Import Log Correlation Engine Data Manually

Log Correlation Engine data can be collected both via real-time logging and manually in batch mode using the import_logs tool. These events will show up in the normalized event view along with events collected in real-time. This command-line tool allows data to be imported into the Log Correlation Engine that may not be available in real-time, but is still important for correlation of vulnerability data and for analysis of security posture and events.

Log files must be in ASCII or UTF-8 format, not binary, and each log entry must be delimited by a single newline.

Note: Event silos in the Log Correlation Engine activeDb may not overlap in the time spans of the events they contain.

Usage:

  # /opt/lce/tools/import_logs --ASCII | --UTF8
        [--now-as-timestamp | --may-guess-timestamps]
        [--minimum-timestamp-epoch <N>]
        [--maximum-timestamp-epoch <N>]
        [--no-eval-event-rules]
        <inputFileAbsolutePath>

The following table describes the options available for import_logs:

Option                   Description
--no-eval-event-rules    Do not apply Log Correlation Engine event rules to imported logs.
--may-guess-timestamps   If no timestamp can be determined for an event, assign the most recent known timestamp.
--now-as-timestamp       Use the current system time for all imported logs rather than the timestamps contained within the event text.
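The following shell script is an added example, not part of Tenable's documentation or the import_logs tool itself. It pre-flights a log file against the requirements stated above (text rather than binary, ASCII or UTF-8, newline-terminated, given as an absolute path), picks the matching --ASCII or --UTF8 flag, and assembles the import_logs command line without running it. The only value taken from this page is the tool path /opt/lce/tools/import_logs; the function names, exit codes and the sample syslog lines are constructed for the example, and the meaning of --minimum-timestamp-epoch / --maximum-timestamp-epoch (bounding the timestamps accepted for imported events) is inferred from the option names rather than stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for a log file before handing it to
# import_logs, plus construction of the command line. Only IMPORT_LOGS is
# taken from the documentation; everything else here is an assumption.

IMPORT_LOGS=/opt/lce/tools/import_logs

# 0 if the file contains no NUL byte (a cheap "not binary" test).
has_no_nul() {
    ! od -An -v -tx1 "$1" | tr ' ' '\n' | grep -qx '00'
}

# 0 if every byte is 7-bit, i.e. the file is plain ASCII.
is_pure_ascii() {
    ! od -An -v -tx1 "$1" | tr ' ' '\n' | grep -q '^[89a-f]'
}

# 0 if the file decodes as UTF-8 (ASCII is a subset, so ASCII files pass too).
# Falls back to a warning when iconv is not installed.
is_valid_utf8() {
    if command -v iconv >/dev/null 2>&1; then
        iconv -f UTF-8 -t UTF-8 "$1" >/dev/null 2>&1
    else
        echo "iconv not found; skipping UTF-8 validation of $1" >&2
    fi
}

# 0 if the last byte is a newline, i.e. the final event is terminated.
ends_with_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Run all content checks and print the encoding flag import_logs should get.
# Exit status: 0 ok, 2 binary content, 3 invalid UTF-8, 4 unterminated last line.
check_log_file() {
    f=$1
    has_no_nul "$f"        || { echo "binary content (NUL byte) in $f" >&2; return 2; }
    is_valid_utf8 "$f"     || { echo "not valid UTF-8: $f" >&2; return 3; }
    ends_with_newline "$f" || { echo "last event not newline-terminated: $f" >&2; return 4; }
    if is_pure_ascii "$f"; then echo --ASCII; else echo --UTF8; fi
}

# Build (but do not execute) the import_logs command line. min/max are epoch
# seconds; the tool requires an absolute input path, so relative paths are
# rejected with status 5.
build_import_cmd() {
    f=$1; min_epoch=$2; max_epoch=$3
    case $f in
        /*) ;;
        *) echo "import_logs requires an absolute path, got: $f" >&2; return 5 ;;
    esac
    flag=$(check_log_file "$f") || return $?
    printf '%s %s --may-guess-timestamps --minimum-timestamp-epoch %s --maximum-timestamp-epoch %s %s\n' \
        "$IMPORT_LOGS" "$flag" "$min_epoch" "$max_epoch" "$f"
}

# Demo on a constructed syslog file covering the last 24 hours.
demo_dir=$(mktemp -d)
printf 'Jan  5 10:00:01 host sshd[123]: Accepted publickey for alice from 192.0.2.10\n' > "$demo_dir/auth.log"
now=$(date +%s)
build_import_cmd "$demo_dir/auth.log" $((now - 86400)) "$now"
rm -rf "$demo_dir"
```

The script only prints the command so it can be reviewed before anything is written into the activeDb; to actually import, run the printed line (or replace the final printf with an exec) on the LCE host.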