Log Correlation Engine 3.2.0 Release Notes
The following notes describe many of the changes that are included in Log Correlation Engine (LCE) version 3.2.0, including significant enhancements that have been made, as well as notes for upgrading. A PDF file of these release notes is also available here.
Note: Additional 3.2 clients will be released separately.
- As with any application, it is always wise to perform a backup of your LCE installation before upgrading.
- LCE version 3.2.0 is compatible with Security Center version 3.4.0 or greater. The 3.4.4 version of the Security Center will work with LCE 3.0 without issues but does not support many of the new features. Support for the new LCE 3.2 features is available in Security Center 3.4.4 or greater. Please contact Tenable Support at email@example.com if you have any questions regarding this.
- To assist with the upgrade process, Tenable has designed and tested all of the version 2.0.x clients and above to be compatible with all of the LCE version 2.0.x servers and above. Because of this, you may choose in what order and manner the components are to be upgraded within your environment.
Thunder to LCE Upgrade Related
- For upgrades from Thunder 2.0.3 to LCE 3.x, configuration files, data files and log files from your previous installation of LCE will be left in their original locations. All other files will be removed as part of the upgrade process. The configuration and log files are not used by the upgraded application, but are left for the administrator to be used as reference.
- While the upgrade process updates the data files (silos), it does not move them to the new /opt/lce/ directory structure. You may choose to do this after you have verified that the upgrade process was successful, but it is not required. If you plan to move the LCE data files, please reference the documentation regarding the database-directory directive of the /opt/lce/daemons/lce.conf file.
- Previous versions of LCE (2.x) installed to the /usr/thunder/ directory by default. Beginning with version 3.0.0, LCE installs to the /opt/lce/ directory by default. All related file names, services and file text that previously contained "thunder" now accurately reflect "lce".
- Please note that for upgrades from Thunder 2.0.3 or earlier, as part of the upgrade process, existing data files will be modified. As the nature of LCE is to collect and retain large amounts of data, Tenable cannot create backups of the existing data files as part of the upgrade process since this would run the risk of exhausting available disk storage. Please be sure to backup your LCE installation, including data files, prior to performing the upgrade process.
- Detailed instructions and notes on upgrading are located in the Upgrading from LCE 2.x section of the Log Correlation Engine 3.2 Administration and User Guide. Please be sure to review this entire section of the documentation before upgrading.
LCE Server Related
- Users now have the Security Center option under "Events" -> "Search Raw Logs" to view historical LCE data across multiple LCEs. Because of the potential for large amounts of LCE data, raw logs are stored compressed on the LCE servers and on the Security Center. This feature requires configuring two options in /opt/lce/daemons/lce.conf: "enable-log-archiving" and "archive-directory". Data collected through "enable-log-archiving" is stored in the directory specified by "archive-directory".
- The TASL engine now performs extensive logging of syntax errors as well as runtime exception conditions. The log file is named tasl_scripts.log, and is stored in the LCE log directory (by default: /opt/lce/admin/log/).
The following new option has been added to lce.conf to accommodate clearing this log:
# In addition to the performance report, the TASL processor logs
# detailed technical information related to scripts such as syntax and
# runtime errors. This data is written to a file called
# tasl_scripts.log in the log directory. Since errors in scripts cause
# log entries to be generated each time they are encountered, this log
# can potentially grow large. When set to yes, the following option
# causes the log file to be reset each time the scripts are
# automatically updated. As a result, all log messages will be relevant
# to the currently installed scripts after an update.
clear-tasl-log-on-update yes
- The LCE log archive module maintains usage statistics that are available through the Security Center console under "Events" -> "LCE Archive Status" for users that have enabled "enable-log-archiving" for compressed raw log storage.
- User access is configurable on a "per-LCE" basis for raw log data stored using the "enable-log-archiving" function. Configure this option using the Security Center console through "Users" -> "Manage LCE Access".
- Log archives stored using the "enable-log-archiving" function may be searched from the LCE command-line using the "search_logs" command. The command-line format for a search is:
# /opt/lce/search_logs [max results] [start date] [end date] [boolean expression]
- Multiple compressed "enable-log-archiving" logs may be rebuilt into a single text file using a new command-line option "rebuild_logs". The usage of the tool is:
# /opt/lce/rebuild_logs [full path to target subdirectory]
For example, the following command will create a file with the logs that were compressed under the target directory:
# /opt/lce/rebuild_logs /opt/lce/log_archive/2009-02-06/1/ &> feb02-2006-1.txt
LCE Client Related
- A Splunk Agent is now available to receive log data from multiple Splunk sources and forward log data on to the LCE server. When configuring the external Splunk server, it is necessary to set sendCookedData=false in outputs.conf.
- TNM TCPDump filters (BPF) are now configurable in tnm.conf using the following expression types:
# filter-expression "tcp or icmp or udp port 514";
These filters determine the data to be processed by the LCE Network Monitor.
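The filter string above uses tcpdump/libpcap (BPF) syntax, and the way that syntax groups operators decides what the Network Monitor sees. The following added Python example is not LCE or libpcap code; it models a small subset of pcap-filter syntax (tcp/udp/icmp, "port N", and/or/not, parentheses) with the precedence rule from the pcap-filter manual page, where "not" binds tightest and "and"/"or" have equal precedence and associate left to right, and applies it to a constructed packet sample. The Packet class and the SAMPLE list are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet summary: only the fields this filter subset inspects."""
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # 0 for protocols without ports (icmp)
    dport: int = 0


PROTOS = ("tcp", "udp", "icmp")
TOKEN_RE = re.compile(r"\(|\)|\w+")


def tokenize(expr):
    return TOKEN_RE.findall(expr)


class FilterParser:
    """Parse a subset of pcap-filter syntax into a tuple tree.

    Precedence follows pcap-filter(7): 'not' binds tightest; 'and' and 'or'
    have equal precedence and associate left to right, so
    "tcp or icmp and port 514" means "(tcp or icmp) and port 514".
    """

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return tok

    def parse(self):
        tree = self.parse_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return tree

    def parse_expr(self):
        left = self.parse_unary()
        while self.peek() in ("and", "or"):
            op = self.take()
            left = (op, left, self.parse_unary())   # left-associative
        return left

    def parse_unary(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_unary())
        if self.peek() == "(":
            self.take()
            inner = self.parse_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.take()
        proto, port = None, None
        if tok in PROTOS:
            proto = tok
            if self.peek() == "port":       # e.g. "udp port 514"
                self.take()
                port = int(self.take())
        elif tok == "port":                 # bare "port 514": any protocol
            port = int(self.take())
        else:
            raise ValueError(f"unsupported primitive {tok!r}")
        return ("prim", proto, port)


def matches(tree, pkt):
    kind = tree[0]
    if kind == "prim":
        _, proto, port = tree
        if proto is not None and pkt.proto != proto:
            return False
        if port is not None:
            # "port N" matches either endpoint; icmp carries no ports
            if pkt.proto == "icmp" or port not in (pkt.sport, pkt.dport):
                return False
        return True
    if kind == "not":
        return not matches(tree[1], pkt)
    left, right = matches(tree[1], pkt), matches(tree[2], pkt)
    return (left and right) if kind == "and" else (left or right)


def apply_filter(expr, packets):
    """Return the packets the monitor would process under this filter."""
    tree = FilterParser(expr).parse()
    return [p for p in packets if matches(tree, p)]


# Constructed traffic sample (not captured data).
SAMPLE = [
    Packet("tcp", 51000, 80),
    Packet("icmp"),
    Packet("udp", 40000, 514),   # syslog
    Packet("udp", 40001, 53),    # dns
]

if __name__ == "__main__":
    for expr in ("tcp or icmp or udp port 514", "tcp or icmp and port 514"):
        print(expr, "->", [p.proto for p in apply_filter(expr, SAMPLE)])
```

Against the sample, the page's own expression keeps all TCP, all ICMP and only UDP involving port 514, while "tcp or icmp and port 514" keeps nothing, because the "and" applies to the whole left-hand alternation. When tightening a tnm.conf filter, parenthesise the intended grouping explicitly rather than relying on precedence.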
- LCE Unix clients on Red Hat, Mac OS X, FreeBSD, Solaris, Ubuntu and AIX systems may now monitor process binary accounting data via the "accounting-file" option in lce_client.conf. An example entry is shown below:
# In addition to plain text files, the LCE client is capable of
# monitoring process accounting data. The accounting-file keyword
# is used to specify each file that has been configured to store
# this data on the host. The binary entry for each executed
# command is converted to an English log and sent to the LCE
# server.
accounting-file /var/account/pact
In addition to standard process accounting, the Solaris client has the ability to monitor data collected by the Basic Security Module (BSM) and send equivalent logs back to the LCE server.
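To show what "binary entry converted to an English log" involves, the following added Python example (not the LCE client's own code) decodes records in the Linux acct_v3 layout from linux/acct.h, the format written by process accounting on Red Hat systems, and renders each one as a text log line. It assumes a little-endian host (the kernel writes records in host byte order), uses a log line format invented for this example rather than the LCE client's actual output, and builds its sample records in memory instead of reading /var/account/pact. It also demonstrates one check a monitoring team usually wants from this data: listing records whose ASU flag shows the process used superuser privileges.

```python
import struct
import time
from dataclasses import dataclass

# Linux acct_v3 layout from linux/acct.h (64 bytes). Assumption for this
# example: little-endian host; the kernel writes records in host byte order.
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
ACCT_VERSION = 3

# ac_flag bits (linux/acct.h)
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10
FLAG_NAMES = {AFORK: "fork-no-exec", ASU: "superuser",
              ACORE: "core-dumped", AXSIG: "killed-by-signal"}


def decode_comp(c):
    """comp_t: 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def encode_comp(value):
    """Inverse of decode_comp, used only to build sample records."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


@dataclass
class AcctRecord:
    comm: str
    flag: int
    tty: int
    exitcode: int
    uid: int
    gid: int
    pid: int
    ppid: int
    btime: int      # process start, seconds since the epoch
    etime: float    # elapsed time in clock ticks
    utime: int      # user CPU ticks
    stime: int      # system CPU ticks


def build_record(comm, uid, gid, pid, ppid, btime, flag=0, exitcode=0,
                 utime_ticks=0, stime_ticks=0, etime_ticks=0.0, tty=0):
    """Pack one constructed acct_v3 record (sample data for this example)."""
    return ACCT_V3.pack(flag, ACCT_VERSION, tty, exitcode, uid, gid, pid, ppid,
                        btime, etime_ticks, encode_comp(utime_ticks),
                        encode_comp(stime_ticks), 0, 0, 0, 0, 0, 0,
                        comm.encode("ascii")[:15])


def parse_records(data):
    """Decode a byte string of consecutive acct_v3 records."""
    if len(data) % ACCT_V3.size:
        raise ValueError("truncated accounting file")
    records = []
    for off in range(0, len(data), ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        if f[1] != ACCT_VERSION:
            raise ValueError(f"unsupported acct version {f[1]} at offset {off}")
        records.append(AcctRecord(
            comm=f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            flag=f[0], tty=f[2], exitcode=f[3], uid=f[4], gid=f[5],
            pid=f[6], ppid=f[7], btime=f[8], etime=f[9],
            utime=decode_comp(f[10]), stime=decode_comp(f[11])))
    return records


def record_to_log(rec, host="client-host"):
    """Render one record as a text log line (format invented for this example)."""
    flags = ",".join(n for bit, n in FLAG_NAMES.items() if rec.flag & bit) or "none"
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(rec.btime))
    status = (rec.exitcode >> 8) & 0xFF     # ac_exitcode is a wait status
    signal = rec.exitcode & 0x7F
    return (f"{host} acct: cmd={rec.comm} uid={rec.uid} gid={rec.gid} "
            f"pid={rec.pid} ppid={rec.ppid} tty={rec.tty} start={started} "
            f"elapsed={rec.etime:.0f}ticks user={rec.utime}ticks "
            f"sys={rec.stime}ticks exit={status} signal={signal} flags={flags}")


def privileged_records(records):
    """Records whose process used superuser privileges (ASU set)."""
    return [r for r in records if r.flag & ASU]


if __name__ == "__main__":
    sample = (build_record("ls", 1000, 1000, 4242, 4000, 1234567890, utime_ticks=3)
              + build_record("passwd", 1000, 1000, 4243, 4000, 1234567900, flag=ASU))
    for rec in parse_records(sample):
        print(record_to_log(rec))
```

Records whose version byte is not 3 are rejected rather than silently misparsed, since a host running an older accounting format would otherwise yield garbage field values; in practice the file is read from the path given by accounting-file and fed to parse_records in chunks of ACCT_V3.size bytes.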