Log Correlation Engine 6.0.6 Release Notes (09-29-2020)

New Features

  • The "archive peek" feature, present in LCE 4.x but either missing or inoperable in LCE 5.x, is again fully operational.

  • Configuration attributes have been added to make optional and configurable the population of the 5 largest rollup tables, as well as indexing of several columns of the silo-partitioned events table; these attributes should be not be manipulated directly with cfg-utils --set-sv, but only with the new toggle-augmented-event-lookups utility. Please contact Tenable Support for help deciding which rollups you can disable without impacting your accustomed queries.

  • To allow desired operation in environments where LCE server is known by a public virtual IP even to non-NAT clients, added public_IP_for_clients_not_behind_NAT configuration attribute.

Changed Functionality and Performance Enhancements

  • The optimize-datastore utility now also collapses rows in the rollup tables used to satisfy summary queries; this both decreases disk usage and improves query performance.

  • 48-hour summary queries can now also take advantage of the rollup tables.

  • Several new rollup tables have been added, for a total of 8; summary queries filtering on event type plus another attribute can now be satisfied with rollup tables, greatly improving performance of over 55% of built-in queries, as well as many custom queries.

  • Text search configuration has been refined; as a result, indexes on rawlog column (of siloN tables created after upgrading to LCE 6.0.6) will be 5% to 20% smaller.

  • More than just print snapshot names, archival-manager --list-snapshots now also reports, for each snapshot in archiveDb:

    • compressed on-disk size

    • compression level used (4 normally, 7 if archiveDb__compress_tighter enabled)

    • when snapshot had been written to archiveDb

    • whether you can "peek" query this snapshot (yes if snapshot had been created with LCE 6.0.6+, otherwise no)

  • Progress is reported with higher granularity by archival-manager --roll-currsilo-now; it separately reports [a] when specified silo is no longer the current silo (i.e. new events are no longer being written to it); and [b] when the specified silo's post-roll housekeeping tasks are complete (i.e. utilities which need to temporarily detach silo they are operating on would no longer block on this one).

  • To quickly learn ID of the silo new events are being written to, you can now archival-manager --identify-currsilo.

  • The counters printed to tracelog by the lce_queryd daemon now report failure modes broken down into 5 categories, up from 3; this extends the amount of troubleshooting possible without debug having been configured.

  • The helper scripts alerts-by-day.sql, alerts-by-month.sql, table-sizes--silo.sql, and silos.sql have been modified to report the same data but more compactly.

  • The helper scripts disk-usage.sql, indexes--other.sql, table-access-stats--other.sql, and table-sizes--nonsilo.sql now take an optional table name fragment argument, to restrict output to only the matching tables.

  • To improve output readability, many of the helper scripts which produce reports now render the background of every other row in an alternative dark color.

  • Added the reached_license_limit alert occasion, so both operators and Tenable Support staff can more easily tell that LCE Server has been trimming activeDb to stay under license limit; along with other alerts, reached_license_limit will be in output of alerts-by-day.sql, alerts-by-month.sql, and recent-alerts-24hours.sql helper scripts.

  • Before overwriting the local activeDb as part of full-DB --restore-from a given backup, the online-pg-backup utility now saves the license activation key (along with other node-specific configuration and status values) to a directory outside of activeDb; after the full-DB restore is complete, online-pg-backup retrieves those special values and updates the local activeDb with them. This makes moving an LCE instance from one host to another a significantly smoother process.

  • The following utilities now trace, to facilitate troubleshooting, to backup-and-restore.log:

    • online-pg-backup

    • port-controlfiles

  • The following utilities all now trace to activeDb-maint.log, instead of sharing postgresql-setup-accretive.log with installer/upgrader utilities as previously:

    • archival-manager, when invoked with --roll-currsilo-now

    • create--make-current--silo

    • reattach-partition

Bug Fixes

  • To firewall_checkpoint.prm, added missing and requested Checkpoint-TCP_Spoof rule.

  • Migration of a LCE 5.x silo into activeDb could fail if size of activeDb had reached maximum, whether due to availability of unused disk blocks or due to the configured activeDb_max_on_disk_size__MB having been reached.

  • Invalid SQL generated for -assetfile summary query.

  • Licensed limit of activeDb silos was checked only on startup of the lced daemon; hence applying a new license would require a restart of the lced daemon, entailing up to 55 seconds of lost incoming events.

  • Optimization for queries involving single-address IP filters had been rendered dysfunctional.

