
Log Correlation Engines

Tenable’s Log Correlation Engine (LCE) is a software module that aggregates, normalizes, correlates, and analyzes event log data from the myriad of devices within the infrastructure. LCE also has the ability to analyze logs for vulnerabilities and allows SecurityCenter to retrieve the data. Since LCE is closely integrated with SecurityCenter, log analysis and vulnerability management can be centralized for a complete view of an organization’s security posture.

SecurityCenter performs vulnerability, compliance, and event management, but does not directly receive logs or IDS/IPS events. Combining the LCE with SecurityCenter covers all of this: the LCE processes the events and then passes the results on to SecurityCenter.

Tip: More than one Log Correlation Engine can be configured to work with SecurityCenter.

To configure LCE servers, select “Log Correlation Engines” under the “Resources” tab. A screen will be displayed similar to the following:

Click “Add” to display the dialog in the screen capture below. Default viewable fields include Name, Description, Host, Organizations, and an unselected switch for Import Vulnerabilities. When the Import Vulnerabilities option is selected, additional fields become available for Repositories selection and Port, Username, and Password settings.

LCE servers generate vulnerability logs. Enabling the Import Vulnerabilities option allows SecurityCenter to collect and import the vulnerability information from the LCE server. The Repositories area defines the repositories to receive the data. The Port, Username, and Password settings enable SecurityCenter to log in to the LCE server to retrieve vulnerability information. The username and password are set when configuring the LCE server and are typically different from the system username and password used to configure the SSH key exchange described in the next section.

While configuring an LCE server, there is a “Check Authentication” button. When clicked, SecurityCenter checks its ability to authenticate with the LCE server. If successful, a message will be displayed to acknowledge that fact. If the authentication fails, an option to enter a username and password for the LCE server is displayed. The user entered should have the ability to make changes on the remote system to enable the SSH key exchange between SecurityCenter and LCE. This is typically the root, root equivalent, or other high-level user on the LCE system. This is a one-time process to exchange SSH keys for secure communication between SecurityCenter and LCE. Once entered, click the “Push Key” button to initiate the transfer of the SSH key. When successful, a checkbox and message will be displayed indicating that the authentication is successful. If remote root or root equivalent user login is prohibited in your environment, refer to the LCE key exchange section for instructions on how to manually configure the LCE server using SSH key authentication.

LCE Options

| Option | Description |
|---|---|
| Name | Name used to describe the Log Correlation Engine. |
| Description | Descriptive text for the Log Correlation Engine. |
| Host | IP address of the Log Correlation Engine. |
| Check Authentication | This button checks the status of the authentication between SecurityCenter and the LCE server. |
| Organizations | Determines which Organization(s) will be able to access data from the configured Log Correlation Engine. |
| Import Vulnerabilities | When enabled, allows Event vulnerability data to be retrieved from the configured LCE server. |
| Repositories | Select the appropriate SecurityCenter repository(ies) to store the imported LCE data. |
| Port | Enter the port on which the LCE reporter is listening on the LCE host. |
| Username | Enter the reporter username used to authenticate to the LCE to retrieve vulnerability information. |
| Password | Enter the reporter password used to authenticate to the LCE to retrieve vulnerability information. |

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.