Tools

When Tenable Log Correlation Engine is installed, it includes a number of tools and utilities. All tools are installed in the /opt/lce/tools/ directory.

General Tools

The following table lists in alphabetical order each tool and describes its function.

Tool	Description	Usage
`archival-manager`	Performs tasks relating to archiveDb. For more information, see Silo Archiving.	--list-snapshots [<siloName> \| -<N_newest> \| <N_oldest>] --enum-snapshots [<siloName>] (Faster but less informative than --list-snapshots.) --archive <siloName> --restore <snapshotId> [<into_siloName>] --remove-active <siloName> --remove-archived <snapshotId> --archive--range [--dry-run] <from_date> <to_date> --restore--range [--dry-run] <from_date> <to_date> --remove-active--range [--dry-run] <from_date> <to_date> --remove-archived--range [--dry-run] <from_date> <to_date> (Each date must be given in YYYYMmmDD format. A range includes both "to" and "from" dates. Dates refer to tOrigin of contained events.) --identify-currsilo --roll-currsilo-now Note: Each date must be given in YYYYMmmDD format. A range includes both "to" and "from" dates. Dates refer to tOrigin of contained events.
cfg-utils	Used to manipulate Tenable Log Correlation Engine Server configuration attributes that do not appear in the web UI. Tenable Support may ask you to perform administrative tasks with this utility.	The most commonly used actions are: --help --list-all --like <case-ignored substring of K> --describe <K> --get <K> --vlike <case-ignored substring of K> --set-sv <K> <V> To see the complete list of available actions, run: cfg-utils --help For information about configuring site policies related to user activity, see Site Policies. Tip: You can use cfg-utils to configure certificate-authenticated web UI logins. For more information, see Certificate-Authenticated Web UI Logins.
`change-activeDb-location`	Changes the root directory of the operational Tenable Log Correlation Engine datastore from the default.	<absolute path of new location>
`change-tracelogs-location`	Changes the root directory of the Tenable Log Correlation Engine tracelogs from the default.	<absolute path of new location>
`create--make-current--silo`	If silo rolling is inoperable, this utility can be used (with all Tenable Log Correlation Engine daemons stopped) to switch to a new silo.	<siloNumber> \| --take-next
check_fix-file_accessibility	Detects and fixes file accessibility problems like wrong ownership, wrong permissions, and inadvertently set immutable (“i”) extended file attribute. Normally, invoke with --normal.	--check-only \| --normal
ha-manager	Configures, manages, or disables high availability. For more information about high availability configurations, see High Availability.	--initialize-as-master <standbyIP> <i/f> <virtualIP> --initialize-as-standby <masterIP> <i/f> <virtualIP> --copy-SSH-keys-to-peer --status --disconnect --de-configure For more information, see: Configure High Availability Monitor Your High Availability Configuration Disable High Availability
`import_logs`	Imports a directory of log files or a list of one or more logs on disk into the active database on the Tenable Log Correlation Engine server. You must specify whether the logs you are importing are encoded as ASCII (`--ASCII`) or UTF-8 (`--UTF8`).	--ASCII \| --UTF8 [--now-as-timestamp \| --may-guess-timestamps] [--minimum-timestamp-epoch <N>] [--maximum-timestamp-epoch <N>] [--no-eval-event-rules] <inputFileAbsolutePath> For more information about import_logs usage, see Import Log Correlation Engine Data Manually.
`install-PostgreSQL-man-pages`		For the description and usage, see install-PostgreSQL-man-pages.
`lce_crypto_utils`	Used to generate and manipulate SSL credential files in the /opt/lce/credentials/syslog and /opt/lce/credentials/web_UI directories.	--generate-creds-cryptSyslog [<CA_dnSpec>] [<endEntity_dnSpec>] (NB: any prior contents of /opt/lce/credentials/syslog/ will be erased.) --generate-creds-vulnReporter [-q] (Will prompt for cert generation parameters, unless -q.) (NB: any prior contents of /opt/lce/reporter/ssl/ will be erased.) --generate-creds-webUI [-q] (Will prompt for cert generation parameters, unless -q.) (NB: any prior contents of /opt/lce/credentials/web_UI/ will be erased.) --is-signed-by <endEntity_cert_path>.pem <CA_cert_path>.pem --is-revoked-per <endEntity_cert_path>.pem <CRL_path>.pem --save-as-PKCS12 <endEntity_cert_path>.pem <endEntity_privkey>.pem <into_path>.pfx (Will prompt for password, and again to confirm.) --print-cert <endEntity_cert_path>.pem --print-CRL <CRL_path>.pem --print-privkey <privkey_path>.pem --print-PKCS12 <PKCS12_path>.pfx (Will prompt for password.) --what-is <path> __________________________________________________________________________________________ A <dnSpec> is a ,-separated list of K=V pairs, all optional save the last; \-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>' Tip: To rotate your web UI credentials using lce_crypto_utils, see Rotate Web UI Credentials.
`list-clients`	Used to list clients since Log Correlation Engine 5.0.3.	# /opt/lce/tools/list-clients Note: The `--brief` option can be used for brief output. The default output is verbose.
`list-policies`	Used to list policies since Log Correlation Engine 5.0.4.	# /opt/lce/tools/list-policies
`msmtp`	An SMTP client with a sendmail compatible interface.	To configure msmtp, update msmtp.conf and provide an smtp host, username, password, and port. # msmtp [email protected]
online-pg-backup	Allows you to take an online backup of the PostgreSQL database that contains Log Correlation Engine events and part of the Log Correlation Engine control state.	For more information about online-pg-backup, see: Perform an Online PostgreSQL Backup Restore an Online PostgreSQL Backup
