Tools

When Tenable Log Correlation Engine is installed, it includes a number of tools and utilities. All tools are installed in the /opt/lce/tools/ directory.

General Tools

The following entries, in alphabetical order, give each tool's name, describe its function, and show its usage syntax.
archival-manager

Performs tasks relating to archiveDb.

For more information, see Silo Archiving.

--list-snapshots [<siloName> | -<N_newest> | <N_oldest>]

--enum-snapshots [<siloName>]

(Faster but less informative than --list-snapshots.)

--archive <siloName>

--restore <snapshotId> [<into_siloName>]

--remove-active <siloName>

--remove-archived <snapshotId>

--archive--range [--dry-run] <from_date> <to_date>

--restore--range [--dry-run] <from_date> <to_date>

--remove-active--range [--dry-run] <from_date> <to_date>

--remove-archived--range [--dry-run] <from_date> <to_date>

(Each date must be given in YYYYMmmDD format. A range includes both the "from" and "to" dates. Dates refer to the tOrigin of the contained events.)

--identify-currsilo

--roll-currsilo-now


cfg-utils

Used to manipulate Tenable Log Correlation Engine Server configuration attributes that do not appear in the web UI. Tenable Support may ask you to perform administrative tasks with this utility.

The most commonly used actions are:

--help

--list-all

--like <case-ignored substring of K>

--describe <K>

--get <K>

--vlike <case-ignored substring of K>

--set-sv <K> <V>

To see the complete list of available actions, run:

cfg-utils --help

For information about configuring site policies related to user activity, see Site Policies.

Tip: You can use cfg-utils to configure certificate-authenticated web UI logins. For more information, see Certificate-Authenticated Web UI Logins.

change-activeDb-location

Changes the root directory of the operational Tenable Log Correlation Engine datastore from the default.

<absolute path of new location>

change-tracelogs-location

Changes the root directory of the Tenable Log Correlation Engine tracelogs from the default.

<absolute path of new location>

create--make-current--silo

If silo rolling is inoperable, this utility can be used (with all Tenable Log Correlation Engine daemons stopped) to switch to a new silo.

<siloNumber> | --take-next

check_fix-file_accessibility

Detects and fixes file accessibility problems such as wrong ownership, wrong permissions, and an inadvertently set immutable ("i") extended file attribute.

Normally, invoke with --normal.

--check-only | --normal

ha-manager

Configures, manages, or disables high availability.

For more information about high availability configurations, see High Availability.

--initialize-as-master <standbyIP> <i/f> <virtualIP>

--initialize-as-standby <masterIP> <i/f> <virtualIP>

--copy-SSH-keys-to-peer

--status

--disconnect

--de-configure


import_logs

Imports a directory of log files or a list of one or more logs on disk into the active database on the Tenable Log Correlation Engine server. You must specify whether the logs you are importing are encoded as ASCII (--ASCII) or UTF-8 (--UTF8).

--ASCII | --UTF8

[--now-as-timestamp | --may-guess-timestamps]

[--minimum-timestamp-epoch <N>]

[--maximum-timestamp-epoch <N>]

[--no-eval-event-rules]

<inputFileAbsolutePath>

For more information about import_logs usage, see Import Log Correlation Engine Data Manually.

install-PostgreSQL-man-pages

For the description and usage, see install-PostgreSQL-man-pages.

lce_crypto_utils

Used to generate and manipulate SSL credential files in the /opt/lce/credentials/syslog and /opt/lce/credentials/web_UI directories.

--generate-creds-cryptSyslog [<CA_dnSpec>] [<endEntity_dnSpec>]

(NB: any prior contents of /opt/lce/credentials/syslog/ will be erased.)

--generate-creds-vulnReporter [-q]

(Will prompt for cert generation parameters, unless -q.)

(NB: any prior contents of /opt/lce/reporter/ssl/ will be erased.)

--generate-creds-webUI [-q]

(Will prompt for cert generation parameters, unless -q.)

(NB: any prior contents of /opt/lce/credentials/web_UI/ will be erased.)

--is-signed-by <endEntity_cert_path>.pem <CA_cert_path>.pem

--is-revoked-per <endEntity_cert_path>.pem <CRL_path>.pem

--save-as-PKCS12 <endEntity_cert_path>.pem <endEntity_privkey>.pem <into_path>.pfx

(Will prompt for password, and again to confirm.)

--print-cert <endEntity_cert_path>.pem

--print-CRL <CRL_path>.pem

--print-privkey <privkey_path>.pem

--print-PKCS12 <PKCS12_path>.pfx

(Will prompt for password.)

--what-is <path>


A <dnSpec> is a comma-separated list of K=V pairs, all optional except the last (CN); backslash-escape commas and backslashes inside values as needed:

'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'

Tip: To rotate your web UI credentials using lce_crypto_utils, see Rotate Web UI Credentials.

list-clients

Lists clients (available since Log Correlation Engine 5.0.3).

# /opt/lce/tools/list-clients


Note: The --brief option can be used for brief output. The default output is verbose.

list-policies

Lists policies (available since Log Correlation Engine 5.0.4).

# /opt/lce/tools/list-policies

msmtp

An SMTP client with a sendmail-compatible interface.

To configure msmtp, update msmtp.conf and provide an smtp host, username, password, and port.

online-pg-backup

Allows you to take an online backup of the PostgreSQL database that contains the Log Correlation Engine events and part of the Log Correlation Engine control state.

For more information about online-pg-backup, see:

openssl-utils.sh

Used to generate and view self-signed CA certificates in .pem format when troubleshooting issues with Tenable Support.

Note: This tool relies on the external openssl binary, which is not distributed with Log Correlation Engine but is available as part of the OpenSSL RPM.

Tip: This tool is intended for troubleshooting with Tenable Support. Otherwise, use the lce_crypto_utils tool.

--generate-CA-creds <CA_dnSpec> <into_dir> [<certSpec>]

(NB: any prior contents of <into_dir> will be erased!!)

--generate-creds <hostSpec> <dnSpec> <into_dir> <CA_creds_dir> [<certSpec>]

(NB: any prior contents of <into_dir> will be erased!!)

--is-signed-by <cert_path>.pem <CA_cert_path>.pem

--revoke <cert_path>.pem <CA_creds_dir> <CRL_path>.pem

--save-as-PKCS12 <endEntity_cert_path>.pem <endEntity_privkey>.pem <into_path>.pfx

--print-cert <cert_path>.pem

--print-CRL <CRL_path>.pem [<CA_cert_path>.pem]

--print-PKCS12 <PKCS12_path>.pfx

A <hostSpec> is: <host_DNS_name> <host_IP>; the IP can be IPv4 or IPv6.

A <dnSpec> is: a comma-separated list of K=V pairs, all optional except the last (CN); backslash-escape commas and backslashes inside values as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>'

A <certSpec> is: <days_to_expiry> --rsa|--dsa <bits>; defaults to: 366 --rsa 1024

Note: The 1024-bit default is below current minimum recommendations for RSA keys (2048 bits or more), so pass an explicit <certSpec> with a larger <bits> value for any certificate that will be used beyond a troubleshooting session.
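Both lce_crypto_utils and openssl-utils.sh take the same <dnSpec> syntax. The following is an added example, not code from either tool: a small parser and formatter that implement the rules given above (unescaped commas separate fields, a backslash escapes the next character, CN is the only mandatory key). The allowed key list is taken from the documented template, and the sample value is constructed.

```python
# Added example (not part of lce_crypto_utils or openssl-utils.sh): a parser and
# formatter for the <dnSpec> syntax the two tools describe. Assumptions: the key
# names in the documented template are the only valid keys, and CN (the last
# one) is the only mandatory key.

ALLOWED_KEYS = ("C", "ST", "L", "O", "OU", "CN")


def split_escaped(spec: str, sep: str = ",") -> list:
    """Split spec on unescaped separators; a backslash escapes the next char."""
    fields, buf, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\":
            if i + 1 >= len(spec):
                raise ValueError("dangling backslash at end of dnSpec")
            buf.append(spec[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_dn_spec(spec: str) -> dict:
    """Parse 'C=US,ST=MD,O=Acme\\, Inc.,CN=lce.example.com' into a dict.

    Raises ValueError on an unknown or duplicated key, an empty value, a field
    that is not K=V, or a spec that lacks the mandatory CN.
    """
    dn = {}
    for field in split_escaped(spec):
        if "=" not in field:
            raise ValueError(f"field {field!r} is not of the form K=V")
        key, value = field.split("=", 1)
        key = key.strip()
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unknown key {key!r}; expected one of {ALLOWED_KEYS}")
        if key in dn:
            raise ValueError(f"duplicate key {key!r}")
        if value == "":
            raise ValueError(f"empty value for {key!r}")
        dn[key] = value
    if "CN" not in dn:
        raise ValueError("CN is mandatory in a dnSpec")
    return dn


def _escape(value: str) -> str:
    # Escape backslashes first, then commas, so the result parses back unchanged.
    return value.replace("\\", "\\\\").replace(",", "\\,")


def format_dn_spec(dn: dict) -> str:
    """Inverse of parse_dn_spec: emit keys in the documented order, CN last."""
    if "CN" not in dn:
        raise ValueError("CN is mandatory in a dnSpec")
    return ",".join(f"{k}={_escape(dn[k])}" for k in ALLOWED_KEYS if k in dn)


if __name__ == "__main__":
    spec = r"C=US,ST=MD,O=Acme\, Inc.,CN=lce.example.com"   # constructed sample
    parsed = parse_dn_spec(spec)
    print(parsed)
    print("round-trips:", format_dn_spec(parsed) == spec)
```

The parser is strict on purpose: an organisation name containing an unescaped comma silently becomes two fields, and the second one fails the K=V check instead of being passed on to a certificate generator.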

optimize-datastore

The PostgreSQL maintenance commands requisite for best query performance have been collected into the /opt/lce/tools/optimize-datastore script. It is suggested that you run this script during off-peak (low-load) hours, triggered by a cron(1) job. The contained commands are resource-intensive, and query performance will be poor while optimize-datastore is being run.

( --only-silo <N> | --all ) [--also-cluster | --also-reindex] [--max-runtime-hours <M>]

port-controlfiles

Allows you to save and restore all of a Tenable Log Correlation Engine server installation's control files, including:

  • policies
  • plugins
  • IDS signatures
  • cronjob definitions
  • SSH keys
  • daemon initscripts
  • Text search stopword lists

port-controlfiles can be used to assist in moving a Tenable Log Correlation Engine instance from one host to another.

--export

--import <full path of previously exported .tar.gz>

query-plan-explainer

A convenient wrapper around the PostgreSQL EXPLAIN command, making its output both more concise and more readable.

[--estimate-only] <sqlFile> | "SQL query"

send_syslog

Sends syslog messages to one or more servers.

# /opt/lce/tools/send_syslog <server address 1> [...] [<server address N>] -message "<message>"

[-port <port num>]

[-priority #]

[-facility <facility>]

[-severity <severity>]
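As an added example (not the send_syslog tool itself), the following Python builds an RFC 3164-style datagram from the same facility, severity and numeric priority parameters send_syslog takes, decodes the PRI of a received datagram back into facility and severity names, and sends the datagram over UDP. The hostname, tag and timestamp values are constructed, and the control-character check is this example's own defensive choice.

```python
# Added example, not the send_syslog tool: RFC 3164-style datagram construction
# and PRI decoding. Hostname, tag and timestamp defaults are constructed values.
import socket

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
_FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
_SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def compute_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, as defined by RFC 3164 and RFC 5424."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def build_message(message, *, facility="user", severity="notice", priority=None,
                  hostname="lce-test", tag="send_syslog", timestamp="Oct 10 13:55:36"):
    """Return '<PRI>TIMESTAMP HOSTNAME TAG: MSG'.

    An explicit numeric priority (send_syslog's -priority) overrides the
    facility/severity pair. Newlines and other control characters are refused
    so that one call can never be split into two records by the receiver.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in message):
        raise ValueError("control characters are not allowed in a syslog message")
    if priority is None:
        priority = compute_pri(FACILITIES[facility], SEVERITIES[severity])
    if not 0 <= priority <= 191:
        raise ValueError("PRI must be in 0..191")
    return f"<{priority}>{timestamp} {hostname} {tag}: {message}"


def decode_pri(datagram: str) -> tuple:
    """Split a datagram into (facility_name, severity_name, remainder)."""
    if not datagram.startswith("<") or ">" not in datagram[:5]:
        raise ValueError("datagram does not start with a <PRI> field")
    end = datagram.index(">")
    pri = int(datagram[1:end])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return (_FACILITY_NAMES.get(facility, str(facility)),
            _SEVERITY_NAMES[severity], datagram[end + 1:])


def send_to_servers(servers, datagram: str, port: int = 514) -> int:
    """Send one UDP datagram to each server; returns the number of sends made."""
    payload = datagram.encode("utf-8")
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for server in servers:
            sock.sendto(payload, (server, port))
            sent += 1
    return sent


if __name__ == "__main__":
    # Loopback demo: a throwaway receiver on an ephemeral port plays the server.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        msg = build_message("test from the send_syslog example", facility="local4", severity="info")
        send_to_servers(["127.0.0.1"], msg, port=rx.getsockname()[1])
        data, _ = rx.recvfrom(2048)
        print(decode_pri(data.decode()))
```

Running the block sends one datagram to a receiver it opens on 127.0.0.1 and prints the decoded facility and severity, which is a convenient way to confirm what a collector will see before pointing send_syslog at a real server.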

start-all

Starts PostgreSQL daemon and all Log Correlation Engine daemons.

# /opt/lce/tools/start-all

restart-all

Without bar-pg, restarts the Log Correlation Engine daemons and PostgreSQL.

With bar-pg, only restarts the Log Correlation Engine daemons.

# /opt/lce/tools/restart-all [bar-pg]

stop-all

Without bar-pg, stops the Log Correlation Engine daemons and PostgreSQL.

With bar-pg, only stops the Log Correlation Engine daemons.

# /opt/lce/tools/stop-all [bar-pg]

timestamp_formats.txt

Used to identify the timestamp formats that appear for event timestamps in logs imported by import_logs. By default, this file includes a list of date formats.

If you are importing logs with timestamps in formats that are not included in this file, you can append the new formats to the list.
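The following is an added example, not the import_logs tool or Tenable's own timestamp_formats.txt: it models how a per-line format list is tried against the start of each imported line, how --now-as-timestamp bypasses that guess, and how --minimum-timestamp-epoch and --maximum-timestamp-epoch reject lines outside the window. The format strings, the sample log lines and the exact mapping of options to behaviour are this example's assumptions.

```python
# Added example, not the import_logs tool: applies a format list in the spirit
# of timestamp_formats.txt to sample lines, with the now-as-timestamp option and
# the min/max epoch bounds. Formats, lines and option semantics are assumptions.
from datetime import datetime, timezone

# Constructed stand-in for timestamp_formats.txt: one strftime pattern per entry.
TIMESTAMP_FORMATS = [
    "%b %d %H:%M:%S",          # BSD syslog header, no year
    "%Y-%m-%dT%H:%M:%S%z",     # ISO 8601 with numeric offset
    "%Y-%m-%d %H:%M:%S",       # database-style, assumed UTC
    "%d/%b/%Y:%H:%M:%S %z",    # Apache/Nginx access log
]


def guess_timestamp(line: str, formats, default_year: int):
    """Try each format against the first 1-3 whitespace tokens of the line.

    Returns (epoch_seconds, matched_format) or None. Formats without a year
    take default_year; naive results are treated as UTC.
    """
    tokens = line.split()
    for n in (3, 2, 1):
        if len(tokens) < n:
            continue
        candidate = " ".join(tokens[:n]).strip("[]")
        for fmt in formats:
            try:
                dt = datetime.strptime(candidate, fmt)
            except ValueError:
                continue
            if "%Y" not in fmt and "%y" not in fmt:
                dt = dt.replace(year=default_year)
            if dt.tzinfo is None:
                dt = dt.replace(tzinfo=timezone.utc)
            return int(dt.timestamp()), fmt
    return None


def import_lines(lines, formats, *, now_epoch, default_year, now_as_timestamp=False,
                 min_epoch=None, max_epoch=None):
    """Return (accepted, rejected): accepted is [(epoch, line)], rejected [(line, reason)]."""
    accepted, rejected = [], []
    for line in lines:
        if now_as_timestamp:
            epoch = now_epoch
        else:
            guess = guess_timestamp(line, formats, default_year)
            if guess is None:
                rejected.append((line, "no entry in the format list matched"))
                continue
            epoch = guess[0]
        if min_epoch is not None and epoch < min_epoch:
            rejected.append((line, "older than --minimum-timestamp-epoch"))
            continue
        if max_epoch is not None and epoch > max_epoch:
            rejected.append((line, "newer than --maximum-timestamp-epoch"))
            continue
        accepted.append((epoch, line))
    return accepted, rejected


# Constructed sample lines: the first three describe the same instant
# (2023-10-10 13:55:36 UTC) in different formats; the last has no timestamp.
SAMPLE_LINES = [
    "Oct 10 13:55:36 lce-test sshd[4242]: Accepted publickey for admin",
    "2023-10-10T13:55:36+0000 lce-test lced: silo roll complete",
    '[10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200',
    "line with no leading timestamp",
]

if __name__ == "__main__":
    ok, bad = import_lines(SAMPLE_LINES, TIMESTAMP_FORMATS, now_epoch=1700000000, default_year=2023)
    for epoch, line in ok:
        print(epoch, line)
    for line, why in bad:
        print("rejected:", why, "->", line)
```

The year-less BSD format is the case to watch: a line imported with the wrong default year lands years away from the rest of the silo, which is exactly what the minimum and maximum epoch bounds are there to catch.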

toggle-augmented-event-lookups

Tenable Log Correlation Engine Server maintains several special database lookups to improve query performance. These lookups incur a cost in [a] computing resources to build, and [b] disk space once built. If your queries involve the database column(s) to which a particular lookup is devoted, the benefit is well worth the cost; if not, disabling that lookup will save disk space.

Note: Use only at direction of Tenable Support.

--add-lookup | --zap-lookup

( rollup_table__ip

| rollup_table__port

| rollup_table__sensor

| rollup_table__user

| siloN_tables__event2

| siloN_tables__ip

| siloN_tables__sensor

| siloN_tables__user )

ts-test

Used to check how a particular log would be tokenized for the purpose of text search indexing, and whether a particular text search phrase would match it.

[--detail-spaces]

<rawDocument> [<tsQuery_inclStopwords>]

or

<path to file with rawDocument> [<tsQuery_inclStopwords>]


To translate a showids +text search expression to a tsQuery expression, use:

/opt/lce/daemons/lce_queryd --translate-filter-on-rawlog <showidsSearchExpr>

For more information, see ts-test.

validate-PRM-regex

Tests whether a PRM regular expression matches a sample log line, using exactly the same regex matching package, version, and settings as the Tenable Log Correlation Engine engine.

<PRM_reg.ex._line> <sample_log>

For more information, see validate-prm-regex.

user-utils

Resets the password for one of the secured accounts used to log in to a Tenable Log Correlation Engine Server instance from outside the instance's host, for use when the Tenable Log Correlation Engine UI is for some reason unavailable or an operator simply prefers a console interaction for the purpose.

--list-all

--lock--WebUI-acct <username>

--unlock--WebUI-acct <username>

--set-password--WebUI-acct <username>

--replace--vuln_reporter-acct <username>

Note: --set-password--WebUI-acct sets a temporary password and, if the user account was locked, unlocks the account.

For more information about changing user passwords, see Change a User's Password. For more information about locked user accounts, see Locked User Accounts.

Note: --replace--vuln_reporter-acct removes an existing account and sets a temporary password for the user. For more information about changing user passwords, see Change a User's Password.