Log Correlation Engine 3.6.1 Release Notes
The following notes describe the changes included in Log Correlation Engine (LCE) version 3.6.1, significant enhancements to the LCE, and information about upgrading. A PDF file of these release notes is also available here.
- As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
- LCE version 3.6.1 is compatible with SecurityCenter version 3.4.5 or later. Older versions of SecurityCenter may work with LCE 3.6 without issues, but will not support many of the new features. Please contact Tenable Support at email@example.com if you have any questions about compatibility issues.
- Detailed instructions and notes on upgrading are located in the Log Correlation Engine 3.6 Administration and User Guide.
File Names & MD5 Checksums
- TASL scripts are now included with LCE by default. Previously they had to be downloaded manually from the Tenable Support Portal after installation.
- Ability to disable TASL scripts individually.
- Hourly statistical data related to logging performance is available as LCE events. This includes:
  - Logs/bytes per second
  - Number/percentage of logs matched/unmatched
  - Number of events correlating with vulnerabilities
  - Number/percentage of logs from clients, syslog, and IDS
  - Number of TASL alerts generated
- Threatlist detection plugins now download as daily updates to the LCE.
- Managed Ranges are now determined from the "include/exclude-network" ranges defined in the LCE configuration file instead of CustomerRanges.ip. Please make sure this range matches the IP addresses that are considered "internal" from an event perspective. Starting with LCE 3.6.1, this range is used by a number of TASL scripts and the Stats daemon to define the inbound/outbound/internal direction of LCE events. Prior to 3.6.1, these ranges were used solely by the Stats daemon. This is different from the "Directions" filter on the SecurityCenter 4.2 events page, which uses the logged-in user's managed ranges to determine event direction.
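The direction classification described above (inbound/outbound/internal, derived from the source and destination addresses of an event against a set of include/exclude networks) is illustrated below. This is an added example, not LCE or TASL code, and it does not read the LCE configuration file: the include and exclude networks are constructed CIDR lists passed in directly, and the rule that an "exclude" network overrides an overlapping "include" network is an assumption made for this example. It also adds a fourth "external" bucket for events where neither side is internal, since such events would otherwise be silently misclassified, and it includes a small tally helper of the kind the Stats daemon's hourly summaries imply.

```python
import ipaddress
from collections import Counter

# Constructed configuration (assumption: not LCE's real config syntax).
INCLUDE_NETWORKS = ["10.0.0.0/8", "192.168.1.0/24"]
EXCLUDE_NETWORKS = ["10.99.0.0/16"]  # e.g. a guest VLAN carved out of 10/8


def build_managed_ranges(include, exclude):
    """Parse CIDR strings into network objects. strict=False tolerates
    host bits being set (e.g. '192.168.1.7/24'), as operators often write."""
    inc = [ipaddress.ip_network(n, strict=False) for n in include]
    exc = [ipaddress.ip_network(n, strict=False) for n in exclude]
    return inc, exc


def is_internal(ip, managed):
    """An address is internal if it falls in an include network and not in
    any exclude network. Exclude winning over include is an assumption here."""
    addr = ipaddress.ip_address(ip)
    include, exclude = managed
    if any(addr in net for net in exclude):
        return False
    return any(addr in net for net in include)


def event_direction(src, dst, managed):
    """Classify an event by where its endpoints sit relative to managed ranges."""
    src_int = is_internal(src, managed)
    dst_int = is_internal(dst, managed)
    if src_int and dst_int:
        return "internal"
    if src_int:
        return "outbound"
    if dst_int:
        return "inbound"
    return "external"  # neither side is managed; worth reviewing the ranges


def tally_directions(events, managed):
    """Count events per direction, the shape of a per-interval statistic."""
    return Counter(event_direction(s, d, managed) for s, d in events)


# Constructed sample events (src, dst); documentation ranges used for outside hosts.
SAMPLE_EVENTS = [
    ("10.1.2.3", "8.8.8.8"),          # managed host talking out
    ("203.0.113.5", "192.168.1.10"),  # outside host reaching a managed host
    ("10.1.2.3", "192.168.1.10"),     # both sides managed
    ("10.99.1.1", "10.1.2.3"),        # source sits in the excluded guest range
    ("198.51.100.1", "203.0.113.7"),  # neither side managed
]

if __name__ == "__main__":
    ranges = build_managed_ranges(INCLUDE_NETWORKS, EXCLUDE_NETWORKS)
    for src, dst in SAMPLE_EVENTS:
        print(f"{src:>15} -> {dst:<15} {event_direction(src, dst, ranges)}")
    print(dict(tally_directions(SAMPLE_EVENTS, ranges)))
```

Note that the guest-range event is reported as "inbound" even though both addresses are RFC 1918 space; this is exactly the effect the release note warns about when it asks that the configured ranges match what is considered "internal" from an event perspective. A non-empty "external" count is a useful signal that the include-network list is incomplete.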
- Improved stability by adding the ability to automatically restart the lced or lce_queryd daemon after a serious error. If this occurs, an entry is written to the LCE log (e.g., /opt/lce/admin/log/2011May.log).
- New configuration option to manage the amount of memory allocated to the query daemon.
- Log messages exceeding the maximum length (2,048 characters) are now normalized correctly.
- LCE now correctly filters when the port "!=" operator is in use.
- Correctly resets client status back to "Alive" after "Logged in - Dead" condition when new log data or a heartbeat is received.