Get Started with the LCE Splunk Client

This document describes the LCE Splunk Client version 4.6 that is available for Tenable Network Security’s Log Correlation Engine (LCE).

A working knowledge of Splunk, Tenable.sc, and LCE operation and architecture is assumed. Familiarity with general log formats from various operating systems, network devices, and applications, as well as a basic understanding of Linux/Unix, is also assumed.

Overview

LCE unifies vulnerability collection and event analysis data through Tenable.sc, which provides easy-to-use dashboards to display multiple data points in a centralized view. Organizations that choose to send Splunk logs to the LCE have a unique advantage in that Splunk data is normalized by LCE and can be included for automatic anomaly detection, discovering assets, and additional vulnerability information including botnet and malware detection.

The LCE Splunk Client forwards data that Splunk collects to the LCE server. Once the data reaches the LCE server, the data is reviewed and normalized so it can be queried in Tenable.sc. The scope of this client can vary depending on what data is being forwarded from Splunk to the LCE Splunk Client.

Caution: The LCE Splunk Client can process a maximum of 500 logs per second. Processing more than 500 logs per second can result in a loss of data. This is an absolute limit and cannot be increased by improving the system hardware.