
Log Correlation Engine 3.6.1 Release Notes

The following notes describe the changes included in Log Correlation Engine (LCE) version 3.6.1, significant enhancements to LCE, and information about upgrading. A PDF file of these release notes is also available here.

Upgrade Notes

  • As with any application, it is always advisable to perform a backup of your LCE installation and archived logs before upgrading.
  • LCE version 3.6.1 is compatible with SecurityCenter version 3.4.5 or later. Older versions of SecurityCenter may work with LCE 3.6 without issues, but will not support many of the new features. Please contact Tenable Support at support@tenable.com if you have any questions about compatibility issues.
  • Detailed instructions and notes on upgrading are located in the Log Correlation Engine 3.6 Administration and User Guide.

File Names & MD5 Checksums

File MD5
lce-3.6.1-es4.i386.rpm d9496cc69b984c7940121aabfabc5cd6
lce-3.6.1-es5.i386.rpm b30997f52eb153fe75aa083d5fe3a3d4
lce-3.6.1-es5.x86_64.rpm 26f29962f50a2dc419f1dbcd06d593ef
lce-3.6.1-es6.i386.rpm 50d5543c184d114fa3de18da3d894c3e
lce-3.6.1-es6.x86_64.rpm f805f4a5c35964bbdf9016503b8e1e71

Application Notes

LCE Features

  • TASL scripts are now included with LCE by default. Previously they had to be downloaded manually from the Tenable Support Portal after installation.
  • Ability to disable TASL scripts individually.
  • Hourly statistical data related to logging performance available as LCE events. This includes:
    • Logs/bytes per second
    • Number/percentage of logs matched/unmatched
    • Number of events correlating with vulnerabilities
    • Number/percentage of logs from clients, syslog, and IDS
    • Number of TASL alerts generated
  • Threatlist detection plugins now download as daily updates to the LCE.
  • Managed Ranges are now determined from the "include/exclude-network" ranges defined in the LCE configuration file instead of CustomerRanges.ip. Please make sure these ranges match the IP addresses that are considered "internal" from an event perspective. Starting with LCE 3.6.1, these ranges are used by a number of TASL scripts and the Stats daemon to define inbound/outbound/internal specifications for LCE events. Prior to 3.6.1, they were used solely by the Stats daemon. This is different from the "Directions" filter on the SecurityCenter 4.2 events page, which uses the logged-in user's managed ranges to determine event direction.
  • Improved stability by adding the ability to automatically restart the lced or lce_queryd daemon after a serious error. If this occurs, an entry is written to the LCE log (e.g., /opt/lce/admin/log/2011May.log).
  • New configuration option to manage the amount of memory allocated to the query daemon.
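
The Managed Ranges item above makes event direction depend on how completely the include/exclude ranges describe the internal network. The following sketch is an added example, not Tenable code: it assumes an address is internal when it falls in an include range and in no exclude range, and all ranges, addresses and function names are constructed for illustration. It labels sample events and flags RFC 1918 addresses that neither list covers, which are the ones most likely to be mislabelled.

```python
import ipaddress

# Constructed sample values; this is not LCE configuration syntax.
INCLUDE = ["10.0.0.0/8", "192.168.0.0/16"]
EXCLUDE = ["10.99.0.0/16"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
EVENTS = [  # (source, destination) pairs, constructed
    ("10.1.2.3", "10.4.5.6"),
    ("10.1.2.3", "203.0.113.7"),
    ("198.51.100.9", "192.168.1.10"),
    ("172.16.5.5", "10.1.2.3"),
    ("10.99.0.4", "203.0.113.50"),
]


def covered(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def is_internal(ip, include=INCLUDE, exclude=EXCLUDE):
    """Assumed rule: in an include range and in no exclude range."""
    return covered(ip, include) and not covered(ip, exclude)


def direction(src, dst, include=INCLUDE, exclude=EXCLUDE):
    """Label an event from the internal/external status of both ends."""
    s, d = is_internal(src, include, exclude), is_internal(dst, include, exclude)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    return "inbound" if d else "external"


def audit(events, include=INCLUDE, exclude=EXCLUDE):
    """Count directions; list RFC 1918 addresses that no range mentions."""
    counts, gaps = {}, set()
    for src, dst in events:
        label = direction(src, dst, include, exclude)
        counts[label] = counts.get(label, 0) + 1
        for ip in (src, dst):
            if covered(ip, RFC1918) and not covered(ip, include + exclude):
                gaps.add(ip)
    return counts, sorted(gaps)


if __name__ == "__main__":
    print(audit(EVENTS))
```

In the sample data, 172.16.5.5 is a private address missing from both lists, so its traffic to 10.1.2.3 is counted as inbound rather than internal.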

Fixes

  • Log messages exceeding the maximum length (2048 characters) are now normalized correctly.
  • LCE now correctly filters when the port "!=" operator is in use.
  • Correctly resets client status back to "Alive" after "Logged in - Dead" condition when new log data or a heartbeat is received.

Copyright 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.