Log Correlation Engine 4.2.2 Release Notes - 12/9/2013
The following notes describe the changes included in Log Correlation Engine (LCE) version 4.2.2 and significant enhancements to LCE, and provide information about upgrading. A PDF file of these release notes is also available here.
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 4.2 Administration and User Guide.
- The LCE Server Virtual Machine Quick Start Guide explains how to initially configure the LCE server virtual machine.
- Lowering the number-silos setting can impact data storage. If this setting is lowered after data has been collected, LCE will archive or delete silos ranging outside of the specified maximum when rolling to silo 0. In order for data to be archived in this scenario, the silo archiving settings in lce.conf must be enabled.
- LCE version 4.2 is compatible with SecurityCenter version 126.96.36.199 or later. Older versions of SecurityCenter will work with LCE 4.2 without issues, but will not support many of the new features available in LCE 4.2. Please contact Tenable Support at email@example.com if you have any questions about compatibility issues.
Upgrading from LCE 4.0.x and below
- In order to enable LCE’s reporting features, the report proxy settings must be configured. This can be done by editing the “Discovery Options” section of lce.conf, or running the /opt/lce/tools/lce-post-install.sh script.
- In order for plugins and other updates to be retrieved, LCE 4.2 must first be activated using your provided activation code. This can be done by running the post-install script referenced above.
Upgrading from LCE 3.x
- Beginning with version 4.0 of the LCE Clients, their configuration files, now called "policies", must be managed centrally with the LCE Client Manager tool when the clients are connected to LCE Server 4.0 or later. Existing configuration files may be converted using the LCE Configuration File Converter tool, then imported and assigned with the LCE Client Manager. LCE Clients connected to an LCE Server 3.6 or earlier may continue to use the traditional configuration files.
- The LCE log archive feature has been removed. Existing logs may continue to be searched via the SecurityCenter's "Raw Log Search", but new logs will be searchable via SecurityCenter's "Events" analysis.
File Names & MD5 Checksums
This is a bug-fix release only.
- Fixed an issue where some queries could hang, impacting query performance
- Fixed an issue where the LCE Client Manager could not properly signal the LCE server process about changes to the LCE Client policies or authorizations
- Added intelligence to fix a partial database entry that could occur during an ungraceful shutdown or disk failure
- Fixed an issue that could cause a failed import of event vulnerabilities into SecurityCenter
- Fixed an issue that could cause invalid data to be used in an LCE alert generated from using the sensor, event1, event2, type, or user macros in rules.conf
- Fixed an issue where the query service would fail to query a portion of the database with a missing index
- Fixed an issue where the query service would fail to return data if multiple filters for the same indexed attribute were specified but one corresponding value did not exist
- Fixed an issue with the statistics engine that could cause it to stop sending events occasionally on a 64-bit host
- Fixed an issue that could cause false client entries to be listed if the LCE server host was scanned
- Added the lsof package as a dependency
- Fixed an issue where the LCE Report Proxy service did not bind to all listed interfaces in lce.conf
- Fixed a memory consumption issue when reloading discovery plugins
- Fixed an issue where the plugin account activation script could fail to parse the response
- Increased the frequency of threatlist downloads