Log Correlation Engine 5.1.0 Release Notes - 8/28/2018

What's New

The following are the new improvements included in LCE 5.1.0:

  • Startup latency of the lced daemon has been reduced by over 60 seconds; this means less downtime in the event of LCE services restart.
  • Response latency and completion time of LCE initscripts have been reduced, so service lce <serviceName> commands will now be more responsive.
  • The stats daemon now saves an alert on startup, if the current LCE configuration precludes it from producing stats-type events.
  • The diagnostics tool diag now also collects:
    • Additional host and networking configuration which could have bearing on LCE installation and operation.
    • NFS-specific configuration (only if activeDb and/or archiveDb reside on NFS-mounted partitions).
    • An indication of whether the Linux kernel has FIPS mode enabled.
    • User-created and user-modified .prm plugins.
    • Creation times, in addition to modification times, of critical datastore and configuration files.
    • Roll-up summaries of connected clients, grouped by recent behavior and by assigned policy.
    • An extra list of client policy files, grouped by checksum and with any duplicate-content files clearly marked.
  • The install-logrotate-config utility, in /opt/lce/tools/, is new. It generates a specialized config stanza, leveraging logrotate(8) to manage disk space needed for LCE tracelogs.
  • The list-policies utility, in /opt/lce/tools/, is new. It lists on-disk policy files with basename parts color-coded for easier review, and also prints policy creation times.
  • The save-customizations utility, in /opt/lce/tools/, is new; it is intended for situations where backup of LCE configuration, rather than events data, is desired.
  • The harmonize-datastore utility, in /opt/lce/tools/es-helper-scripts/, has a new “dry-run” mode, enabling the operator to preview the steps to be taken before any change is made.
  • The list-clients utility, in /opt/lce/tools/, will now also report the agent software patchlevel. This utility now also accepts the --flat option, which omits the header and prints all the columns for each client on a single line; this is intended to ease post-processing.
  • To help troubleshoot unnormalized logs, the lced daemon offers a special mode, activated by setting the save-nonmatched config attribute. This mode has been re-implemented to provide a more representative sample with less performance overhead. The meaning of save-nonmatched has also changed: if it is set to N, lced prints approximately every Nth unnormalized log it encounters to its normal tracelog.

Resolved Items

  • Given certain syslog input combinations, the TASL correlation engine crashes frequently.
  • SQLite3 databases (lce_status.db, pm.db, lce_alerts.db), used to store operational state, can become effectively read-only under certain conditions, causing LCE daemons reliant on those databases to terminate abnormally.
  • Non-default client policy assignments are not permanent.
  • Under certain circumstances, Linux and Windows tail clients do not stay connected.
  • Timestamp of logs in SecurityCenter reports, when such a report is exported in CSV format, is zeroed.
  • Plugin update is skipped if the lce_wwwd daemon is restarted within 72 hours of initialization.
  • Under certain conditions, Windows clients enter an infinite re-authorization loop.
  • No more than 10,000 records returned by lce_queryd daemon even when -maxlimit query parameter specifies otherwise.
  • Excess tracelog messages emitted, and alerts saved, when a client disconnects.
  • Request to list archived snapshots periodically sent to Elasticsearch when archiving is not configured, resulting in spurious error messages.
  • Invalid SQL generated and submitted by lce_wwwd daemon, in response to certain user administration operations.
  • Clients not auto-authorized when auto-authorize-clients-time config attribute set.
  • If a policy is assigned to one or more clients while LCE Server is shut down, those clients may become de-authorized on startup of LCE Server.

File Names & MD5 Checksums

File                         MD5
lce-5.1.0-el5.x86_64.rpm     37dfa06460879294a05c01fc17b4e20d
lce-5.1.0-el6.x86_64.rpm     dd1d3bbc4ca69d0f8a1b896d34d91d73
lce-5.1.0-el7.x86_64.rpm     ff0ac95a07acaa3f764ab21d46a35d29
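The following is an added example, not part of Tenable's release notes, showing how to check a downloaded LCE 5.1.0 RPM against the MD5 values listed above before installing it. The file names and checksums are the ones published in the table; the download path passed to verify_lce_rpm is an assumption.

```shell
# Added example (not Tenable's code): verify an LCE 5.1.0 RPM against the
# MD5 published in the release notes. Requires md5sum and awk.

# lce_expected_md5 <basename>: prints the published MD5 for a listed release
# file; returns 1 for any file name not in the table above.
lce_expected_md5() {
  case "$1" in
    lce-5.1.0-el5.x86_64.rpm) echo 37dfa06460879294a05c01fc17b4e20d ;;
    lce-5.1.0-el6.x86_64.rpm) echo dd1d3bbc4ca69d0f8a1b896d34d91d73 ;;
    lce-5.1.0-el7.x86_64.rpm) echo ff0ac95a07acaa3f764ab21d46a35d29 ;;
    *) return 1 ;;
  esac
}

# verify_md5 <path> <expected-md5>: returns 0 on match, 1 on mismatch,
# 2 if the file cannot be read. Comparison is case-insensitive on the hex.
verify_md5() {
  path=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$path" ] || { echo "unreadable: $path" >&2; return 2; }
  actual=$(md5sum "$path" | awk '{print $1}')
  if [ "$actual" = "$expected" ]; then
    echo "OK       $path"
    return 0
  fi
  echo "MISMATCH $path (expected $expected, got $actual)" >&2
  return 1
}

# verify_lce_rpm <path>: looks up the expected MD5 by the file's basename
# and checks it; returns 3 if the name is not one of the listed packages.
verify_lce_rpm() {
  name=$(basename "$1")
  expected=$(lce_expected_md5 "$name") || {
    echo "not a listed LCE 5.1.0 file: $name" >&2
    return 3
  }
  verify_md5 "$1" "$expected"
}
```

An MD5 match only rules out a corrupted download; the package's GPG signature (rpm -K) is the check to rely on against tampering.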

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.