Windows Client Policy Configuration Items

The following table lists the configuration items that are valid for the Log Correlation Engine Windows Client policy, and provides a brief description of each item. These configuration items appear in the Client Policy Builder when you create or modify a policy for the Log Correlation Engine Windows Client.

Each entry below gives the configuration item, its description (with an XML example), and its valid values.

event-log

The name of a Windows event log to monitor. Each event that appears in an event log monitored by the Log Correlation Engine Windows Client is sent to the Log Correlation Engine server individually. You can specify one or more event logs to monitor.

XML Examples:

<event-log>Microsoft-Windows-Diagnostics-Performance/Operational</event-log>
<event-log>all</event-log>

Tip: To locate event providers that you want to include in your policy, use the Windows Event Viewer.

Valid values: The name of the Windows event log (for example, Application) that you want to monitor, or the value all. If you specify all, events from the Applications and Services logs are monitored in addition to the Windows logs.

Events to ignore

A provider name that you want the Log Correlation Engine Windows Client to ignore. Additionally, if you do not want to ignore all events from a log provider, you can add specific event IDs for that provider.

XML Example:

<event-log-filter>
    <ignore>
        <provider-name>Microsoft-Windows-Windows Defender</provider-name>
    </ignore>
    <ignore>
        <provider-name>Microsoft-Windows-TaskScheduler</provider-name>
        <event-id>318</event-id>
    </ignore>
    <ignore>
        <provider-name>Microsoft-Windows-WindowsUpdateClient</provider-name>
        <event-id>41</event-id>
        <event-id>40</event-id>
        <event-id>26</event-id>
    </ignore>
</event-log-filter>

Tip: To locate event providers that you want the Log Correlation Engine Windows Client to ignore, use the Windows Event Viewer.

Valid values: The provider name must be a valid log provider. The event ID must be an integer; it cannot include letters or symbols.

Monitor text files

The full path and file name of a text file to monitor. Each new line is sent to Log Correlation Engine as a new log.

If you want to monitor multiple text files in the same folder, you can specify the following parameters to refine which text files are monitored by the client:

  • Location: The full path of the folder that contains the text files you want to monitor. Each new line in each file is sent to Log Correlation Engine as a new log.
  • Include: Files in the folder specified for Location are monitored only if they match the Include pattern. Wildcards are allowed.
  • Exclude: Files in the folder specified for Location are NOT monitored if they match the Exclude pattern. Wildcards are allowed.
  • Maximum file size: Files in the folder specified for Location are deleted once they reach the size specified in this key (in bytes). An optional letter can be appended to change the multiplier (K for kilobytes, M for megabytes, or G for gigabytes). This option was added specifically for Exchange log files, which can grow unbounded.

    Caution: If you specify a maximum file size, the Tenable Log Correlation Engine Windows Client will attempt to delete files in the folder specified for Location when they exceed the maximum file size. Do not use this option if you want to retain the files.

XML Examples:

<flat-file>C:\\Windows\\WindowsUpdate.log</flat-file>

<flat-file>
    <location>C:\\Windows\\</location>
    <include>*.log</include>
    <exclude>iis7.log</exclude>
    <delete-on-size-bytes>4096K</delete-on-size-bytes>
</flat-file>

Valid values: Any fully qualified path and file name, including the file extension. It is best practice to escape folder separators with a backslash. For example, C:\\Windows.

Monitor binary files

The full path and file name of a non-text file to monitor. If the file changes, the old and new SHA256 checksums are sent as an event to the Log Correlation Engine server. The maximum number of files that can be specified is 63.

If you are monitoring multiple files in the same folder, monitor the folder itself instead. You can then specify optional parameters to refine which files in that folder are monitored by the client:

  • Location: The full path of the folder that contains the files you want to monitor.
  • Include: Files in the folder specified for Location are monitored only if they match the Include pattern. Wildcards are allowed.
  • Exclude: Files in the folder specified for Location are NOT monitored if they match the Exclude pattern. Wildcards are allowed.

If you want to include or exclude directories within the same folder, you can specify optional parameters to refine which files are monitored by the client:

  • Include-dir: Included directory path for monitoring files. Wildcards are allowed.
  • Exclude-dir: Excluded directory path for monitoring files. Wildcards are allowed.

XML Examples:

<monitor-file>C:\\Windows\\notepad.exe</monitor-file>

<monitor-file>
    <location>C:\\Windows\\</location>
    <include>*.exe</include>
    <exclude>explorer.exe</exclude>
    <include-dir>C:\\Windows\\System32\\</include-dir>
    <exclude-dir>C:\\Windows\\debug\\</exclude-dir>
</monitor-file>

Valid values: Any absolute path and file name, including the file extension. It is best practice to escape folder separators with a backslash. For example, C:\\Windows.

monitor-subdirectories

Whether to also monitor files in subdirectories of the folder specified as the Location for Monitor binary files, if those files match the specified pattern.

If set to 1, monitoring an extensive folder structure (such as C:\\Windows) with no include or exclude filters may impact performance.

XML Example:

<monitor-subdirectories>1</monitor-subdirectories>

Valid values: 0 (off) or 1 (on)

Monitor wait seconds

The number of seconds to wait before monitoring files. The default is 5 seconds.

XML Example:

<monitor-wait-seconds>10</monitor-wait-seconds>

Valid values: An integer greater than 0.

Tail subdirectories

Whether to also monitor files in subdirectories of the folder specified as the Location for Monitor text files, if those files match the specified pattern.

If set to 1, monitoring an extensive folder structure (such as C:\\Windows) with no include or exclude filters may impact performance.

XML Example:

<tail-subdirectories>1</tail-subdirectories>

Valid values: 0 (off) or 1 (on)

Seconds between scans of logs and text files

The number of seconds between scanning logs monitored by the Log Correlation Engine Windows Client.

XML Example:

<interval-log-seconds>30</interval-log-seconds>

Valid values: An integer greater than 0.

monitor-wait-seconds

Caution: This option is not available for the Log Correlation Engine Windows Client versions 4.4 and later.

Valid values: none.

Send new events only

Whether to send only new events. If set to 0, all data in all monitored logs is re-sent to the Log Correlation Engine server every time the client is restarted or the policy changes.

XML Example:

<send-new-events-only>1</send-new-events-only>

Valid values: 0 (off) or 1 (on)

Monitor config

Caution: This option is not available for the Log Correlation Engine Windows Client versions 4.4 and later.

Valid values: none.

Report unknown processes

If enabled, the Log Correlation Engine Windows Client sends an LCE_Client_Detected_Unknown_Process event for each unknown process on the monitored host. This event is sent once for each unknown process detected.

XML Example:

<report-unknown-processes>2</report-unknown-processes>

Valid values: 0 (off), 1, or 2

  • 1: A list of LCE_Client_Detected_Unknown_Process events is sent only once; after that, only newly encountered unknown DLLs and EXEs are reported.
  • 2: The list of reported unknown processes is cleared every time the client is restarted or a new policy is received. All existing unknown DLLs and EXEs are sent to the Tenable Log Correlation Engine server again.

Remote host to monitor

Specifies a remote host to monitor, using the following parameters:

  • IP address: The IP address of the host that you want to monitor.
  • Namespace: The namespace of the WMI classes being monitored, usually root\cimv2.
  • Domain: The domain of the remote host to monitor.
  • Username: The user name of the account on the remote machine that should be used for monitoring.
  • Password: The corresponding password for the specified user name.
  • File paths to monitor: One or more fully qualified paths, with file name and extension, that you want to monitor on the remote host.

XML Example:

<Host>
    <ip>192.0.2.10</ip>
    <namespace>root\cimv2</namespace>
    <domain>?</domain>
    <username>corpnetAdmin</username>
    <password>argus$12</password>
    <logfilename>C:\\Windows\\WindowsUpdate.log</logfilename>
</Host>

Valid values: All parameters require values.

Info

Enable or disable info-level logging in lce_client.log (the Log Correlation Engine client debugging log).

XML Example:

<info>0</info>

Valid values: 0 (off) or 1 (on)

Verbose

Enable or disable verbose logging in lce_client.log (the Log Correlation Engine client debugging log).

XML Example:

<verbose>0</verbose>

Valid values: 0 (off), 1, or 2

  • 1:
  • 2: Additional debugging information.

Debug

Whether to enable debugging messages in lce_client.log (the Log Correlation Engine Windows Client log). If <debug>1</debug> is present in the policy, debugging messages are enabled. It is recommended that you enable debugging only if directed to do so by Tenable Network Security.

XML Example:

<debug>0</debug>

Valid values: 0 (off) or 1 (on)

Client heartbeat frequency

The number of seconds between each client heartbeat message to the Log Correlation Engine server. If set to 0, the client will not send heartbeats.

XML Example:

<heartbeat-frequency>600</heartbeat-frequency>

Valid values: An integer

Client statistics frequency

The number of minutes between each client host performance statistics report (CPU, Disk Space, and Physical Memory) to the Log Correlation Engine server. If set to 0, client statistics will not be sent.

XML Example:

<statistics-frequency>60</statistics-frequency>

Valid values: An integer

Compress events

Whether the client compresses log data before sending it to the Log Correlation Engine server, in order to save bandwidth. Recommended except when debugging. If set to 0, events are not compressed.

XML Example:

<compress-events>1</compress-events>

Valid values: 0 (off) or 1 (on)

Compression level

The zlib compression level to use when compressing events for transmission across the network, on a scale from 1 to 9. 1 provides the least compression, resulting in minimum CPU usage and minimum bandwidth savings; 9 maximizes compression, resulting in increased CPU usage and maximum bandwidth savings. Ignored unless compression is enabled.

XML Example:

<compression-level>5</compression-level>

Valid values: An integer from 1 to 9.

Minimum compression ratio

Defines the minimum acceptable savings ratio for event data transmitted across the network, expressed as (bytes total) / (bytes compressed). If the client determines that the savings ratio would be less than this value, the event data is sent uncompressed. This spares the Log Correlation Engine server the effort of decompressing event data when the compression benefit is minimal. Ignored unless compression is enabled.

XML Example:

<minimum-compression-ratio>1.5</minimum-compression-ratio>

Valid values: A decimal number.

Minimum compression input size

The minimum number of bytes a packet must have to be compressed. Ignored unless compression is enabled.

XML Example:

<minimum-compression-input-size>2048</minimum-compression-input-size>

Valid values: An integer greater than 0.

Event queue timeout

Maximum number of seconds between event messages the client sends to the Tenable Log Correlation Engine server.

XML Example:

<event-queue-timeout>30</event-queue-timeout>

Valid values: An integer greater than 0.

Malware scan period

The interval (in seconds) at which the Log Correlation Engine Windows Client scans running processes and monitored directories.

XML Example:

<malware-scan-frequency>600</malware-scan-frequency>

Valid values: An integer greater than 0.

Whitelist hashes

MD5 file hashes that the Log Correlation Engine Windows Client ignores, even if the files would otherwise be considered malware.

XML Example:

<whitelist-hashes>8d1ae0900d461fd593b4daf67ee72e00</whitelist-hashes>

Valid values: An MD5 hash.

Custom malware hashes

MD5 file hashes that the Log Correlation Engine Windows Client reports as malware if detected.

XML Example:

<custom-malware-hashes>e1112134b6dcc8bed54e0e34d8ac272795e73d74</custom-malware-hashes>

Valid values: An MD5 hash.
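As an added example (not the product's own code and not from this page), the following Python checker parses a client policy and verifies the valid-value rules listed above before the policy is deployed: integer event IDs, the 63-entry limit for monitor-file, positive integers for the interval settings, the 1-9 range for the compression level, and 32-hex-digit MD5 values for the hash lists; it also warns wherever a maximum file size would make the client delete files. The root element name `<policy>` is an assumption, and the sample policy is constructed: it reuses the two hash values shown above and adds two deliberately invalid values (a non-integer event-id and a compression level of 12).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy (root element name assumed). Two values are
# deliberately invalid: event-id "31x" and compression-level 12.
SAMPLE_POLICY = r"""<policy>
  <event-log>Application</event-log>
  <event-log-filter><ignore><provider-name>Microsoft-Windows-TaskScheduler</provider-name>
    <event-id>318</event-id><event-id>31x</event-id></ignore></event-log-filter>
  <flat-file><location>C:\\Windows\\</location><include>*.log</include>
    <delete-on-size-bytes>4096K</delete-on-size-bytes></flat-file>
  <compress-events>1</compress-events><compression-level>12</compression-level>
  <whitelist-hashes>8d1ae0900d461fd593b4daf67ee72e00</whitelist-hashes>
  <custom-malware-hashes>e1112134b6dcc8bed54e0e34d8ac272795e73d74</custom-malware-hashes>
</policy>"""

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # "An MD5 hash" means exactly 32 hex digits
POSITIVE_INT = ("interval-log-seconds", "monitor-wait-seconds", "event-queue-timeout",
                "malware-scan-frequency", "minimum-compression-input-size")

def check_policy(xml_text):
    """Return a list of (severity, message) findings for the valid-value rules above."""
    root = ET.fromstring(xml_text)
    found = []
    for eid in root.iter("event-id"):  # Events to ignore: each event ID must be an integer
        if not (eid.text or "").strip().isdigit():
            found.append(("error", f"event-id {eid.text!r} is not an integer"))
    for ff in root.findall("flat-file"):  # Maximum file size makes the client delete files
        size = (ff.findtext("delete-on-size-bytes") or "").strip()
        if size:
            found.append(("warning", f"files in {ff.findtext('location')} are deleted above {size}"))
    if len(root.findall("monitor-file")) > 63:  # documented limit for Monitor binary files
        found.append(("error", "more than 63 monitor-file entries"))
    for tag in POSITIVE_INT:
        for el in root.findall(tag):
            v = (el.text or "").strip()
            if not (v.isdigit() and int(v) > 0):
                found.append(("error", f"{tag} {v!r} must be an integer greater than 0"))
    if root.findtext("compress-events", "0").strip() == "1":  # level is ignored when off
        lvl = (root.findtext("compression-level") or "").strip()
        if lvl and not (lvl.isdigit() and 1 <= int(lvl) <= 9):
            found.append(("error", f"compression-level {lvl!r} is outside 1-9"))
    for tag in ("whitelist-hashes", "custom-malware-hashes"):
        for el in root.findall(tag):
            if not MD5_RE.match((el.text or "").strip()):
                found.append(("error", f"{tag} {el.text!r} is not a 32-hex-digit MD5"))
    return found
```

Running `check_policy(SAMPLE_POLICY)` yields four findings: the non-integer event-id, the deletion warning for the flat-file folder, the out-of-range compression level, and the custom-malware-hashes value, which is 40 hex digits rather than the 32 an MD5 requires.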