Log Correlation Engine 4.0.2 Release Notes - 12/13/2012
The following notes describe the changes that are included in Log Correlation Engine (LCE) version 4.0.2, significant enhancements to the LCE, and information about upgrading. A PDF file of these release notes is also available here.
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 4.0 Administration and User Guide.
- Lowering the number-silos setting can affect stored data. If this setting is lowered after data has been collected, LCE will archive or delete every silo numbered above the new maximum the next time it rolls to silo 0. For that data to be archived rather than deleted, the silo archiving settings in lce.conf must be enabled before the roll occurs.
Upgrading from LCE 3.x
- LCE version 4.0 is compatible with SecurityCenter version 4.2 or later. Older versions of SecurityCenter may work with LCE 4.0 without issues, but will not support many of the new features. Please contact Tenable Support at firstname.lastname@example.org if you have any questions about compatibility issues.
- Beginning with version 4.0, LCE Client configuration files, now called “policies”, must be managed centrally with the LCE Client Manager tool whenever the client is connected to LCE Server 4.0 or later. Existing configuration files may be converted using the LCE Configuration File Converter tool, then imported and assigned with the LCE Client Manager. LCE Clients connected to an LCE Server 3.6 or earlier may continue to use the traditional configuration files.
- The LCE log archive feature has been removed. Existing logs may continue to be searched via the SecurityCenter's "Raw Log Search", but new logs will be searchable via SecurityCenter's "Events" analysis.
File Names & MD5 Checksums
- The default configuration file has been reorganized into three broad sections, each with several categories of options. On upgraded systems, this file is available as /opt/lce/admin/lce.conf.default.
- A new post-install configuration script has been added. The script runs only on a new install, and provides an interactive walkthrough designed to configure all of the basic settings required for the LCE server to begin collecting logs. This configuration includes the following:
  - The LCE license key
  - The syslog, client-server, and reliable syslog port numbers. The script detects if any of the server’s required ports are in use.
  - Network ranges
  - Database directory
  - Syslog sensor names
- LCE now provides the option of defining rules specifying the IP address and port on which each client should connect to the server. This provides added flexibility, such as in configuring firewall operation and determining how network interfaces will be used. Defining rules in NAT environments ensures that clients are assigned the required server address.
- Text searches are applied to tokens in the log, which were previously defined as any sequence of letters, numbers, and dots. For example, searching for “john” in logs containing “john.smith” would not return results, since “john.smith” was a single token. Dots are no longer considered to be part of a token, so searching for “john” or “smith” in the example would now return results. Note that this change will only affect logs stored after the upgrade.
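The tokenization change above is easy to misjudge when validating searches after an upgrade. The following Python model is an added example, not LCE's own code: it implements the two token definitions the note describes (letters, digits and dots before 4.0.2; letters and digits only afterwards) and runs a whole-token search over a few constructed log lines, so you can see exactly which queries start returning results. The regular expressions, the `search` helper and the sample lines are assumptions for illustration; the note does not specify how LCE matches dotted values such as IP addresses, and this model does not attempt to.

```python
import re

# Constructed sample log lines for the demonstration (not real LCE data).
SAMPLE_LOGS = [
    "sshd[1234]: Accepted password for john.smith from 10.0.0.5 port 51234",
    "sshd[1235]: Failed password for invalid user john from 10.0.0.9 port 51240",
    "cron[77]: (root) CMD (/usr/lib/backup.sh)",
]

# Assumed tokenizers modelled on the release note:
#   before 4.0.2, a token was any run of letters, digits and dots;
#   from 4.0.2 on, dots no longer belong to a token.
OLD_TOKEN_RE = re.compile(r"[A-Za-z0-9.]+")
NEW_TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def tokenize(line, token_re):
    """Return the set of tokens found in one log line under the given tokenizer."""
    return set(token_re.findall(line))


def search(term, logs, token_re):
    """Return the indices of the lines in which `term` occurs as a whole token.

    Whole-token matching is the behaviour the note describes: a search term only
    hits a line if it equals one of that line's tokens, so a dotted name such as
    "john.smith" can hide "john" when dots are part of the token.
    """
    return [i for i, line in enumerate(logs) if term in tokenize(line, token_re)]


def old_search(term, logs=SAMPLE_LOGS):
    """Search with the pre-4.0.2 token definition."""
    return search(term, logs, OLD_TOKEN_RE)


def new_search(term, logs=SAMPLE_LOGS):
    """Search with the 4.0.2 token definition."""
    return search(term, logs, NEW_TOKEN_RE)


if __name__ == "__main__":
    for term in ("john", "smith", "john.smith"):
        print(f"{term!r}: old={old_search(term)} new={new_search(term)}")
```

Running the block shows that "john" only matched line 1 under the old tokenizer but matches lines 0 and 1 under the new one, and that "smith" goes from no hits to one. Because LCE applies the new definition only to logs stored after the upgrade, a single search across the silo boundary will behave differently on the two sides, which is worth remembering when testing detection searches or saved queries after installing 4.0.2.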
- Automatic plugin updates were previously only performed upon a silo roll. If a silo does not roll for 3 days, the plugins will now be automatically updated as well.
- Event rules can now be defined for internally-generated LCE events, such as client authorization events, full disk alerts, and new TCP syslog connections.
- LCE now generates the LCE-Plugin_Update_Failed event to notify the administrator when a plugin update fails because of an error.
- Fixed an issue in which an extraneous, commented-out plugins-directory setting in lce.conf caused an error during plugin updates.
- Fixed an issue in which using the $user variable in an event rule triggering on an internal event caused the server to fail and restart.
- Fixed an issue in which a normalized database file larger than 2GB could not be queried properly.
- Added a 60-second timeout with three retries for plugin updates. This prevents the server from hanging when an invalid proxy is being used for plugin updates.
- Fixed an issue in which the LCE-Agent_Authorization_Granted event was logged for connecting clients that were already authorized.
- Fixed an issue preventing alerts from being generated when the configured disk-alert-percentage was reached. The LCE-High_Disk_Usage event will now be logged when the disk reaches the specified threshold.
- Fixed an issue in which revoking the access of a client using the LCE server’s client manager resulted in de-authorizing all clients with the same IP address.