Tenable Log Correlation Engine 6.0.8 Release Notes (01-21-2021)

Note: Because CentOS 6 has reached end of life, Log Correlation Engine 6.0.8 is the last Log Correlation Engine release that will support CentOS 6. Tenable recommends upgrading to CentOS 7.

New Features

  • The archival-manager utility, when invoked with --list-snapshots, now also displays the range of contained events' tOrigin as a pair of human-readable tstamps. For example: 2019Dec30 13:48:25 - 2020Jan01 05:00:53.

  • The archival-manager utility now lets you operate on multiple activeDb silos or archiveDb snapshots at once with the new command verbs { --archive--range, --restore--range, --remove-active--range, --remove-archived--range}. The commands take a <from_date> and a <to_date> argument, both in YYYYMmmDD format. For example: 2019Dec30.

  • New configuration attribute internal_network_definedBy__include_networks (boolean, defaults to false). If set to true, then when receiving a showids command containing a directional clause (-dirinb, -dirout, -dirint), Log Correlation Engine will take the IP ranges given by include_networks attribute as defining the internal network for the purpose of that showids command. Of this attribute and internal_network_definedBy__mipfile1, one must be true and one must be false.

  • New check_fix-file_accessibility utility detects and fixes file accessibility problems like wrong ownership, wrong permissions, and inadvertently set immutable (“i”) extended file attribute.

  • New rebuild-rawlog-index.sql helper script rebuilds index on the rawlog column. Required to apply modified TS (text search) configuration retroactively to events already stored.

  • The lced daemon now saves trimming_activeDb and trimming_archiveDb alerts to give easier visibility into disk space management done by lced.

Changed Functionality and Performance Enhancements

  • The diag utility now also detects and reports the following problems with client policy (.lcp) files:

    • Non-ASCII characters

    • Invalid characters in a whitelist-hashes or custom-malware-hashes element string

    • Illegal length of a whitelist-hashes or custom-malware-hashes element string

  • The throughput--kilo-eps.sql helper SQL script now displays data with a variety of background colors, “heatmap”-style, to give you even clearer and faster insight into your Log Correlation Engine traffic volume over days and hour-to-hour.

  • You no longer need to bring up the /opt/lce/tools/pg-helper-sql/ path when invoking a helper SQL script with psqlf. Now, you can type psqlf, then press Space, then the first few letters of desired filename (e.g., w a if you want wal-activity.sql). Press Tab to complete, then Enter to run.

  • Added firewall_cisco_ftd.prm with rules to normalize logs from Cisco Firepower Threat Defense (FTD) devices.

  • Log Correlation Engine now specifies a log rotation policy for the postgresql/server.log tracelog so that the active tracelog file will not exceed 50 MB on average.

Bug Fixes

  • Dynamic halt condition encountered in the 3rd inter-page transition of Quick Setup wizard; command-line workaround possible but not desirable.

  • Fixed an issue where the throughput--kilo-eps.sql helper SQL script would display malformatted and incomplete output when invoked for a date range containing a daylight savings switchover date.

  • Fixed an issue where the utilities create--make-current--silo, reattach-partition, and query-plan-explainer were not specifying non-default resource needs for their PostgreSQL sessions; as result, they ran slower than possible.

  • When given a -sumdate command with --sorttime --sort-descending sort specifier, the lce_queryd daemon would under some circumstances preface its response with an incorrect header, ultimately leading to a skewed display in Tenable Security Center's Event Analysis Date Summary view.

  • Fixed an issue where instead of showing the username of a newly created administrator-level user, the web UI would show “0”.

  • Fixed an issue where the lce_queryd daemon would fail to execute several summary queries when a particular combination of filters was specified.

  • Fixed an issue where the optimize-datastore utility could interfere with the process of temporarily restoring an “archive peek” silo into activeDb.

  • Fixed an issue where the lce_wwwd daemon could reserve up to 7 PostgreSQL DB connections, contributing to an out-of-connections error condition in certain rare circumstances; lce_wwwd now uses no more than 2 PostgreSQL DB connections.

Security Enhancements

  • Upgraded lodash from 4.17.11 to 4.17.20.

  • Upgraded concat-stream and crypto-browserify.

  • Upgraded shelljs from 0.1.4 to 0.7.8.

  • Updated browser-pack to 6.1.0.

  • Upgraded uglify-js to 2.6.0.

Upgrade Notes

  • If you are upgrading from a version earlier than Log Correlation Engine 4.8.4, upgrade to Log Correlation Engine 4.8.4 before upgrading to Log Correlation Engine 6.0.8.
  • If you are upgrading from Log Correlation Engine 5.0.x, upgrade to Log Correlation Engine 5.1.1 before upgrading to Log Correlation Engine 6.0.8.
  • If you are upgrading from Log Correlation Engine 4.8.4 with high availability configured, use the method described in Migrate Your High Availability Configuration to LCE 6.0.4 or Later in the Tenable Log Correlation Engine User Guide.
  • If you are upgrading from 6.0.4 with high availability configured, use the method described in Migrate Your High Availability Configuration to LCE 6.0.5 or Later in the Tenable Log Correlation Engine User Guide.

  • If you are upgrading from Log Correlation Engine 5.x.y or 6.0.0, run:

    rpm --nopreun -Uvh lce-6.0.8-el6.x86_64.rpm

  • If you are upgrading from Log Correlation Engine 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, or 6.0.5, after the rpm command completes, run:

    nohup /opt/lce/tmp/upgr606-rebuild-hhourlies &

    Note: The upgr606-rebuild-hhourlies script takes approximately 2.5 minutes to run per activeDb silo.

  • If you are upgrading from Log Correlation Engine 6.0, 6.0.1, or 6.0.2, after the rpm command completes, run:

    nohup /opt/lce/tmp/upgr603-rebuild-silos &

    This command rebuilds your pre-existing event silos in the new format (which takes up less disk space and improves query performance). As each silo is rebuilt, it will automatically become available for querying again. The upgr603-rebuild-silos script will take 25-30 minutes to rebuild each pre-existing silo; it prioritizes silos with the most recent events.

    Note: If you are upgrading from Log Correlation Engine 6.0, 6.0.1, or 6.0.2, run /opt/lce/tmp/upgr606-rebuild-hhourlies first, then upgr603-rebuild-silos.

  • If you are upgrading from Log Correlation Engine 4.8.4, 5.1.1, 6.0, 6.0.1, 6.0.2, or 6.0.3, you may be prompted to run /opt/lce/tmp/restore_per-client_decisions.sql when the upgrade utility completes. If you receive this prompt and you performed explicit client authorizations (without the aid of client assignment rules or the auto-authorization setting) or specified custom sensor names for individual Log Correlation Engine clients, run:

    source /opt/lce/tools/source-for-psql-shortcuts.sh

    psqlf /opt/lce/tmp/restore_per-client_decisions.sql

    This script applies the changes you made to your upgraded Log Correlation Engine.

    Note: If you did not perform explicit client authorizations or specify custom sensor names for individual Log Correlation Engine clients, you do not need to run /opt/lce/tmp/restore_per-client_decisions.sql

Supported Platforms

  • Red Hat Enterprise Linux 6 64-bit / CentOS 6 64-bit

  • Red Hat Enterprise Linux 7 64-bit / CentOS 7 64-bit