Files and Layout

Log Correlation Engine resides in the /opt/lce directory, which contains various subdirectories. The contents of each subdirectory are summarized in the table below.

Directory

Description

admin/log

This directory contains all of the Log Correlation Engine tracelog files. Tracelogs with expected higher volume are broken up into monthly files, with names in YYYYMon.log format (e.g. 2019Jan.log). Tracelog files for some Log Correlation Engine components are stored in eponymous subdirectories.

Note: Directory /opt/lce/admin/log is the default location of Log Correlation Engine tracelogs. Use change-tracelogs-location to change the tracelogs directory location. For more information, see change-tracelogs-location.

credentials

This directory contains certificates and keys for Log Correlation Engine modules to authenticate remote connections. For example, the syslog sub-directory contains the default keys and certs to authenticate encrypted TCP syslog senders.

daemons

This directory contains the lced binary (the log engine) and all other helper daemons in Log Correlation Engine. The Log Correlation Engine Client Manager is also located here. The daemons directory also contains sub-directories for plugins, policies, and other items updated automatically via the Log Correlation Engine plugin feed.

When Log Correlation Engine starts, it will load all files in the plugins sub-directory unless they are disabled via the configuration.

Tip: To verify which version of Log Correlation Engine you are running, run the following command:

lced -v

db

Log Correlation Engine stores all event data in the db directory.

Note: Directory /opt/lce/db is the default location of Log Correlation Engine activeDb. Use change-activeDb-location to change the activeDb directory location. For more information, see change-activeDb-location.

docs

This directory contains the Log Correlation Engine Software License Agreement.

ids

IDS signature mappings and host vulnerability information from Tenable Security Center are stored here for correlation.

postgresql

Bundled with Log Correlation Engine. For more information, see Location of PostgreSQL Files in a Log Correlation Engine Installation.

reporter

This directory and its sub-directories contain certs and keys for the Nessus Transport Protocol interface for Tenable Security Center to retrieve report information.

reports

This directory contains host vulnerability information Log Correlation Engine has discovered by scanning logs.

tmp

This directory holds temporary data used by Log Correlation Engine.

tools

This directory contains various tools used by Tenable Log Correlation Engine; some can also be run from the command line if required.

var

The www directory contains the web client and web server information. The users subdirectory contains a directory for each user configured in the Log Correlation Engine interface.
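The credentials and reporter directories above hold key material, so their file modes are worth checking after an install or upgrade. The function below is an added example, not a Tenable tool or part of the product: it reports world-writable entries and world-readable private keys under those two directories. It assumes private keys are PEM files with a "PRIVATE KEY" header line; the function name and output labels are made up for this example.

```shell
#!/bin/sh
# Added example: permission audit for key material in an LCE install tree.
# Assumption: private keys are PEM-encoded (a "-----BEGIN ... PRIVATE KEY-----" line).

# audit_lce_keys [ROOT]
#   ROOT defaults to /opt/lce. Prints one finding per line:
#     WORLD-WRITABLE <path>       any file or directory other users can modify
#     WORLD-READABLE-KEY <path>   a private key other users can read
#   No output means no findings.
audit_lce_keys() {
    root=${1:-/opt/lce}
    for sub in credentials reporter; do
        dir="$root/$sub"
        [ -d "$dir" ] || continue

        # A world-writable cert, key or directory lets any local account
        # replace what remote peers are authenticated against.
        find "$dir" \( -type f -o -type d \) -perm -002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;

        # Certificates are public, so only files that actually contain a
        # private key are reported when readable by "other".
        find "$dir" -type f -perm -004 \
            -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + |
            sed 's/^/WORLD-READABLE-KEY /'
    done
}

# Usage (run as a user that can read the tree):
#   audit_lce_keys /opt/lce
```

Group permissions are not flagged because the page does not say which account or group the daemons run as.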