Alerts

The Alerts section is a simple way to see when a condition on the Tenable Log Correlation Engine server requires attention from the Tenable Log Correlation Engine administrator. It includes informational alerts, such as when a new Tenable Log Correlation Engine client requests authorization to send events to Tenable Log Correlation Engine. It also includes warnings, such as login failures to the Tenable Log Correlation Engine interface, or license expiration warnings. Finally, it includes error conditions that could prevent Tenable Log Correlation Engine from working properly.

Alert Occasions

For every alert created, the Tenable Log Correlation Engine server stores a corresponding occasion code, such as cannot_DNS_resolve, client__too_long_inactive, license_expired, or silo_archival_error. These codes summarize recent Tenable Log Correlation Engine activity, with the help of the following scripts under /opt/lce/tools/pg-helper-sql:

File                        Description
recent-alerts-24hours.sql   Shows alert counts by occasion grouped by hour for the past 24 hours. Hours without alerts are omitted, and alert occasions with zero occurrences are omitted.
alerts-by-day.sql           Shows alert counts by occasion grouped by day for the past 14 days. Days without alerts are shown, and occasions with zero occurrences are shown. This script can be used for comparing the behavior of multiple Tenable Log Correlation Engine instances monitoring the same Tenable Log Correlation Engine instance over successive weeks.
alerts-by-month.sql         Shows alert counts by occasion grouped by month for the past 12 months.

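As an added illustration (these are not the scripts shipped in /opt/lce/tools/pg-helper-sql and not Tenable's code), the two PostgreSQL queries below show the difference between the report that omits hours and occasions with no alerts and the report that keeps every day and every occasion with an explicit zero count. The table name lce_alerts and its columns occasion and created_at are assumptions made for the example; the actual Tenable Log Correlation Engine schema may differ.

```sql
-- Added example, not one of the pg-helper-sql scripts.
-- Assumed (hypothetical) table: lce_alerts(occasion text, created_at timestamptz).

-- Variant 1, in the spirit of recent-alerts-24hours.sql:
-- only hour/occasion pairs that actually occurred appear, so a quiet hour
-- or an occasion that stopped firing is simply absent from the output.
SELECT date_trunc('hour', created_at) AS hour,
       occasion,
       count(*)                        AS alert_count
FROM   lce_alerts
WHERE  created_at >= now() - interval '24 hours'
GROUP  BY 1, 2
ORDER  BY 1, 2;

-- Variant 2, in the spirit of alerts-by-day.sql:
-- build the full grid of the past 14 days x every occasion seen in that
-- window, then LEFT JOIN the alerts so missing combinations show as 0.
-- A zero row is what makes "this occasion went silent" visible when
-- comparing instances or successive weeks.
WITH days AS (
    SELECT generate_series(date_trunc('day', now()) - interval '13 days',
                           date_trunc('day', now()),
                           interval '1 day')::date AS day
),
occasions AS (
    SELECT DISTINCT occasion
    FROM   lce_alerts
    WHERE  created_at >= date_trunc('day', now()) - interval '13 days'
)
SELECT d.day,
       o.occasion,
       count(a.occasion) AS alert_count      -- count of non-NULL rows, so 0 when none
FROM   days d
CROSS  JOIN occasions o
LEFT   JOIN lce_alerts a
       ON  a.occasion    = o.occasion
       AND a.created_at >= d.day
       AND a.created_at <  d.day + interval '1 day'
GROUP  BY d.day, o.occasion
ORDER  BY d.day, o.occasion;
```

Run either query with psql against the Tenable Log Correlation Engine database after adjusting the table and column names to the real schema. The second form is the one to use when the absence of an alert is itself the signal, for example a license_expired occasion that appears on one instance and not on its peer.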
Example alerts-by-day.sql output: