The following notes describe the changes that are included in Log Correlation Engine (LCE) version 4.8.1, significant enhancements to LCE, and information about upgrading. A PDF file of these release notes is also available here.
General Upgrade Notes
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 4.8 User Guide.
- Supported upgrade paths:
  - 4.6.0 > 4.8.1
  - 4.8.0 > 4.8.1
- LCE version 4.8.1 is compatible with SecurityCenter version 188.8.131.52 or later. Older versions of SecurityCenter will work with LCE 4.8 without issues, but will not support some new features.
- LCE version 4.8.1 is compatible with LCE Clients version 4.0.0 or later. Older LCE Clients will not be able to log in and send event data to LCE 4.8.1.
- Please contact Tenable Support at email@example.com if you have any questions about compatibility issues.
File Names & MD5 Checksums
New Features and Improvements:
- Added support for Google Pub-Sub endpoints in the LCE Web Query 4.8.0 agent
- Speed up upgrades by correcting ownership only for database files and folders not already owned by LCE
- Enable extraction of usernames from plugins normalizing logs of type "login-failure"
- Reduce TASL script log file size by de-duplicating similar and adjacent admin log messages
- Log license updates in the web server log file whenever plugins are updated
- Upgrade OpenSSL to 1.0.2h
- Upgrade libpcre to 8.39
- Upgrade libxml2 to 2.9.4
- Upgrade libcURL to 7.50.1
- Upgrade jQuery Core to 2.2.4
- Fixed a performance issue related to connecting thousands of agents to a single LCE server
- Fixed an issue with rebuilding raw logs within the TASL engine, which could result in incorrect tokens in rebuilt logs being passed to TASL scripts
- Fixed an issue with blank lines being sent between logs to the 2nd-to-Nth TCP syslog forward targets
- Fixed an issue where a large user database could result in a server reboot at startup
- Fixed an issue displaying IP addresses in little-endian byte order in the Connection Summary in SecurityCenter
- Fixed an issue where included networks were interpreted incorrectly for some TASLs, resulting in incorrect directionality calculations
- Fixed an issue where the text indexer would re-index from the first silo rather than the state persisted to disk on shutdown
- Fixed an issue where a PRM plugin with a dynamically determined event field could restart the engine
- Fixed resource leaks in the TASL engine when reloading plugins