In the Statistics section the amount of events are displayed by each source of event data. The Tenable Log Correlation Engine source shows the number of internally generated events from the Tenable Log Correlation Engine being administered. The TCP Syslog, and UDP syslog source displays the number of events received on the configured TCP syslog or UDP syslog listening port. Likewise the Clients source is the total amount of event data that all Tenable Log Correlation Engine clients produce. The IDS event source type is the total amount of event data from all IDS sources. The TASL source type is all the event data created by the Tenable Log Correlation Engine TASL scripts.

Health & Status, Statistics

The source data is displayed in Average Events / Second and Average Bytes / Second since the LCE server was last started. The source data also displays the Total Events (today) for the day, and the Total Events (since startup) is the total number of events since the Tenable Log Correlation Engine server was last started.

Runtime statistics pertaining to logging and correlation are collected, including:

  • Logs/bytes per second
  • Number/percentage of logs matched/unmatched
  • Number of events correlating with vulnerabilities
  • Number/percentage of logs from clients, syslog, and IDS
  • Number of TASL alerts generated

This information is logged once per hour and is written both to the application log and to the normalized database under the event name LCE-Server_Statistics (type “lce”).

Example Correlation Statistics Output found in the Tenable Log Correlation Engine admin logs (e.g., /opt/lce/admin/log/2023Jul.log):

An average of 50 logs are being received each second.

A total of 5,778 logs (521,046 bytes) have been received.

2,232 logs have been matched by plugins (38.63%). 3,546 logs did not match (61.37%).

Log source breakdown: 5,774 from clients (99.93%), 2 via syslog (0.07%), 0 from IDS devices (0.00%).

No log events have correlated with vulnerabilities.

2 TASL alerts have been generated.