Tenable Log Correlation Engine Troubleshooting

Tenable Log Correlation Engine server does not appear to be operational

  1. Confirm that the Tenable Log Correlation Engine server state is Working along with all attached Tenable Log Correlation Engine clients.

  2. Check that you can SSH from the Tenable Security Center host to the Tenable Log Correlation Engine host.

  3. Check that the Tenable Log Correlation Engine daemon is running on its host and listening on the configured port (TCP port 31300 by default):

    # ss -pan | grep lced

    tcp        0      0 0.0.0.0:31300   0.0.0.0:*     LISTEN      30339/lced

  4. Check that the listening ports can be reached from the network and are not blocked by a firewall.

  5. If the Tenable Log Correlation Engine server is not operational, attempt to start the service:

    # service lce start

    Starting Log Correlation EngineLCE Daemon Configuration
    LICENSE: Tenable Log Correlation Engine 3-Silo Key for [user]
    EXPIRE: 11-10-2011
    REMAIN: 30 days
    MESSAGE: LCE (3-silo license)
    MESSAGE: Valid authorization
    --------------------------------------------------------
                                                               [  OK  ]
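
Steps 3 and 4 above in scripted form, as an added example (not Tenable tooling). Only the lced process name and TCP port 31300 come from this page; the function names, the local/remote arguments, and the none/loopback/network classification are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: triage for steps 3 (is lced listening?) and 4 (can it be reached?).
LCE_PORT="${LCE_PORT:-31300}"   # default port stated on this page

# Read `ss -pan` or netstat-style lines on stdin and print the local address
# of every TCP socket in LISTEN state that belongs to lced on the given port.
lced_listeners() {
    awk -v port="${1:-$LCE_PORT}" '
        $1 ~ /^tcp/ && /LISTEN/ && /\/lced|"lced"/ {
            # The local address is the first field ending in ":<port>".
            for (i = 2; i <= NF; i++)
                if ($i ~ (":" port "$")) { print $i; break }
        }'
}

# Classify what step 3 found:
#   none     - lced is not listening on the port (go to step 5)
#   loopback - bound to localhost only, so step 4 fails with no firewall involved
#   network  - bound to a routable or wildcard address (continue with step 4)
bind_scope() {
    lced_listeners "$@" | {
        scope=none
        while read -r addr; do
            case "$addr" in
                127.*|"[::1]":*|::1:*)
                    if [ "$scope" = none ]; then scope=loopback; fi ;;
                *) scope=network ;;
            esac
        done
        echo "$scope"
    }
}

# Step 4, run from the Tenable Security Center host: attempt a TCP connect
# with a 3 second limit. Exit status 0 means the port answered.
port_reachable() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "${2:-$LCE_PORT}" 2>/dev/null
}

# Usage: "local" on the LCE host, "remote <lce-host>" on the Security Center host.
case "${1:-}" in
    local)  ss -pan | bind_scope ;;
    remote) if port_reachable "$2"; then echo reachable; else echo "blocked or down"; fi ;;
esac
```

A result of network on the Tenable Log Correlation Engine host combined with "blocked or down" from the Tenable Security Center host points at a firewall or routing problem between the two rather than at the daemon.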

No events from an attached Tenable Log Correlation Engine server

  1. Confirm that the Tenable Log Correlation Engine server state is Working along with all attached Tenable Log Correlation Engine clients.

  2. Confirm connectivity by checking that heartbeat events show up in the Tenable Security Center UI.

  3. Check the Tenable Log Correlation Engine configuration settings in accordance with the Tenable Log Correlation Engine documentation.

  4. Check the individual Tenable Log Correlation Engine client configuration and authorization. If syslog is being used to collect information and events, ensure that the syslog service is running and configured correctly on the target syslog server in accordance with Tenable Log Correlation Engine documentation.

  5. Check for NTP time synchronization between the Tenable Security Center, Tenable Log Correlation Engine, and Tenable Log Correlation Engine clients.

Invalid Tenable Log Correlation Engine license

  1. Check that an up-to-date license exists on the Tenable Log Correlation Engine server.

Tenable Log Correlation Engine plugins fail to update

  1. Manually test a plugin update under Plugins with Update Plugins. If successful, the line Passive Plugins Last Updated will update to the current date and time.

  2. Ensure that the Tenable Security Center host is allowed outbound HTTPS connectivity to the Tenable Log Correlation Engine Plugin Update Site.

  3. For all other Tenable Log Correlation Engine plugin update issues, contact Tenable Support.