
Log Correlation Engine 3.4.0 Release Notes

The following notes describe many of the changes that are included in Log Correlation Engine (LCE) version 3.4.0, including significant enhancements that have been made, as well as notes for upgrading. A PDF file of these release notes is also available here.

Upgrade Notes

  • As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
  • LCE version 3.4.0 is compatible with Security Center version 3.4.4 or later. Older versions of Security Center will work with LCE 3.4 without issues, but will not support many of the new features. Please contact Tenable Support at support@tenablesecurity.com if you have any questions about compatibility issues.
  • To assist with the upgrade process, Tenable has designed and tested all version 3.0.x clients and above to be compatible with all LCE version 3.0.x servers and above. This design allows you to choose the order and manner the components are to be upgraded within your environment.
  • Detailed instructions and notes on upgrading are located in the Log Correlation Engine 3.4 Administration and User Guide.

Application Notes

LCE Server Related

  • IDS Correlation: LCE 3.4 is now capable of managing IDS events from various sources. This functionality is based on what is currently available in Security Center 3.x. LCE can accept events from IDS devices via Syslog and/or SNMP traps. To differentiate between IDS events and ordinary logs in Security Center queries, a new "event2" field has been added to the LCE database schema. An incoming IDS event will be processed by the LCE plugins, as would happen with ordinary log events. The only difference is that for IDS events, the event2 field will be automatically set to the IDS event signature that was determined from the raw IDS event message unless the matching PRM specifies an overriding event2 value. Unless specified in the PRM, ordinary log events will have an event2 value of "none". Secondary events (event2 values) are summarized through the -lcesplash -splashevent2s showids tool. For example, if the following event is received from a Snort sensor:
    <158>snort[19997]: [1:8428:9] WEB-MISC SSLv2 openssl get shared ciphers overflow attempt 
    [Classification: Attempted Administrator Privilege Gain]
    [Priority: 1]: {TCP} 172.21.8.117:49523 -> 172.20.100.6:443
    
    a single database entry will be recorded. The "Summary by Event" tool will show a "Snort-TCP_Attempted_Administrator_Privilege_Gain" event, which is the normalized event name specified by the matching PRM.

  • Log importer: LCE now has the capability to import log data. The typical use case would be where historical logs exist from previous months or years. Another use case would be "semi-real time" where logs need to be batch imported into the LCE.

  • Assigning Syslog Sensor Names: There is a new configuration option to assign sensor names to syslog sources in the lce.conf file:
    # For logs received via syslog, a sensor name can be assigned to each IP
    # address sending data to LCE. This sensor name will be associated with
    # all logs from the designated source, regardless of whether or not another
    # sensor name is extracted from the log text.
    syslog-sensors-file /opt/lce/admin/syslog_sensors.txt
    
    The file syslog_sensors.txt then lists IP addresses and their names such as:
    192.168.20.100 CiscoPIX Corporate FW#1
    192.168.20.120 CiscoPIX Corporate FW#2
    192.168.20.130 CiscoPIX Corporate FW#3
    
  • Event Alerting: LCE 3.4 has the ability to send alerts based on rules, defined in /opt/lce/daemons/rules.conf, which detail how the LCE can:
    • send emails to one or more users
    • send Syslog data to one or more servers
    • run a user-defined command

    The rules also have the ability to define filters and be rate limited. Tools provided include:
    1. The msmtp SMTP client located in the /opt/lce/tools/ directory, along with a Tenable-produced default configuration file named msmtp.conf.
    2. A syslog tool is provided as the /opt/lce/tools/send_syslog executable. It has the following usage:
      send_syslog (server address 1) [...] [server address N] -message "(message)" [-priority #]
      
    For example, the following command will send the specified message to two servers with syslog priority 72:
    # /opt/lce/tools/send_syslog 127.0.0.1 10.0.0.4 -message "Hello World" -priority 72
    
    Note: the default priority is 36.

  • LCE Client Activity Logging: LCE Client activity logging is now supported with a new configuration option in the lce.conf file as follows:
    # When the following line is uncommented, client activity will be logged
    # to the LCE database. This includes connect, disconnect, and failed login
    # events.
    log-client-activity
    
  • Proxy Support: Proxy support is now available for plugin updates. The new configuration options appear as follows in the lce.conf file:
    # The following options configure both the automatic and manual update
    # processes to use a web proxy server when downloading files from Tenable.
    # When these values are commented out, proxy use is disabled.
    # proxy-address 192.168.10.10
    # proxy-user username
    # proxy-password password
    
  • Showids: The current showids IP filters apply to both the source and destination address of each log. LCE now has the ability to filter by source and destination address separately. showids now supports -mipfile, -sipfile, -dipfile, +port, +sport, and +dport arguments.

  • User Tracking: Users are now tracked by up to three different IP addresses. The user-ip-change event now indicates when a user is localized at a new IP address.

  • Plugin Test Mode: A test mode is now available for LCE PRM and TASL scripts. It attempts to load all of the PRMs and all of the TASLs to verify that the plugins do not have any errors or compilation issues.
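
The IDS correlation and syslog sensor name items above describe how an incoming Snort alert becomes one database entry with a normalized event name, an event2 value and a sensor name taken from syslog_sensors.txt. The following is an added illustration of that flow, not LCE's own code: the parsing rule, the assumption that event2 holds the signature text, and the sensor file contents are constructed for the example (the Snort message is the one from the notes joined onto a single line).

```python
import re

# Constructed inputs modelled on the release notes (not LCE data). The Snort
# message is the notes' example joined onto a single line.
SYSLOG_SENSORS = """\
192.168.20.100 CiscoPIX Corporate FW#1
192.168.20.120 CiscoPIX Corporate FW#2
"""
RAW_SNORT = ("<158>snort[19997]: [1:8428:9] WEB-MISC SSLv2 openssl get shared ciphers "
             "overflow attempt [Classification: Attempted Administrator Privilege Gain] "
             "[Priority: 1]: {TCP} 172.21.8.117:49523 -> 172.20.100.6:443")

# Hypothetical pattern standing in for the matching PRM: PRI, process, generator:sid:rev,
# signature text, classification, priority, protocol, source and destination.
SNORT_RE = re.compile(
    r"^<(?P<pri>\d+)>snort\[\d+\]: \[(?P<sid>\d+:\d+:\d+)\] (?P<sig>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def load_syslog_sensors(text):
    """Parse a syslog_sensors.txt body: IP, then a sensor name that may contain spaces."""
    sensors = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            sensors[parts[0]] = parts[1]
    return sensors


def normalize(raw, sender_ip, sensors):
    """Build the database entry: a Snort alert gets a normalized event name and an
    event2 holding the signature text (assumed); an ordinary log gets event2 'none'."""
    entry = {"sensor": sensors.get(sender_ip, sender_ip), "event2": "none", "raw": raw}
    m = SNORT_RE.match(raw)
    if not m:
        return entry
    cls = m.group("cls").replace(" ", "_")
    entry.update({
        "event": f"Snort-{m.group('proto')}_{cls}",  # Snort-TCP_Attempted_Administrator_Privilege_Gain
        "event2": m.group("sig"),
        "sid": m.group("sid"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "priority": int(m.group("prio")),
    })
    return entry
```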

LCE Client Related

  • Note: A recent Microsoft update, Microsoft .NET Framework 2.0 Service Pack 2 Security Update for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2 for x64-based Systems - KB974470, has been found to cause the Windows 2008/Vista LCE client service to stop running. Attempts to restart the service manually do not work. This issue affects systems immediately after the Service Pack update and does not affect LCE client installations that occur after the Microsoft patch. A custom reinstall (detailed below) is required to resolve this issue:
    • Uninstall the LCE Client: At the command prompt, execute "lce_client.exe /uninstall". Then use "Add/Remove Programs" to uninstall the LCE Client. The uninstall process will finish despite the service warnings.
    • Install the LCE Client again normally.

  • MD5 File Monitoring: LCE clients have new options available in the lce_client.conf file to monitor file changes. When a specified file is modified, an alert log indicating the change is sent to Security Center. The determination is made by periodically computing file MD5 checksums and comparing each to the previous result. Options include:
    • Specification of a single file for monitoring
    • Specification of files containing a certain extension in a directory for monitoring
    • Frequency for re-computing the MD5 checksums
    • Monitoring of the lce_client.conf file to determine if a configuration change has occurred
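
The MD5 file monitoring item describes a polling loop: checksum each monitored file, compare against the previous result and raise an alert on change. The following is an added example of that logic, not the LCE Client's code; the option names, the directory layout and the configuration lines are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """Checksum a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def monitored_paths(single_files, directory=None, extension=None):
    """Options from the notes: explicit files plus every file in a directory with an extension."""
    paths = list(single_files)
    if directory and extension:
        for name in sorted(os.listdir(directory)):
            if name.endswith(extension):
                paths.append(os.path.join(directory, name))
    return paths

def check_once(paths, previous):
    """One polling pass. previous=None records the baseline silently; afterwards
    return (alerts, state) where alerts names files whose MD5 changed or vanished."""
    alerts, state = [], {}
    for p in paths:
        try:
            state[p] = md5_of(p)
        except FileNotFoundError:
            alerts.append(f"file removed: {p}")
            continue
        if previous is not None and previous.get(p) != state[p]:
            alerts.append(f"file changed: {p}")
    return alerts, state

def demo():
    """Constructed scenario: baseline a config file and a .log directory, then modify the config."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "lce_client.conf")
        with open(conf, "w") as f:
            f.write("server-host 10.0.0.1\n")  # constructed config line
        with open(os.path.join(d, "app.log"), "w") as f:
            f.write("started\n")
        paths = monitored_paths([conf], d, ".log")
        _, state = check_once(paths, None)  # baseline pass, no alerts
        with open(conf, "a") as f:
            f.write("log-directory /var/log\n")  # simulated configuration change
        alerts, _ = check_once(paths, state)  # a real client repeats this at the configured frequency
        return alerts
```

MD5 is used here because that is what the client computes; it reliably flags modification but is not collision resistant, so treat an alert as a change signal rather than a proof of file integrity.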

Copyright 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.