`openssl-utils.sh`	Used to generate and view self signed CA certificates in .pem format when troubleshooting issues with Tenable Support. Note: This tool relies on the external openssl binary, not distributed with Log Correlation Engine but available as part of the OpenSSL RPM. Tip: This tool is intended for troubleshooting with Tenable Support. Otherwise, use the lce_crypto_utils tool.	--generate-CA-creds <CA_dnSpec> <into_dir> [<certSpec>] (NB: any prior contents of <into_dir> will be erased!!) --generate-creds <hostSpec> <dnSpec> <into_dir> <CA_creds_dir> [<certSpec>] (NB: any prior contents of <into_dir> will be erased!!) --is-signed-by <cert_path>.pem <CA_cert_path>.pem --revoke <cert_path>.pem <CA_creds_dir> <CRL_path>.pem --save-as-PKCS12 <endEntity_cert_path>.pem <endEntity_privkey>.pem <into_path>.pfx --print-cert <cert_path>.pem --print-CRL <CRL_path>.pem [<CA_cert_path>.pem] --print-PKCS12 <PKCS12_path>.pfx A <hostSpec> is: <host_DNS_name> <host_IP>; IP can be IPv4 or IPv6 A <dnSpec> is: ,-separated list of K=V pairs, all optional save the last; \-escape as needed: 'C=<country>,ST=<state>,L=<city>,O=<org>,OU=<orgUnit>,CN=<name>' A <certSpec> is: <days_to_expiry> --rsa\|--dsa <bits>; defaults to: 366 --rsa 1024
`optimize-datastore`	The PostgreSQL maintenance commands requisite for best query performance have been collected into the /opt/lce/tools/optimize-datastore script. It is suggested that you run this script during off-peak (low-load) hours, triggered by a cron(1) job. The contained commands are resource-intensive and query performance will be poor while optimize-datastore is being run.	( --only-silo <N> \| --all ) [--also-cluster \| --also-reindex] [--max-runtime-hours <M>]
port-controlfiles	Allows you to save and restore all of an Tenable Log Correlation Engine server installation's control files, including: policies plugins IDS signatures cronjob definitions SSH keys daemon initscripts Text search stopword lists port-controlfiles can be used to assist in moving an Tenable Log Correlation Engine instance from one host to another.	--export --import <full path of previously exported .tar.gz>
`query-plan-explainer`	A convenient wrapper around the PostgreSQL `EXPLAIN` command, making its output both more concise and better readable.	[--estimate-only] <sqlFile> \| "SQL query"
`send_syslog`	Sends syslog messages to one or more servers.	# /opt/lce/tools/send_syslog (server address 1) [...] [server address N] -message "(message)" [-port <port num>] [-priority #] [-facility <facility>] [-severity <severity>]
`start-all`	Starts PostgreSQL daemon and all Log Correlation Engine daemons.	# /opt/lce/tools/start-all
`restart-all`	Without bar-pg, restarts the Log Correlation Engine daemons and PostgreSQL. With bar-pg, only restarts the Log Correlation Engine daemons.	# /opt/lce/tools/restart-all [bar-pg]
`stop-all`	Without bar-pg, stops the Log Correlation Engine daemons and PostgreSQL. With bar-pg, only stops the Log Correlation Engine daemons.	# /opt/lce/tools/stop-all [bar-pg]
`timestamp_formats.txt`	Used to identify the timestamp formats that appear for event timestamps in logs imported by import_logs. By default, this file includes a list of date formats.	If you are importing logs with timestamps in formats that are not included in this file, you can append the new formats to the list.
toggle-augmented-event-lookups	Tenable Log Correlation Engine Server maintains several special database lookups to improve query performance. These lookups incur a cost in [a] computing resources to build, and [b] disk space once built. If your queries involve the database column(s) to which a particular lookup is devoted, the benefit is well worth the cost; if not, disabling that lookup will save disk space. Note: Use only at direction of Tenable Support.	--add-lookup \| --zap-lookup ( rollup_table__ip \| rollup_table__port \| rollup_table__sensor \| rollup_table__user \| siloN_tables__event2 \| siloN_tables__ip \| siloN_tables__sensor \| siloN_tables__user )
`ts-test`	Used to check how a particular log would be tokenized for the purpose of text search indexing and whether a particular text search phrase would match it.	[--detail-spaces] <rawDocument> [<tsQuery_inclStopwords>] or <path to file with rawDocument> [<tsQuery_inclStopwords>] ____________________________________________________________________________ To translate a showids +text search expression to a tsQuery expression, use /opt/lce/daemons/lce_queryd --translate-filter-on-rawlog <showidsSearchExpr> For more information, see ts-test.
`validate-PRM-regex`	To test matching, using exactly the same regex matching package, version, and settings, as used by the Tenable Log Correlation Engine engine.	<PRM_reg.ex._line> <sample_log> For more information, see validate-prm-regex.
`user-utils`	Reset the password for one of the secured accounts used to login to an Tenable Log Correlation Engine Server instance from outside the instance's host, if the Tenable Log Correlation Engine UI is for some reason unavailable or an operator simply prefers a console interaction for the purpose.	--list-all --lock--WebUI-acct <username> --unlock--WebUI-acct <username> --set-password--WebUI-acct <username> --replace--vuln_reporter-acct <username> Note: --set-password--WebUI-acct sets a temporary password and, if the user account was locked, unlocks the account. For more information about changing user passwords, see Change a User's Password. For more information about locked user accounts, see Locked User Accounts. Note: --replace--vuln_reporter-acct removes an existing account and sets a temporary password for the user. For more information about changing user passwords, see Change a User's Password.