  • The lce_report_proxyd daemon would save a vuln_report_upload_error alert upon receiving credentials with an empty username from Tenable Security Center; since that happens when vuln upload has simply not been configured by customer, it does not constitute an error mode per se.

  • Setting vuln reporter username/password from Web UI would cause unscheduled termination of the lce_wwwd daemon process.

  • The stats daemon would, in certain unusual circumstances, skip over some events records instead of properly scanning them.

  • The install-logrotate-config utility, when invoked by the RPM upgrader, would create a backup of the old LCE-specific logrotate configuration and save that backup in /etc/logrotate.d directory, potentially causing system administration problems. Fix both corrects said behavior and erases any logrotate configuration backups we had previously created in /etc/logrotate.d directory.

  • SQL generated to satisfy a showids query with a -dirinb|-dirout|-dirint keyword was valid but functionally incorrect.

  • The IP ranges comprising (for purposes of a showids query with a -dirinb|-dirout|-dirint keyword) the internal network were being computed in a manner inconsistent with description in User Guide; corrected, and added boolean configuration attribute internal_network_definedBy__mipfile1 to allow reversion to old behavior if needed.

  • The port-controlfiles utility did not correctly import client policies (.lcp files), when invoked with --import option.

  • Could not add elements to the multi-valued intrusion_detect_sensors configuration attribute from the WebUI, for 3 particular IDS sources.

  • The lce_queryd daemon would, under certain combinations of operational circumstances, fail to properly erase mipfile.* tempfiles created by Tenable Security Center in the /tmp directory.

  • The lce_queryd daemon was not rejecting invalid showids commands with empty “match=” expressions.

  • Total count for certain distinct-IP and distinct-port queries was reported as half its true value.

  • The lce_tasld daemon was ignoring values of include_networks and exclude_networks configuration attributes.

  • The migrateDB-from4X executable, invoked by migrateDB-overseer utility, was ignoring value (if non-default) of activeDb_directory configuration attribute.

  • The indexes--nonsilo.sql helper script was not reporting correctly the fillfactor PostgreSQL storage parameter of subject indexes.

Security Enhancements

  • Updated to the latest stable version of JavaScript libraries (crypto-browserify, i18n, js-yaml, tilt, and others) used in Web UI, in order to incorporate available security fixes.

Upgrade Notes

  • If you are upgrading from a version earlier than LCE 4.8.4, upgrade to LCE 4.8.4 before upgrading to LCE 6.0.6.
  • If you are upgrading from LCE 5.0.x, upgrade to LCE 5.1.1 before upgrading to LCE 6.0.6.
  • If you are upgrading from LCE 4.8.4 with high availability configured, use the method described in Migrate Your High Availability Configuration to LCE 6.0.4 or Later in the LCE User Guide.
  • If you are upgrading from 6.0.4 with high availability configured, use the method described in Migrate Your High Availability Configuration to LCE 6.0.5 or Later in the LCE User Guide.

  • If you are upgrading from LCE 5.x.y or 6.0.0, run:

    rpm --nopreun -Uvh lce-6.0.6-el6.x86_64.rpm

  • If you are upgrading from LCE 6.0.x, after the rpm command completes, run:

    nohup /opt/lce/tmp/upgr606-rebuild-hhourlies &

    Note: The upgr606-rebuild-hhourlies script takes approximately 2.5 minutes to run per activeDb silo.

  • If you are upgrading from LCE 6.0.x, after the rpm command completes, run:

    nohup /opt/lce/tmp/upgr603-rebuild-silos &

    This command rebuilds your pre-existing event silos in the new format (which takes up less disk space and improves query performance). As each silo is rebuilt, it will automatically become available for querying again. The upgr603-rebuild-silos script will take 25-30 minutes to rebuild each pre-existing silo; it prioritizes silos with the most recent events.

    Note: If you are upgrading from LCE 6.0, 6.0.1, or 6.0.2, run /opt/lce/tmp/upgr606-rebuild-hhourlies first, then upgr603-rebuild-silos.

  • If you are prompted to run /opt/lce/tmp/restore_per-client_decisions.sql and you performed explicit client authorizations (without the aid of client assignment rules or the auto-authorization setting) or specified custom sensor names for individual LCE clients, run:

    source /opt/lce/tools/source-for-psql-shortcuts.sh

    psqlf /opt/lce/tmp/restore_per-client_decisions.sql

    This script applies the changes you made to your upgraded LCE.

    Note: If you did not perform explicit client authorizations or specify custom sensor names for individual LCE clients, you do not need to run /opt/lce/tmp/restore_per-client_decisions.sql