Tenable Log Correlation Engine Windows Client Features
The Tenable Log Correlation Engine Windows Client is used to monitor events from many different channels on supported Windows platforms, including logs created by applications, and any Windows event logs. Additionally, the client can be configured to monitor text and binary files on a host, report on MD5 hash changes, monitor unknown processes, and scan for malware. Remote hosts can also be monitored.
Event and Text File Monitoring
Whenever a new event appears in a monitored Windows event log, the event is transmitted to the Tenable Log Correlation Engine server for normalization. In the case of monitored text files, each new line is transmitted. After the Tenable Log Correlation Engine server normalizes the event data, the data can be visualized using Tenable Security Center. The Tenable Log Correlation Engine Windows Client can process files of all common encoding types, including UTF-8 and UTF-16.
Binary File and Unknown Process Monitoring
When a binary or executable file is monitored, if the MD5 checksum of the file changes, the old and new MD5 hashes are transmitted to the Tenable Log Correlation Engine server as an event. When unknown processes are monitored, you can configure the Tenable Log Correlation Engine Windows Client to report all unknown processes that are detected every time the client is restarted, or to report only newly-identified unknown processes.
Malware Scan
When the Tenable Log Correlation Engine Windows Client is configured to scan for malware, it will check the MD5 checksums of all running processes, as well as any binary file that the Tenable Log Correlation Engine Windows Client is monitoring, and compare the checksums to the Tenable database of known malware. Any processes or files that are identified as malware will be reported to the Tenable Log Correlation Engine server as events. When malware scanning is enabled, the Tenable Log Correlation Engine Windows Client will use DNS queries to compare the MD5 checksums.