Log Correlation Engine 4.2.0 Release Notes - 5/23/2013
The following notes describe the changes that are included in Log Correlation Engine (LCE) version 4.2.0, significant enhancements to LCE, and information about upgrading. A PDF file of these release notes is also available here.
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 4.2 Administration and User Guide.
- Lowering the number-silos setting can impact data storage. If this setting is lowered after data has been collected, LCE will archive or delete silos ranging outside of the specified maximum when rolling to silo 0. The silo archiving settings in the lce.conf file must be enabled for data to be archived in this manner.
- LCE version 4.2 is compatible with SecurityCenter version 220.127.116.11 or later. Older versions of SecurityCenter will work with LCE 4.2 without issues, but will not support many of the new features available in LCE 4.2. Please contact Tenable Support at email@example.com if you have any questions about compatibility issues.
- The report proxy settings must be configured to enable LCE's new reporting features. This can be done by editing the Discovery Options section of the lce.conf file, or running the /opt/lce/tools/lce-post-install.sh script.
- LCE 4.2 must first be activated using your provided activation code for plugins and other updates to be retrieved. This can be accomplished by running the /opt/lce/tools/lce-post-install.sh post-install script.
Upgrading from LCE 3.x
- Beginning with LCE Client version 4.0, client configuration files, now called "policies", must be managed centrally with the LCE Client Manager tool when the client is connected to LCE Server 4.0 or later. Existing configuration files may be converted using the LCE Configuration File Converter tool, then imported and assigned with the LCE Client Manager. LCE Clients connected to an LCE Server 3.6 or earlier may continue to use the traditional configuration files.
- The LCE log archive feature has been removed. New logs will be searchable via SecurityCenter's "Events" analysis tools.
File Names & MD5 Checksums
Major New Features
- Automatic Asset Discovery. Information is now extracted from log data to identify and report assets present on the network. When used in conjunction with SecurityCenter, Nessus, and PVS, this enables discovery and inventory of 100% of IT assets, both authorized and unauthorized, in any network topology.
- Vulnerability Detection. LCE now performs additional analysis on log data to identify and report a variety of vulnerabilities. (only available when used with SecurityCenter 18.104.22.168)
- Advanced Network Profiling. While log data is being processed, LCE now continually builds a detailed profile of the network to provide additional contextual data for analysis and reporting on security and compliance. The profile includes a unique list of user accounts active on each host, a collection of statistics defining the footprint of normalized logs for each host, reporting of open and browsed ports by some applications, and more. (only available when used with SecurityCenter 22.214.171.124)
- High Availability. A powerful set of features supporting high availability requirements has been added. This includes the ability to create a redundant remote copy of a system using a new log mirroring component, along with advanced load balancing and automated capabilities for failover and recovery. Please see the LCE High Availability Large Scale Deployment Guide for more detail. (only available when used with SecurityCenter/LCE Manager 126.96.36.199)
Other New Features/Improvements Added
- Ability to filter events by text content when defining rules in rules.conf.
- Ability to define separate source and destination IP address filters in rules.conf.
- Ability to access a log’s normalized username in TASL scripts.
- Support for Suricata IDS products. These can be added with the Snort type in lce.conf.
- A configuration option to force user-defined sensor names to override sensor names extracted from logs.
- Option to automatically authorize all clients that connect to the server during a configurable time window after LCE starts.
- Ability to reload the system configuration after changes, without the need to restart the LCE service.
- Any non-printable characters in logs are now stored with their hexadecimal representations.
- Query performance has been improved by ensuring utilization of all available CPU cores even when only processing a single query.
- Fixed an issue that prevented vulnerabilities with critical severity from being correlated with IDS events.
- Fixed an issue that caused full text searches including very large numeric strings to fail.
- Fixed an issue that could have prevented the query daemon from recovering automatically after a failure.
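As an added illustration of the non-printable-character handling listed above (this is example code, not LCE's own implementation, and the exact escape format `\xNN` is an assumption), the following renders every byte outside printable ASCII as a hexadecimal escape and can reverse it, so stored lines are unambiguous and terminal control sequences never reach an analyst's console unescaped:

```python
# Added example: hex-escape non-printable bytes in a log line and reverse it.
# The "\xNN" format is an assumption, not LCE's documented storage format.
import re

PRINTABLE = set(range(0x20, 0x7F))  # space through '~'


def escape_nonprintable(raw: bytes) -> str:
    """Return `raw` as text with every byte outside printable ASCII
    (NUL, ESC, CR/LF, all high bytes) written as \\xNN. A literal
    backslash is escaped too, so the encoding is reversible."""
    out = []
    for b in raw:
        if b == 0x5C:                 # backslash: escape to avoid ambiguity
            out.append("\\x5c")
        elif b in PRINTABLE:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


_ESC = re.compile(r"\\x([0-9a-f]{2})")


def unescape(stored: str) -> bytes:
    """Reverse escape_nonprintable(): each \\xNN group becomes one byte."""
    text = _ESC.sub(lambda m: chr(int(m.group(1), 16)), stored)
    return text.encode("latin-1")


# Constructed sample lines: an ANSI colour sequence and an embedded NUL.
SAMPLES = [
    b"sshd[1202]: Failed password for \x1b[31mroot\x1b[0m from 10.0.0.5",
    b"app: user=bob\x00 action=login\r\n",
]

if __name__ == "__main__":
    for line in SAMPLES:
        stored = escape_nonprintable(line)
        assert unescape(stored) == line   # round trip is lossless
        print(stored)
```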