Web Query Client Policy Configuration Items
The interaction of the Web Query Client with AWS, Salesforce, and GCP is configured by modifying a Web Query Client policy via the Client Policy Builder. The policy is separated into configurable items, represented in the Advanced pane of the Client Policy Builder by XML elements of the same name. Certain parameters are common to all Tenable Log Correlation Engine clients and are generally the parameters listed first in a policy.
The usage and application parameters that follow the common client parameters vary based on the client. In the case of the Web Query Client policy, parameters are provided that allow you to limit the bandwidth the Web Query Client will use, as well as specify the credentials required for connecting to AWS, Salesforce, and GCP.
The following is an example of the contents of a Web Query Client policy file.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<options xmlns:xi="http://www.w3.org/2003/XInclude">
  <log-directory>/opt/lce_webquery/logs</log-directory>
  <debug-level>INFO</debug-level>
  <!--<local-ip-net>192.0.2.0/24</local-ip-net>-->
  <!-- client-debug / -->
  <heartbeat-period>300</heartbeat-period>
  <statistics-period>60</statistics-period>
  <compress-events>1</compress-events>
  <group>
  </group>
  <!-- Group Setup Example
  <group>
    <name>ByteRestrictedGroup</name>
    <usage-limit>
      <type>BYTES</type>
      <value>35M</value>
      <time>MONTH</time>
      <start-day>5</start-day>
    </usage-limit>
    <cloudtrail>
      <name>CloudTrail1</name>
      <active>yes</active>
      <query-interval-seconds>600</query-interval-seconds>
      <region>us-east-1</region>
      <id>AWSId</id>
      <key>MySecretKey</key>
    </cloudtrail>
  </group>
  <group>
    <name>CallRestrictedGroup</name>
    <usage-limit>
      <type>CALLS</type>
      <value>10000</value>
      <time>DAY</time>
    </usage-limit>
    <salesforce>
      <name>Salesforce_1</name>
      <active>no</active>
      <query-interval-seconds>300</query-interval-seconds>
      <username>MyUsername</username>
      <password>MyPassword</password>
      <consumer-key>MyKey</consumer-key>
      <consumer-secret>MySecret</consumer-secret>
    </salesforce>
    <salesforce>
      <name>Salesforce_2</name>
      <active>yes</active>
      <query-interval-seconds>450</query-interval-seconds>
      <username>MyUsername</username>
      <password>MyPassword</password>
      <consumer-key>MyKey</consumer-key>
      <consumer-secret>MySecret</consumer-secret>
    </salesforce>
  </group>
  -->
</options>
```
The following table lists the policy configuration items in the order they appear in the default Web Query Client policy. These parameters are defined when configuring the Web Query Client policy for AWS, Salesforce, and GCP.
| Configuration Item | Description | Example |
|---|---|---|
| log-directory | The path to which the Web Query Client writes its operational logs. | /opt/lce_webquery/logs |
| debug-level | Minimum debugging level that is printed to the log. | INFO |
| local-ip-net | If a host has multiple network connections, specifies which network to use. If not set, or if the CIDR does not match any network, the client uses the first network connection detected. | 192.0.2.0/24 |
| heartbeat-frequency | The number of seconds between each client heartbeat message to the Tenable Log Correlation Engine server. If set to 0, the client does not send heartbeats. | A positive integer, such as 300 |
| statistics-frequency | The number of minutes between each client host performance statistics report (CPU, disk space, and physical memory) to the Tenable Log Correlation Engine server. If set to 0, client statistics are not sent. | A positive integer, such as 60 |
| compress-events | Defines whether to compress events before transmitting them to the Tenable Log Correlation Engine server. If set to 1, provides a marginal bandwidth saving in exchange for a marginal increase in CPU usage. | 0 (off) or 1 (on) |
| Write events to standard output | Whether to write events to standard output (stdout). Any event picked up by the Tenable Log Correlation Engine Splunk Client has its raw log printed to the stdout of the client (by default a terminal session) before the client sends it to the Tenable Log Correlation Engine server for processing. This configuration item is useful for debugging and troubleshooting. | 0 (off) or 1 (on) |
The configuration of the usage-limit items is usually based on the API being queried. The AWS CloudTrail API measures the amount of bandwidth consumed by the queries made to it, whereas the Salesforce API measures the number of calls. Because CloudTrail and Salesforce meter usage differently, groups are generally limited by bytes or by calls according to the API they query. However, the Web Query Client can be configured to support other use cases, such as limiting usage of the Salesforce API by bytes. The usage-limit parameters exist to help control excess bandwidth charges and to respect the call limits imposed by the API vendor.
The following table lists the usage-limit parameters in the order they appear in the Client Policy Builder. These parameters are defined when configuring a Web Query Client policy for AWS, Salesforce, or GCP.
| Configuration Item | Description | Example Value |
|---|---|---|
| name | An alphanumeric name for the connection group. | ByteRestrictedGroup |
| type | Groups can be limited either by BYTES or by CALLS. | BYTES |
| value | The numeric value applied to BYTES or CALLS. Note: a byte value can be written as a number followed by K (kilobyte), M (megabyte), G (gigabyte), or T (terabyte). | 100M |
| time | The period of time over which usage is limited. For example, if a group is limited to 1000 calls and this parameter is set to DAY, usage is limited to 1000 calls every 24 hours. | MONTH, DAY, HOUR, MINUTE |
| start-day | Defines the starting day when the time parameter is set to MONTH. The value can be an integer from 1 to 28. | 14 |
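As an added example (not Tenable's own code), the following Python checker applies the usage-limit rules described above to a policy document before it is deployed: it flags malformed type/value/time combinations, a start-day outside 1 to 28 for MONTH limits, groups whose limit metric does not match how the queried API is metered (a warning only, since the page says mixed configurations are supported), and active connection subsections with empty credential fields. The tag names are those of the page's policy XML; the sample policy is constructed for the example and the severity labels are my own.

```python
import re
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<options>
  <group><name>ByteRestrictedGroup</name>
    <usage-limit><type>BYTES</type><value>35M</value><time>MONTH</time><start-day>5</start-day></usage-limit>
    <cloudtrail><name>CloudTrail1</name><active>yes</active><id>AWSId</id><key>MySecretKey</key></cloudtrail></group>
  <group><name>CallRestrictedGroup</name>
    <usage-limit><type>CALLS</type><value>10000</value><time>DAY</time></usage-limit>
    <salesforce><name>Salesforce_1</name><active>yes</active><username>MyUsername</username><password/></salesforce></group>
</options>"""  # constructed sample, modelled on the page's commented-out group example

VALUE_RE = re.compile(r"^(\d+)([KMGT])?$")      # digits plus optional K/M/G/T suffix (suffix only valid for BYTES)
TIMES = {"MONTH", "DAY", "HOUR", "MINUTE"}
API_METRIC = {"cloudtrail": "BYTES", "salesforce": "CALLS"}   # how each vendor meters usage, per the page
CRED_FIELDS = {"cloudtrail": ("id", "key"), "salesforce": ("username", "password"),
               "gcp": ("json-service-account-key",)}

def text(elem, tag):
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""

def check_policy(xml_text):
    """Return (group, severity, message) findings for every <group> in one policy document."""
    findings = []
    for group in ET.fromstring(xml_text).findall("group"):
        gname = text(group, "name") or "<unnamed>"
        limit = group.find("usage-limit")
        ltype = text(limit, "type") if limit is not None else ""
        if limit is None:
            findings.append((gname, "WARN", "no usage-limit: API usage and cost are unbounded"))
        else:
            raw, period, day = text(limit, "value"), text(limit, "time"), text(limit, "start-day")
            m = VALUE_RE.match(raw)
            if ltype not in ("BYTES", "CALLS") or not m or (ltype == "CALLS" and m.group(2)):
                findings.append((gname, "ERROR", f"bad usage-limit {ltype} {raw!r}"))
            if period not in TIMES:
                findings.append((gname, "ERROR", f"bad time {period!r}"))
            if period == "MONTH" and not (day.isdigit() and 1 <= int(day) <= 28):
                findings.append((gname, "ERROR", f"start-day must be 1..28 for MONTH, got {day!r}"))
        for api, fields in CRED_FIELDS.items():
            for conn in group.findall(api):
                if text(conn, "active") != "yes":
                    continue                      # inactive subsections are never queried
                if limit is not None and API_METRIC.get(api, ltype) != ltype:
                    findings.append((gname, "WARN", f"{api} is metered in {API_METRIC[api]} but group limits {ltype}"))
                missing = [f for f in fields if not text(conn, f)]
                if missing:
                    findings.append((gname, "ERROR", f"active {api} {text(conn, 'name')!r} lacks {missing}"))
    return findings
```

The policy file carries API credentials in clear text, so the checker reports only field names, never their values, and should be run from the same restricted-access location as the policy itself.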
The following table lists the CloudTrail parameters in the order they appear in the Client Policy Builder. These parameters are defined when configuring a Web Query Client policy for AWS.
| Policy Parameter | Description | Example Value |
|---|---|---|
| name | An alphanumeric name for the CloudTrail connection. | AWSgroup |
| active | Defines whether to query the instance. If set to yes, the Web Query Client makes queries using the parameters defined in that CloudTrail subsection. Multiple subsections can be configured as active. | yes |
| query-interval-seconds | The number of seconds between each query to the endpoint. | 300 |
| region | The region defined in the AWS account. | us-east-1 |
| id | An IAM Access Key ID. | IKADIY6VH42HTKTQI4OA |
| key | The IAM Secret Access Key that corresponds to the Access Key ID. | koN/ByNBZB5S7/tOrT3WBrGD9dQjDvT98bU9qpyH |
The following table lists the Salesforce parameters in the order they appear in the Client Policy Builder. These parameters are defined when configuring a Web Query Client policy for Salesforce.
| Policy Parameter | Description | Example Value |
|---|---|---|
| name | An alphanumeric name for the Salesforce connection. | SalesforceGroup |
| active | Defines whether to query the instance. If set to yes, the Web Query Client makes queries using the parameters defined in that Salesforce subsection. One or more subsections in multiple groups can be configured as active. | yes |
| query-interval-seconds | The number of seconds between each query to the endpoint. | 300 |
| username | The username for the Salesforce account being queried. | |
| password | The password that corresponds to the username, with that user's security token appended to the end of the password. | passwordsREvNGuKHvuIhLTrS |
| consumer-key | The Consumer Key for a connected app. | 1MVG7KI2HHAq08RzmvrJMfFaXELNe_Tbg1vJf.xUyRK7f5Hyso2bZrW.TobC9XQ.jqzNVP0ytuD_1XrKKFsku |
| consumer-secret | The Consumer Secret for a connected app. | 8675309731701479235 |
The following table lists the GCP parameters in the order they appear in the Client Policy Builder. These parameters are defined when configuring a Web Query Client policy for GCP.
| Policy Parameter | Description | Example Value |
|---|---|---|
| name | An alphanumeric name for the GCP group. | GCP |
| active | Defines whether to query the instance. If set to yes, the Web Query Client makes queries using the parameters defined in that GCP subsection. One or more subsections in multiple groups can be configured as active. | yes |
| query-interval-seconds | The number of seconds between each query to the endpoint. | 300 |
| json-service-account-key | The service account key for a GCP user. | The contents of a .json file downloaded from GCP. |
| Subscription | The subscription name for the Google Pub/Sub service topic. | projects/example-project080116/subscriptions/logging-feed-topic |