Components of the Tenable Log Correlation Engine

The Tenable Log Correlation Engine (Log Correlation Engine) has three main components:

  • The Log Correlation Engine server

    The Log Correlation Engine server is a set of cooperating daemons for Red Hat Enterprise Linux (RHEL) or CentOS Linux or Oracle Enterprise Linux (OEL) that collects data from the Log Correlation Engine clients, and then normalizes that data. The normalized data is then analyzed using Tenable Security Center. Tenable Security Center makes both the raw and normalized event data available to the user for event analysis and mitigation. Depending on the scale and requirements of your organization, you may utilize multiple Log Correlation Engine server instances to collect and normalize data.

  • The Log Correlation Engine interface

    Each Log Correlation Engine server provides a web-based application interface, referred to throughout this documentation as the Log Correlation Engine interface. Using the Log Correlation Engine interface, you can monitor the health and status of the Log Correlation Engine server and clients, configure the Log Correlation Engine server, manage clients, create and assign policies, and manage users.

  • Log Correlation Engine clients

    Log Correlation Engine clients are installed on hosts to monitor and collect events. The event data is then communicated to the Log Correlation Engine server. Events are both stored as raw logs and normalized and correlated with vulnerabilities (if applicable).

Log Correlation Engine users work with log data from a wide variety of sources. Each organization can make queries to one or more Log Correlation Engine servers that process events from devices including firewalls, servers, routers, honeypots, mobile device managers, applications, and many other sources. Log Correlation Engine can collect event data from many sources, including:

  • Windows Event Logs (collected locally or remotely via a WMI client)

  • Windows, Linux, and Unix system and application logs

  • Check Point OPSEC events

  • Cisco RDEP events

  • Cisco SDEE events

  • NetFlow

  • Splunk

  • Sniffed TCP and UDP network traffic (Tenable Network Monitor)

  • Sniffed syslog messages in motion

  • Encrypted syslog
  • File monitoring for the following operating systems:

    • RHEL
    • Tenable Core
    • FreeBSD
    • Debian
    • OS X
    • AIX
    • Solaris
    • HP-UX
    • Dragon
    • Fedora
    • Ubuntu
    • SuSE
    • Windows
  • Salesforce
  • Amazon Web Services, via CloudTrail
  • Google Cloud Platform

Intrusion Detection and Prevention Systems

Log Correlation Engine has many signature processing libraries to parse logs and can normalize and correlate most network intrusion detection (IDS) and intrusion protection systems (IPS), as well as messages from Tenable Security Center.

Log Correlation Engine supports event collection and vulnerability correlation for the following systems:

  • Bro

  • Cisco IDS

  • Enterasys Dragon

  • IBM Proventia (SNMP)

  • Juniper NetScreen IDP

  • McAfee IntruShield

  • Fortinet IDS events

  • Snort (and Snort-based products)
  • HP TippingPoint

  • Note: TippingPoint's syslog event format must be modified to use a comma delimiter rather than a tab delimiter before it can be processed by Tenable Log Correlation Engine.

Log Correlation Engine supports only event collection for the following systems:

  • AirMagnet
  • Check Point (Network Flight Recorder)
  • Portaledge
  • Toplayer IPS

There are thousands of normalization rules that support most operating systems, firewalls, network routers, intrusion detection systems, honeypots, and other network devices. The list of officially supported log sources is frequently updated on the Tenable website.