Log Correlation Engine 6.0.0 Release Notes - 2019-04-30

New Features and Changed Functionality

Note: Users should anticipate needing up to 40% more disk space in LCE 6.0.0 than was required in LCE 5.x.
  • LCE now uses PostgreSQL as the backend datastore.
  • The datastore schema now includes several additional columns useful for troubleshooting and performance tuning, and a new vw__events view for easy ad-hoc SQL queries.
  • Eliminating external dependencies vastly simplifies the installation process.
  • Improved built-in I/O monitoring: the lced daemon periodically collects and traces device-level statistics for the block device that stores the activeDb.
  • The PostgreSQL maintenance commands required for optimal query performance have been collected into the /opt/lce/tools/optimize-datastore script. It is suggested that you run this script during off-peak (low-load) hours, preferably every day, for example triggered by a cron(1) job. The contained commands are very resource-intensive, so query performance could be degraded while optimize-datastore is running.
  • Performance of certain drilldown queries can be improved by running the /opt/lce/tools/cache-filter-pointers utility at the operator's discretion.
  • By default, to enhance LCE performance, Tenable Security Center repository-defining address ranges no longer filter Events Analysis query results in some limited circumstances. If you require the repository-defining address ranges to filter query results in all cases, please contact Technical Support for guidance on changing this default.

Bug Fixes

  • Sensor Summary query can return an empty string in the Sensor column.
  • Ignoring some legal values of the ssl-tls1p2-only configuration attribute.
  • No events generated by stats daemon.
  • An extra UTF8 BOM (byte-order mark) is prepended when forwarding syslog.
  • Windows and Linux LCE clients show Disconnected status intermittently.
  • Insecure transmission of WebUI credentials in the context of file upload.

Supported Platforms

  • Red Hat Enterprise Linux 5 64-bit / CentOS 5 64-bit
  • Red Hat Enterprise Linux 6 64-bit / CentOS 6 64-bit
  • Red Hat Enterprise Linux 7 64-bit / CentOS 7 64-bit

Upgrade Notes

Note: Before upgrading from 5.0.x to 6.0.x, first upgrade to 5.1.1 and migrate.

Note: Tenable Security Center Dashboards and Reports will not display results for data in LCE 5.x event silos until those LCE 5.x silos have been migrated to the LCE 6.x format.
  • Users should anticipate temporarily needing up to 120 GB more disk space while migrating LCE 5.x silos to LCE 6.x format.
  • If your upgrade path skips versions of LCE (e.g., upgrading from 5.0.0 to 5.1.1), Tenable recommends reviewing the release notes for all skipped versions. You may need to update your configurations because of features and functionality added in skipped versions.
  • Prior to beginning an event silo migration from LCE 5.x to LCE 6.0.0, users should ensure that there will be sufficient disk space, since a silo in the LCE 6.0.0 datastore (PostgreSQL) format will require more disk space than the same silo in the LCE 5.x datastore (Elasticsearch) format. Users should anticipate needing up to 40% more disk space for a silo migrated to LCE 6.0.0 from LCE 5.x.
  • To upgrade event silos from the LCE 5.x format, run the following command after the RPM upgrade:

    /opt/lce/tools/migrateDB-overseer --migrate-all [--clear-source-on-success]
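
As an added example (not from these release notes and not part of the LCE product), the following POSIX sh pre-flight check applies the sizing figures given above, up to 40% more space for a migrated silo plus up to 120 GB of temporary space, before migrateDB-overseer is run. The silo directory and PostgreSQL data directory are placeholder paths and must be adjusted to the local installation; the 120 GB figure is treated as 120 GiB, which is slightly larger and therefore conservative.

```shell
#!/bin/sh
# Added example: pre-flight disk-space check for an LCE 5.x -> 6.0.0 silo migration.
# Not part of Tenable's release notes or the LCE product.
# Placeholder paths (assumptions for this example); adjust to the local installation.
SILO_DIR="${SILO_DIR:-/opt/lce/db}"          # where the LCE 5.x silos live (placeholder)
PGDATA_DIR="${PGDATA_DIR:-/var/lib/pgsql}"   # filesystem that will hold the PostgreSQL datastore (placeholder)

# Sizing rule from the release notes: a migrated silo needs up to 40% more space
# than its 5.x form, plus up to 120 GB of temporary space while the migration runs.
# All figures are in KiB, the unit that df -Pk and du -sk report; 120 GB is rounded
# up to 120 GiB so the check stays conservative.
TEMP_KIB=$((120 * 1024 * 1024))

lce_required_kib() {
    # $1: total size of the 5.x silos in KiB; prints the KiB that must be free.
    echo $(( $1 * 14 / 10 + TEMP_KIB ))
}

lce_headroom_ok() {
    # $1: silo size in KiB, $2: free KiB on the datastore filesystem.
    # Exit status 0 when there is enough room, 1 otherwise.
    [ "$2" -ge "$(lce_required_kib "$1")" ]
}

# Measure the live system only when the installation paths actually exist, so the
# functions above can be sourced elsewhere without touching the filesystem.
if [ -d "$SILO_DIR" ] && [ -d "$PGDATA_DIR" ]; then
    silo_kib=$(du -sk "$SILO_DIR" | awk '{print $1}')
    free_kib=$(df -Pk "$PGDATA_DIR" | awk 'NR==2 {print $4}')
    if lce_headroom_ok "$silo_kib" "$free_kib"; then
        echo "OK: $free_kib KiB free, $(lce_required_kib "$silo_kib") KiB required"
    else
        echo "INSUFFICIENT: $free_kib KiB free, $(lce_required_kib "$silo_kib") KiB required" >&2
        exit 1
    fi
fi
```

Run it as root on the LCE host before invoking migrateDB-overseer; a non-zero exit means the migration would risk filling the datastore filesystem. The check deliberately uses the upper bounds from the notes, so a passing result leaves margin for the --clear-source-on-success option not being used.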