Log Correlation Engine 4.2.1 Release Notes - 8/12/2013
The following notes describe the changes that are included in Log Correlation Engine (LCE) version 4.2.1, significant enhancements to LCE, and information about upgrading. A PDF file of these release notes is also available here.
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 4.2 Administration and User Guide.
- The LCE Server Virtual Machine Quick Start Guide explains how to initially configure the LCE server virtual machine.
- Lowering the number-silos setting can impact data storage. If this setting is lowered after data has been collected, LCE will archive or delete silos ranging outside of the specified maximum when rolling to silo 0. In order for data to be archived in this scenario, the silo archiving settings in lce.conf must be enabled.
- LCE version 4.2 is compatible with SecurityCenter version 184.108.40.206 or later. Older versions of SecurityCenter will work with LCE 4.2 without issues, but will not support many of the new features available in LCE 4.2. Please contact Tenable Support at email@example.com if you have any questions about compatibility issues.
Upgrading from LCE 4.0.x and below
- In order to enable LCE’s reporting features, the report proxy settings must be configured. This can be done by editing the “Discovery Options” section of lce.conf, or running the /opt/lce/tools/lce-post-install.sh script.
- In order for plugins and other updates to be retrieved, LCE 4.2 must first be activated using your provided activation code. This can be done by running the post-install script referenced above.
Upgrading from LCE 3.x
- For LCE Clients version 4.0 and later, the configuration files, now called “policies”, must be managed centrally with the LCE Client Manager tool when the client is connected to LCE Server 4.0 or later. Existing configuration files may be converted using the LCE Configuration File Converter tool, and imported/assigned with the LCE Client Manager. LCE Clients connected to an LCE Server 3.6 or earlier may continue to use the traditional configuration files.
- The LCE log archive feature has been removed. Existing logs may continue to be searched via the SecurityCenter's “Raw Log Search”, but new logs will be searchable via SecurityCenter's “Events” analysis.
File Names & MD5 Checksums
New Features and Improvements
- Added an option to the plugins update script to retain the plugins archive and signature file for offline SecurityCenter plugin updates. When the -k option is specified (e.g., /opt/lce/daemons/lce_update_plugins.pl -avk), the files are retained in /tmp/.
- Added support for fast sorting of column data in the upcoming version 4.7 of SecurityCenter.
- Added an optimization to the query daemon to give higher caching priority to queries from interactive users over those from automated dashboards and reports.
- The rpm --verify command can now be used to determine whether an installation is intact.
- Fixed an issue that could result in corrupt usernames being included in the vulnerability report. This would in turn cause the SecurityCenter import of the data to fail.
- Fixed an issue in which the vulnerability report’s user history data could use excessive memory over time.
- Fixed an issue that could cause a plugin error to crash the LCE server.
- Fixed an issue in which assets with no associated events were not displayed in SecurityCenter’s asset summary.
- Fixed an issue that could result in the query daemon crashing and restarting periodically.
- Fixed an issue in which client policies could not be displayed on some systems.
- Fixed an issue that could prevent the stats daemon from initializing properly on systems where the number-silos setting had been increased above an earlier value.
- Disabled discovery of hosts from TASL and Stats Daemon events. This previously made it possible to discover a host that appeared in an event such as Nessus-Host_Scan_Start, but did not actually exist.
- When files are moved to the silo archive, LCE now ensures the proper permissions and ownership. Depending on how the silo archive was created, incorrect permissions previously could have caused an error when attempting to query the archive.
- Syntax errors in the rules.conf file will now produce errors in the application log. Previously, such errors could go undetected, causing unexpected behavior from event rules.