Log Correlation Engine 4.0.1 Release Notes - 8/20/2012
The following notes describe the changes that are included in Log Correlation Engine (LCE) version 4.0.1, significant enhancements to the LCE, and information about upgrading. A PDF file of these release notes is also available here.
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 4.0 Administration and User Guide.
- Lowering the number-silos setting can affect data storage. If this setting is lowered after data has been collected, LCE will archive or delete silos outside the new maximum when it rolls over to silo 0. For that data to be archived rather than deleted, the silo archiving settings in lce.conf must be enabled.
Upgrading from LCE 3.x
- LCE version 4.0 is compatible with SecurityCenter version 4.2 or later. Older versions of SecurityCenter may work with LCE 4.0 without issues, but will not support many of the new features. Please contact Tenable Support at firstname.lastname@example.org if you have any questions about compatibility.
- Beginning with version 4.0, LCE Client configuration files, now called “policies”, must be managed centrally with the LCE Client Manager tool whenever the client is connected to LCE Server 4.0 or later. Existing configuration files may be converted using the LCE Configuration File Converter tool, then imported and assigned with the LCE Client Manager. LCE Clients connected to an LCE Server 3.6 or earlier may continue to use the traditional configuration files.
- The LCE log archive feature has been removed. Existing logs may continue to be searched via SecurityCenter's "Raw Log Search", while new logs are searchable via SecurityCenter's "Events" analysis.
File Names & MD5 Checksums
- Logs imported using the command line import_logs utility are now automatically indexed, allowing full text searches to be performed on the resulting archives.
- The log importer utility now conforms to the store-unnormalized setting in lce.conf, allowing unnormalized logs to be imported.
- Added Client Manager support for a policy and sensor to be specified prior to authorizing a client.
- Added Client Manager support for configuring a client to operate on the loopback interface.
- Added Client Manager support for hostnames to be specified instead of IP addresses.
- Added support for hostnames in the load balancing configuration options.
- Changes made in the Client Manager now take effect immediately, without the need to exit the utility.
- The SecurityCenter/LCE Manager sensor filter and sensor summary are now case insensitive.
- If the LCE is configured as a load balancing auxiliary server, it will now fail to start and log an error if the primary server is not available when the service is started.
- Added support for an environment in which only a subset of the clients are located behind a NAT.
- Fixed a crash that occurred on 64-bit systems when the server was shutting down. This resulted in a debug file being generated in the log directory upon each service stop or restart.
- Fixed an issue preventing silo .ndb files from being compressed after they became inactive.
- Fixed an issue where the LCE server occasionally forced a client to reconnect.
- Fixed an issue resulting in false positive results for some text searches utilizing the NOT operator.
- Fixed an issue resulting in inaccurate sensor names for some logs.
- Fixed an issue where the server application log was flooded with entries after an error on the client communication interface.
- Fixed an issue where new configuration options were not added on upgrade from LCE 3.x when the existing lce.conf file was larger than 32KB.
- Fixed an issue where the query daemon crashed and restarted when a single punctuation character was searched.
- Fixed an issue resulting in event count discrepancies when drilling down into an event type in the SecurityCenter or LCE Manager.
- Fixed an issue where raw.gz files were not deleted after rolling over to a silo that previously contained LCE 3.x data.
- Fixed an issue where LCE 3.x data was no longer searchable from the SecurityCenter or LCE Manager after an upgrade to LCE 4.0.