Log Correlation Engine 4.4.0 Release Notes - 8/12/2014

The following notes describe the changes that are included in Log Correlation Engine (LCE) version 4.4.0, significant enhancements to LCE, and information about upgrading. A PDF file of these release notes is also available here.

General Upgrade Notes

  • As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
  • Detailed instructions and notes on upgrading are located in the Log Correlation Engine 4.4 Administration and User Guide.
  • Upgrading to LCE version 4.4.0 from LCE version 3.x or earlier is not supported. An intermediate upgrade to LCE 4.2.2 must be performed before upgrading to LCE 4.4.0.
  • After upgrading to LCE version 4.4.0, the text-based configuration files (e.g., lce.conf) will be migrated to a database and are no longer used.

Compatibility Notes

  • LCE version 4.4.0 is compatible with SecurityCenter version or later. Older versions of SecurityCenter will work with LCE 4.4.0 without issues, but will not support some new features.
  • LCE version 4.4.0 is compatible with LCE Clients version 4.0.0 or later. Older LCE Clients will not be able to log in and send event data to LCE 4.4.0.
  • Prior to upgrading or deploying LCE 4.4.0 with High Availability, please contact Tenable Support at
  • Please contact Tenable Support at if you have any questions about compatibility issues.

File Names & MD5 Checksums

File                        MD5
lce-4.4.0-el5.x86_64.rpm    f36aeb548a21f16f1621893fe805acad
lce-4.4.0-el6.x86_64.rpm    73f8a5a5ffd6dc1cc799b3ffa24ce556

Application Notes

New Features

  • New User Interface - a new HTML5 web-based interface similar to Nessus may now be used to configure and administer LCE.
  • Streamlined Installation - to configure and set up LCE for the first time, direct your browser to https://<IP or hostname of LCE server>:8836 and follow the quick-setup instructions.
  • New Syslog Forwarding - LCE can now forward events in CEF (Common Event Format) from the log engine or forward specific events in CEF using the Event Rules configuration section.
  • Enhanced Sensor Reporting - the web-based interface allows users to quickly see the total number of logs sent and last timestamp for all known syslog and LCE Client data sensors.
  • Automatic Client Authorization and Policy Assignment - client rules can now be set to automatically authorize and assign client policies given a client network range.


  • Increased the number of unique normalized events, detailed events, and sensors that LCE is capable of storing.
  • Lowered the write operations/second of the log engine with enhanced batched normalized database writes.
  • Added an override to use the network source address for all LCE Clients as the normalized source address in lieu of the reported LCE Client private address.
  • Added the ability to delete a client policy using the lce_client_manager tool.

Issues Addressed

  • Patched LCE Report Proxy for CVE-2013-2566. This patch was also released separately as a hotfix for LCE version 4.2.2.
  • Fixed an issue where the LCE server would not shut down if the installation directory file system or database directory file system had insufficient space.
  • Fixed several issues where unnormalized events or internally generated events for load balancing, clients, and host discovery normalized the incorrect source or destination IP address.
  • Fixed an issue where invalid input to the lce_client_manager could cause an LCE Client to be assigned to an LCE Server of
  • Fixed an issue parsing IDS events from a Snort sensor if the Snort sensor hostname contained a particular string.
  • Fixed an issue where duplicate clients could be listed by the lce_client_manager tool.
  • Fixed an issue where compound text queries for "verbose" returned incorrect results.
  • Fixed an issue where queries for an event with "syslog" in the query returned incorrect results.
  • Fixed an issue where specific IP ranges in a SecurityCenter repository could cause some IPs to be omitted from LCE event results.
  • Fixed an issue where negative query filters on the port attribute returned incorrect results.
  • Fixed an issue where a TASL could stop the LCE engine if it exhausted its allowed memory footprint.
  • Fixed an issue where specific IDS processing may not occur if the IDS configuration between the Primary LCE and Auxiliary LCE did not match.
