The following notes describe the changes that are included in Log Correlation Engine (LCE) version 5.0.2, significant enhancements to LCE, and information about upgrading. A PDF file of these release notes is also available here.
Caution: If you are upgrading to LCE 5.0, review the increased hardware requirements. LCE 5.0 requires a minimum of 2x your licensed storage space, 16GB of RAM, and a 64-bit, 8-core, 3GHz processor. However, your actual hardware requirements will vary based on the number of events your LCE server is processing. If the system running your current LCE is operating near or at maximum capacity, you should not upgrade to LCE 5.0 until you have ensured that the hardware requirements are met.
General Upgrade Notes
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- Before upgrading from LCE Server 4.x to 5.x, please review the updated hardware requirements in the Log Correlation Engine 5.0 User Guide.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 5.0 User Guide.
- Supported upgrade paths:
  - 4.6.x > 5.0.2
  - 4.8.x > 5.0.2
- LCE version 5.0.2 is compatible with SecurityCenter version 220.127.116.11 or later. Older versions of SecurityCenter will work with LCE 5.0.2 without issues, but will not support some new features.
- LCE version 5.0.2 is compatible with LCE Clients version 4.0.0 or later. Older LCE Clients will not be able to log in and send event data to LCE 5.0.2.
- Please contact Tenable Support at firstname.lastname@example.org if you have any questions about compatibility issues.
File Names & MD5 Checksums
- Improved install/upgrade robustness by checking more minimum requirements, ensuring group/user creation is successful in hardened environments, adding resilience to Elasticsearch failures, preventing OS VM fragmentation when Elasticsearch starts, and fixing Bash compatibility issues for users on older systems
- Added more resolution to disk space display in the Status UI
- Deprecated options from older installations are now hidden in the Configuration UI
- The normalized Sensor field is now available to TASL scripts
- Added more information to diagnostics files related to troubleshooting installation issues
- Improved visibility for username link selection and interaction for accessibility purposes
- Updated OpenSSL to 1.0.2l
- Fixed a resource leak in the TASL engine
- Fixed an issue where event searches could cause the Query service to consume too much CPU
- Fixed an issue where event searches with more than 1024 clauses would degrade Query performance
- Fixed an issue where, on RHEL 7 systems, LCE may not start automatically after reboot
- Fixed an issue where event searches by Asset could return more or fewer results than expected
- Fixed an issue where syslog forwarding via the Event Rules feature caused additional characters and an additional syslog header to be prepended to logs already containing a syslog header
- Fixed an issue where directional filters did not filter results as expected
- Fixed an issue that could cause corrupt sensor names in logs from LCE Agents
- Fixed an issue that could cause the engine to restart if an LCE Agent IP address changed via DHCP and other rare circumstances were met
- Fixed an issue that could cause the engine to restart if LCE internal events were created under certain circumstances
- Fixed an issue where the TASL event count function returned zero in some scripts
- Downgraded client IP changes from Alert severity to Debug severity to reduce Alert notifications in the LCE UI
- Fixed an issue where Data Sensors timestamp display dates would be significantly older than the correct date