements depend on the size of your organization and on how you deploy Log Correlation Engine; all deployments share a common set of minimum software requirements.
This section contains the following:
- Software Requirements
- Hardware Requirements
- System Specifications
- Licenses
- File System Recommendations
Software Requirements
All deployments of Log Correlation Engine require the following:
- An active Log Correlation Engine license
- One of the following operating systems:
  - RHEL/CentOS/OEL 6.x, 64-bit
  - RHEL/CentOS/OEL 7.x, 64-bit
  - RHEL/CentOS/OEL 8.x, 64-bit
Additionally, while Log Correlation Engine is active, it requires exclusive access to certain ports. The only services that need to be reachable by remote users are SSH and the Log Correlation Engine interface (lce_wwwd); keeping other listeners off the host both reduces its attack surface and avoids port conflicts. If other services are active on the system, make sure none of them binds the following default ports:
Ports Tenable Log Correlation Engine Receives (Listens) On

Port | Description |
---|---|
162/UDP | SNMP |
514/UDP | Syslog |
22/TCP | SSH, for requests from Tenable Security Center |
601/TCP | Syslog |
1243/TCP | Vulnerability detection, if enabled in Tenable Security Center |
6514/TCP | Encrypted syslog (syslog over TLS) |
8836/TCP | Log Correlation Engine Administrative Web UI |
31300/TCP | Events from Log Correlation Engine Clients |
5432/TCP | PostgreSQL replication from the master node or the standby node in a high availability configuration. For more information, see High Availability. |
7091/TCP | showids commands forwarded from the master node to the standby node in a high availability configuration. For more information, see High Availability. |
VRRP (IP protocol 112, not a TCP/UDP port) | Keepalived virtual IP management in a high availability configuration. For more information, see High Availability. |
Ports Tenable Log Correlation Engine Sends On

Port | Description |
---|---|
514/UDP | Syslog (forwarded) |
443/TCP | HTTPS requests to pull plugin updates from the feed at plugins.nessus.org |
601/TCP | Syslog (forwarded) |
5432/TCP | PostgreSQL replication to the master node or the standby node in a high availability configuration. For more information, see High Availability. |
7091/TCP | showids commands forwarded from the master node to the standby node in a high availability configuration. For more information, see High Availability. |
VRRP (IP protocol 112, not a TCP/UDP port) | Keepalived virtual IP management in a high availability configuration. For more information, see High Availability. |
Ports Log Correlation Engine Uses Over the Loopback Interface

Port | Description |
---|---|
7091/TCP | Internal communication, showids to lce_queryd |
7092/TCP | Internal communication, lce_tasld to lced |
7093/TCP | Internal communication, showids to lce_queryd |
Caution: The system running the Log Correlation Engine can operate a syslog daemon, but the syslog daemon must not be listening on the same port(s) that the Log Correlation Engine server is listening on.
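A practical way to verify the port requirement above before (or after) installing is to compare the host's current listeners against the tables. The script below is an added example, not Tenable's code: it parses the output of `ss -Hlntup` and reports any LCE port that is already bound by a process other than LCE's own daemons. The owner list (lced, lce_wwwd, lce_queryd, sshd, postgres/postmaster) is an assumption about process names, and the sample `ss` output is constructed.

```python
"""Preflight check for Log Correlation Engine port conflicts (added example).

Reads listening sockets from `ss -Hlntup` and flags every LCE default port that
is held by something other than an expected LCE/SSH/PostgreSQL process.
"""
import re
import subprocess

# Default ports from the "Receives (Listens) On" and loopback tables.
# VRRP is IP protocol 112, not a port, so it cannot be checked this way.
LCE_LISTEN_PORTS = {
    ("udp", 162): "SNMP",
    ("udp", 514): "Syslog",
    ("tcp", 22): "SSH (Tenable Security Center requests)",
    ("tcp", 601): "Syslog",
    ("tcp", 1243): "Vulnerability detection",
    ("tcp", 6514): "Encrypted syslog",
    ("tcp", 8836): "LCE Administrative Web UI (lce_wwwd)",
    ("tcp", 31300): "Events from LCE clients",
    ("tcp", 5432): "PostgreSQL replication (HA)",
    ("tcp", 7091): "showids forwarding / lce_queryd",
    ("tcp", 7092): "lce_tasld to lced (loopback)",
    ("tcp", 7093): "showids to lce_queryd (loopback)",
}

# Assumed process names that may legitimately own these ports.
EXPECTED_OWNERS = {"lced", "lce_wwwd", "lce_queryd", "sshd", "postgres", "postmaster"}

# `ss -Hlntup` columns: Netid State Recv-Q Send-Q Local Peer [Process]
SS_LINE = re.compile(
    r"^(?P<netid>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?P<rest>.*)$"
)
PROC_NAME = re.compile(r'\(\("(?P<name>[^"]+)"')


def parse_ss(ss_output):
    """Yield (proto, port, owner) per listening socket. owner is None when ss
    printed no process info (it needs root to attribute other users' sockets)."""
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        port = int(m.group("local").rsplit(":", 1)[1])  # works for 0.0.0.0:514, *:8836, [::]:601
        p = PROC_NAME.search(m.group("rest"))
        yield m.group("netid"), port, (p.group("name") if p else None)


def find_conflicts(ss_output, expected_owners=EXPECTED_OWNERS):
    """Return the LCE ports bound by an unexpected (or unidentified) process."""
    conflicts = []
    for proto, port, owner in parse_ss(ss_output):
        service = LCE_LISTEN_PORTS.get((proto, port))
        if service is None or owner in expected_owners:
            continue
        conflicts.append({
            "proto": proto,
            "port": port,
            "service": service,
            # An unattributed socket is reported rather than silently passed.
            "owner": owner or "unknown (run as root so ss -p can attribute it)",
        })
    return conflicts


def check_live():
    """Run ss on this host and return the conflicts found."""
    out = subprocess.run(["ss", "-Hlntup"], capture_output=True, text=True, check=True).stdout
    return find_conflicts(out)


# Constructed sample: rsyslogd and snmptrapd hold LCE's syslog/SNMP ports, sshd and
# lce_wwwd are fine, 8080 is not an LCE port, and 6514 has no process info.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0           0.0.0.0:514       0.0.0.0:*    users:(("rsyslogd",pid=1234,fd=5))
udp   UNCONN 0      0           0.0.0.0:162       0.0.0.0:*    users:(("snmptrapd",pid=1300,fd=4))
tcp   LISTEN 0      128         0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      128            [::]:601          [::]:*    users:(("rsyslogd",pid=1234,fd=7))
tcp   LISTEN 0      128         0.0.0.0:8836      0.0.0.0:*    users:(("lce_wwwd",pid=2000,fd=9))
tcp   LISTEN 0      128       127.0.0.1:7091      0.0.0.0:*    users:(("lce_queryd",pid=2010,fd=6))
tcp   LISTEN 0      128         0.0.0.0:8080      0.0.0.0:*    users:(("httpd",pid=1500,fd=4))
tcp   LISTEN 0      128         0.0.0.0:6514      0.0.0.0:*
"""

if __name__ == "__main__":
    for c in check_live():
        print(f"CONFLICT {c['proto']}/{c['port']} ({c['service']}) held by {c['owner']}")
```

Run it as root so that `ss -p` can attribute every socket; a socket that cannot be attributed is reported as a conflict to investigate. On the constructed sample the script reports udp/514, udp/162 and tcp/601 (rsyslogd, snmptrapd) plus tcp/6514 with an unknown owner, which is exactly the syslog daemon situation the caution above warns about.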
Hardware Requirements
The hardware requirements for Log Correlation Engine change based on the number of events being processed.
Estimating Events
The following table provides the estimated average number of events from various sources.
Device | Estimated event rate |
---|---|
1 workstation/laptop | 0.5 events/sec |
1 web-facing app server | 20 events/sec |
1 web-facing firewall/IDS/IPS | 75 events/sec |
1 internal application server (low volume) | 5 events/sec |
1 internal application server (high volume: IIS, Exchange, AD) | 20 events/sec |
1 internal network device | 2 events/sec |
To convert your event rate to bytes per day, multiply your total events/second by 250 bytes/event and by 86,400 seconds/day. For example, 1,000 events/second corresponds to 1,000 × 250 × 86,400 ≈ 21.6 GB of log data per day.
The following table specifies the system requirements based on the number of events per second the Log Correlation Engine server is processing.
Installation scenario | RAM | Processor | Hard disk | Hard disk space |
---|---|---|---|---|
One Log Correlation Engine server with PostgreSQL processing fewer than 5,000 events per second | | 8 cores | 10,000 RPM HD, or SSD of equivalent IOPS capability; RAID 0/10 configuration | |
One Log Correlation Engine server with PostgreSQL processing between 5,000 and 20,000 events per second | | 16 cores | 15,000 RPM HD, or SSD of equivalent IOPS capability; RAID 0/10 configuration | |
One Log Correlation Engine server with PostgreSQL processing more than 20,000 events per second | | 24 cores or more | SSD with IOPS capability at least equivalent to a 15,000 RPM HD; RAID 0/10 configuration | |
Note that RAID 0 provides the throughput but no redundancy: a single disk failure loses the entire array, including activeDb. Where the logs must survive hardware failure (for example, because they are relied on for incident investigation), use RAID 10.
The Log Correlation Engine server requires a minimum of 20 GB of storage space to continue running and storing logs. The current system disk space is visible on the Health and Status page of the Log Correlation Engine interface.
To ensure Log Correlation Engine can take full advantage of the host's RAM and CPU resources, Tenable recommends configuring a dedicated swap partition. If the host has N GB of RAM, you will need at least 1.6 x N GB of swap space for best performance.
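The sizing rules in this section (per-device event rates, 250 bytes/event × 86,400 s/day, the events-per-second hardware tiers, the 20 GB floor and the 1.6 × RAM swap recommendation) are easy to get wrong by hand for a mixed estate. The script below is an added example, not Tenable's code, that applies them to a device inventory; it also estimates how many days of retention a given storage size allows, using the 1, 5 and 10 TB sizes from the Licenses section, which is an extrapolation of the page's formula rather than something the page itself computes. The inventory is constructed, and the decimal-terabyte interpretation of the license sizes is an assumption.

```python
"""Sizing estimator for a Log Correlation Engine deployment (added example).

Applies this page's event-rate table, bytes-per-day rule, hardware tiers,
20 GB minimum and 1.6 x RAM swap rule to an inventory of log sources.
"""
BYTES_PER_EVENT = 250
SECONDS_PER_DAY = 86_400
TB = 10 ** 12             # assumption: license sizes are decimal terabytes
MIN_FREE_BYTES = 20 * 10 ** 9   # LCE needs 20 GB free to keep running and storing logs

# Estimated average events/second per device, from the table above.
EVENTS_PER_SEC = {
    "workstation": 0.5,
    "web_app_server": 20,
    "web_firewall_ids_ips": 75,
    "internal_app_server_low": 5,
    "internal_app_server_high": 20,   # IIS, Exchange, AD
    "internal_network_device": 2,
}


def events_per_second(inventory):
    """inventory maps a device type to a count. Unknown types raise rather than
    silently contributing zero, so a typo cannot under-size the deployment."""
    unknown = set(inventory) - set(EVENTS_PER_SEC)
    if unknown:
        raise ValueError(f"unknown device types: {sorted(unknown)}")
    return sum(EVENTS_PER_SEC[kind] * count for kind, count in inventory.items())


def bytes_per_day(eps):
    """events/second -> bytes/day using the 250 bytes/event rule of thumb."""
    return eps * BYTES_PER_EVENT * SECONDS_PER_DAY


def hardware_tier(eps):
    """(cores, disk guidance) from the installation-scenario table."""
    if eps < 5_000:
        return 8, "10,000 RPM HD, or SSD of equivalent IOPS; RAID 0/10"
    if eps <= 20_000:
        return 16, "15,000 RPM HD, or SSD of equivalent IOPS; RAID 0/10"
    return 24, "SSD with IOPS at least equivalent to a 15,000 RPM HD; RAID 0/10"


def swap_gb(ram_gb):
    """Dedicated swap partition size: at least 1.6 x RAM."""
    return 1.6 * ram_gb


def days_until_full(eps, capacity_bytes):
    """Days of retention before the volume is down to the 20 GB LCE must keep free.
    Returns 0.0 when the capacity does not even cover that reserve."""
    usable = capacity_bytes - MIN_FREE_BYTES
    if usable <= 0:
        return 0.0
    return usable / bytes_per_day(eps)


def size(inventory, ram_gb, license_tb):
    """Full sizing summary for one inventory, host RAM and license storage size."""
    eps = events_per_second(inventory)
    cores, disk = hardware_tier(eps)
    return {
        "events_per_sec": eps,
        "gb_per_day": bytes_per_day(eps) / 10 ** 9,
        "cores": cores,
        "disk": disk,
        "swap_gb": swap_gb(ram_gb),
        "days_of_retention": days_until_full(eps, license_tb * TB),
    }


# Constructed inventory for a mid-sized estate: 2,050 events/second in total.
SAMPLE_INVENTORY = {
    "workstation": 2000,
    "web_app_server": 10,
    "web_firewall_ids_ips": 4,
    "internal_app_server_low": 30,
    "internal_app_server_high": 10,
    "internal_network_device": 100,
}

if __name__ == "__main__":
    for tb in (1, 5, 10):
        s = size(SAMPLE_INVENTORY, ram_gb=32, license_tb=tb)
        print(f"{tb} TB: {s['events_per_sec']:.0f} eps, {s['gb_per_day']:.1f} GB/day, "
              f"{s['cores']} cores, swap {s['swap_gb']:.1f} GB, "
              f"~{s['days_of_retention']:.0f} days of retention")
```

For the constructed inventory the estimate is about 44 GB/day, which lands in the 8-core tier but fills a 1 TB volume in roughly three weeks; the retention figure is usually the number that decides the license and disk size, not the CPU tier.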
High Availability Requirements
Tenable strongly recommends using the same system specifications on the master and standby nodes in your high availability configuration, including the following:
- Operating system version, to the patch level
- Layout and size of disk partitions
- File system choice and mount options
- RAM size
- Swap size
For optimal stability and performance, the master and standby nodes should be connected by a fast and reliable network link. For more information about high availability configurations, see High Availability.
File System Recommendations
Placing your activeDb on a networked file system (e.g., NFS) results in inadequate system performance. Tenable recommends that you use EXT3, EXT4, XFS, or ZFS for activeDb and that you pay close attention to the mount options.
Placing your archiveDb on a networked file system does not impact system performance.
If your file system is: | Tenable recommends: | Tenable does not recommend: |
---|---|---|
EXT3, EXT4, XFS | noatime | atime or strictatime or relatime or diratime or no *atime option at all. |
EXT3 | barrier=0 | barrier=1 |
EXT4 | barrier=0 or nobarrier | barrier=1 or barrier |
XFS | nobarrier | barrier |
EXT3, EXT4 | data=writeback | data=journal or data=ordered or no data=* option at all. |
ZFS | atime=off | atime=on or relatime=on or no *atime property at all. |
ZFS | Hardware-dependent | |
ZFS | logbias=throughput | logbias=latency or no logbias at all. |
ZFS | primarycache=metadata | primarycache=all or primarycache=none or no primarycache=* at all. |
ZFS (recordsize) | Hardware-dependent | recordsize=512 or recordsize=1024 or recordsize=2048 or recordsize=4096 |
Be aware that disabling write barriers and ordered journaling (barrier=0, nobarrier, data=writeback) trades crash consistency for throughput: after a power loss or kernel crash, the most recently written log records in activeDb may be lost or the files left inconsistent, which matters if those logs are evidence in an investigation. Apply these options only where the storage layer (battery-backed RAID cache, SSDs with power-loss protection) already guarantees write ordering, and confirm with `findmnt -no FSTYPE,OPTIONS <path>` that the running kernel actually accepted the option, since upstream XFS has removed nobarrier in newer kernels.
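Checking the mount options by eye is error-prone, and the defaults the table warns against (relatime, barriers on, data=ordered) are exactly what a stock RHEL install produces. The script below is an added example, not Tenable's code: it finds the mount holding a given path in `/proc/self/mounts`, audits the options against the table, and separately audits ZFS dataset properties (which live in `zfs get` output rather than mount options). The sample mounts excerpt is constructed, the network file system list is an assumption, and the activeDb path is read from the command line because this page does not state a default.

```python
"""Audit the file system under activeDb against the mount-option table (added example).

Non-ZFS options come from /proc/self/mounts. ZFS tuning is read from dataset
properties, e.g. `zfs get -H -o property,value atime,logbias,primarycache,recordsize <dataset>`.
"""
import sys

NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "glusterfs", "ceph", "9p"}  # assumed list
RECOMMENDED_LOCAL_FS = {"ext3", "ext4", "xfs", "zfs"}
NOT_RECOMMENDED_ZFS_RECORDSIZES = {512, 1024, 2048, 4096}


def parse_mounts(mounts_text):
    """Parse /proc/self/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint = parts[1].replace("\\040", " ")  # /proc escapes spaces as \040
        mounts.append((mountpoint, parts[2], set(parts[3].split(","))))
    return mounts


def find_mount(path, mounts):
    """(mountpoint, fstype, options) of the longest mount point that contains path."""
    best = None
    for mp, fstype, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, opts)
    return best


def audit_mount(fstype, opts):
    """Findings for a mount; an empty list means it matches the table."""
    if fstype in NETWORK_FS or fstype.startswith("fuse"):
        return [f"activeDb is on a networked file system ({fstype}); expect inadequate performance"]
    if fstype not in RECOMMENDED_LOCAL_FS:
        return [f"{fstype} is not one of the recommended file systems (EXT3, EXT4, XFS, ZFS)"]
    if fstype == "zfs":
        return ["ZFS is tuned through dataset properties; run audit_zfs on `zfs get` output"]
    findings = []
    if "noatime" not in opts:
        findings.append("noatime is not set (atime/relatime/strictatime/diratime are not recommended)")
    if not (opts & {"barrier=0", "nobarrier"}):
        findings.append("write barriers are enabled (default); table recommends barrier=0/nobarrier")
    if fstype in ("ext3", "ext4") and "data=writeback" not in opts:
        findings.append("data=writeback is not set (data=ordered is the default, data=journal also not recommended)")
    return findings


def _parse_size(value):
    """Accept '131072' or '128K'/'1M' as recordsize values."""
    value = str(value).strip().upper()
    mult = {"K": 1024, "M": 1024 ** 2}
    if value and value[-1] in mult:
        return int(float(value[:-1]) * mult[value[-1]])
    return int(value)


def audit_zfs(props):
    """props maps property name to value as printed by `zfs get`."""
    findings = []
    if props.get("atime") != "off":
        findings.append("atime is not off")
    if props.get("logbias") != "throughput":
        findings.append("logbias is not throughput")
    if props.get("primarycache") != "metadata":
        findings.append("primarycache is not metadata")
    rs = _parse_size(props.get("recordsize", "0"))
    if rs in NOT_RECOMMENDED_ZFS_RECORDSIZES:
        findings.append(f"recordsize={rs} is in the not-recommended set")
    return findings


def audit_path(path, mounts_text):
    m = find_mount(path, parse_mounts(mounts_text))
    if m is None:
        return [f"no mount found for {path}"]
    return audit_mount(m[1], m[2])


# Constructed /proc/self/mounts excerpt: a stock ext4 root, a tuned XFS volume
# for LCE, and an NFS export for archives.
SAMPLE_MOUNTS = """\
/dev/mapper/rhel-root / ext4 rw,relatime,data=ordered 0 0
/dev/sdb1 /opt/lce xfs rw,noatime,attr2,inode64,nobarrier,noquota 0 0
nas:/export/archive /opt/lce/archive nfs4 rw,relatime,vers=4.1,rsize=1048576 0 0
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/lce"  # assumed path, not a documented default
    with open("/proc/self/mounts") as fh:
        text = fh.read()
    for finding in audit_path(path, text) or ["OK: mount options match the recommendations"]:
        print(finding)
```

In the constructed excerpt the XFS volume under /opt/lce passes, the ext4 root fails all three checks (it is mounted with the defaults), and anything under /opt/lce/archive is flagged as networked. Run the script against the real activeDb path after every reboot or mount change; a silently dropped mount option is the usual reason a previously fast activeDb starts falling behind.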
Licenses
There is no licensed limit to the number of events or IPs that the Log Correlation Engine can be configured to monitor.
There are different licenses available for Log Correlation Engine based on the total amount of storage used by Log Correlation Engine. The licenses are based on 1 TB, 5 TB, and 10 TB storage sizes. A license for Log Correlation Engine is provided as a part of Tenable Security Center Continuous View. There is no difference in the Log Correlation Engine software that is installed, just the maximum storage size that can be used by Log Correlation Engine. Data that exceeds your license limit will be