Components of the Log Correlation Engine
The Log Correlation Engine (Log Correlation Engine) has three main components:
The Log Correlation Engine server
The Log Correlation Engine server is a set of cooperating daemons for Red Hat Enterprise Linux (RHEL) or CentOS Linux or Oracle Enterprise Linux (OEL) that collects data from the Log Correlation Engine clients, and then normalizes that data. The normalized data is then analyzed using Tenable.sc. Tenable.sc makes both the raw and normalized event data available to the user for event analysis and mitigation. Depending on the scale and requirements of your organization, you may utilize multiple Log Correlation Engine server instances to collect and normalize data.
The Log Correlation Engine interface
Each Log Correlation Engine server provides a web-based application interface, referred to throughout this documentation as the Log Correlation Engine interface. Using the Log Correlation Engine interface, you can monitor the health and status of the Log Correlation Engine server and clients, configure the Log Correlation Engine server, manage clients, create and assign policies, and manage users.
Log Correlation Engine clients
Log Correlation Engine clients are installed on hosts to monitor and collect events. The event data is then communicated to the Log Correlation Engine server. Events are both stored as raw logs and normalized and correlated with vulnerabilities (if applicable).
Log Correlation Engine users work with log data from a wide variety of sources. Each organization can make queries to one or more Log Correlation Engine servers that process events from devices including firewalls, servers, routers, honeypots, mobile device managers, applications, and many other sources. Log Correlation Engine can collect event data from many sources, including:
Windows Event Logs (collected locally or remotely via a WMI client)
Windows, Linux, and Unix system and application logs
Check Point OPSEC events
Cisco RDEP events
Cisco SDEE events
Sniffed TCP and UDP network traffic (Tenable Network Monitor)
Sniffed syslog messages in motion
- Encrypted syslog
File monitoring for the following operating systems:
- Tenable Core
- OS X
- Amazon Web Services, via CloudTrail
- Google Cloud Platform
Intrusion Detection and Prevention Systems
Log Correlation Engine has many signature processing libraries to parse logs and can normalize and correlate most network intrusion detection (IDS) and intrusion protection systems (IPS), as well as messages from Tenable.sc.
Log Correlation Engine supports event collection and vulnerability correlation for the following systems:
IBM Proventia (SNMP)
Juniper NetScreen IDP
Fortinet IDS events
- Snort (and Snort-based products)
syslogevent format must be modified to use a comma delimiter rather than a tab delimiter before it can be processed by the LCE.
Log Correlation Engine supports only event collection for the following systems:
- Check Point (Network Flight Recorder)
- Toplayer IPS
There are thousands of normalization rules that support most operating systems, firewalls, network routers, intrusion detection systems, honeypots, and other network devices. The list of officially supported log sources is frequently updated on the Tenable website.