Log Correlation Engine 4.4.0 Release Notes - 8/12/2014
The following notes describe the changes that are included in Log Correlation Engine (LCE) version 4.4.0, significant enhancements to LCE, and information about upgrading. A PDF file of these release notes is also available here.
General Upgrade Notes
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 4.4 Administration and User Guide.
- Upgrading to LCE version 4.4.0 from LCE version 3.x or earlier is not supported. An intermediate upgrade to LCE 4.2.2 must be performed before upgrading to LCE 4.4.0.
- After upgrading to LCE version 4.4.0, the text-based configuration files (e.g., lce.conf) will be migrated to a database and are no longer used.
- LCE version 4.4.0 is compatible with SecurityCenter version 18.104.22.168 or later. Older versions of SecurityCenter will work with LCE 4.4.0 without issues, but will not support some new features.
- LCE version 4.4.0 is compatible with LCE Clients version 4.0.0 or later. Older LCE Clients will not be able to log in and send event data to LCE 4.4.0.
- Prior to upgrading or deploying LCE 4.4.0 with High Availability, please contact Tenable Support at firstname.lastname@example.org.
- Please contact Tenable Support at email@example.com if you have any questions about compatibility issues.
File Names & MD5 Checksums
- New User Interface - a new HTML5 web-based interface similar to Nessus may now be used to configure and administer LCE.
- Streamlined Installation - to configure and set up LCE for the first time, direct your browser to https://<IP or hostname of LCE server>:8836 and follow the quick-setup instructions.
- New Syslog Forwarding - LCE can now forward events in CEF (Common Event Format) from the log engine or forward specific events in CEF using the Event Rules configuration section.
- Enhanced Sensor Reporting - the web-based interface allows users to quickly see the total number of logs sent and last timestamp for all known syslog and LCE Client data sensors.
- Automatic Client Authorization and Policy Assignment - client rules can now be set to automatically authorize and assign client policies given a client network range.
- Increased the number of unique normalized events, detailed events, and sensors that LCE is capable of storing.
- Lowered the write operations/second of the log engine with enhanced batched normalized database writes.
- Added an override to use the network source address for all LCE Clients as the normalized source address in lieu of the reported LCE Client private address.
- Added the ability to delete a client policy using the lce_client_manager tool.
- Patched LCE Report Proxy for CVE-2013-2566. This patch was also released separately as a hotfix for LCE version 4.2.2.
- Fixed an issue where the LCE server would not shut down if the installation directory file system or database directory file system had insufficient space.
- Fixed several issues where unnormalized events or internally generated events for load balancing, clients, and host discovery normalized the incorrect source or destination IP address.
- Fixed an issue where invalid input to the lce_client_manager could cause an LCE Client to be assigned to an LCE Server of 0.0.0.0:0.
- Fixed an issue parsing IDS events from a Snort sensor if the Snort sensor hostname contained a particular string.
- Fixed an issue where duplicate clients could be listed by the lce_client_manager tool.
- Fixed an issue where compound text queries for "verbose" returned incorrect results.
- Fixed an issue where queries for an event with "syslog" in the query returned incorrect results.
- Fixed an issue where specific IP ranges in a SecurityCenter repository could cause some IPs to be omitted from LCE event results.
- Fixed an issue where negative query filters on the port attribute returned incorrect results.
- Fixed an issue where a TASL could stop the LCE engine if it exhausted its allowed memory footprint.
- Fixed an issue where specific IDS processing may not occur if the IDS configuration between the Primary LCE and Auxiliary LCE did not match.