Log Correlation Engine 4.6 Administration and User Guide

May 17, 2016
(Revision 4)
Table of Contents
Introduction .... 6
Standards and Conventions .... 6
Components of the Log Correlation Engine .... 6
IDS Collection and Correlation .... 7
IDS Collection Only .... 7
Prerequisites .... 7
Supported Operating Systems/Platforms .... 7
Licenses .... 8
SecurityCenter .... 8
Secure Shell Public Keys .... 8
Secure the Log Correlation Engine Server System .... 8
LCE 4.6 Overview .... 8
LCE Server Installation .... 10
Getting Started .... 10
Installation Location .... 10
Installing the Package .... 10
Setup Wizard .... 11
Step 1: Change Default Password .... 11
Step 2: Proxy Configuration .... 11
Step 3: Set Activation Code .... 12
Step 4: Port Configuration .... 12
Step 5: Database Directory .... 13
Step 6: Network Ranges .... 13
Setup Complete .... 14
Files and Layout .... 15
Upgrading the License .... 16
System Configuration .... 17
Basic Configuration .... 17
Storage Configuration .... 18
IDS Configuration .... 19
Load Balancing Configuration .... 20
Configuring the Primary LCE Server .... 21
Configuring the Auxiliary LCE Server .... 21
Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
SecurityCenter, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks
of their respective owners.
Advanced Configuration Options .... 23
Storage .... 23
LCE Web Server .... 23
Sensor Names .... 24
Clients .... 25
User Tracking .... 27
Host Discovery and Vulnerabilities .... 29
Statistical Alerts .... 30
Resource Usage and Performance .... 32
DNS Caching .... 32
Data Forwarding .... 34
Sending Syslog Messages to Other Hosts .... 34
Syslog Compliant Messages .... 35
Content of Forwarded syslog Messages .... 35
TCP Syslog Server Reconnect Interval .... 35
Checksum Forwarding .... 35
TCP Syslog .... 36
Receiving Encrypted Syslog .... 36
Encrypted TCP Syslog .... 36
Example Encrypted TCP Syslog Configuration .... 37
Correlation .... 40
TASL and Plugins .... 40
Excluding TASL Files .... 40
Excluding PRM Files .... 41
TASL Parameters .... 41
Event Rules .... 41
Email Syntax .... 41
Syslog Syntax .... 42
Custom Command Syntax .... 42
LCE Rule Filters .... 42
LCE Shell Command Options .... 44
Email/Alerting/Execution .... 45
Debugging .... 46
Debug Mode .... 46
Storing All Logs with “save-all” .... 46
Different File System .... 47
Multiple Plugin Matches per Log File “multiple-matches” .... 47
Quick Example .... 47
SSH Keys .... 49
Service Control .... 50
Feed Settings .... 51
Feed Registration .... 51
Plugin Update .... 52
Updating Plugins (PRM Files) and TASL Scripts .... 52
Offline Updates .... 53
Web Proxy .... 53
LCE Health and Status .... 54
Correlation Statistics .... 55
LCE Users .... 59
Add Users .... 60
Edit Users .... 60
Remove Users .... 61
Managing Client Configuration Files .... 62
Upgrading LCE .... 62
LCE Command Line Operations .... 63
Starting LCE .... 63
Halting LCE .... 64
Restarting LCE .... 64
Determine LCE Status .... 64
Operating the stats Daemon .... 65
Stopping and Starting all Daemons in RHEL 7 / CentOS 7 .... 65
Additional Features .... 66
Importing LCE Data Manually .... 66
User Tracking .... 67
Working with SecurityCenter .... 68
Adding the LCE to SecurityCenter .... 68
Configuring Organizations .... 70
Analyzing Security Events .... 71
Identifying Vulnerabilities .... 71
TASL Scripts .... 72
Full Text Searches .... 72
Tokens .... 73
Operators .... 73
Grouping .... 74
Examples: Putting it All Together .... 74
For More Information .... 75
About Tenable Network Security .... 76
Appendix 1: Sample msmtp.conf File .... 77
Appendix 2: Event Rule Table .... 78
Appendix 3: Troubleshooting .... 81
Appendix 4: Manual SC4/LCE Key Exchange .... 82
Appendix 5: Offline Activation and Plugin Updates .... 84
Offline Activation .... 84
Offline Plugin Updates .... 86
Appendix 6: Non-Tenable License Declarations .... 88
Introduction
This document describes the installation, configuration, and administration of Tenable Network Security’s Log Correlation
Engine 4.6 for use with SecurityCenter (including SecurityCenter Continuous View). Please email any comments and
suggestions to support@tenable.com.
The LCE is used with Tenable’s SecurityCenter, which is installed separately. This documentation assumes that you already
have an operational SecurityCenter. Knowledge of SecurityCenter operation and architecture is also assumed. Familiarity
with system log formats from various operating systems, network devices, and applications and a basic understanding of
Linux and Unix command line syntax is also assumed.
Standards and Conventions
Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as
gunzip, httpd, and /etc/passwd.
Command line options and keywords are also indicated with the courier bold font. Command line examples may or may
not include the command line prompt and output text from the results of the command. Command line examples will display
the command being run in courier bold to indicate what the user typed while the sample output generated by the system
will be indicated in courier (not bold). The following is an example of running the Unix pwd command:
# pwd
/opt/local/lce
#
Important notes and considerations are highlighted with this symbol and grey text boxes.
Tips, examples, and best practices are highlighted with this symbol and white on blue text.
Components of the Log Correlation Engine
The Log Correlation Engine (LCE) has three main components: the LCE clients, the daemon/server component (lced), which is
referred to as the LCE server, and a GUI interface that is used for LCE server administration. Data gathered by LCE is
analyzed using SecurityCenter.
The LCE clients are installed on hosts to monitor and collect events that are forwarded on to the LCE server. When received
by the LCE server, events are both stored as raw logs and normalized and correlated with vulnerabilities (if applicable). The
SecurityCenter UI makes both the raw and normalized event data available to the user for event analysis and mitigation.
LCE users work with log data from a wide variety of sources. Each organization can make queries to one or more LCE servers
that contain events from a wide variety of devices including firewalls, servers, routers, honeypots, mobile device managers,
applications, and many other sources. The LCE supports many types of agents including:
• Windows Event Logs (collected locally or remotely via a WMI client)
• Windows, Linux, and Unix system and application logs
• Check Point OPSEC events
• Cisco RDEP events
• Cisco SDEE events
• NetFlow
• Splunk
• Sniffed TCP and UDP network traffic (Tenable Network Monitor)
• Sniffed syslog messages in motion
• File monitoring (Linux, Unix, and Windows)
LCE has many signature processing libraries to parse logs and can normalize and correlate most network IDS devices, as well
as messages from SecurityCenter. The LCE supports the following IDS sources:
IDS Collection and Correlation
• Bro
• Cisco IDS
• Enterasys Dragon
• HP TippingPoint
• IBM Proventia (SNMP)
• Juniper NetScreen IDP
• McAfee IntruShield
• Fortinet IDS events
• Snort (and Snort-based products)
TippingPoint’s syslog event format must be modified to use a comma delimiter rather than a tab delimiter
before it can be processed by the LCE.
IDS Collection Only
• AirMagnet
• Check Point (Network Flight Recorder)
• Portaledge
• Toplayer IPS
There are thousands of normalization rules that support most operating systems, firewalls, network routers, intrusion
detection systems, honeypots, and other network devices. The list of officially supported log sources is frequently updated
on the Tenable website.
Prerequisites
It is important to ensure that the prerequisite requirements for LCE are met before beginning installation. These
requirements include:
• A CentOS/RHEL 64-bit platform with all unnecessary services disabled
• LCE license
• LCE management installation (SecurityCenter)
• LCE clients 4.0 or higher (if applicable)
• Secure Shell (SSH) key generation
Supported Operating Systems/Platforms
The LCE server component is available for the Red Hat Enterprise Linux (RHEL) and CentOS 5.x, 6.x, and 7.x operating
systems for 64-bit platforms. One or more LCE servers can be configured to operate with a single SecurityCenter.
The LCE server can be installed on the SecurityCenter’s host system, but this configuration is not recommended for
performance reasons.
If you are using an AWS instance in conjunction with LCE, it is required that you use an Elastic Network Interface (ENI). More
information about using an ENI with an AWS instance can be found here.
Licenses
Each LCE server is licensed to the specific hostname of the system on which it is installed. There is no licensed limit to the
number of events or IPs that the LCE can be configured to monitor.
There are different licenses available for the LCE based on the total amount of storage used by the LCE. The licenses are
based on 1 TB, 5 TB, and 10 TB storage sizes. A license for LCE is provided as a part of the SecurityCenter Continuous View
offering. The maximum number of silos available to each license size is 103, 512, and 1024, respectively. There is no
difference in the LCE software that is installed, just the maximum storage size that can be used by the LCE. Data silos are
always limited to a maximum size of 10 GB per silo.
SecurityCenter
LCE information is analyzed utilizing SecurityCenter, so you must have an operational SecurityCenter deployed before
installing LCE. Please refer to the SecurityCenter documentation for more information on installation and configuration.
Secure Shell Public Keys
LCE analysis is provided to SecurityCenter through the use of command execution across a Secure Shell (SSH) network
session. When SecurityCenter queries a LCE server, it invokes a SSH session to the configured LCE server. All execution and
analysis of LCE data occurs on the LCE server.
SSH public keys are configured such that SecurityCenter can invoke commands on the LCE server. Non-system-administrator accounts are used to perform these queries. The trust relationship is only needed from SecurityCenter to the
LCE server.
Secure the Log Correlation Engine Server System
It is recommended that the server operating system be locked down before installation to ensure that no unnecessary
services are running. The only service that is required to support remote users is SSH and the LCE administration web GUI.
While the LCE daemon is operational, it will listen by default on UDP port 514 for syslog messages, UDP port 162 for SNMP,
TCP port 601 for reliable syslog service messages over TCP, TCP port 6514 for Encrypted TCP Syslog messages, TCP port
31300 for the LCE API (needed if LCE clients are operational), TCP port 31302 for load balanced LCE servers, and port 8836
for the LCE administration web GUI. If vulnerability detection features are used with SecurityCenter, the default TCP port
1243 will also be used.
The system running the LCE can operate a syslog daemon, but the syslog daemon must not be listening on
the same port(s) that the LCE server is listening on.
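As an added check for the lockdown described above (example code written for this guide, not Tenable’s), the script below sorts the listening sockets reported by `ss -lntup` into the ports the guide lists for LCE and flags a host syslog daemon or any other process sitting on one of those ports. The `ss` sample is constructed, and the SSH entry and the assumption that LCE-owned listeners carry a process name starting with “lce” are mine.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Ports the guide lists for an operational LCE 4.6 server.
LCE_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 514): "syslog over UDP",
    ("udp", 162): "SNMP",
    ("tcp", 601): "reliable syslog over TCP",
    ("tcp", 6514): "encrypted TCP syslog",
    ("tcp", 31300): "LCE API / LCE clients",
    ("tcp", 31302): "load balancing (primary LCE)",
    ("tcp", 8836): "LCE administration web GUI",
    ("tcp", 1243): "vulnerability detection with SecurityCenter",
}
# SSH is the only other service the guide expects on a locked-down host.
ALLOWED_OTHER: Dict[Tuple[str, int], str] = {("tcp", 22): "sshd"}

# Assumption: LCE-owned listeners are reported under a process name that
# starts with "lce" (the guide names lced and lce_report_proxyd).
LCE_PROCESS_PREFIX = "lce"


class Listener(NamedTuple):
    proto: str
    port: int
    process: str


# Process name as printed by `ss -p`, e.g. users:(("lced",pid=2101,fd=7))
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss_line(line: str) -> Optional[Listener]:
    """Parse one line of `ss -lntup` output; the header and non-socket lines give None."""
    fields = line.split()
    if len(fields) < 5 or fields[0].lower() not in ("tcp", "udp"):
        return None
    local = fields[4]                       # e.g. 0.0.0.0:514, [::]:8836, *:601
    try:
        port = int(local.rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None
    match = _PROC_RE.search(line)
    process = match.group(1) if match else "unknown"
    return Listener(fields[0].lower(), port, process)


def audit_listeners(ss_output: str) -> Dict[str, List[str]]:
    """Sort every listening socket into expected / conflicts / unexpected.

    A conflict is a non-LCE process (for example the host syslog daemon) bound
    to a port the guide reserves for lced; the guide warns the two must not
    share a port.
    """
    result: Dict[str, List[str]] = {"expected": [], "conflicts": [], "unexpected": []}
    for line in ss_output.splitlines():
        lst = parse_ss_line(line)
        if lst is None:
            continue
        key = (lst.proto, lst.port)
        label = f"{lst.proto}/{lst.port} {lst.process}"
        if key in LCE_PORTS:
            if lst.process.startswith(LCE_PROCESS_PREFIX):
                result["expected"].append(label)
            else:
                result["conflicts"].append(
                    f"{label} occupies the LCE port for {LCE_PORTS[key]}")
        elif ALLOWED_OTHER.get(key) == lst.process:
            result["expected"].append(label)
        else:
            result["unexpected"].append(label)
    return result


# Constructed sample in `ss -lntup` format (not output captured from any host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:514        0.0.0.0:*     users:(("lced",pid=2101,fd=7))
udp   UNCONN 0      0          0.0.0.0:514        0.0.0.0:*     users:(("rsyslogd",pid=880,fd=4))
tcp   LISTEN 0      128        0.0.0.0:8836       0.0.0.0:*     users:(("lced",pid=2101,fd=9))
tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128           [::]:31300         [::]:*     users:(("lced",pid=2101,fd=11))
tcp   LISTEN 0      128      127.0.0.1:25         0.0.0.0:*     users:(("master",pid=950,fd=13))
"""

if __name__ == "__main__":
    for category, items in audit_listeners(SAMPLE_SS).items():
        print(category, items)
```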
LCE 4.6 Overview
LCE 4.6 contains key improvements over previous versions including the ability to receive TCP Encrypted syslog, and the
ability to track clients via UUID, which will be beneficial in environments where DHCP is utilized (available in version 4.6 LCE
clients). Also available in LCE 4.6 is an Application Programming Interface (API). The API can potentially be used by third-party applications to create custom interfaces to the LCE daemon. To configure LCE 4.6, navigate to the DNS name or the IP
address of the LCE server over port 8836 (https://<dns name or IP address>:8836) in your preferred web browser.
The following image shows what the LCE GUI will look like upon initial login after the LCE has been upgraded. The initial
section that is displayed is “Health and Status”. Details on each sub-section are described later in this document. To edit any
configuration option select “Configuration”. To add or remove a user, select “Users”.
The right side of the screen displays the username of the user that is currently logged in. Clicking on the drop-down arrow
beside the username displays a list of options. These options allow the currently signed in user to “Change Password”, view
basic “Help & Support” information, or “Sign Out” of the LCE GUI.
There is also a red bell in the far right-hand corner of the LCE GUI that displays the last few notifications
generated by the LCE server. These notifications can also be found in the “Alert” section of the “Health and Status” page.
LCE Server Installation
Getting Started
Before beginning the LCE installation, it is important to understand the high-level steps required to facilitate a successful
installation. These steps are typically performed in the following order:
1. Download the LCE server RPM and confirm the integrity of the installation package by comparing the downloaded
MD5 checksum with the one listed in the product release notes.
2. Install the LCE server RPM.
3. Copy the activation code from the “Activation Code” section of the Tenable Support Portal
(https://support.tenable.com).
4. Using a web browser, navigate to the address or hostname of the LCE server over port 8836 (https://<ip or
hostname>:8836), and complete the “Quick Setup” wizard.
5. Add the LCE server to the SecurityCenter, via the SecurityCenter’s web interface as a SecurityCenter Administrator
user.
Installation Location
The installation file may be placed anywhere on the installed system. The installation steps described below assume
execution from the same directory where the installation package is located.
Installing the Package
To ensure consistency of audit record time stamps between the LCE and SecurityCenter, make sure that the
underlying OS makes use of the Network Time Protocol (NTP) as described in:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-Date_and_Time_Configuration-Command_Line_Configuration-Network_Time_Protocol.html
If you are upgrading from a previous version of LCE, please skip this section and see the section titled “Upgrading the Log
Correlation Engine” below. Please follow the instructions in this section for new installations.
As the root user, install the LCE RPM using the following command:
# rpm -ivh lce-4.6.x-el6.x86_64.rpm
An example is shown below:
# rpm -ivh /tmp/lce-4.6.0-el6.x86_64.rpm
Preparing...
########################################### [100%]
1:lce
########################################### [100%]
The installation process is complete.
Please refer to /var/log/lce_upgrade.log to review installation messages.
This is a new installation. To configure LCE, please direct your browser to:
https://192.168.1.101:8836
Setup Wizard
After the initial installation is complete, navigate to the DNS name or the IP address of the LCE server over port 8836
(https://<dns name or IP address>:8836) in your preferred web browser. The login screen will be displayed. The default
login credentials are User name “admin” and password “admin”. Enter the default information, and select “Sign In To
Continue”.
Step 1: Change Default Password
Upon initial login, the “Quick Setup” will begin. The first step is to change the password. The password complexity is set to 4
alphanumeric characters. The password complexity can be changed, and will be covered in a later section of this guide.
Step 2: Proxy Configuration
The next section of the configuration wizard requires “Proxy Configuration” information. If a proxy is utilized in the
environment where LCE is deployed select “Yes” and enter the required information into the corresponding fields. If a proxy
is not required, select “No”. After the appropriate option is selected and any corresponding fields are completed, choose
“Next Step”.
Step 3: Set Activation Code
The “Set Activation Code” section requires a valid activation code. The activation code can be obtained by logging into the
Tenable Support Portal (https://support.tenable.com) and then selecting “Activation Codes”. Enter the Activation Code and
click “Apply”. A check mark can be seen next to the “Apply” button to confirm the Activation Code is valid. When the
Activation Code has been entered correctly, select “Next Step” to proceed. If the LCE is not connected to the Internet, an
offline plugin update will need to be periodically performed. Please review the Offline Activation and Plugin Update section
of this guide for more information.
Step 4: Port Configuration
The “Port Configuration” section displays the default ports already assigned for each type of communication. If an alternate
port is used for communication for the services listed, it can be changed here. If changes are made, select “Apply” to ensure
those changes are enforced. Then select “Next Step” to continue.
Step 5: Database Directory
The “Database Directory” section displays the default LCE database location, “/opt/lce/db/”. This can be changed to an
alternate directory if needed, but is not recommended. If it is changed after the “Quick Setup” is complete, the database will
need to be moved using a manual process. If changes are made, select “Apply” to ensure those changes are enforced. Confirm
that there is adequate space available in the directory location for the license that you have uploaded, which is reported in
the center of the “Database Directory” window, and then select “Next Step” to continue.
Step 6: Network Ranges
The “Network Ranges” section specifies the networks to be monitored or ignored by LCE. The network ranges that are to be
monitored by LCE will need to be entered in CIDR notation (192.168.0.0/24) or IP/netmask (192.168.0.0/255.255.255.0)
into the “Monitored Network” box. The networks that are excluded from LCE will need to be entered in CIDR notation or
IP/Netmask in the “Excluded Network” box. After the information is entered select “Next Step”.
Setup Complete
At this point the “Quick Setup” process is complete, and LCE services will require a restart. If you would like to revisit any
step before finalizing the configuration, choose “Previous Step” to edit the desired step. Otherwise select “Restart” to
complete setup.
Once the LCE has restarted the initial configuration is complete. It is possible to log in to the LCE web interface to address
any additional configuration to include syslog forwarding, load balancing across multiple LCE servers, NAT setup for LCE
clients, and other advanced settings.
For more information on large scale deployments, please refer to the Log Correlation Engine 4.6 High Availability
Large Scale Deployment Guide.
The installation process will create a user and group named “lce” and install the LCE server to the /opt/lce directory. All
files will be installed with the user and group of “lce” except for the actual lced daemon, which is set-user-id root. This must
be started as the “root” user, and once the daemon has bound to the appropriate port(s), it will drop privileges. If the lced
daemon terminates abnormally for any reason, the system will automatically restart the daemon and add a warning to the
LCE logs.
Files and Layout
LCE resides in the /opt/lce directory, and contains various sub-directories. The contents of each subdirectory are
summarized in the table below.
Directory
Description
admin
This directory contains all of the LCE’s log files. There is a subdirectory named log that
contains various log files. System log file names are based on the year, month, and date,
such as 2015May.log. Log files in the main log directory are general LCE log
system files. The log directory contains sub-directories for specific components of LCE
such as clientmanager, indexer, stats, queries, reporter, and importer.
credentials
This directory contains certificates and keys for LCE modules to authenticate remote
connections. For example, the syslog sub-directory contains the default keys and certs
to authenticate encrypted TCP syslog senders.
daemons
This directory contains the lced binary (the log engine) and all other helper daemons in
LCE. The LCE Client Manager is also located here. The daemons directory also contains
sub-directories for plugins, policies, and other items updated automatically via the LCE
plugin feed.
When LCE starts, it will load all files in the plugins directory unless they are disabled
via the configuration.
db
LCE stores all event data in the db directory. Each silo is labeled lce(number).ndb and
has its own log_store and db_index directories.
The location of this directory will differ if the configuration was altered at
some point.
docs
This directory contains the LCE Software License Agreement.
ha
This subdirectory contains the tools utilized if LCE is configured for high availability.
For more information on this feature review the Log Correlation Engine 4.6
High Availability Large Scale Deployment Guide.
ids
IDS signature mappings and host vulnerability information from SecurityCenter are
stored here for correlation.
reporter
This directory and its sub-directories contain certs and keys for the Nessus Transport
Protocol interface for SecurityCenter to retrieve report information.
reports
This directory contains host vulnerability information LCE has discovered by scanning
logs.
tmp
Directory used for temporary data that is utilized by LCE.
tools
This directory contains various tools that are utilized by LCE, and some can be utilized
via the command line if required.
var
The db subdirectory under the var directory contains the following databases:
lce_alert.db, lce_config.db, lce_status.db, lce_users.db, and pm.db. The www directory
contains the web client, and web server information. The users subdirectory contains a
directory for each user configured in the LCE GUI.
Upgrading the License
It is possible to upgrade from your silo license to one with a higher capacity (e.g., 1 TB to 10 TB). A replacement license key
will be required. Perform the following steps to upgrade your license:
1. Log in to the LCE user interface (https://<ipaddress or hostname>:8836).
2. Select “Configuration” in the LCE user interface.
3. Choose “Feed Settings” in the “Configuration” menu.
4. Enter the “Activation Code”, and select “Apply”.
5. Select “Update” at the bottom of the “Feed Settings” page.
The number of silos can indicate the type of license in use. For example, 103 silos indicate a 1 TB license, 512
silos indicate a 5 TB license, and 1024 silos indicate a 10 TB license, when the maximum silos for a license are
used.
The total number of silos along with how many silos have been used is displayed in the “Health and Status” section under the
“Advanced” section of the LCE GUI as shown below.
Navigate to “Health and Status”, and select “Plugins” to verify that the “Activation status” is “Licensed” and the “Feed
Expiration” does not show “Expired”.
System Configuration
The LCE system configuration is administered by logging into the LCE web interface and selecting “Configuration” at the top
of the page. The sections that are available in “System Configuration” are “Basic”, “Storage”, “IDS”, “Load Balancing”,
“Advanced”, “Control”, and “Feed Settings”. Each of these sections is covered in detail below. Each configuration page in the
“System Configuration” section has an “Update” option at the bottom that needs to be selected prior to any changes made in
that section being applied to the LCE. The updates are applied while the LCE is running, thus removing the need to restart the
LCE services.
Basic Configuration
The Basic Configuration section comprises the essential configuration needed for an LCE server to function. The items in this
section are addressed in the initial “Setup Wizard”, but can be changed in this section at a later time if the need arises.
Each menu option for the “Basic” section is covered in detail below.
Option
Description
Server Address
This option allows you to specify the IP address of the network interface(s) on which
lced and lce_report_proxyd will listen. More than one interface may be specified
on separate lines:
127.0.0.1
172.0.0.2
By default, or if left blank the above LCE services will listen on all available network
addresses.
LCE Client Port
This option specifies the port number that lced listens on. By default, it is set to 31300,
but may be reset to another value.
Syslog Port (UDP)
LCE listens for UDP syslog traffic on the standard port of 514 by default. If the
environment requires the LCE to listen on a different port, this setting may be changed.
Syslog Port (TCP)
This setting determines the port to listen on for reliable syslog messages via the TCP
protocol.
Encrypted TCP Syslog Listen Port
This setting determines the port for receiving encrypted TCP syslog traffic. The default
port for encrypted syslog over TLS is 6514 per RFC5425, but the port may be altered if
required.
Include Networks
The following sections define your internal network range. All networks specified in the
first section are included, while the Exclude Networks option is used to make exceptions.
Make sure this range matches IP addresses that are considered “internal”
from an event perspective. This range is used by a number of TASL scripts
and the Stats daemon to define inbound/outbound/internal specifications
for LCE events.
This is different from the “Directions” filter on the SecurityCenter events
page, which uses the logged-in user’s managed ranges to determine event
direction.
Exclude Networks
Provides exceptions to the “Include Networks” directive ranges specified above.
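The Include/Exclude Networks logic above, and the inbound/outbound/internal classification the guide says TASL scripts and the Stats daemon derive from it, as an added example written for this guide (not Tenable’s code). It accepts both notations the “Network Ranges” step allows; the sample ranges and addresses are constructed, and the “external” label for an event between two non-internal hosts is my assumption.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_network(text: str) -> Network:
    """Accept CIDR (192.168.0.0/24) or IP/netmask (192.168.0.0/255.255.255.0),
    the two notations the guide allows in the network range boxes."""
    # strict=False tolerates host bits being set, e.g. 192.168.1.1/24
    return ipaddress.ip_network(text.strip(), strict=False)


def validate_ranges(entries: Iterable[str]) -> List[str]:
    """Return one error message per entry that cannot be parsed (empty list if all are valid)."""
    errors: List[str] = []
    for entry in entries:
        if not entry.strip():
            continue
        try:
            parse_network(entry)
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
    return errors


class NetworkRanges:
    """Include Networks, with Exclude Networks applied as exceptions."""

    def __init__(self, include: Iterable[str], exclude: Iterable[str] = ()):
        self.include = [parse_network(e) for e in include if e.strip()]
        self.exclude = [parse_network(e) for e in exclude if e.strip()]

    def is_internal(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # Exclusions win: an address inside an excluded range is never internal.
        if any(addr in net for net in self.exclude):
            return False
        return any(addr in net for net in self.include)

    def direction(self, src_ip: str, dst_ip: str) -> str:
        """Classify an event as internal, inbound or outbound from the two
        endpoints; "external" (both endpoints outside the include ranges)
        is an assumption the guide does not name."""
        src_in, dst_in = self.is_internal(src_ip), self.is_internal(dst_ip)
        if src_in and dst_in:
            return "internal"
        if src_in:
            return "outbound"
        if dst_in:
            return "inbound"
        return "external"


if __name__ == "__main__":
    # Constructed configuration: two include ranges in both notations, one exception.
    ranges = NetworkRanges(
        include=["192.168.0.0/16", "10.0.0.0/255.0.0.0"],
        exclude=["192.168.99.0/24"],
    )
    for src, dst in [("192.168.1.10", "203.0.113.7"),
                     ("203.0.113.7", "10.1.1.1"),
                     ("192.168.1.10", "192.168.99.5")]:
        print(src, "->", dst, ranges.direction(src, dst))
    print(validate_ranges(["10.0.0.0/8", "10.0.0.0/300", "not-a-network"]))
```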
Storage Configuration
The storage section of “System Configuration” shows the database location, silo size, and number of silos, and also contains
the archiving configuration information.
Option
Description
Database Directory
Specifies the location of the LCE database directory.
Silo Size
Specifies the maximum amount of data from matched log events that will be stored in
one indexed file (silo). Choose “MB” to specify megabytes; for example, entering
10240 and choosing “MB” specifies a maximum silo size of 10 gigabytes. Choose “GB” to
specify gigabytes; for example, entering 1 and choosing “GB” specifies 1 gigabyte. By
default, this is set to 10G.
Note that the filesystem must support the file size selected within this
setting.
When considering silo size: It is suggested that the total number of silos for
the license should not be exhausted more than once in a single month.
Number of Silos
Specifies the number of silos that lced will create. The maximum number of silos that
can be created is 1024 for a 10 TB license, 512 for a 5 TB license, and 103 for a 1 TB
license. When configuring this setting, consider the silo-size setting and maximum disk
space available for storage. Example: 1 TB is available for storage and silos configured
for 10 GB would allow for a maximum of 102 silos before disk exhaustion.
Enable Archiving
This option allows the archive functionality of LCE to be enabled, or disabled.
If there is insufficient disk space on the silo archive device, LCE will no
longer attempt to save a silo before overwriting. If this occurs, log
messages will be generated warning of the event. The event alerting
functionality of LCE can be leveraged to automatically notify concerned
individuals (e.g., email alert) when this sort of event occurs. Please
reference the section of this document titled “Event Rules” for more
information.
Location
If the archive functionality is enabled in LCE a location for the archive files must be
specified. An example of an archive location is shown below:
Example:
/opt/lce/silo_archive
Save Index
This option specifies if the LCE database index files are to be saved for faster searching
of archived silos. The “Save Database” option must be selected for this option to be
selectable.
Save Raw Logs
This option specifies if the LCE raw log files are to be saved. These files contain the
original matched log messages before normalization.
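The silo arithmetic from the Licenses section and the “Silo Size” and “Number of Silos” entries above, as an added example written for this guide (not Tenable’s code): it takes the smaller of what the disk can hold and what the license allows, and checks the guide’s suggestion that the full set of silos should not cycle more than once a month. The daily ingest figures are constructed.

```python
from typing import Dict, Union

# License tiers and the maximum silo count the guide gives for each (TB -> silos).
LICENSE_MAX_SILOS: Dict[int, int] = {1: 103, 5: 512, 10: 1024}
MB_PER_GB = 1024
MAX_SILO_MB = 10 * MB_PER_GB          # silos are capped at 10 GB each
MIN_DAYS_PER_CYCLE = 30               # guide: do not exhaust all silos more than once a month


def silo_size_mb(value: int, unit: str) -> int:
    """Convert the Silo Size field (a number plus the MB/GB selector) to megabytes."""
    unit = unit.upper()
    if unit == "MB":
        size = value
    elif unit == "GB":
        size = value * MB_PER_GB
    else:
        raise ValueError(f"unit must be MB or GB, not {unit!r}")
    if not 0 < size <= MAX_SILO_MB:
        raise ValueError(f"silo size {size} MB is outside 1..{MAX_SILO_MB} MB")
    return size


def plan_silos(license_tb: int, silo_mb: int, disk_mb: int,
               daily_ingest_mb: float) -> Dict[str, Union[int, float, str, bool]]:
    """Work out how many silos to configure and how fast they will cycle.

    The silo count is the smaller of what the disk can hold and what the license
    allows; total capacity divided by the daily volume of matched events gives
    the number of days before the oldest silo is overwritten.
    """
    if license_tb not in LICENSE_MAX_SILOS:
        raise ValueError(f"unknown license size {license_tb} TB")
    if silo_mb <= 0 or daily_ingest_mb <= 0:
        raise ValueError("silo_mb and daily_ingest_mb must be positive")
    by_disk = disk_mb // silo_mb
    by_license = LICENSE_MAX_SILOS[license_tb]
    silos = min(by_disk, by_license)
    capacity_mb = silos * silo_mb
    days_per_cycle = capacity_mb / daily_ingest_mb
    return {
        "silos": silos,
        "limited_by": "disk" if by_disk < by_license else "license",
        "capacity_mb": capacity_mb,
        "days_per_cycle": days_per_cycle,
        "meets_monthly_guidance": days_per_cycle >= MIN_DAYS_PER_CYCLE,
    }


if __name__ == "__main__":
    # The guide's own case: 1 TB of disk with 10 GB silos gives 102 silos.
    # A daily ingest of 20 GB is a constructed figure.
    print(plan_silos(1, silo_size_mb(10240, "MB"), 1024 * MB_PER_GB, 20 * MB_PER_GB))
    # A 10 TB license on a 20 TB disk is capped by the license, not the disk.
    print(plan_silos(10, silo_size_mb(10, "GB"), 20 * 1024 * MB_PER_GB, 500 * MB_PER_GB))
```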
IDS Configuration
LCE has the ability to receive IDS events from multiple sources. In addition to being normalized and stored in the log
database, each event will be checked against any SecurityCenter vulnerability databases. If a host is vulnerable to attack, the
event is marked as such, allowing rules to trigger on this scenario so that the information can be distributed to the affected
administrators.
For each IDS sensor, a sensor name and type must be defined as in the example below. The supported types are Snort, Bro,
RealSecure, Dragon, IntruVert, IntruShield, Juniper, NetScreen, NFR, Fortinet, Cisco, TippingPoint-Sensor, and
TippingPoint-SMS.
Option
Description
IDS IP
The IP address of the IDS.
Sensor Name
Name to be used within the SecurityCenter logs.
Sensor Type
IDS sensor type.
Load Balancing Configuration
Multiple LCEs may be configured in a tiered system. This allows for one LCE to be designated as the primary LCE, which can
send incoming log messages to one or more auxiliary LCE servers (depending on loading, which is calculated on a regular
interval). This distributes the storage and processing of the log messages among up to 256 different LCE servers. Taking
advantage of this configuration allows for all the LCE clients and log sources to be configured for a single LCE server, and
that primary LCE server load balances the incoming requests between itself and its auxiliary servers. Additionally, clients
may be configured to send their logs directly to an auxiliary server, bypassing the primary LCE if there is a need to do so. One
example would be if you want all firewall logs to go to a specific LCE for storage, then they would have their logs point to that
specific LCE, bypassing the primary LCE.
Load balancing messages and logs sent between the primary and auxiliary LCEs are encrypted. To provide additional
encryption, the encryption passphrase option may be configured. This option can use a phrase between 1-32 characters.
When set, all of the connected LCEs must be configured with the same passphrase in their configurations.
When using tiered LCE servers, each one must be configured in SecurityCenter in order to be queried. If a SecurityCenter user
only has access to three out of four LCE servers in a group, that user will receive incomplete results based only on the data
stored in the three LCE servers to which the user has access.
Configuring the Primary LCE Server
The primary LCE server listens on TCP port 31302 (by default) for status data from auxiliary LCE servers. The listening port
of the primary LCE server may be changed by modifying the Local Status Port option on the Load Balancing tab. There may
only be one primary LCE server configured in a group, and servers may not play a dual role of primary and auxiliary. Unless
the server is specifically configured to be an auxiliary LCE server, it considers itself a primary LCE server and listens on port
31302 (by default).
Configuring the Auxiliary LCE Server
When configured as an auxiliary LCE, the server will accept log files sent to it by the primary. To enable the auxiliary mode,
configure the Load Balancing Auxiliary setting on the Load Balancing tab with the IP address and port number of the
primary LCE. If the primary LCE is running on the default port of 31302, adding the port number is not required.
Note that when utilizing tiered LCE servers, processing of log-related options such as syslog forwarding, storing
not-matched logs, and similar are performed on the server processing the logs. Such options must be configured
identically on all the LCE servers for consistent results.
Option
Description
Load Balancing Local
Local Server Address
When there is more than one network interface available to receive data from the
primary LCE, enter the IP address of the interface to use. Otherwise, the default
interface’s IP address will be used. This can be used to balance bandwidth between
multiple interfaces.
Local Status Port
When the LCE server is configured to offload log data to auxiliary servers, TCP port
31302 is the default port used. Change the setting here to change the port on which the
LCE server communicates.
Encryption Passphrase
When load balancing between primary and auxiliary LCE servers, all messages are
encrypted. To enhance security, a user-specified key may be added. Enter up to a 32
character encryption phrase. The passphrase must be the same on all connected LCEs.
Allowed characters are alphanumeric and the following characters:
[].^$()|*+?{}/#_-~!@%=`'<>:|&\",
Load Balancing Auxiliary
Primary Server Address
When used as an auxiliary LCE server, this setting designates the IP address of the primary
LCE server.
Primary Server Port
TCP port 31302 is the default port used when the LCE server is configured to offload log
data to auxiliary servers. Change the setting here to change the port on which the LCE
server communicates.
High Availability
Virtual IP Address
This is the IP address used by devices such as syslog sensors and clients to send data to
LCE.
Virtual IP Interface
When specifying a Virtual IP Address, also specify an existing network adapter on which
the LCE will bind the virtual IP. This defaults to eth0.
Virtual Router ID
If you have a VRRP solution deployed or plan on adding one in the future to the same
network your LCE is deployed on, use this option to specify a router ID for the LCE
cluster, that differs from your other VRRP setup.
Mirror Mode
Optionally, instead of receiving a subset of logs, this LCE may register itself as a mirror
and receive ALL logs processed by the primary LCE, effectively creating a live backup of
the primary database. Check the box to enable this mode.
For more information on Load Balancing and High Availability, review the Log Correlation Engine 4.6 High
Availability Large Scale Deployment Guide.
Advanced Configuration Options
The “Advanced” configuration section is used to fine tune your LCE server configuration. Each section that is changed in the
“Advanced” section will require that the “Update” button is selected before the updates are completed. Select “Cancel” to
clear any unwanted updates. The exceptions to this would be the “Add Syslog Sensor Name”, “Add New Client Rule”, “Create
Debug File”, and “Add New SSH Key”. Reference each section of this documentation when making changes to each of those
advanced configuration options.
Storage
The options available under the “Storage” subsection are “Store Unnormalized Logs” and “Disk Alert Percentage”. These
options are described in the table below.
Option
Description
Store Unnormalized Logs
If this is enabled, then LCE will store logs even when they are not normalized by existing
LCE plugins. These logs will have the type and event set to “unnormalized” and will still
be available for text, IP, and sensor-based searches.
Disk Alert Percentage
When disk utilization in the database directory exceeds the specified percentage (from 1
to 99 percent), an alert will be generated so that the user may take appropriate actions
and the LCE does not exhaust disk space for log storage. The default value is 75 percent.
LCE Web Server
The LCE Web Server section allows you to specify parameters governing login parameters for user access. These options are
described in the table below.
Option
Description
Login Banner
Displays a banner (1300 character limit) prior to user login requiring the user to
acknowledge a customized statement or warning.
Enforce Complex Passwords
Requires LCE web server user passwords to have at least 1 uppercase, 1 lowercase, 1
number, and 1 special character.
Min Password Length
Minimum length of a password for an LCE web server user login. Only passwords that
are created or changed after this setting is updated will be affected.
Idle Session Timeout
Idle login sessions will be logged out after the amount of time specified in minutes.
Web Server Port
Configures the port that the LCE web server will listen on. By default this is set to 8836.
Enable SSL for Web Server
When enabled, SSL connections are enforced for connecting to the LCE web server and
it is on by default. Disabling this setting is not recommended as it will allow unencrypted
traffic to the LCE web server. When this setting is changed and applied, users must
reconnect to the server using the newly configured protocol.
Enable SSL Client Certificate Authentication
When enabled, only SSL client certificates are permitted for user authentication. When
disabled (default setting) users authenticate with a username and password.
Sensor Names
This option allows the administrator to override the discovered name of a syslog sensor with a name that is more identifiable
in the environment. For example, if the host is “syslogserver06.example.com” but that server resides in the research area of
the environment, overriding its name to “research_syslog” may be preferred.
The sensor name can be set by the source of the log, the configured sensor name of the client or syslog source, or the plugin
that normalizes the log. If this option is enabled, the sensor name will always be that of the configured client or syslog source
name. When creating new sensor names, both the “Sensor Name” and “IP Address” fields must be populated. After that is
complete select “Add Syslog Sensor Name” to confirm the changes.
Option
Description
Sensor Name
Sensor name to be used within the SecurityCenter logs.
IP Address
The IP address of the configured client or syslog source.
Clients
This section of the Advanced Configuration is used to further define how clients are able to connect to the LCE, and how they
are named when viewed in the “Event” section of SecurityCenter. The configurations are “Public Server Address”, “Auto
Authorize Clients”, “Use Client Network Address”, and “Override Sensor Name”, described in the table below.
Option
Description
Public Server Address
If the server is run from behind a device performing Network Address Translation (NAT),
and the LCE clients that it manages are on the public side of the device, the Public Server
Address field must be populated with the NAT address so that the managed clients can
connect to it. The LCE Client Manager will use, in order of preference: the Public Server
Address setting, the Server Address setting, or the first IP that it finds LCE using that is
not 127.0.0.1.
When this setting is used, all managed clients on either side of the NAT
device must use this defined address to connect.
Auto Authorize Clients
LCE Clients version 4 and greater must be authorized by the LCE administrator to send
data after the client attempts to connect to the LCE server. Enable this option to
automate authorization for a specified number of minutes after LCE server startup or
reconfiguration. This automatically authorizes clients that have never previously tried to
connect to the LCE server for 10 minutes after startup.
Use Client Network Address
Override private client IP in events with the NAT / public network peer IP
Override Sensor Name
Prefer configured name over discovered name
The “Client Assignment Rules” subsection allows for specific policies to be applied to specific client ranges along with the IP
address and communications port used to communicate with the LCE server. When a Client Assignment Rule is created, a
“Policies” window is displayed to add the desired policies for the “Client Network” specified in the rule.
Specific LCE policies can be defined for that “Client Network”. Policies are matched by OS type, and if there are multiple
policies for a particular OS type, the first available policy for that type will be assigned. If no “Policies” match the OS found on
the “Client Network”, the default policy for that OS will be used. The “Auto Auth” option can be deselected after all expected
clients have been authorized by the LCE. After adding one or more policies to the “Policies” section, select “Update” at the
bottom of the “Advanced Configuration” page to confirm the addition of those policies.
Option
Description
Client Network
The client network range in CIDR notation
LCE IP:port
LCE server IP and port it listens on for incoming LCE client data. The default port is
31300.
Auto Authorize
This enables auto authorization of clients in the defined network range.
Policies
This section allows multiple policies to be specified. The exact name of the policy must be
used. The policy must be OS specific, and if more than one OS is on the “Client Network”
a single policy for each OS type is suggested. If specific policies are not entered in this
section, the default policy for the OS type of each client will be assigned.
If multiple policies are listed in this section for the same OS type the first
policy that matches the client OS will be assigned.
User Tracking
LCE tracks network users on the basis of their usernames. These options set restrictions on which usernames are considered
valid. Any usernames failing to match the specified criteria are disregarded and “invalid” is reported as the user for the
associated log entries.
Option
Description
User Tracking Plugins
Only Plugin IDs in this list are used to apply user tracking. Other plugins will normalize
usernames, but no tracking is performed based on the source and destination IP
addresses. Only usernames normalized by these plugins are subject to the additional
user tracking restrictions in this section. If a username is normalized by these plugins but
does not meet the additional restrictions it will not be associated with the log and will
not be associated with the subsequent logs from that IP address. Some IDs of plugins
that can be used as “User Tracking Plugins” are listed below.
Example:
4770 tenable_pvs.prm
5450 mail_imaps.prm
1708 mail_wuimap.prm
7293 os_win2008_sec.prm
3260, 3262, 3294 os_win2k_sec.prm
LCE login-failure plugins do not normalize usernames because those logs
are not assured to provide a valid username, and it would contaminate the
username database. Additionally, it is advised never to add a login-failure
plugin ID into the list of User Tracking Plugins. Doing so would invalidate
user tracking for hosts that triggered the plugin.
Accept Letters
This option specifies whether alpha characters [a-zA-Z] are allowed when a plugin
normalizes a username.
Accept Numbers
This option specifies whether numbers [0-9] are allowed when a plugin normalizes a
username.
Valid Username Characters
Specifies which special characters are considered valid for usernames. By default, the
following characters are considered valid:
- The “dash” character, as in “-”
- The “underscore” character, as in “_”
- The “dot” character, as in “.”
- The “at sign” character, as in “@”
For example, the following address would be considered valid under the default criteria:
b.j-smith@a_b.com
Only the special characters that are specified with the Valid Username Characters
setting are considered to be valid when a plugin normalizes a username.
The semicolon character, “;”, is not permitted in this context.
Max Username Length
Specifies the maximum number of characters allowed in a username.
Untracked Usernames
The IPs for this list of users are not tracked. The usernames are normalized and will
appear with their associated logs, but no alert is generated when the username switches
from one IP to another. Some possible considerations for usernames that are not tracked
are listed below.
Example:
root
lce
admin
administrator
Administrator
SYSTEM
INTERACTIVE
NETWORKSERVICE
LOCALSERVICE
ANONYMOUSLOGON
Nobody
NTAUTHORITY
DIALUP
NETWORK
BATCH
NO_USER_NAME
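The username rules in the User Tracking table, as an added example written from the guide's description rather than taken from LCE itself: letters, numbers, the “Valid Username Characters” set (default dash, underscore, dot and at sign), “Max Username Length”, the semicolon ban and the “Untracked Usernames” list are applied to a normalized username. The default maximum length of 32 used here is an assumption, since the guide states no default.

```python
"""Added example, not Tenable's code: username filtering as the User Tracking
options describe it. Letters, digits, the "Valid Username Characters" set
(default - _ . @), "Max Username Length", the semicolon ban and the
"Untracked Usernames" list are applied to a normalized username. The default
maximum length of 32 is an assumption; the guide states no default."""
from dataclasses import dataclass

# The guide's example list of usernames whose IPs are not tracked
DEFAULT_UNTRACKED = frozenset({
    "root", "lce", "admin", "administrator", "Administrator", "SYSTEM",
    "INTERACTIVE", "NETWORKSERVICE", "LOCALSERVICE", "ANONYMOUSLOGON", "Nobody",
    "NTAUTHORITY", "DIALUP", "NETWORK", "BATCH", "NO_USER_NAME",
})


@dataclass(frozen=True)
class UserTrackingConfig:
    accept_letters: bool = True
    accept_numbers: bool = True
    valid_chars: str = "-_.@"           # the guide's default special characters
    max_username_length: int = 32       # assumed value; the guide gives no default
    untracked: frozenset = DEFAULT_UNTRACKED


def is_valid_username(name: str, cfg: UserTrackingConfig = UserTrackingConfig()) -> bool:
    """True if every character is permitted and the length limit holds."""
    if not name or len(name) > cfg.max_username_length:
        return False
    allowed_specials = set(cfg.valid_chars) - {";"}   # ';' is never permitted
    for ch in name:
        if ch.isascii() and ch.isalpha():
            if not cfg.accept_letters:
                return False
        elif ch.isascii() and ch.isdigit():
            if not cfg.accept_numbers:
                return False
        elif ch not in allowed_specials:
            return False
    return True


def tracking_outcome(name: str, cfg: UserTrackingConfig = UserTrackingConfig()) -> str:
    """'invalid' (reported as the user for the log and not associated with later
    logs from that IP), 'untracked' (normalized, but no IP-switch alert), or
    'tracked'."""
    if not is_valid_username(name, cfg):
        return "invalid"
    if name in cfg.untracked:
        return "untracked"
    return "tracked"
```

The guide's own example address, b.j-smith@a_b.com, passes under the defaults; a name containing a semicolon is rejected even if the semicolon is added to the valid character list.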
Host Discovery and Vulnerabilities
This section defines the parameters used by LCE to gather vulnerability information from SecurityCenter, as described in the
table below.
Option
Description
Enable Host Discovery
This option enables or disables host discovery. When set to yes, new hosts on the
network will be discovered and reported based on log data.
Report Frequency
The frequency, in minutes, in which the report file will be generated and updated on disk.
The default is 60 minutes.
Report Lifetime
The lifetime of a report in days. The report will be cleared after this amount of time. The
default is 7 days.
Learning Period
This option determines how many days a host has not been seen before an alert will be
generated. A setting of at least 1 or 2 days is recommended. After that, any host that was
not discovered during the period will be alerted on as new. Without this setting, LCE would
“discover” all of your hosts that are currently running and are not really “new”.
Reporter Port
The port used by SecurityCenter to retrieve host and vulnerability reports from LCE.
Reporter Username
The username used by SecurityCenter and LCE to exchange vulnerability information.
Reporter Password
The password used by SecurityCenter and LCE to exchange vulnerability information.
Verify Reporter Password
This field is used for password verification.
Report SSL Key File
The LCE server reporter key filename, relative to /opt/lce/reporter/ssl/.
Report SSL CA File
The LCE server certificate authority filename, relative to /opt/lce/reporter/ssl/.
Report SSL Cert File
The LCE server certificate filename, relative to /opt/lce/reporter/ssl/.
Statistical Alerts
There are multiple Statistical anomalies that can occur on a network. Some examples are Social Network, Login Failure, DNS,
Virus, and Database anomalies. The LCE stats daemon can track these anomalies, and provide feedback when a specific
threshold is reached.
Each statistical anomaly is triggered based on a number of deviations. The table below shows what number of standard
deviations needs to occur before a statistical anomaly is triggered along with an example event name as it would be seen in
the “Events” section of SecurityCenter.
Anomaly types, the minimum and maximum number of standard deviations from the mean that trigger each, and an example event name:
Minor Anomaly: 1.0 to 5.99 standard deviations; example: Statistics-Login_Minor_Anomaly
Anomaly: 6.0 to 9.99 standard deviations; example: Statistics-USB_Anomaly
Medium Anomaly: 10.0 to 99.99 standard deviations; example: Statistics-SPAM_Medium_Anomaly
Large Anomaly: 100.00 to 999999.99 standard deviations; example: Statistics-Intrusion_Large_Anomaly
Option
Description
Min Standard Deviation
This specifies the minimum standard deviation that must occur for an event before an
alert will be generated for it. The higher this number, the more statistically significant a
sequence of events needs to be before an alert is raised.
Min Number of Standard Deviations
If an event occurs more or less than 5.0 standard deviation units, an alert will be
generated. Setting this value higher will cut down on any sequence of events that occur
close to the standard deviation.
Min Statistical History
This specifies the number of iterations (days) per-event are required before alerts will be
generated. If a large amount of LCE data is already present, set this number to a low value
or even to zero. The stats daemon can be started to read in all or just part of the existing
LCE data. If you have NO LCE data, leave this value around 7 so the stats daemon will not
alert on anything until it has 7 days of event data.
Max Occurrence Frequency
If an event occurs more or less than 5.0 standard deviation units, an alert will be
generated. Setting this value higher will cut down on any sequence of events that occur
close to the standard deviation.
Syslog Alerts
The statistics engine will send anomaly alerts to the syslog servers in this list. It is
recommended to include 127.0.0.1 for the local LCE service.
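How the anomaly classes in the table above follow from an event count's distance from its mean, measured in standard deviations, with the “Min Statistical History” and “Min Standard Deviation” gates applied first. This is an added illustration, not LCE's own statistics engine (which the guide does not describe beyond these settings); the thresholds are the guide's, the daily counts are constructed, and the function names are this example's own.

```python
"""Added example, not Tenable's code: how the anomaly classes in the guide's
table follow from an event count's distance from its mean, measured in
standard deviations, with the "Min Statistical History" and "Min Standard
Deviation" gates applied first. LCE's own statistics engine is not described
in the guide beyond those settings, so this is an illustration using the
guide's thresholds on constructed daily counts."""
import statistics
from typing import List, Optional

# (event-name suffix, minimum deviations, maximum deviations) from the table
ANOMALY_CLASSES = [
    ("Minor_Anomaly", 1.0, 5.99),
    ("Anomaly", 6.0, 9.99),
    ("Medium_Anomaly", 10.0, 99.99),
    ("Large_Anomaly", 100.00, 999999.99),
]


def classify_deviations(deviations: float) -> Optional[str]:
    """Map a (signed) number of standard deviations to a class suffix, or None
    below 1.0. Values in the small gaps between the listed ranges (for example
    5.995) are also unclassified, since the table lists the ranges that way."""
    d = abs(deviations)
    for suffix, low, high in ANOMALY_CLASSES:
        if low <= d <= high:
            return suffix
    return None


def anomaly_event(event_type: str, history: List[int], today: int,
                  min_history: int = 7, min_stddev: float = 0.0) -> Optional[str]:
    """Return an event name such as Statistics-Login_Minor_Anomaly, or None when
    no alert should be raised for today's count."""
    if len(history) < min_history:        # Min Statistical History: days per event
        return None
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if sd == 0 or sd < min_stddev:        # Min Standard Deviation gate; also avoids /0
        return None
    suffix = classify_deviations((today - mean) / sd)
    return f"Statistics-{event_type}_{suffix}" if suffix else None


# Constructed history: eight days of login counts alternating 8 and 12
SAMPLE_HISTORY = [8, 12, 8, 12, 8, 12, 8, 12]    # mean 10, standard deviation 2
```

With the constructed history, a count of 16 is three standard deviations out (a Minor Anomaly), 30 is exactly ten (a Medium Anomaly), and 11 is half a deviation out and raises nothing; with fewer than the required days of history, or a history with no variance, nothing is raised regardless of today's count.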
Resource Usage and Performance
This section of the LCE “Advanced Configuration” is used to tune the performance of the LCE server.
Option
Description
Additional Query Memory
By default, 100 megabytes of memory is used for text queries. For systems with large
amounts of available memory, the Additional Query Memory option can be used to
allocate additional memory for the text string search functionality of the query daemon.
This will improve response time during event analysis in SecurityCenter. The option can
be specified in megabytes or gigabytes by selecting an “M” or “G” from the “Additional
Query Memory” drop-down menu.
Max TASL Memory Queue
To maximize performance on multi-processor and multi-core systems, correlated TASL
events are processed in parallel to receive regular incoming events. Since some TASL
scripts can run for an extended period of time, the primary event processor can
potentially receive many TASL-triggering events while a TASL script is still being
executed. In this case, the TASL job is stored in a queue for later processing. This option
defines the maximum size of this queue. On systems with extremely large volumes of
data, setting the maximum queue size higher results in increased performance. If a TASL
script that can be sampled is triggered while the queue is full, its callback functions will
not be executed.
Log-Processors
This option leverages multicore processors and determines how many threads will be
dedicated to log processing.
It is recommended that this setting be no higher than the number of CPU cores in the
LCE host system. This is an upper-limit, and should not be changed unless you have
greater than 8 total cores (e.g., a dual quad-core CPU system).
For systems with hyper-threading technology, the value may be scaled accordingly.
Sampleable TASLs
Sampleable TASL scripts may be skipped to alleviate processor load when the TASL
queue is full.
DNS Caching
When a log message is defined in a plugin, LCE provides the option to specify a hostname instead of an IP address for the
srcip and dstip fields. In this case, LCE automatically attempts to resolve the provided hostname to an IP address using
DNS. Since the same hostname is typically encountered multiple times, caching the results of lookups can greatly increase
performance. These options configure DNS caching in LCE.
A particular hostname, or all domain names with a certain extension, can be excluded from caching using the “Always Resolve”
section. In this case, the matching hosts are looked up at every occurrence. The “Always Resolve” section can be used to
maintain a more extensive list of domains to exclude when DNS caching is utilized. The hosts contained in the “Always Resolve”
section of DNS Caching are read when LCE starts up, but changes to the list can be made at any time. If changes are made to
the section, the “Update” button at the bottom of the “Advanced Configuration” section of the LCE GUI will need to be selected.
Option
Description
Max Memory for DNS Cache
LCE will maintain a cache of hostname-to-IP-address mappings rather than performing the
lookup repeatedly, limited to this amount of memory (in MB). The “Max Memory for DNS
Cache” option can accommodate up to 360K domain names.
DNS Cache Period
The “DNS Cache Period” option specifies the number of days to cache a hostname-to-IP
mapping before updating the result with a new lookup. This value can be set between 1
and 30 days.
Always Resolve
If a host ends with an extension listed here, it will be resolved each time it is encountered
rather than being cached. List each host or extension on a new line. The list is read when
LCE starts up, but changes can be made at any time; after changing it, select the “Update”
button at the bottom of the “Advanced Configuration” section of the LCE GUI.
Cache at Startup
Hosts listed in the “Cache at Startup” are resolved at startup and cached immediately to
reduce runtime DNS resolutions and improve performance. The format for these entries
is one hostname per line.
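The DNS Caching options above, as an added example written for this guide rather than taken from LCE: a hostname-to-IP cache whose entries expire after the cache period in days, whose “Always Resolve” list (a hostname or a domain extension the name ends with) bypasses the cache, and whose “Cache at Startup” list is resolved when the cache is created. The resolver and clock are injected so the example runs offline; the hostnames and addresses in demo() are constructed.

```python
"""Added example, not Tenable's code: a hostname-to-IP cache with the
behaviour the DNS Caching options describe. Entries expire after the cache
period in days, names matching the "Always Resolve" list (a host name or a
domain extension the name ends with) are looked up every time, and the
"Cache at Startup" list is resolved when the cache is created. The resolver
and clock are injected so the example runs offline; the hostnames and
addresses in demo() are constructed."""
import time
from typing import Callable, Dict, Iterable, List, Tuple


class DnsCache:
    def __init__(self, resolver: Callable[[str], str], cache_period_days: int = 1,
                 always_resolve: Iterable[str] = (), cache_at_startup: Iterable[str] = (),
                 clock: Callable[[], float] = time.time) -> None:
        if not 1 <= cache_period_days <= 30:       # guide: 1 to 30 days
            raise ValueError("DNS Cache Period must be between 1 and 30 days")
        self._resolve = resolver
        self._ttl = cache_period_days * 86400
        self._always = [e.strip().lower() for e in always_resolve if e.strip()]
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}
        self.lookups = 0                           # real resolver calls, for observation
        for host in cache_at_startup:              # one hostname per line in the GUI
            if host.strip():
                self.lookup(host)

    def always_resolve(self, host: str) -> bool:
        """True if the name is listed or ends with a listed extension."""
        host = host.strip().lower()
        return any(host == e or host.endswith(e) for e in self._always)

    def lookup(self, host: str) -> str:
        host = host.strip().lower()
        now = self._clock()
        if not self.always_resolve(host):
            hit = self._entries.get(host)
            if hit is not None and now - hit[1] < self._ttl:
                return hit[0]                      # fresh cached mapping
        ip = self._resolve(host)
        self.lookups += 1
        if not self.always_resolve(host):
            self._entries[host] = (ip, now)
        return ip


def demo() -> List[int]:
    """Constructed scenario; returns the resolver call count after each step."""
    table = {"app01.example.net": "192.0.2.5", "db01.example.net": "192.0.2.9",
             "vpn.dyn.example.net": "198.51.100.7"}
    now = [0.0]
    cache = DnsCache(table.__getitem__, cache_period_days=2,
                     always_resolve=[".dyn.example.net"],
                     cache_at_startup=["db01.example.net"], clock=lambda: now[0])
    counts = [cache.lookups]                       # db01 resolved at startup
    cache.lookup("app01.example.net")
    counts.append(cache.lookups)                   # miss: resolved and cached
    cache.lookup("app01.example.net")
    counts.append(cache.lookups)                   # hit: no resolver call
    cache.lookup("vpn.dyn.example.net")
    counts.append(cache.lookups)                   # always resolved
    cache.lookup("vpn.dyn.example.net")
    counts.append(cache.lookups)                   # resolved again
    cache.lookup("db01.example.net")
    counts.append(cache.lookups)                   # served from the startup cache
    now[0] += 3 * 86400                            # past the 2-day cache period
    cache.lookup("app01.example.net")
    counts.append(cache.lookups)                   # expired: refreshed
    return counts
```

An “Always Resolve” entry is matched as a suffix, so listing “.dyn.example.net” with its leading dot avoids also matching a name such as “notdyn.example.net”.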
Data Forwarding
Sending Syslog Messages to Other Hosts
The LCE can be the focal point of your entire log aggregation strategy. If a Storage Area Network, syslog server, or some
other type of log aggregation solution is deployed in your network, the LCE can be configured to send a copy of any received
message to one or more syslog servers. These messages include any message received from any client.
To configure the LCE to forward these messages, go to the “Configuration” section of the LCE GUI. Then select “Advanced”,
and in that section locate “Data Forwarding”. In the “Syslog Forwarding” section of “Data Forwarding”, simply enter a line
for each syslog server. The actual syslog service is not used to forward the messages. All packet generation is handled by
the lced process.
The format of each entry in the “Syslog Forwarding” section is IP:port,exclude-header as shown below. The IP is
the address of the syslog server to which the messages are sent. The port is the UDP port on which the receiving
syslog server is listening. The exclude-header option determines whether the LCE adds a custom header indicating that the
message was sent from the LCE server. When omitted or set to “0”, the header is added. When set to “1”, the
header is not added and only the original log message is sent, without any indication that it was forwarded from the LCE server. If
“2” is used, the log is sent in CEF format.
The following is an example of the “Syslog Forwarding” section that forwards messages to multiple syslog servers
using UDP. The first line forwards to UDP port 1234 and adds an LCE server header to each entry. The second forwards
to UDP port 514, and an LCE server header is not added. The third forwards to UDP port 514 and sends each log in
CEF (Common Event Format).
The following is an example of the “TCP Syslog Forwarding” section that forwards messages to multiple syslog
servers. The first line forwards to TCP port 601 and adds an LCE server header to each entry with an ASCII 10 (Line Feed)
delimiter. The second forwards to TCP port 601, and an LCE server header is not added. The third forwards
to TCP port 1234 and sends each log in CEF (Common Event Format).
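The IP:port,exclude-header entry format described above, as an added example written for this guide rather than taken from LCE: a parser that validates each line of a forwarding list and reports which of the three header modes it selects. The addresses in the constructed sample are from the RFC 5737 documentation range; only the entry format and the meaning of 0, 1 and 2 come from the guide.

```python
"""Added example, not Tenable's code: parse and validate lines of the
"Syslog Forwarding" list in the IP:port,exclude-header form the guide
describes. Addresses in SAMPLE are constructed from the RFC 5737
documentation range; only the entry format and the 0/1/2 meanings are
the guide's."""
import ipaddress
from dataclasses import dataclass
from typing import List

MODES = {0: "forward with LCE header", 1: "original message only", 2: "CEF format"}


@dataclass(frozen=True)
class ForwardTarget:
    ip: str
    port: int
    mode: int

    @property
    def description(self) -> str:
        return MODES[self.mode]


def parse_forwarding_entry(entry: str) -> ForwardTarget:
    """Accept 'IP:port' or 'IP:port,exclude-header'; raise ValueError otherwise."""
    entry = entry.strip()
    addr_part, has_flag, mode_part = entry.partition(",")
    host, has_port, port_part = addr_part.rpartition(":")   # rpartition keeps IPv6 intact
    if not has_port:
        raise ValueError(f"missing port in {entry!r}")
    ip = str(ipaddress.ip_address(host))                     # ValueError on a bad address
    port = int(port_part)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    mode = int(mode_part) if has_flag else 0                 # omitted flag means header added
    if mode not in MODES:
        raise ValueError(f"exclude-header must be 0, 1 or 2 in {entry!r}")
    return ForwardTarget(ip, port, mode)


def parse_forwarding_list(text: str) -> List[ForwardTarget]:
    """One entry per line; blank lines are ignored."""
    return [parse_forwarding_entry(line) for line in text.splitlines() if line.strip()]


def is_valid_entry(entry: str) -> bool:
    try:
        parse_forwarding_entry(entry)
        return True
    except ValueError:
        return False


# Constructed sample mirroring the three cases the guide describes
SAMPLE = """192.0.2.10:1234
192.0.2.11:514,1
192.0.2.12:514,2
"""
```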
LCE has the ability to forward logs in CEF format. Whatever the source of a log received by LCE (an LCE Client, a syslog
server, an IDS, or any other compatible log format), LCE will convert the original log into CEF format. Shown below is a
normal syslog message received by an LCE server followed by the forwarded CEF-formatted message.
Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; PWD=/home/rongula ; USER=foo ; COMMAND=/bin/bash
CEF:0|Tenable|LCE|4.4.0|1404|Unix-Successful_Sudo|5|dpt=0 dst=192.168.1.23 spt=0 src=172.26.20.66 duser=rongula proto=0 msg=Apr 16 11:05:52 jetjaguar sudo: rongula : TTY\=pts/0 ; PWD\=/home/rongula ; USER\=foo ; COMMAND\=/bin/bash
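The conversion shown above, as an added example that is not LCE's code: the CEF line is built from its header fields and extension key/value pairs, with the escaping CEF requires (backslash and “|” in the header, backslash and “=” in extension values), which is why every “=” inside the original sudo message appears as “\=” in the msg field. The field values are those of the guide's sample; the function names are this example's own.

```python
"""Added example, not Tenable's code: build the CEF line the guide shows
from its parts, with the escaping CEF requires (backslash and '|' in the
header, backslash and '=' in extension values). The field values are the
ones in the guide's sample; the function names are this example's own."""
from typing import Dict

HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")


def escape_header(value: str) -> str:
    """Header fields are '|'-delimited, so '|' and '\\' must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """Extension values follow 'key=', so '=' and '\\' must be escaped."""
    return value.replace("\\", "\\\\").replace("=", "\\=")


def unescape_extension(value: str) -> str:
    """Reverse of escape_extension, for a receiver reading the msg field back."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "\\=":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def to_cef(header: Dict[str, object], extension: Dict[str, object]) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    head = "|".join(escape_header(str(header[k])) for k in HEADER_FIELDS)
    ext = " ".join(f"{k}={escape_extension(str(v))}" for k, v in extension.items())
    return f"CEF:0|{head}|{ext}"


# The guide's sample syslog message, on one line
SAMPLE_SYSLOG = ("Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; "
                 "PWD=/home/rongula ; USER=foo ; COMMAND=/bin/bash")


def sample_event() -> str:
    """The guide's sample, rebuilt from its fields (values taken from the guide)."""
    header = dict(vendor="Tenable", product="LCE", version="4.4.0",
                  signature_id=1404, name="Unix-Successful_Sudo", severity=5)
    extension = {"dpt": 0, "dst": "192.168.1.23", "spt": 0, "src": "172.26.20.66",
                 "duser": "rongula", "proto": 0, "msg": SAMPLE_SYSLOG}
    return to_cef(header, extension)
```

Because the original message is carried verbatim inside msg, a receiver must unescape that field before matching on it; unescape_extension shows the inverse transformation.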
Syslog Compliant Messages
Logs forwarded by the LCE will retain the original syslog alert level and facility, if one was present. If one was not present,
the LCE assigns a log level of “auth.warning”.
Typically, LCE clients do not send syslog-compliant messages. If an LCE client were configured to monitor a log file that
retained an original message’s syslog alert level and facility, then this would be retained if forwarded by the LCE.
This allows for a remote syslog server that is receiving events from the LCE to process the received messages and place
them in specific files. Depending on the type of syslog server, it may be possible to place logs from a router into one file,
operating system logs into another and so on.
Content of Forwarded syslog Messages
When the LCE forwards a message, it also adds any matched information to the log file as shown below if configured to do so:
Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 172.20.1.1:0 :: <37>sshd(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.20.1.1
The “::” characters are used to separate LCE’s heading from the original message. In this case, the message would also have
been sent with a syslog facility/severity of <37> since that was the facility of the original message.
Additionally, notice that the LCE tagged the example event above with a not-matched keyword. This means that the LCE did
not possess a .prm file to process the log. If it did, the matched event name would be present in the same location.
If configured to strip the LCE headers from the forwarded syslog messages, only the original log message is sent to the
remote syslog server.
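The forwarded message above, as an added example that is not LCE's code: a parser that splits a forwarded line at “::” into the LCE heading (event name or not-matched tag, source and destination) and the original message, and decodes the original's <PRI> into its syslog facility and severity (PRI 37 is facility 4, severity 5, that is auth.notice). The separator, tag and address layout come from the guide's description; the regular expression, the field names and the second, matched sample line are this example's own.

```python
"""Added example, not Tenable's code: split a message that LCE forwarded with
its header into the LCE heading and the original log, and decode the original
log's <PRI> into a syslog facility and severity. The " :: " separator, the
[event] tag and the src:port -> dst:port layout come from the guide's
description; the regular expression and the field names are this example's."""
import re
from typing import Optional, Tuple

FORWARDED = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) lce: "   # LCE's own timestamp
    r"\[(?P<event>[^\]]+)\] "                          # event name or not-matched
    r"(?P<src>[^ :]+):(?P<sport>\d+) -> (?P<dst>[^ :]+):(?P<dport>\d+) :: "
    r"(?P<original>.*)$",
    re.S,
)
PRI = re.compile(r"^<(\d{1,3})>")

# RFC 3164 facility and severity names; PRI = facility * 8 + severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(message: str) -> Optional[Tuple[str, str]]:
    """Return (facility, severity) for a leading <PRI>, or None if absent/invalid."""
    m = PRI.match(message)
    if m is None:
        return None
    n = int(m.group(1))
    if n > 191:                       # 23 * 8 + 7 is the largest valid PRI
        return None
    return FACILITIES[n // 8], SEVERITIES[n % 8]


def parse_forwarded(line: str) -> dict:
    """Parse one forwarded line. A line without the LCE heading (the header
    stripped with exclude-header 1) is returned as the original message alone."""
    m = FORWARDED.match(line)
    if m is None:
        return {"event": None, "matched": None, "original": line,
                "pri": decode_pri(line)}
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["matched"] = d["event"] != "not-matched"   # not-matched: no .prm processed it
    d["pri"] = decode_pri(d["original"])
    return d


# The guide's sample line, joined onto one line
SAMPLE = ("Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 172.20.1.1:0 :: "
          "<37>sshd(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 "
          "tty=NODEVssh ruser= rhost=172.20.1.1")

# Constructed line showing where a matched event name appears instead
SAMPLE_MATCHED = ("Jun 30 17:46:01 lce: [Unix-Successful_Sudo] 172.26.20.66:0 -> "
                  "192.168.1.23:0 :: <85>sudo: rongula : COMMAND=/bin/bash")
```

On a receiving syslog server, the decoded facility and severity are what the server's own rules see, since LCE preserves the original PRI; the event tag is what a downstream filter can use to route matched and unmatched logs differently.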
TCP Syslog Server Reconnect Interval
The “TCP Syslog Server Reconnect Interval” sets the interval that the LCE will wait before making a reconnection attempt to
the TCP syslog server that lost its connection.
Checksum Forwarding
When LCE rolls a silo, the checksum of the completed silo .ndb file will be forwarded to each syslog server IP in this list.
TCP Syslog
This list of decimal ASCII character codes tells LCE how to delimit TCP syslogs. By default only the standard linefeed
character (ASCII decimal 10) is recognized but other products may use special characters. [0-255]
Receiving Encrypted Syslog
Encrypted TCP Syslog
New in LCE 4.6 is the ability to receive encrypted syslog. The configuration to enable this functionality is located in two
places. The “Encrypted TCP Syslog Listen Port” can be found by selecting “Configuration” followed by “Basic”, and by default
is configured to port 6514. To locate the “Encrypted TCP Syslog” section, select “Configuration” followed by “Advanced”, and
scroll down until the “Encrypted TCP Syslog” section is displayed.
The “Encrypted TCP Syslog” functionality requires an rsyslog server configured to send encrypted syslog to the LCE server.
A self-signed certificate can be used, but it is recommended to use a signed certificate from a trusted CA (Certificate
Authority). The only configuration requirement in the “Encrypted TCP Syslog” is the “Senders’ CA Cert. PEM-encoded Path”,
and the suggested path is /opt/lce/credentials/syslog/<filename.pem>.
A fingerprint can be generated, and used for authentication if it is placed in the “Authorized Fingerprints” section of the
“Encrypted TCP Syslog” configuration. It is also suggested to include the IP address or DNS name of authorized hosts that
will be forwarding encrypted syslog into the “Authorized Hosts” section of “Encrypted TCP Syslog”.
An example configuration is shown below:
Option
Description
Senders’ CA Cert PEM-encoded Path
Path of encrypted syslog senders’ CA cert, PEM-encoded, for validating encrypted syslog
senders.
If this option is used neither an “Authorized Fingerprint” nor “Authorized
Host” is required for the “TCP Encrypted Syslog” configuration.
Authorized Fingerprints
Fingerprints (SHA-1 hashes of DER-encoded certificates, per RFC4572) of hosts
authorized to send encrypted syslog. The length of each fingerprint will be 65 characters.
This option can be used alone or in conjunction with “Authorized Hosts” to enable the
receipt of “TCP Encrypted Syslog”.
Using an “Authorized Fingerprint” will only verify the certificate’s
fingerprint against the configured value. It does not check whether the
certificate is revoked or expired, and it does not require the v3 extension.
Authorized Hosts
DNS names or IPs of hosts authorized to send encrypted syslog to the LCE server. This
option can be used alone or in conjunction with “Authorized Fingerprints” to enable the
receipt of “TCP Encrypted Syslog”.
This option is only required if the X509v3 Subject Alternative Name is
present in the certificate.
Example Encrypted TCP Syslog Configuration
How the “Encrypted TCP syslog” is configured depends on the implementation of the rsyslog server that is forwarding the
logs to LCE. For this example, certificates generated by the “openssl-utils.sh” script contained in the
/opt/lce/tools directory will be used. The certificates generated by the “openssl-utils.sh” script are X509v3
certificates that will require the FQDN (Fully Qualified Domain Name) of each host. The OS used for this example is CentOS
6 64-bit.
Configuring TCP syslog will include the following steps:
1. Generate credentials using /opt/lce/tools/openssl-utils.sh.
2. Copy credentials to /opt/lce/credentials/syslog, and to a directory on the remote rsyslog server.
3. Set file permissions on the certificates.
4. Edit rsyslog.conf, and restart the rsyslog service.
5. Configure the “Encrypted TCP Syslog” settings in the LCE GUI under “Configuration” -> “Advanced”, and update the
configuration.
Step 1
Generate CA credentials.
# ./openssl-utils.sh --generate-CA-creds 'C=US,st=MD,CN=lce01.example.com' /tmp/foo-creds/ca/
Generate the certificates for the rsyslog server.
# ./openssl-utils.sh --generate-creds devsyslog1.example.com 192.168.1.157
'C=US,st=MD,CN=syslog1.example.com' /tmp/foo-creds/client// /tmp/foo-creds/ca/
Generating a client certificate to revoke followed by the creation of the revocation list certificate is optional.
Generate a client certificate to revoke. This is done to create a certificate revocation list.
# ./openssl-utils.sh --generate-creds revoke.example.com 192.168.1.47
'C=US,st=MD,CN=revoke.example.com' /tmp/foo-creds/revoked// /tmp/foo-creds/ca/
Generate the revocation list certificate.
# ./openssl-utils.sh --revoke /tmp/foo-creds/revoked/cert.pem /tmp/foo-creds/ca/
/tmp/foo-creds/crl.pem
Step 2
Copy cert.pem certificates to /opt/lce/credentials/syslog directory on your LCE server. The certificate will need
to be renamed to rsyslog-ca.pem so it does not overwrite the LCE cert.pem file that already exists in the same location.
Make sure when copying the files to the /opt/lce/credentials directory that you do not overwrite the SSL
certificates that were generated at the time of installation. A list of those certificates are shown below:
ca-cert.pem
ca-privkey.pem
cert.pem
privkey.pem
sorted-cert-chain.pem
[root@test01 ca]# cp /tmp/foo-creds/ca/cert.pem /opt/lce/credentials/syslog/rsyslog-ca.pem
Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
SecurityCenter, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks
of their respective owners.
Copy the certification revocation list (crl.pem) to /opt/lce/credentials/syslog directory on your LCE server.
[root@test01 ca]# cp /tmp/foo-creds/crl.pem /opt/lce/credentials/syslog/crl.pem
Copy the following files to a directory on the server running rsyslog. In this example they are placed in the
/root/self-signed directory of the rsyslog server.
/tmp/foo-creds/client/privkey.pem
/tmp/foo-creds/client/cert.pem
/tmp/foo-creds/ca/cert.pem
Two of these files share the name cert.pem. Rename the one from /tmp/foo-creds/ca/ to rsyslog-ca.pem so that it matches
the rsyslog configuration used in Step 4.
Step 3
Verify the permissions and ownership of the files that were copied to /opt/lce/credentials/syslog. Each file should be
readable only by its owner and group (mode 440) and owned by the lce user. Use the following commands to set them:
# chmod 440 crl.pem
# chown lce:lce crl.pem
# chmod 440 rsyslog-ca.pem
# chown lce:lce rsyslog-ca.pem
The files copied to the rsyslog server should have the same permissions but be owned by the root user (which they
already are if they were copied as root):
# chmod 440 rsyslog-ca.pem
# chmod 440 privkey.pem
# chmod 440 cert.pem
Step 4
Use your preferred text editor to add the following lines to the rsyslog server configuration file (rsyslog.conf) if they
are not already present. The certificate paths must match the directory the files were copied to in Step 2.
# rsyslog v5 (legacy directive) configuration
#$MainMsgQueueType Direct
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionSendStreamDriverAuthMode x509/certvalid # LCE's certificate must chain to the CA file below
# certificate files - the client's own key and certificate, plus the CA that signed the LCE certificate
$DefaultNetstreamDriverKeyFile /root/self-signed/privkey.pem
$DefaultNetstreamDriverCertFile /root/self-signed/cert.pem
$DefaultNetstreamDriverCAFile /root/self-signed/rsyslog-ca.pem
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@lce01.example.com:6514
Note that x509/certvalid only checks that the certificate presented by LCE chains to the configured CA; it does not
check that the certificate was issued to lce01.example.com. If the sender should also pin the LCE host name, use
x509/name together with the $ActionSendStreamDriverPermittedPeer directive instead.
Restart the rsyslog service.
# service rsyslog restart
In the LCE GUI, under "Encrypted TCP Syslog", set "Senders' CA Cert, PEM-encoded Path" to
/opt/lce/credentials/syslog/rsyslog-ca.pem.
Because the certificates were generated with X509v3 extensions, the FQDN (Fully Qualified Domain Name) that appears in
each sender's certificate must be entered into "Authorized Hosts". After the information has been entered, scroll to the
bottom of the page and select "Update".
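The following is an added example, not Tenable's code or openssl-utils.sh, that shows what the five steps above establish end to end: a throw-away CA signs an LCE server certificate and an rsyslog client certificate (both with X509v3 subjectAltName entries), the two sides complete a mutual TLS handshake, and the sender's certificate name is checked against an "Authorized Hosts" list. It assumes the openssl command-line tool is on PATH, a CA name of lce-ca.example.com (an assumption, kept distinct from the server name), the host names and IPs used in the procedure, a loopback listener in place of lce01.example.com:6514, and that LCE's Authorized Hosts check compares the list against the FQDN in the sender's certificate, which the guide implies but does not spell out.

```python
# Added example, not Tenable's code: throw-away CA, LCE server cert, rsyslog client
# cert, a loopback mutual-TLS handshake, and an "Authorized Hosts" style check.
# Assumes `openssl` on PATH; the CA name and the Authorized Hosts semantics are assumptions.
import os, socket, ssl, subprocess, tempfile, threading

LCE_HOST, RSYSLOG_HOST = "lce01.example.com", "syslog1.example.com"

# Minimal openssl config: -subj supplies the DN, v3_ca marks the CA certificate as a CA.
REQ_CNF = """[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
"""

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_pki(root):
    """Stand-in for --generate-CA-creds / --generate-creds: a CA plus two X509v3 leaf
    certificates whose subjectAltName carries the FQDN that Authorized Hosts must list."""
    cnf = os.path.join(root, "req.cnf")
    with open(cnf, "w") as f:
        f.write(REQ_CNF)
    ca = os.path.join(root, "ca")
    os.makedirs(ca)
    _openssl("req", "-config", cnf, "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "365",
             "-subj", "/C=US/ST=MD/CN=lce-ca.example.com",        # assumed CA name, distinct from the server
             "-keyout", f"{ca}/privkey.pem", "-out", f"{ca}/cert.pem")
    for name, fqdn, ip in (("server", LCE_HOST, "192.168.1.10"), ("client", RSYSLOG_HOST, "192.168.1.157")):
        d = os.path.join(root, name)
        os.makedirs(d)
        with open(f"{d}/ext.cnf", "w") as f:
            f.write(f"subjectAltName = DNS:{fqdn},IP:{ip}\n")
        _openssl("req", "-config", cnf, "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
                 "-subj", f"/C=US/ST=MD/CN={fqdn}", "-keyout", f"{d}/privkey.pem", "-out", f"{d}/req.pem")
        _openssl("x509", "-req", "-in", f"{d}/req.pem", "-CA", f"{ca}/cert.pem", "-CAkey", f"{ca}/privkey.pem",
                 "-CAcreateserial", "-days", "365", "-sha256", "-extfile", f"{d}/ext.cnf", "-out", f"{d}/cert.pem")
    return root

def handshake(root, send_client_cert=True):
    """Loopback mutual TLS: the server plays LCE's Encrypted TCP Syslog listener, the client
    plays rsyslog/gtls. Returns the sender's certificate as LCE saw it ('peer') and the line
    received, or the server-side error class name when the sender is refused."""
    ca = f"{root}/ca/cert.pem"
    lce = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    lce.load_cert_chain(f"{root}/server/cert.pem", f"{root}/server/privkey.pem")
    lce.load_verify_locations(ca)                  # "Senders' CA Cert" (rsyslog-ca.pem)
    lce.verify_mode = ssl.CERT_REQUIRED            # a sender without a CA-signed cert is refused
    rsyslog = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    rsyslog.load_verify_locations(ca)              # $DefaultNetstreamDriverCAFile
    if send_client_cert:                           # $DefaultNetstreamDriverCertFile / KeyFile
        rsyslog.load_cert_chain(f"{root}/client/cert.pem", f"{root}/client/privkey.pem")
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                # stands in for lce01.example.com:6514
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def serve():
        conn, _ = listener.accept()
        try:
            with lce.wrap_socket(conn, server_side=True) as s:
                result["peer"] = s.getpeercert()
                result["line"] = s.recv(1024).decode()
        except (ssl.SSLError, OSError) as e:
            result["error"] = type(e).__name__
        finally:
            listener.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        raw = socket.create_connection(("127.0.0.1", port))
        with rsyslog.wrap_socket(raw, server_hostname=LCE_HOST) as c:
            # constructed RFC 5424 line; <38> = facility 4 (auth), severity 6 (info)
            c.sendall(b"<38>1 2016-05-17T12:00:00Z syslog1 sshd - - - Accepted publickey for lce\n")
    except (ssl.SSLError, OSError):
        pass                                       # the refusal is recorded on the server side
    t.join()
    return result

def authorized(peer_cert, authorized_hosts):
    """Assumed reading of LCE's "Authorized Hosts": the FQDN in the sender's certificate
    (SAN DNS names, or the CN) must appear in the list."""
    names = {v for kind, v in peer_cert.get("subjectAltName", ()) if kind == "DNS"}
    names |= {v for rdn in peer_cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    return not names.isdisjoint(authorized_hosts)

def demo():
    """Run the accepted and the refused case and return both for inspection."""
    root = make_pki(tempfile.mkdtemp(prefix="lce-tls-"))
    good, anon = handshake(root, True), handshake(root, False)
    return {"good": good, "anon": anon,
            "authorized": authorized(good["peer"], [RSYSLOG_HOST]),
            "stranger": authorized(good["peer"], ["other.example.com"])}
```

Calling demo() runs both cases: with the client certificate loaded, the LCE side sees a subjectAltName of DNS:syslog1.example.com and the Authorized Hosts check passes; without it, the handshake is refused on the server side before any log line is accepted. The Python client also verifies that the server certificate was issued to lce01.example.com, which is closer to rsyslog's x509/name mode than to the x509/certvalid mode shown in Step 4.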
Correlation
LCE normally requires the vulnerability port to match the port given in the normalized event before it correlates an
event with a vulnerability. If this option is disabled, LCE ignores this requirement when the vulnerability port is 0, 22,
or 445.
TASL and Plugins
Excluding TASL Files
TASLs may be disabled selectively by adding the TASL script file name (e.g., program_accounting.tasl) to the “Disabled
TASL Scripts” section. This option is located under the “TASL and Plugins” portion of the “Advanced” section of the LCE GUI.
This is useful for cases where a particular TASL script is not needed by an organization or where the TASL might be causing
performance issues and needs to be disabled either temporarily or permanently.
A disabled TASL is re-enabled by removing its file name from the “Disabled TASL Scripts” section.
Excluding PRM Files
In some cases, a user may wish to allow global updates of PRM files but exclude specific ones from being run. This is
done in the “Disabled PRM Scripts” section of the LCE GUI, where the PRM files that should still be updated by the feed
but not loaded are listed one per line.
If there is a need to customize a plugin or plugins, rename the original file before making modifications. Once done, include
the name of the original plugin in the “Disabled PRM Scripts” section. If an existing PRM file is modified and not renamed, it
will be overwritten on the next PRM update. If the original is not disabled, and the Multiple Matches option is not enabled,
only one of the two PRM files will match. This option is located under the “TASL and Plugins” portion of the “Advanced”
section of the LCE GUI.
TASL Parameters
Advanced TASL parameters can be entered here.
Event Rules
This section is used to configure the active response operations performed by the LCE daemon. LCE rules analyze LCE
event content and fire when preset conditions are met. Active responses include sending automatic emails (msmtp,
sendmail), sending syslog alerts (syslog, cef), and running custom commands on the LCE system.
Email Syntax
Command: echo "body: $log" | sendmail rgula@example.com "subject: $name"
Command: echo "This is a test message." | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf bob@example.com
Syslog Syntax
The following syslog line would forward any log that triggered the rule to the remote syslog server 10.10.10.10, port 514,
with the default priority of 36 (severity=4, facility=4):
syslog: 10.10.10.10 "Possible password guessing evidence: $log"
The following syslog line would forward any log that triggered the rule to two remote syslog servers, 10.10.10.9, and
10.10.10.10, on port 515, with the specified priority of 116 (severity=4, facility=14):
syslog: 10.10.10.9, 10.10.10.10 "Your message goes here: $log" -priority 116 -port 515
Custom Command Syntax
Command: /path/to/scripts/my_custom_firewall_reconfig_command.sh -block $sip
LCE Rule Filters
The following fields are optional filters. A plus sign signifies that events matching the specified values will receive rule
application, while a minus sign signifies that matching events will not. If no “+” filter is used, all events are matched by default
for the field, unless excluded specifically with the minus “-” filter. Multiple values can be specified for any filter.
Do not use spaces to precede LCE rules. If there is a space at the beginning of an option, that option will be
ignored.
Option
Description
IPS
This filter allows for the search of IP addresses that are or are not present as either source or destination. The
following five formats are supported for both +IPS and -IPS:
• 172.16.1.1/255.255.255.0
• 172.16.1.1/32
• 172.16.1.1-255
• 172.16.1.1-172.16.1.255
• 172.16.1.1
SrcIPS
This filter will search for source IP addresses that are or are not present. The same five formats are supported for
both +SrcIPS and -SrcIPS:
• 172.16.1.1/255.255.255.0
• 172.16.1.1/32
• 172.16.1.1-255
• 172.16.1.1-172.16.1.255
• 172.16.1.1
DstIPS
This filter will search for destination IP addresses that are or are not present. The same five formats are supported
for both +DstIPS and -DstIPS:
• 172.16.1.1/255.255.255.0
• 172.16.1.1/32
• 172.16.1.1-255
• 172.16.1.1-172.16.1.255
• 172.16.1.1
Events
Considers both the primary and secondary event names. The “Events” field allows
spaces in event names (because Nessus IDS signatures contain spaces), and thus events
must only be separated by commas and not spaces. Spaces, commas or both may be used
to separate entries in the other fields.
Sensors
Sensor that detected the LCE event
Types
LCE event type
Ports
Source or destination port within the LCE event
Protocols
Specified by TCP, UDP, ICMP or a number
Users
Username associated with the event
Text
Filter on any text token in the log that is or is not present (tokens can include spaces and
punctuation but not commas) by using +Text or –Text.
IText
The same filter as Text, but the token is matched case-insensitively; +IText or -IText must be used.
Vulnerable
“yes” or “no”
Ignore
Single keyword causes all events matching the rule’s filters to be ignored by LCE. If an
event is ignored in this manner, there will be no LCE database entry written for it, no
other matching rules will fire and no TASLs filtering on the event will be executed.
RateLimit
A string indicating the maximum number of event responses per time period that will be
allowed. When the quantity of incoming matching logs exceeds this constraint, the
remaining logs will be queued or ignored. This string follows the format:
(integer) per [second, minute, hour, day, week, month, year]
Command
Runs the given command at the command line as user “lce” (i.e., echo "log matched"
>> /opt/lce/my_log_file.log).
See the /opt/lce/tools/ directory for a tool supplied with LCE for emailing logs.
When using “Command:” to run a command, fields of the log can be inserted into the command with the replacement
macros listed under LCE Shell Command Options. The following example emails the original log text and the source and
destination IP:port pairs for network or connection type logs:
Name: Example command
+Types: network,connection
Command: printf "To:auser@example.com\nFrom:buser@example.com\nSubject: Network Connection\n\nLOG MATCHED RULE $sip:$sport -> $dip:$dport $log .\n" | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf auser@example.com
MaxQueue
The maximum number of matching events to queue; those coming in while the queue is
full will be ignored.
Threshold
A string indicating the minimum number of matching events that must occur in a given
time period before event responses are generated. This string follows the format:
(integer) in a [second, minute, hour, day, week, month, year]
Log Forwarding
Logs that trigger a rule can be forwarded in syslog or Common Event Format (CEF). The
log format for CEF is predetermined and forwarded in a fixed format. The syslog option
can be sent with the priority and port specified, but it is not required. The syslog option
can also contain LCE shell command options, which are explained in detail in the LCE
Shell Command Options section.
An example of each is shown below.
For CEF forwarding:
cef: 192.168.1.4
For syslog forwarding:
syslog: 192.168.1.4 " Possible password guessing evidence: $log" -priority 36 -port 514
Additional information and examples are available in Appendix 2: Event Rules Tables.
LCE Shell Command Options
The following case sensitive variables may be included in the shell command string:
Any command that uses the shell command variables listed below must be enclosed in double quotation marks ("").
Option
Description
$sip
Source IP of event
$dip
Destination IP of event
$sport
Source port of event
$dport
Destination port of event
$proto
Protocol of event, displayed as N/A, TCP, UDP, ICMP, or a number for other protocols
$vuln
“no” if the event was not correlated with a vulnerability, “yes” otherwise
$sensor
Name of sensor generating the event
$event1
Primary event name
$event2
Secondary event name
$type
Type name of event
$time
Time event was recorded at LCE (format: Mon MM, YYYY H:M:S)
$user
Username associated with the event
$log
Raw text of log
$queued_logs
All logs currently in the event rules queue. Use of this variable has the effect of emptying
the rule’s queue
Additional examples of event rules and their usage can be found in Appendix 2: Event Rules Tables.
Email/Alerting/Execution
LCE can interpret received log events based on their content and use configurable rules to generate active responses
from the LCE server. These rules are configured in the “Event Rules” section of the LCE GUI and can perform three primary
responses:
• email alerting
• syslog alerting
• command execution
The LCE server generates email alerts using the settings in the msmtp.conf file, which is found in the /opt/lce/tools/
directory on the LCE server. This file must contain your mail server information for alerting to function correctly. A
sample msmtp.conf file is shown in Appendix 1: Sample msmtp.conf File.
Examples of practical applications include configuring rules to rate limit certain types of log events, email administrators
immediately when an attack is detected, and send customized commands to a firewall when an inbound attack is detected
and firewall reconfiguration needs to take place.
Various fields within the received log alert are automatically placed in variables that may be used as parameters within the
active response. For example, consider the following “Event Rules” entry:
Name: DMZ Login
+IPS: 192.168.20.15,192.168.20.100,192.168.20.110-112
Event: SC4-Login
Command: echo "body: $log" | sendmail rgula@example.com "subject: $name"
RateLimit: 5m
This rule takes LCE events named “SC4-Login” that involve one of the listed IP addresses and automatically generates an
email alert to the specified administrator address. In addition, a rate limit is applied so that only one email is sent
every five minutes, which prevents the LCE server from overwhelming the mail server.
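The following is an added example, not LCE's own code, that puts the Event Rules syntax described in this section to work: a small evaluator for the “+”/“-” filters (including the five IP address formats from the LCE Rule Filters table), the case-sensitive $macros from LCE Shell Command Options, and the RateLimit and Threshold options, applied to the “DMZ Login” rule above and to a threshold-based password-guessing rule. The Rule class and the event dictionary layout are assumptions standing in for lced's internals; the sample events are constructed for the demonstration; RateLimit is written in the table's “(integer) per [unit]” form; and $name, which is not in the macro table, is taken to mean the rule's Name.

```python
# Added example, not LCE code: an evaluator for the Event Rules filter syntax, $macros,
# RateLimit and Threshold. Rule/event layout are assumptions standing in for lced internals.
import ipaddress
import re

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
          "week": 604800, "month": 2592000, "year": 31536000}
_RANGE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+(?:\.\d+\.\d+\.\d+)?)$")


def ip_matches(spec, ip):
    """True if ip is covered by spec in any of the five documented forms:
    a.b.c.d/m.m.m.m, a.b.c.d/nn, a.b.c.d-e (last octet), a.b.c.d-w.x.y.z, a.b.c.d."""
    addr = ipaddress.IPv4Address(ip)
    m = _RANGE.match(spec)
    if m:
        lo, hi = m.group(1), m.group(2)
        if "." not in hi:                          # short range: only the last octet is given
            hi = lo.rsplit(".", 1)[0] + "." + hi
        return ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
    if "/" in spec:                                # CIDR or dotted netmask; host bits tolerated
        return addr in ipaddress.IPv4Network(spec, strict=False)
    return addr == ipaddress.IPv4Address(spec)


def expand(command, ev):
    """Substitute the case-sensitive $macros ($sip, $dport, $log, ...) from the event;
    names the event does not carry are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: str(ev.get(m.group(1), m.group(0))), command)


def _period(spec):
    """'N per minute' (RateLimit) or 'N in a minute' (Threshold) -> (N, seconds)."""
    n, _, unit = spec.replace(" in a ", " per ").partition(" per ")
    return int(n), _UNITS[unit.strip().rstrip("s")]


class Rule:
    _SIMPLE = {"Sensors": "sensor", "Types": "type", "Protocols": "proto",
               "Users": "user", "Vulnerable": "vuln"}

    def __init__(self, text):
        self.include, self.exclude, self.opts = {}, {}, {}
        for line in text.splitlines():
            if not line.strip() or line[0] == " ":  # a leading space makes lced ignore the option
                continue
            key, _, value = line.partition(":")
            value = value.strip()
            if key[0] in "+-":
                field = "Events" if key[1:] == "Event" else key[1:]
                sep = r"\s*,\s*" if field == "Events" else r"[,\s]+"   # Events: commas only
                (self.include if key[0] == "+" else self.exclude)[field] = re.split(sep, value)
            else:
                self.opts[key] = value
        self._fired, self._seen = [], []            # timestamps for RateLimit / Threshold

    def _hits(self, field, values, ev):
        if field == "IPS":
            return any(ip_matches(v, ev[k]) for v in values for k in ("sip", "dip"))
        if field in ("SrcIPS", "DstIPS"):
            return any(ip_matches(v, ev["sip" if field == "SrcIPS" else "dip"]) for v in values)
        if field == "Events":
            return ev["event1"] in values or ev["event2"] in values
        if field == "Ports":
            return str(ev["sport"]) in values or str(ev["dport"]) in values
        if field == "Text":
            return any(v in ev["log"] for v in values)
        if field == "IText":
            return any(v.lower() in ev["log"].lower() for v in values)
        return str(ev[self._SIMPLE[field]]) in values

    def matches(self, ev):
        """All '+' filters must hit and no '-' filter may hit; unfiltered fields match."""
        return (all(self._hits(f, v, ev) for f, v in self.include.items())
                and not any(self._hits(f, v, ev) for f, v in self.exclude.items()))

    def fire(self, ev, now):
        """Return the expanded Command to run, or None when the event does not match,
        the Threshold is not yet reached, or the RateLimit is exhausted."""
        if not self.matches(ev):
            return None
        if "Threshold" in self.opts:
            n, secs = _period(self.opts["Threshold"])
            self._seen = [t for t in self._seen if now - t < secs] + [now]
            if len(self._seen) < n:
                return None
        if "RateLimit" in self.opts:
            n, secs = _period(self.opts["RateLimit"])
            self._fired = [t for t in self._fired if now - t < secs]
            if len(self._fired) >= n:
                return None                         # over the limit: lced queues or drops it
        self._fired.append(now)
        # $name is not in the macro table; taken here to mean the rule's Name (assumption)
        return expand(self.opts.get("Command", ""), {**ev, "name": self.opts.get("Name", "")})


# Constructed sample rules: the DMZ Login rule from the text plus a threshold rule.
DMZ_RULE = Rule("""Name: DMZ Login
+IPS: 192.168.20.15,192.168.20.100,192.168.20.110-112
-Users: svc_backup
+Event: SC4-Login
Command: echo "body: $log" | sendmail rgula@example.com "subject: $name"
RateLimit: 1 per minute""")

GUESS_RULE = Rule("""Name: Password guessing
+Events: Login-Failure
Threshold: 3 in a minute
Command: /path/to/scripts/my_custom_firewall_reconfig_command.sh -block $sip""")


def sample_event(**overrides):
    """Constructed normalized event in the field layout the $macros name."""
    ev = dict(sip="10.1.1.5", dip="192.168.20.111", sport=51000, dport=443, proto="TCP",
              event1="SC4-Login", event2="Login", type="login", sensor="sc4", user="alice",
              vuln="no", log="SC4 login by alice from 10.1.1.5")
    ev.update(overrides)
    return ev
```

Feeding the same SC4-Login event to DMZ_RULE.fire() at t=0, t=10 and t=70 seconds returns the expanded sendmail command, then None (rate limited), then the command again once the minute has passed; an event for user svc_backup, to an unlisted address, or with a different event name never fires. GUESS_RULE stays silent until the third Login-Failure within a minute, then returns the firewall command with $sip expanded.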
Debugging
Debug Mode
It is possible to add various types of debug parameters in the LCE GUI. Information about plugins loaded, LCE client status,
and operation can all be written to the current log file.
The LCE GUI “Debugging” section can be used to log all remote client authentication attempts by enabling “Log Client
Authorization”, which can be helpful when diagnosing remote agent problems. One activity that can be logged is the “Log Silo
Rollover”, which logs when a silo is rotated and indexed.
Enabling these debug messages is a great way to learn how the LCE operates and troubleshoot issues. However,
they can generate a lot of information and can create multi-gigabyte log files when left enabled.
If the lced daemon terminates abnormally for any reason, the system will automatically restart the daemon and add a
warning to the LCE logs.
Storing All Logs with “save-all”
Many organizations have regulatory requirements to save all of their log data for a specified length of time. It may also be
part of that requirement that the data not be manipulated, normalized, or otherwise processed in case it must be used in a
legal proceeding. Any exculpatory evidence in the original logs must not be missing as well.
The LCE’s method of storing data in silos for high-speed normalization and analysis by many different administrators is
not the best place to keep one central log file. LCE therefore provides a way to save every message, including those
that match no plugin, to a central log file.
This log file can be saved by adding the full path to the log file under the “Save All Logs File” section found in the “Debugging”
section of the advanced menu in the LCE GUI. The default location of the “Save All Log File” in previous versions of LCE was
/opt/lce/db/lce.log, which is in the same directory as the silos, but it can be changed to any desired location that has
adequate disk space. In new installations, the path and filename must be specified.
As the LCE daemon receives events through the API or from syslog, it will save the message into the file specified in the LCE
GUI. This log file will grow very large. Maintain rotation and compression of these logs with the logrotate program that is
already installed on all Linux systems supported by the LCE.
Different File System
Since the file that stores all the log files will grow to extremely large sizes when left enabled, it is highly recommended to
place this file on a different physical file system. If the LCE server is placed on a system with two hard drives, consider
creating physically separate partitions for both the LCE silo data and the “save-all” files.
If your network has use of a Storage Area Network (SAN), consider using this to store the “save-all” file. Many times, these
storage devices can be mounted through a network file system (NFS) or Windows file share (SMB) resource. Make sure that
write permissions from the LCE server are available and there is sufficient network bandwidth to send the data, if you use a
SAN.
Multiple Plugin Matches per Log File “multiple-matches”
By default, the LCE daemon will stop processing a log file as soon as one match has been made. This behavior may be
overridden by selecting “Enable Multiple Matches” in the “Debugging” section of the “Advanced” menu in the LCE GUI. With
this feature enabled, the LCE daemon will attempt to exercise the entire plugin set across every log message. This behavior is
useful for extracting multiple forms of information out of a log file. For example, there may be a plugin that looks for a generic
user login failure and another that looks for a login failure for user “root”. Without the multiple matches option enabled, only
one of the plugins will match, even though both are valid.
Even more so than with normal LCE operation, be sure to remove unneeded libraries with multiple matches
feature enabled, otherwise the LCE’s performance can be diminished.
Quick Example
Tenable implemented this feature for a customer who had a firewall log with NAT addresses. For each transaction, the firewall
logged the external Internet address, the customer’s Internet address and their internal RFC1918 address. What they wanted
was the ability to type in any of the IP addresses in question to produce a report of the history.
For example, a student may receive 192.168.20.10 via DHCP inside a high school. The school’s public IP address at the
firewall may be 64.64.64.64 and the student may have been attacking a web site at 99.99.99.99.
These “public” addresses were chosen at random and are in no way intended to be example organizations or
potential targets. We did not want to use RFC1918 addresses as example external addresses.
A firewall log may have all three IP addresses for any network browsing. Without “Enable Multiple Matches” options
selected, there is only one pair of IP addresses that can be matched. However, with “Enable Multiple Matches” enabled, two
rules can be used to process the same log file and extract the specific IP addresses.
The customer decided to log “external to public IP” and “public IP to internal IP” firewall logs. They generated two LCE events
for each firewall log event. However, when they added in the DHCP logs, they were able to use the IP address of a potentially
attacked target to get the actual internal IP address and MAC address. When someone outside of their network contacted
them and complained of a spammer, worm, or malicious activity, they were able to type in the IP address of the target, see
which public IP address was in use at the time, and then see which internal IP addresses were related.
If any changes are made to the “Debugging” section below, select the “Update” button at the bottom of the “Advanced” page
for the changes to go into effect.
Option
Description
Write Unnormalized Logs
If this is enabled, LCE will create a file named notmatched.txt in the database
directory and fill it with log events that have not matched any LCE plugin. This is an
excellent way to analyze events that may be inadvertently ignored. There is a hardcoded
limit of 2 GB for this option in addition to the number of events specified.
This option is deprecated - users are encouraged to instead enable “Store
Unnormalized Logs” above. If non-zero, this is the number of unnormalized
logs to write to the rolling notmatched.txt file in the database directory.
Save All Logs File
Specifies a log file where all events (not just the ones matched with a LCE plugin) are
stored. This log file does not rotate and must be managed by the logrotate process.
Note that this will require significantly more disk space than just keeping the events that
match plugin criteria. This option is most useful when used in conjunction with
logrotate and an external storage device.
Deprecated - this should be enabled temporarily for debugging only. The
“Save All Logs File” option is only useful if a text version of all incoming logs
is desired.
Enable Multiple Matches
By default, LCE stops evaluating plugins when it encounters a match for a log. If this
option is enabled, LCE will evaluate all plugins for each log.
Log Client Event Packets
LCE server receives an event or event-related message from a LCE Client.
Log Client Authorization
LCE server receives a login, logout, version info, or related message from a LCE Client.
Log Server Client Tracking
LCE server connects, disconnects, updates status for, or performs related actions for a
LCE Client.
Log Plugin Matches
(successful)
LCE server successfully matches a log with a plugin match statement.
Log Plugin Matches (failed)
LCE server fails to match a log with a plugin match statement.
Log Plugin Matches
(attempted)
LCE server attempts to match a log with a plugin match statement.
Log Plugin Construction
LCE server parses the plugins and constructs internal representations
Log Plugin Match
Organization
LCE server sorts and builds the plugin execution structure internally.
Log Silo Rollover
LCE server fills a silo and prepares to write to the subsequent silo.
Log Load Balanced Data
LCE server offloads an event to an Auxiliary LCE, or LCE server receives an event from
Primary LCE in a load balancing configuration.
Log Load Balanced Status
LCE server receives a status heartbeat from an Auxiliary LCE, or LCE server sends a
status heartbeat to the Primary LCE in a load balancing configuration.
Log Load Balance
Connections
LCE server connects or disconnects to another LCE in a load balancing configuration
Log High Availability
LCE server connects, disconnects, fails over, or performs a related action in high
availability mode.
Log Reconfiguration
LCE server receives a configuration update from the web-based user interface.
Log User Tracking
LCE server processes an event with a normalized user name and performs a user
tracking action.
SSH Keys
The SSH key section displays the SSH keys that have already been exchanged between the SecurityCenter, and the LCE
server during the setup process that is performed on the SecurityCenter.
However if there is a problem with automatic SSH key exchange that occurs during setup, or if it is preferred to upload the
key instead of performing the automatic SSH key exchange, the SSH keys can be uploaded by selecting “Add New SSH Key”.
In the “New SSH KEY” window, copy the public key for the SecurityCenter server, and provide a comment if desired. In the
example, the username for the public key being uploaded is included in the comments section. When the SSH Key, and
Comment fields have been completed select “Create SSH Key”.
After the key has been created it will be displayed under “SSH Key”. If the key needs to be removed, hovering over the key
will display an “X” next to the key. Clicking on the “X” will open a dialog box asking to confirm the deletion of the key.
Service Control
The “Control” section of “System Configuration” is used to verify the status of an LCE service. This section can also be used to
start and stop each service that is related to LCE if needed.
Option
Description
All Processes
“Stop” or “Start” all LCE daemons
Log Engine
“Stop” or “Start” the LCE daemon
Query Interface
“Stop” or “Start” the LCE query daemon
Log Indexer
“Stop” or “Start” the LCE indexer daemon
Vulnerability Reporter
“Stop” or “Start” the LCE Vulnerability Reporter daemon
Statistics Engine
“Stop” or “Start” the Statistics daemon
Feed Settings
Feed Registration
The last section under “System Configuration” is “Feed Settings” that contains the “Feed Registration” section where the
activation code is entered, and license key file is uploaded. Once a new code and/or key is selected, click the “Update” button
at the bottom of the page to apply the change(s).
Option
Description
Activation Code
The Activation Code is obtained from the Tenable Support Portal. If an updated code is
required, enter it in the field and click the “Apply” button.
Plugin Update
Updating Plugins (PRM Files) and TASL Scripts
This section describes the method for updating LCE plugins (files with a .prm extension) and TASL scripts. Plugin updates
occur over a HTTPS connection at a set “Plugin Update Interval”. The default update interval is set to 3 days, but can be
increased or reduced if required. The LCE web interface “Plugin Update” section which is found in the “Configuration”
section under “Feed Settings” shown below can be easily used to update all plugins along with the HTML client, and LCE web
server by simply selecting “Update Plugins”.
The PRM files and TASL scripts are located under the /opt/lce/daemons/plugins directory.
When “Update Plugins” is invoked, the files contained in the /opt/lce/daemons/plugins directory, which are plugins
and correlation scripts (TASL) will be archived to the /opt/lce/daemons/plugins_archive directory. The backups of
the files in the TASL directory will appear in the plugins_archive directory as a file such as tasls.tar.gz, and the
backups of the files in the plugins directory will appear in the plugins_archive directory as a file such as lce.tar.gz.
The backup is only kept until the next plugin update.
Offline Updates
The “Offline Plugin Update” section can be found under “Configuration”, “Advanced”, and “Feed Settings” of the LCE GUI. It
allows for a tar file of the LCE plugins to be uploaded by browsing to the file, and then selecting “Process Plugins”.
Option
Description
Offline Update File
This option allows a user to upload a new set of plugins to the LCE.
This option is only needed when an LCE server does not have internet
access.
Process Update
Selecting this option will complete the update process using the plugins file that was
uploaded.
Details on how an offline plugin update is completed are located in Appendix 5, in the “Offline Plugin Update” section.
Web Proxy
Option
Description
Proxy Address
The IP address of the proxy server to be used with LCE
Proxy Username
The username for the proxy if it is required
Proxy Password
The password for the proxy if its required
Verify Proxy Password
The password entered again for verification
Custom Plugin Feed Host
If a custom plugin feed is used with the LCE server, that host information is entered here.
Custom User Agent
Custom user agent string used during plugin update requests.
LCE Health and Status
Included in the LCE 4.4 web interface is “Health and Status” information. In the “Service Status” section the name of the
“Service” of each daemon is shown along with the “Status” of each daemon. It also includes when the daemon was “Last
Started” and the “Version” of the daemon.
The “Plugins” section displays the “LCE Server Version”, “Web Server Version”, “HTML Client Version”, “Activation Status”,
“Plugin Set”, “Plugin Set Loaded”, and the “Feed Expiration” information.
Correlation Statistics
In the “Statistics” section the number of events is displayed for each “Source” of event data. The “LCE” source shows the
number of internally generated events from the LCE being administered. The “TCP Syslog” and “UDP Syslog” sources display
the number of events received on the configured TCP or UDP syslog listening port. Likewise the “Client” source is the
total amount of event data that all the LCE clients produce. The “IDS” source type is the total amount of event data from
all IDS sources. The “TASL” source type is all the event data created by the LCE TASL scripts.
The “Source” data is displayed in “Average Events / Second” and “Average Bytes / Second” since the startup of the LCE server.
The “Source” data also displays the “Total Events (today)” for the current day, and the “Total Events (since startup)”, which is
the total number of events since the LCE server daemon was last restarted.
Runtime statistics pertaining to logging and correlation are collected including:
- Logs/bytes per second
- Number/percentage of logs matched/unmatched
- Number of events correlating with vulnerabilities
- Number/percentage of logs from clients, syslog, and IDS
- Number of TASL alerts generated
This information is logged once per hour and is written both to the application log and to the normalized database under the
event name “LCE-Server_Statistics” (type “lce”).
Example Correlation Statistics Output found in the LCE admin logs (e.g., /opt/lce/admin/log/2014Jul.log):
An average of 50 logs are being received each second.
A total of 5,778 logs (521,046 bytes) have been received.
2,232 logs have been matched by plugins (38.63%). 3,546 logs did not match (61.37%).
Log source breakdown: 5,774 from clients (99.93%), 2 via syslog (0.07%), 0 from IDS
devices (0.00%).
No log events have correlated with vulnerabilities.
2 TASL alerts have been generated.
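As an added example, not part of the original guide or of LCE itself, the following Python parses a statistics block in the wording shown above and applies a few operational checks to it, the kind a monitoring job scraping /opt/lce/admin/log would run. The regular expressions follow the sample text and are an assumption about the format, not a published specification; the embedded sample block and the 50% unmatched threshold are constructed for illustration.

```python
import re

# Constructed sample in the wording shown above (not taken from a live LCE log).
SAMPLE_STATS = """\
An average of 50 logs are being received each second.
A total of 5,778 logs (521,046 bytes) have been received.
2,232 logs have been matched by plugins (38.63%). 3,546 logs did not match (61.37%).
Log source breakdown: 5,774 from clients (99.93%), 2 via syslog (0.07%), 0 from IDS
devices (0.00%).
No log events have correlated with vulnerabilities.
2 TASL alerts have been generated.
"""

# Patterns written against the sample wording (assumption about the log format).
_FIELDS = {
    "logs_per_second": r"An average of ([\d,]+) logs? (?:are|is) being received each second",
    "total_logs":      r"A total of ([\d,]+) logs? \([\d,]+ bytes\) have been received",
    "total_bytes":     r"A total of [\d,]+ logs? \(([\d,]+) bytes\) have been received",
    "matched":         r"([\d,]+) logs? (?:have|has) been matched by plugins",
    "unmatched":       r"([\d,]+) logs? did not match",
    "from_clients":    r"([\d,]+) from clients",
    "via_syslog":      r"([\d,]+) via syslog",
    "from_ids":        r"([\d,]+) from IDS devices",
    "tasl_alerts":     r"([\d,]+) TASL alerts? (?:have|has) been generated",
}

def _num(s):
    return int(s.replace(",", ""))

def parse_statistics(text):
    """Counters from one LCE-Server_Statistics block as a dict.
    Fields that are absent come back as None, so callers can tell 'missing' from zero."""
    flat = " ".join(text.split())            # the block is line-wrapped in the log file
    stats = {}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, flat)
        stats[key] = _num(m.group(1)) if m else None
    m = re.search(r"([\d,]+) log events? (?:have|has) correlated with vulnerabilities", flat)
    if m:
        stats["vuln_correlated"] = _num(m.group(1))
    elif "No log events have correlated with vulnerabilities" in flat:
        stats["vuln_correlated"] = 0
    else:
        stats["vuln_correlated"] = None
    return stats

def unmatched_ratio(stats):
    """Fraction of received logs that no plugin matched (0.0 to 1.0), or None if unknown."""
    matched, unmatched = stats.get("matched"), stats.get("unmatched")
    if matched is None or unmatched is None or matched + unmatched == 0:
        return None
    return unmatched / (matched + unmatched)

def health_findings(stats, max_unmatched=0.50):
    """Checks a monitoring job would raise from one block. The 50% unmatched
    threshold is an illustrative default, not an LCE setting."""
    findings = []
    ratio = unmatched_ratio(stats)
    if ratio is not None and ratio > max_unmatched:
        findings.append(f"{ratio:.1%} of logs unmatched by plugins; check plugin feed and PRM coverage")
    if stats.get("logs_per_second") == 0:
        findings.append("no logs arriving; check clients, syslog listeners and IDS feeds")
    if stats.get("via_syslog") == 0 and stats.get("from_ids") == 0:
        findings.append("no syslog or IDS events in this period; only LCE clients are reporting")
    if stats.get("vuln_correlated") == 0:
        findings.append("no events correlated with vulnerabilities this period")
    return findings

if __name__ == "__main__":
    stats = parse_statistics(SAMPLE_STATS)
    print(stats)
    for finding in health_findings(stats):
        print("FINDING:", finding)
```

Run against the sample block this reports the 61.4% unmatched rate and the absence of syslog/IDS traffic; matched plus unmatched is checked against the total so a truncated block is noticed rather than silently accepted.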
Example of Correlation Statistics found in the Health and Status section of the LCE GUI:
In the “Data Sensors” section there is a drop-down to select the type of data sources to be displayed. The “Clients” option is
selected by default, and each client that has sent events to LCE is displayed. The “Source” column will display the IP address
of the client. The “Logs Today” section will show the total number of logs collected by that client in the current day. The
“Client Type” column will display the type of client, and the “Last Timestamp” will show when the client last sent an event.
The second option under “Select Data Source” is “Syslog Sensors”, which will display all hosts that are forwarding syslog to
the LCE server. The “Source” column displays the IP address of the syslog server, and the “Logs Today” column displays the
total number of logs sent in the last day for each syslog server. The “Encrypted” column shows if the logs being forwarded are
encrypted. The “Last Timestamp” shows the last time each syslog server sent logs to the LCE server.
The “Alerts” page is a simple way to see when a condition on the LCE server requires attention from the LCE administrator. It
includes informational alerts, such as when a new LCE client requests authorization to send events to LCE. It also includes
warnings, such as login failures to the LCE interface, or license expiration warnings. Finally, it includes error conditions that
could prevent LCE from working properly.
Finally, the “Advanced” page displays information about the LCE database. “Current Silo” displays the current silo
number and the total number of silos that are available. “Current Silo Size” displays the amount of space used out of
the configured silo size. The “Advanced” page also displays an estimate of how many days it will take to fill the current silo.
On the “Advanced” page you will also find the amount of space currently used by the active database under “Active DB
File System Usage”, and the amount of space used by the archived database under “Archive DB File System Usage”.
The “Estimated Time to Fill Disk” is also displayed, as are the “Indexing DB Silo”, “Indexing Text DB Silo”, and “Indexing Log
Store” values.
The current silo number range starts at 0. If you have 103 total silos and see 102/103 silos this indicates the last
silo before rolling over and restarting at 0.
LCE Users
The LCE GUI can be accessed by two user types: “Administrator” and “Read Only”. An “Administrator” user has the ability to
perform all administration of the LCE GUI. The “Read Only” user can only view the “Health and Status” section of the LCE
GUI. A user’s privilege can be seen under “User Type”.
Add Users
To add a new user, log in to the LCE GUI as an “Administrator” user, and then select the “Users” section of the LCE GUI.
Choose “+New User” to start the process to add a new user. The “New User” screen is shown below:
Enter a “Username”, “Password”, and then “Confirm Password”. Select the “Administrator” box if the user is to be an
administrator, and select “Create User”. The maximum username length is 127 characters.
The Administrator user “bsmith” that was added is shown in the LCE GUI below:
Edit Users
A user’s privileges and status can be edited by selecting the username to be edited. The “Edit User” window opens with the
user name shown at the top. The user can have “Administrator” privileges added or removed, and the account can be locked or
unlocked. If a user has too many failed login attempts their account will be locked and may be unlocked using this setting.
An “Administrator” account must first be demoted to “Read Only” by deselecting “Administrator” before it can be locked.
After the desired changes are made, select “Update” to complete the edits to the user.
Remove Users
To remove a user, select the box beside the user to be deleted and choose “Actions” followed by “Delete Users”.
The following window will be displayed to confirm the user deletion. Choose “Delete” to remove the user or “Cancel” to abort
the process.
Managing Client Configuration Files
Starting with version 4.2 of the LCE clients, the client configuration files are managed centrally from the SecurityCenter 4.6
or LCE server using the /opt/lce/daemons/lce_client_manager command line utility. This allows a central server to
manage the configuration files of all the deployed LCE clients that are configured for the server.
For more information on this option, see the LCE Clients Guide available from http://support.tenable.com.
Upgrading LCE
The LCE is upgraded using the “rpm” command with the “-U” (upgrade) switch. The LCE stops and starts
the service during the upgrade process, so a manual stop/start is unnecessary.
The suggested upgrade path to LCE 4.6 is from an activated/licensed version of LCE 4.4.0 or 4.4.1. If an
earlier version of LCE is upgraded, the LCE license will need to be reactivated. The LCE's “Feed Expiration” and
“Activation Status” can be found in the “Health and Status” section under the “Plugins” tab of the LCE.
# rpm -Uvh lce-4.6.0-el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:lce                    warning: /opt/lce/.ssh/authorized_keys created as /opt/lce/.ssh/authorized_keys.rpmnew
########################################### [100%]
Moving deprecated file lce.conf to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file feed.cfg to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file rules.conf to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file excluded_domains.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file trusted_plugins.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file hostlist.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file untracked_usernames.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file disabled-tasls.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file disabled-prms.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file sampleable_tasls.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
Moving deprecated file syslog_sensors.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
The installation process is complete.
Please refer to /var/log/lce_upgrade.log to review installation messages.
To configure LCE, please direct your browser to:
https://192.168.0.123:8836
After the upgrade, changes to the LCE configuration are made in the LCE GUI. To access the LCE GUI, navigate to the IP
address or hostname of the LCE server on port 8836 (https://<ip address or hostname>:8836). The previous configuration
files are stored in /opt/lce/tmp and may be deleted once the upgrade is determined to be successful.
LCE Command Line Operations
The version of the lced binary can be determined in two ways. The version is displayed in the “Service Status” section of the
LCE GUI, but it can also be found by running the lced binary with the -v option as shown below:
# /opt/lce/daemons/lced -v
Log Correlation Engine version 4.4
#
Use the following command to see how the LCE is configured during Linux startup and shutdown (installation defaults are
shown):
# chkconfig --list lce
lce             0:off   1:off   2:on    3:on    4:on    5:on    6:off
#
To change how the LCE will behave during Linux startup and shutdown use the following command:
# chkconfig [--level <levels>] lce <on|off|reset>
Please refer to your own Red Hat Linux documentation on how to use chkconfig in conjunction with Linux run levels to
configure the LCE startup and shutdown to your requirements.
In RHEL 7 / CentOS 7 the usage of chkconfig has been deprecated. To check the status of a service systemctl is used.
Each service related to the LCE server (lce_server, lce_query, lce_indexer, lce_report_proxy, stats,
lce_www) can be checked individually using systemctl.
An example of checking the status of an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:
# systemctl status lce_www.service
lce_www.service - SYSV: Starts and stops the LCE web server
Loaded: loaded (/etc/rc.d/init.d/lce_www)
Active: active (running) since Wed 2015-07-08 16:58:44 EDT; 25min ago
Process: 12358 ExecStart=/etc/rc.d/init.d/lce_www start (code=exited,
status=0/SUCCESS)
CGroup: /system.slice/lce_www.service
└─12362 /opt/lce/daemons//lce_wwwd
Jul 08 16:58:41 CentOS764 systemd[1]: Starting SYSV: Starts and stops the L.....
Jul 08 16:58:44 CentOS764 lce_www[12358]: Starting LCE Web Server[ OK ]
Jul 08 16:58:44 CentOS764 systemd[1]: Started SYSV: Starts and stops the LC...r.
Hint: Some lines were ellipsized, use -l to show in full.
Starting LCE
The RPM installation places a LCE start-up (/etc/rc.d) script in /etc/rc.d/init.d.
Use the following command to start the LCE:
# service lce start
If the lced daemon terminates abnormally for any reason, the system will automatically restart the daemon and add a
warning to the LCE logs.
In RHEL 7 / CentOS 7 the usage of service has been deprecated. To start a service systemctl is used. Each service
related to the LCE server (lce_server, lce_query, lce_indexer, lce_report_proxy, stats, lce_www) can be
started individually using systemctl.
An example of starting an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:
# systemctl start lce_www.service
Halting LCE
Similarly, the /etc/rc.d script can be used to halt the LCE and gracefully exit any log analysis or log writing it is performing.
Use the following command to stop the LCE server:
# service lce stop
An example of stopping an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:
# systemctl stop lce_www.service
Restarting LCE
The /etc/rc.d script can be used to restart the LCE, gracefully exiting any log analysis or log writing it is performing and
starting the LCE again. Use the following command to restart the LCE server:
# service lce restart
An example of restarting an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:
# systemctl restart lce_www.service
Determine LCE Status
The /etc/rc.d script can be used to determine the status of the LCE components and their PIDs. Use the following
command to acquire the status of the LCE server processes:
# service lce status
An example of checking the status of an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:
# systemctl status lce_www.service
Operating the stats Daemon
Although this document does not cover all aspects of the stats daemon, a separate RC script is included in the LCE RPM for
starting and stopping the daemon. Use the following commands to stop, start, restart and verify the current status of the
stats daemon:
# service stats stop
# service stats start
# service stats restart
# service stats status
In RHEL 7 / CentOS 7 the systemctl command is used to control the stats daemon:
# systemctl stop stats
# systemctl start stats
# systemctl restart stats
# systemctl status stats
Stopping and Starting all Daemons in RHEL 7 / CentOS 7
The systemctl command cannot stop or start all LCE daemons at once. However, two scripts shipped for
RHEL 7 / CentOS 7 can be used to start or stop all LCE daemons. The scripts can be found in the
/opt/lce/tools directory.
To stop all LCE related services in RHEL 7 / CentOS 7 use the stop_lce script.
# /opt/lce/tools/stop_lce
Stopping lce_server (via systemctl):        [  OK  ]
Stopping lce_indexer (via systemctl):       [  OK  ]
Stopping lce_query (via systemctl):         [  OK  ]
Stopping lce_report_proxy (via systemctl):  [  OK  ]
Stopping lce_www (via systemctl):           [  OK  ]
To start all LCE related services in RHEL 7 / CentOS 7 use the start_lce script.
# /opt/lce/tools/start_lce
Starting lce_server (via systemctl):        [  OK  ]
Starting lce_indexer (via systemctl):       [  OK  ]
Starting lce_query (via systemctl):         [  OK  ]
Starting lce_report_proxy (via systemctl):  [  OK  ]
Starting lce_www (via systemctl):           [  OK  ]
Additional Features
Importing LCE Data Manually
LCE data can be collected both via real-time logging and manually in batch mode using the “import_logs” tool. These
events will show up in the normalized event view along with events collected in real-time. This command-line tool allows
data to be imported into the LCE that may not be available in real-time, but is still important for correlation of vulnerability
data and for analysis of security posture and events.
Usage:
# /opt/lce/tools/import_logs <list of log files and directories to import> [-d, --disable-rules] [-a, --approximate-timestamps] [-c, --current-time] [-o, --output-prefix <prefix>]
Each item in the <list of log files and directories to import> is a file name or directory name. A directory name may or may not end
with a slash. For example:
# /opt/lce/tools/import_logs /directory1 file1 file2 /directory2/
Directory imports are non-recursive.
The following table describes the options available for import_logs:
Option | Description
-d, --disable-rules | Do not apply LCE event rules to imported logs.
-a, --approximate-timestamps | If no timestamp can be determined for an event, assign the most recent known timestamp.
-c, --current-time | Use the current system time for all imported logs rather than the timestamps contained within the event text.
-o, --output-prefix <prefix> | Use the specified prefix when naming newly generated silos. For example, the “-o Snort” option will generate silos with names like SnortJun142009Aug242009.db.gz. The default prefix is “lce”. This option can aid in the process of searching for logs created by a particular import instance.
The log importer tool logs its actions to /opt/lce/admin/log/importer and archives within this directory can be
checked in the event that an import does not execute as expected.
The log import tool only supports importing logs into an archived silo.
User Tracking
The LCE server has a feature that is designed to track users. User tracking can be applied to any event coming into the LCE
server, regardless of the source of the event. Events correlated from Windows, Linux, Unix, or other network devices can be
monitored.
When LCE encounters a log that has no username field, it will assign the username of the user most recently associated with
the source IP of the incoming log, or associated with the destination IP of the log if a destination IP (dstip) is provided but a
source IP (srcip) is not. If no user was previously tracked at either of the IPs, or if no IP is provided, an “(unknown)” entry is
assigned.
When a user changes IP addresses (i.e., the LCE receives a log where the user’s srcip differs from the srcip in the previous log
tagged with the username), the new IP address is also associated with the user. The last three IP addresses per user are
stored, allowing for cases where a single user logs into multiple systems at the same time. For example, the
following event shows a user becoming active at a new IP address:
Network user IP address change: user someguy94 became active at 169.254.96.232 with event login (169.254.96.232:0)
The data used to track usernames is stored in the files usernames.txt, ip_user.dat, and user_ip.dat in the LCE
database directory. The .dat files are written when the LCE service is shut down gracefully. In case of a server crash, the
data is automatically backed up every 10 minutes.
A maximum of 65,534 unique usernames can be stored. If the maximum is reached, incoming logs with new users will have
the user fields marked with the “(unknown)” entry.
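The resolution rules above, as an added example (our own model of the described behaviour, not LCE's code): a log that carries a username updates the user-to-IP tables and, when the IP is new for that user, emits the "Network user IP address change" notice; a log without a username is resolved from srcip, or from dstip when no srcip is present; the username table is capped so new users beyond the cap become "(unknown)". Two details the guide leaves open are our assumptions and are marked in the code: a username log is associated with its dstip when it has no srcip (the Windows login plugin line later in this section supplies only dstip), and the event dictionary field names (user, srcip, dstip, event) are illustrative.

```python
from collections import deque

UNKNOWN = "(unknown)"

class UserTracker:
    """Model of the user-tracking behaviour described above (our code, not LCE's).
    Assumptions: a log carrying a username is associated with its srcip, or with
    its dstip when no srcip is present; a log without a username is resolved from
    srcip when present, otherwise from dstip, otherwise "(unknown)"."""

    def __init__(self, max_ips_per_user=3, max_users=65534):
        self.max_ips_per_user = max_ips_per_user
        self.max_users = max_users
        self.ip_user = {}    # ip -> user most recently seen there (cf. ip_user.dat)
        self.user_ips = {}   # user -> deque of the last N ips, oldest first (cf. user_ip.dat)
        self.notices = []    # "Network user IP address change" events this model generates

    def process(self, event):
        """Return a copy of the event dict (illustrative keys) with 'user' resolved."""
        ev = dict(event)
        user = ev.get("user")
        src, dst = ev.get("srcip"), ev.get("dstip")
        if not user:
            ev["user"] = self._resolve(src, dst)
            return ev
        if user not in self.user_ips:
            if len(self.user_ips) >= self.max_users:
                ev["user"] = UNKNOWN          # username table full: new users are (unknown)
                return ev
            self.user_ips[user] = deque(maxlen=self.max_ips_per_user)
        ip = src or dst                       # assumption: fall back to dstip
        if ip:
            self._associate(user, ip, ev.get("event", "unknown"))
        return ev

    def _resolve(self, src, dst):
        if src:
            return self.ip_user.get(src, UNKNOWN)
        if dst:
            return self.ip_user.get(dst, UNKNOWN)
        return UNKNOWN

    def _associate(self, user, ip, event_name):
        ips = self.user_ips[user]
        if ip in ips:
            ips.remove(ip)                    # re-appended below so it is the most recent
        else:
            self.notices.append(
                f"Network user IP address change: user {user} became active at "
                f"{ip} with event {event_name} ({ip}:0)")
        ips.append(ip)                        # deque(maxlen) silently drops the oldest ip
        self.ip_user[ip] = user
```

Because ip_user always keeps the most recent user at an address, a shared jump host or NAT address will attribute every unauthenticated log to whichever user logged in last; that is the behaviour to keep in mind when reading username fields that were filled in by tracking rather than parsed from the log.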
User tracking in LCE will function if the following conditions are met:
- The LCE server has plugins that can match the events and pull usernames from the events. For example, plugin 3209
  in os_win2k_sec.prm has the following line:
  log=event:Windows-Account_Used_For_Login sensor:$1 dstip:$2 user:$3 type:login event2:WindowsEvent-680
  The “user:$3” directive tells the plugin to add the username to the available event searchable fields. As a result,
  searches that query this event based on the username will return results.
- The plugin IDs have been added to the “User Tracking Plugins” in the “User Tracking” section in the configuration
  section of the LCE GUI (one plugin ID per line). A list of the plugins provided by Tenable that include user
  information is found at the end of /opt/lce/daemons/plugins/prm_map.prm.
- The user tracking settings have been properly configured in the LCE GUI under “User Tracking”. Please refer to the
  Advanced Configuration Options section of this document for a description of the following applicable keywords:
  - accept-letters
  - accept-numbers
  - additional-valid-characters
  - max-username-characters
If these conditions are not met, usernames may still be stored in normalized events; however, they cannot be searched using
the event filter “username” parameter. Another way to search for usernames in logs is through the raw log search feature of
SecurityCenter described below.
Working with SecurityCenter
Adding the LCE to SecurityCenter
To add your LCE server to SecurityCenter, log into SecurityCenter as the admin user and click on “Resources” and then “Log
Correlation Engines”. A screen similar to the one below is displayed with the currently available LCE servers.
The “Add” button displays a dialog box with the following fields:
Option | Description
Name | The unique name that this LCE server will be known as.
Description | Descriptive text for the LCE server.
Host | The IP address of the LCE server. When SecurityCenter resides on the same host as the LCE server, it is recommended to use the localhost IP address of 127.0.0.1.
Organizations | Select the customer that this LCE is assigned to from the drop down menu.
Event Vulnerability Data
Import Vulnerabilities | Selecting this box allows you to configure your LCE to use event data to detect vulnerabilities.
Repositories | Select the repository in which the vulnerability data collected from LCE events will be kept.
Event Vulnerability Host
Port | The port used for communication between SecurityCenter and LCE. The default port is 1243. In the LCE GUI this is known as the “Reporter Port”.
Username | The “Reporter Username” that was set in the LCE GUI under the “Configuration”, “Advanced”, “Host Discovery and Vulnerabilities” section.
Password | The “Reporter Password”, found in the same “Configuration”, “Advanced”, “Host Discovery and Vulnerabilities” section.
An example of this screen is shown below:
After clicking on “Submit”, the LCE admin credentials (“root” user or equivalent) are requested to establish an authenticated
session between SecurityCenter and the LCE. After the LCE server is successfully added, highlight the new LCE server to
display options pertinent to that server.
If you are using DNS in your environment, make sure it is configured for reverse DNS resolution to facilitate
query speeds. If you are not using DNS, modify the /etc/hosts file to include your SecurityCenter IP address
and hostname. For example:
192.168.1.22 SecurityCenter4.example.com SecurityCenter4
More information about SecurityCenter configuration options is available through the “SecurityCenter Administration
Guide” available on the Tenable Support Portal.
Configuring Organizations
As a SecurityCenter administrator, LCE servers can be associated with various organizations. Through the web interface,
SecurityCenter can be configured such that users of specific organizations can make queries to each LCE server. This is
documented in the SecurityCenter documentation.
Analyzing Security Events
A wide variety of LCE analysis and reporting tools are available to SecurityCenter users. These users can make use of any
LCE event that intersects with their range of managed IP addresses. All analysis and reporting options are described in the
“SecurityCenter 4 User Guide”.
Identifying Vulnerabilities
LCE can leverage log data to find vulnerabilities. The Tenable plugins that report this information will have the plugin ID
range of 800,000 - 899,999. A sample screen capture of data that can be found is shown below:
You can filter for the vulnerabilities identified by LCE in SecurityCenter by using the “Filters” and selecting “Plugin ID”, then
selecting “≥” and then entering “800000”. The filter setting is pictured below:
TASL Scripts
After PRM processing normalizes an event, the event is submitted to the LCE TASL engine for advanced processing by TASL
scripts. TASL scripts are used for many types of detection events such as thresholds, successful attack detection, and alerting.
By default, all TASL scripts are included on the LCE server; however they can be disabled manually in the “TASL and Plugins”
section of the LCE GUI described in detail earlier in this document.
For more information regarding TASL scripts review the LCE TASL Reference Guide.
Full Text Searches
Full text searches may be performed on the data stored within the attached LCE servers. When viewing the events page the
Search field will accept text strings as valid search criteria. Search terms are case insensitive and Boolean searches may be
utilized to further enhance search results. This enables searching the raw logs for details contained in the events.
The LCE text search feature is powerful but requires a bit of knowledge of the available operators as well as the underlying
search engine. To summarize, we will explain what it means when we say that LCE can search for compound groups of full
text tokens.
Tokens
What is a token? It's a full word, 2 characters or more, separated by punctuation or whitespace and not including that
punctuation or whitespace. In the previous sentence, every word of two or more characters is a token. A token doesn’t include
single-character strings, and it doesn’t include punctuation (like periods, hyphens, underscores, commas, apostrophes, etc).
LCE searches on full tokens, meaning that if you want to find “software” and “Microsoft” because you want to see your
Windows software update logs, then you must search for “software AND Microsoft” rather than “soft”, which would be a
common substring.
Operators
These are CASE SENSITIVE. If you do not capitalize the operator, it will be considered a search term. Search for “mike or
miked” will actually yield “mike AND or AND miked”, which is probably undesirable.
1. AND: Finds logs containing both of the results.
2. OR: Finds logs containing either of the results.
3. NOT: Finds logs without the subsequent token.
4. XOR: Finds logs with exactly one but not both tokens.
These can be chained, as well.
Grouping
Parentheses may be used to group conditionals together to show evaluation precedence just as in mathematics. This is useful
in compound conditionals. Without grouping, this query:
text="blocked AND denied AND dropped OR firewall"
would return any log with just “firewall” in it because it satisfies the entire query. In reality, we probably wanted the other
terms in there and we want something more like:
text="blocked AND denied AND (dropped OR firewall)"
This requires that the log contains “blocked”, “denied”, and either “dropped” or “firewall”. Because it has additional
constraints now on the other terms, we expect that this query would return the same or fewer results.
Examples: Putting It All Together
Each example below gives the query string as typed, the query LCE actually evaluates, what it means, a log that
matches (Example Result), a log that does not (Example NonResult), and why it did not match.

Query String: text="Heartbeat"
Actual Query: text="Heartbeat"
What It Means: Show me logs with the term "Heartbeat".
Example Result: LCE Client Heartbeat|07/23/2014 00:25:00 AM Hostname: lce_demo IP: 192.168.1.106 Revision: LCE Client 4.2.0 build 20131004
Example NonResult: Heart
Why It Didn't Match: "Heart" is only part of the token "Heartbeat"; LCE matches whole tokens, not substrings.

Query String: text="linux process"
Actual Query: text="linux AND process"
What It Means: Show me logs with the term "linux" and the term "process".
Example Result: This linux host executed process "ls".
Example NonResult: This linux host executed nothing.
Why It Didn't Match: missing "process".

Query String: text="linux NOT process"
Actual Query: text="linux NOT process"
What It Means: Show me logs with the term "linux" but NOT the term "process".
Example Result: This linux host executed nothing.
Example NonResult: This linux host executed process "ls".
Why It Didn't Match: contains "process".

Query String: text="linux OR nothing"
Actual Query: text="linux OR nothing"
What It Means: Show me logs with either the term "linux" or the term "nothing".
Example Results:
  This linux host executed process "ls".
  This linux host executed nothing.
Example NonResult: This nix host did everything.
Why It Didn't Match: contains neither "linux" nor "nothing".

Query String: text="(linux OR nothing) AND process"
Actual Query: text="(linux OR nothing) AND process"
What It Means: Show me logs that have the terms "linux" and "process", or the terms "nothing" and "process".
Example Results:
  This linux host executed process "ls".
  The process did nothing.
Example NonResults:
  This process did everything. (contains "process" but neither "linux" nor "nothing")
  This linux host did nothing. (contains "linux" and "nothing" but not "process")

Query String: text="172.26.20.66"
Actual Query: text="172 AND 26 AND 20 AND 66"
What It Means: Show me logs with 172 and 26 and 20 and 66. The punctuation in the query string is treated as a
delimiter like whitespace and ignored, and the remaining terms are AND'd together by default.
Example Results:
  This linux host IP is 172.26.20.66.
  This linux host IP is 66.20.172.26.
  This linux host IP is 172.26.20.100 and there are 66 users.
Example NonResult: This linux host IP is 172.26.20.100.
Why It Didn't Match: missing "66".
Note: as the second and third results show, a token search does not understand addresses. If you have an IP in your
log it is more desirable to filter on it using the "ip=", "sourceip=", or "destinationip=" filters, all of which accept
an IP (172.26.20.66) or IP/CIDR (172.26.20.0/24).
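The following Python model is added here as an illustration; it is not part of the LCE product or its documentation. It reproduces the behaviour described above: whole-token matching, the default AND between adjacent terms, case-sensitive operators, "a NOT b" evaluated as a AND NOT b, and parentheses for grouping. Two details the page leaves open are filled in as assumptions: a token is taken to be a run of two or more ASCII letters or digits, and chained operators are evaluated left to right with only parentheses changing the order. The log lines in the main block are constructed to mirror the examples in the table.

```python
import re

# Assumption (the page does not give the engine's exact rule): a token is a run of two or more
# ASCII letters or digits; everything else is punctuation or whitespace and is discarded.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{2,}")
OPERATORS = {"AND", "OR", "NOT", "XOR"}     # only in upper case; anything else is a search term

def tokenize(text):
    """Break a log line into the full tokens LCE indexes (single characters and punctuation dropped)."""
    return TOKEN_RE.findall(text)

def lex_query(query):
    """Turn a query (optionally wrapped as text="...") into (kind, value) items:
    kind is "term", "op" or "paren"."""
    wrapped = re.fullmatch(r'\s*text=\s*"(.*)"\s*', query, re.S)
    if wrapped:
        query = wrapped.group(1)
    items = []
    for tok in re.findall(r"[()]|[A-Za-z0-9]{2,}", query):
        kind = "paren" if tok in "()" else ("op" if tok in OPERATORS else "term")
        items.append((kind, tok))
    return items

def with_implicit_and(items):
    """Insert the default AND between adjacent operands, so "linux process" becomes linux AND process."""
    out = []
    for item in items:
        if out:
            prev_operand = out[-1][0] == "term" or out[-1] == ("paren", ")")
            this_operand = item[0] == "term" or item == ("paren", "(")
            if prev_operand and this_operand:
                out.append(("op", "AND"))
        out.append(item)
    return out

def actual_query(query):
    """Render the query the way LCE actually evaluates it (the "Actual Query" column above)."""
    out = ""
    for _, val in with_implicit_and(lex_query(query)):
        out += val if (val == ")" or not out or out.endswith("(")) else " " + val
    return out

def _operand(items, pos, tokens):
    """Evaluate one term or one parenthesised group; return (bool, position after it)."""
    if pos >= len(items) or items[pos][0] == "op":
        raise ValueError("expected a search term at position %d" % pos)
    kind, val = items[pos]
    if kind == "term":
        return val in tokens, pos + 1
    if val == "(":
        value, pos = _expr(items, pos + 1, tokens)
        if pos >= len(items) or items[pos] != ("paren", ")"):
            raise ValueError("missing ')'")
        return value, pos + 1
    raise ValueError("unexpected ')'")

def _expr(items, pos, tokens):
    """Chain operators left to right; only parentheses change the order (an assumption: the page
    documents grouping but no other precedence)."""
    value, pos = _operand(items, pos, tokens)
    while pos < len(items) and items[pos][0] == "op":
        op = items[pos][1]
        rhs, pos = _operand(items, pos + 1, tokens)
        if op == "AND":
            value = value and rhs
        elif op == "OR":
            value = value or rhs
        elif op == "NOT":       # "a NOT b": a present and b absent, as in "linux NOT process"
            value = value and not rhs
        else:                   # XOR: exactly one of the two present
            value = value != rhs
    return value, pos

def matches(query, log_line):
    """True when the log line satisfies the query under whole-token matching."""
    items = with_implicit_and(lex_query(query))
    if not items:
        return False
    value, pos = _expr(items, 0, set(tokenize(log_line)))
    if pos != len(items):
        raise ValueError("unbalanced ')'")
    return value

if __name__ == "__main__":
    # Constructed log lines mirroring the examples above.
    for q, line in [('text="Heartbeat"', "LCE Client Heart"),
                    ('text="linux process"', 'This linux host executed process "ls".'),
                    ('text="172.26.20.66"', "This linux host IP is 66.20.172.26.")]:
        print(f"{q:26} -> {actual_query(q):28} {matches(q, line)}")
```

The actual_query function is the quickest way to see why a query behaves unexpectedly: it shows the implicit ANDs and the dropped punctuation before anything is matched, which is exactly where the "mike or miked" and "172.26.20.66" surprises come from.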
For More Information
Tenable has produced a variety of other documents detailing the LCE’s deployment, configuration, user operation, and
overall testing. These documents are listed here:
• Log Correlation Engine Architecture Guide – provides a high-level view of LCE architecture and supported
  platforms/environments.
• Log Correlation Engine 4.6 Administrator and User Guide – describes installation, configuration, and operation of
  the LCE.
• Log Correlation Engine 4.6 Quick Start Guide – provides basic instructions to quickly install and configure an LCE
  server. A more detailed description of configuration and management of an LCE server is provided in the “LCE
  Administration and User Guide” document.
• Log Correlation Engine 4.4 Client Guide – how to configure, operate, and manage the various Linux, Unix, Windows,
  NetFlow, and other clients.
• Log Correlation Engine 4.4 OPSEC Client Guide – how to configure, operate, and manage the OPSEC Client.
• Log Correlation Engine 4.6 High Availability Large Scale Deployment Guide – details various configuration methods,
  architecture examples, and hardware specifications for performance and high availability of large scale deployments
  of Tenable’s Log Correlation Engine (LCE).
• Log Correlation Engine Best Practices – learn how to best leverage the Log Correlation Engine in your enterprise.
• Tenable Event Correlation – outlines various methods of event correlation provided by Tenable products and
  describes the type of information leveraged by the correlation, and how this can be used to monitor security and
  compliance on enterprise networks.
• Tenable Products Plugin Families – provides a description and summary of the plugin families for Nessus, Log
  Correlation Engine, and the Passive Vulnerability Scanner.
• Log Correlation Engine Log Normalization Guide – explanation of the LCE’s log parsing syntax with extensive
  examples of log parsing and manipulating the LCE’s .prm libraries.
• Log Correlation Engine TASL Reference Guide – explanation of the Tenable Application Scripting Language with
  extensive examples of a variety of correlation rules.
• Log Correlation Engine 4.4 Statistics Daemon Guide – configuration, operation, and theory of the LCE’s statistics
  daemon used to discover behavioral anomalies.
• Example Custom LCE Log Parsing - Minecraft Server Logs – describes how to create a custom log parser using
  Minecraft as an example.
Documentation is also available for Nessus, the Passive Vulnerability Scanner, and SecurityCenter through the Tenable
Support Portal located at https://support.tenable.com/.
There are also some relevant postings at Tenable’s blog located at http://www.tenable.com/blog and at the Tenable
Discussion Forums located at https://discussions.nessus.org/community/lce.
For further information, please contact Tenable at support@tenable.com, sales@tenable.com, or visit our web site at
http://www.tenable.com/.
About Tenable Network Security
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure
compliance. Our family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and
integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable is
relied upon by many of the world’s largest corporations, not-for-profit organizations and public sector agencies, including the
entire U.S. Department of Defense. For more information, visit tenable.com.
Appendix 1: Sample msmtp.conf File
Note that when utilizing the msmtp.conf file, a required entry is the password for the mail account. The password is
stored in clear text on the disk, so anyone with read access to the file on the file system will be able to read it. Use
a dedicated, low-value email account for this feature and make the file readable only by the user that runs the LCE
(for example, chmod 600). The sample below also sets tls_certcheck off, which disables verification of the mail
server's certificate and lets anyone who can intercept the connection present their own certificate and capture the
password; in production, set tls_certcheck on and point tls_trust_file at a CA bundle.
# Example msmtp configuration file
#
# Please replace the following with the desired settings for mail server, encryption and authentication. The full
# msmtp documentation is located at http://msmtp.sourceforge.net/doc/msmtp.html.
#
# msmtp usage example: echo "This is a test message." | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf your_name@your_address.com
account provider
host smtp.gmail.com
tls on
tls_certcheck off
tls_starttls off
from your_username@your_domain.com
auth on
user your_username
password your_password
port 465
logfile /opt/lce/tools/msmtp.log
# Set the above account to be the default when the -a flag is not used
account default : provider
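As an added check, not taken from the LCE documentation or from msmtp itself, the following Python audits a copy of the file above for the two exposures just described: a cleartext password in a file readable by group or other, and TLS settings that would let that password be read in transit. The weak sample is a constructed copy of the configuration shown above; the hardened variant is the same account with tls_certcheck on and tls_trust_file, which is a standard msmtp directive. The CA bundle path is an assumption for a typical Linux host, and the generic directive/value parser is this example's own.

```python
import os
import stat
import tempfile

# Added example: audit an msmtp.conf for the exposures noted above. The parser is a generic
# "directive value" reader (an assumption, not msmtp's own parser). Run it against
# /opt/lce/tools/msmtp.conf on a real server.

def parse_msmtp_conf(path):
    """Return (directive, value) pairs from an msmtp configuration file, skipping comments and blanks."""
    pairs = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                pairs.append((key, value.strip()))
    return pairs

def audit_msmtp_conf(path):
    """List the findings for one file: a cleartext password readable by group or other,
    and TLS settings that would let that password be read on the wire."""
    findings = []
    mode = os.stat(path).st_mode
    conf = dict(parse_msmtp_conf(path))
    if "password" in conf and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("cleartext password readable by group/other (mode %04o); chmod 600 the file"
                        % stat.S_IMODE(mode))
    if conf.get("tls") == "off":
        findings.append("tls off: credentials are sent in the clear")
    if conf.get("tls_certcheck") == "off":
        findings.append("tls_certcheck off: any server certificate is accepted, so an on-path attacker "
                        "can capture the credentials; set tls_certcheck on and tls_trust_file")
    return findings

# Constructed copy of the sample file above (not a real installation's msmtp.conf).
WEAK_CONF = """account provider
host smtp.gmail.com
tls on
tls_certcheck off
tls_starttls off
from your_username@your_domain.com
auth on
user your_username
password your_password
port 465
account default : provider
"""
# Same account with certificate verification on; the CA bundle path is an assumption for a Linux host.
HARDENED_CONF = WEAK_CONF.replace(
    "tls_certcheck off\n", "tls_certcheck on\ntls_trust_file /etc/ssl/certs/ca-certificates.crt\n")

def demo(directory=None):
    """Write both sample files with realistic modes and audit them; returns (weak, hardened) findings."""
    directory = directory or tempfile.mkdtemp()
    results = []
    for name, body, mode in (("weak.conf", WEAK_CONF, 0o644), ("hardened.conf", HARDENED_CONF, 0o600)):
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)     # 0o644 is what a careless copy leaves behind; 0o600 is the target
        results.append(audit_msmtp_conf(path))
    return tuple(results)

if __name__ == "__main__":
    weak, hardened = demo()
    print("weak.conf:", *weak, sep="\n  ")
    print("hardened.conf:", *(hardened or ["no findings"]), sep="\n  ")
```

The permission check is the one that matters most on a shared LCE host: the file is read by the msmtp binary under the LCE's own account, so nothing else on the system needs to be able to open it.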
Appendix 2: Event Rule Table
The following table contains all the filter types that can be used in a rule. Each rule must contain one or more filters,
start with a “Name” line, and end with either “ignore”, “Command”, or a log source. As the SSH example at the end of the
table shows, a filter prefixed with “+” includes matching events and a filter prefixed with “-” excludes them. If
“Command” is used, an action must be given; if the filter is matched, the “Command” will execute. Ending the rule with
“ignore” ignores all events that are matched by that filter. A log source can be either “cef” or “syslog”; if the rule is
matched, the log is forwarded to the named log server in “cef” or “syslog” format. See each example in the table below
for additional details.
Each entry gives the filter name, its description, example values, and a usage example.

IPS
  Filter on source or destination IP or CIDR.
  Examples: 192.168.1.1, 192.168.0.0/16
  Usage:
    Name: Ignore local logins
    +Types: login
    +IPs: 127.0.0.1
    ignore

SrcIPS
  Filter strictly on source IP.
  Examples: 192.168.1.1, 192.168.0.0/16
  Usage:
    Name: Ignore local login failures
    +Types: login-failure
    +SrcIPS: 127.0.0.1
    ignore

DstIPS
  Filter strictly on destination IP.
  Examples: 192.168.1.1, 192.168.0.0/16
  Usage:
    Name: Ignore local file access
    +Types: file-access
    +DstIPs: 127.0.0.1
    ignore

Events
  Filter on LCE normalized event name.
  Example: Cisco-IDS_Command_Execution
  Usage:
    Name: Ignore Application Changes
    +Events: Application_Change
    +IPs: 192.168.1.0/24
    ignore

Sensors
  Filter on sensor name, available in the LCE sensor summary view or specified in the syslog_sensors.txt file.
  Example: XPmarketing01, Win7payroll02
  Usage:
    Name: Ignore Application Changes
    +Events: Application_Change
    +IPs: 192.168.1.0/24
    +Sensors: Exchange-10
    ignore

Types
  Filter on LCE event type.
  Example: login, lce, intrusion, scanning, system
  Usage:
    Name: Ignore local file access and system
    +Types: file-access, system
    +IPs: 127.0.0.1
    ignore

Ports
  Filter on the source or destination port.
  Example: 80, 443, 8080
  Usage:
    Name: Ignore lce / login events on port 22
    +IPS: 192.168.1.1
    +Types: lce,login
    +Ports: 22
    Ignore

Protocols
  Filter on the protocol of the event.
  Example: 1 for ICMP, 2 for IGMP, 6 for TCP, 17 for UDP
  Usage:
    Name: Ignore DNS Query
    +Event: PVS-DNS_Client_Query
    +IPS: 192.168.1.0/24
    +Protocols: UDP
    +Ports: 53
    Ignore

Users
  Filter on the username in a log.
  Example: Bob, Phil, Dan
  Usage:
    Name: Ignore System login
    +IPS: 192.168.1.0/24
    +Types: login
    +Users: SYSTEM
    ignore

Text
  Filter on any text token in the log (tokens can include spaces and punctuation, but not commas).
  Example: Login, Failure
  Usage:
    Name: Ignore 404 errors
    +IPS: 192.168.1.0/24
    +Text:404 page not found
    ignore

IText
  Filter on any text token in the log, compared case-insensitively (tokens can include spaces and punctuation, but not
  commas).
  Example: Login, Failure
  Usage:
    Name: Ignore 404 errors
    +IPS: 192.168.1.0/24
    +IText:404 page not found
    ignore

Vulnerable
  "yes" or "no": yes if you want to match only logs that correlate to vulnerable hosts.
  Example: "yes", or "no"
  Usage:
    Name: E-mail vulnerability correlations
    Vulnerable: yes
    Command: echo "body: $log" | sendmail rgula@example.com "subject: $name"

Threshold
  The number of events required over a specified length of time to trigger the rule. The timeframe can be expressed in
  "second", "minute", "hour", "day", "week", "month", or "year".
  Example: 5 in a minute
  Usage: see the rule below.

RateLimit
  The maximum number of triggers that will occur over a specified length of time, regardless of the number of
  triggering events. The timeframe can be expressed in "second", "minute", "hour", "day", "week", "month", or "year".
  Example: 1 per minute
  Usage: see the rule below.

MaxQueue
  The number of events that will be placed into the event processing queue before being dropped from rule evaluation.
  Example: 100
  Usage: see the rule below.

Usage for Threshold, RateLimit and MaxQueue (one rule that forwards a syslog message at most once per minute after
five matching events within a minute):
    Name: Potential SSH account username/password guessing
    +Events: SSH-Invalid_User, SSH-Failed_Password
    +IPs: 10.0.0.0/8
    -IPs: 10.0.0.1, 10.0.0.7-15
    +Sensors: DMZ-1, DMZ-2
    -Users: (unknown)
    syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514
    Threshold: 5 in a minute
    RateLimit: 1 per minute
    MaxQueue: 100
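To make the filter and threshold semantics concrete, the following Python simulator is added here. It is an illustration, not the LCE rule engine, and where the page does not define behaviour (how a threshold window resets, how a rate limit is counted) it states its own assumption in the code. It parses the rule layout above, including the + and - include/exclude prefixes, the CIDR and last-octet range forms used in the SSH example, and the "5 in a minute" / "1 per minute" time expressions, then replays constructed events through the SSH password-guessing rule from the table. MaxQueue is parsed but not simulated, and the event dictionaries are sample data, not real LCE output.

```python
import ipaddress
from collections import deque
# Illustrative simulator of the rule format above (an assumption; this is not the LCE rule engine).
# An event is a dict with some of: time (seconds), event, type, sensor, srcip, dstip, protocol, user.

def parse_rule(text):
    """'+Key: a, b' is an include filter, '-Key: a, b' an exclude filter; the closing action
    (ignore, Command, syslog, cef) and Threshold/RateLimit/MaxQueue are kept as strings."""
    rule = {"include": {}, "exclude": {}}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = (s.strip() for s in line.partition(":"))
        if key[0] in "+-":
            bucket = rule["include" if key[0] == "+" else "exclude"]
            bucket[key[1:].lower()] = [v.strip() for v in value.split(",")]
        elif key.lower() in ("ignore", "command", "syslog", "cef"):
            rule["action"] = (key.lower(), value)
        else:
            rule[key.lower()] = value
    return rule

def _ip_in(spec, ip):
    """spec is one address, a CIDR block, or a last-octet range such as 10.0.0.7-15."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        first, _, last = spec.partition("-")
        return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(first.rsplit(".", 1)[0] + "." + last)
    return addr == ipaddress.ip_address(spec)

_IPFIELDS = {"ips": ("srcip", "dstip"), "srcips": ("srcip",), "dstips": ("dstip",)}

def _field_matches(key, values, ev):
    """True when any comma-separated filter value matches; other filters use the singular field name (events -> event)."""
    if key in _IPFIELDS:
        return any(ev.get(f) and _ip_in(v, ev[f]) for v in values for f in _IPFIELDS[key])
    return str(ev.get(key.rstrip("s"))) in values

def _window(spec):   # "5 in a minute" or "1 per minute" -> (5, 60)
    units = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800, "month": 2592000, "year": 31536000}
    words = spec.split()
    return int(words[0]), units[words[-1].rstrip("s")]

class RuleEngine:
    """Assumed semantics: Threshold counts matching events inside a sliding window and fires once when
    the count is reached (the count then restarts); RateLimit caps how often the action runs per window.
    MaxQueue is parsed but not simulated."""
    def __init__(self, rule):
        self.rule = rule
        self.threshold = _window(rule["threshold"]) if "threshold" in rule else None
        self.ratelimit = _window(rule["ratelimit"]) if "ratelimit" in rule else None
        self.pending, self.fired = deque(), deque()   # timestamps of pending matches / past triggers

    def filter_matches(self, ev):
        inc = all(_field_matches(k, v, ev) for k, v in self.rule["include"].items())
        exc = any(_field_matches(k, v, ev) for k, v in self.rule["exclude"].items())
        return inc and not exc

    def feed(self, ev):
        """Return the rule's (action, argument) for this event, or None if nothing should run."""
        if not self.filter_matches(ev):
            return None
        now = ev["time"]
        if self.threshold:
            count, window = self.threshold
            self.pending.append(now)
            while now - self.pending[0] > window:      # forget matches older than the window
                self.pending.popleft()
            if len(self.pending) < count:
                return None
            self.pending.clear()
        if self.ratelimit:
            limit, window = self.ratelimit
            while self.fired and now - self.fired[0] >= window:
                self.fired.popleft()
            if len(self.fired) >= limit:               # already fired enough times this window
                return None
            self.fired.append(now)
        return self.rule["action"]

SSH_RULE = """Name: Potential SSH account username/password guessing
+Events: SSH-Invalid_User, SSH-Failed_Password
+IPs: 10.0.0.0/8
-IPs: 10.0.0.1, 10.0.0.7-15
+Sensors: DMZ-1, DMZ-2
-Users: (unknown)
syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514
Threshold: 5 in a minute
RateLimit: 1 per minute
MaxQueue: 100"""

def _ev(t, ip, user="root"):   # constructed sample event, not real LCE output
    return {"time": t, "event": "SSH-Failed_Password", "sensor": "DMZ-1", "srcip": ip, "user": user}

SAMPLE_EVENTS = [_ev(0, "10.0.0.5"),
                 _ev(10, "10.0.0.9"),                    # excluded by -IPs 10.0.0.7-15
                 _ev(12, "192.168.1.5"),                 # outside +IPs 10.0.0.0/8
                 _ev(15, "10.0.0.5", user="(unknown)"),  # excluded by -Users (unknown)
                 *[_ev(t, "10.0.0.5") for t in (20, 30, 40, 50, 55, 60, 70, 80, 90)]]  # t=50 (index 7) is the
                 # fifth match inside a minute; t=90 is the fifth again but the rate limit suppresses it

def run_sample(rule_text=SSH_RULE, events=SAMPLE_EVENTS):
    """Indices of the events whose arrival made the rule's action run."""
    engine = RuleEngine(parse_rule(rule_text))
    return [i for i, ev in enumerate(events) if engine.feed(ev) is not None]
```

Replaying run_sample() returns [7]: the exclusions drop three of the first four events, the fifth surviving match at t=50 fires the syslog action, and the next five matches reach the threshold again at t=90 but fall inside the one-per-minute rate limit. Working through a rule this way before loading it shows whether the exclusion ranges and the threshold window actually carve out what was intended.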
Appendix 3: Troubleshooting
The following are troubleshooting steps for determining LCE client/server functionality:
1. Install and configure the LCE and clients by following the instructions in the documentation.
2. Verify the clients are connecting by viewing the file /opt/lce/admin/log/client.status.
   a. If the clients never connect, review the configuration.
   b. If the configuration is correct, then there is a network issue. Check for proxies, firewalls or ACLs that may be
      blocking traffic.
   c. If the clients connect but do not stay connected, continue to test.
3. The LCE client will not remain connected to the LCE server unless the client has some data to send. To “force” a
   client to forward data to the LCE server, a log file that the LCE client monitors can be appended with entries
   that are known to cause alerts within SC4. This gives the LCE client some data to send to the server. It is advised to
   put “TEST OF FUNCTIONALITY” at the beginning of the log entries so that these tests are not mistaken for
   actual alerts. Check your client logs to ensure communication is taking place.
   a. Yes? Communication is taking place. Continue to step 4.
   b. No? Contact Tenable Support for an LCE Client issue.
4. Once the logs are appended, check the client.status file. Has it changed?
   a. Yes? Functionality is working.
   b. No? Continue with the next step.
5. Check SC4 for the IP address in question and the time of the test. Were there entries found?
   a. Yes? Your LCE is functioning properly. However, there may be an issue with the client.status
      heartbeat. Notify Tenable Support of the issue.
   b. No? Continue to the next step.
6. Grep the LCE’s notmatched.txt file for the IP address in question and the time of the test. Were there
   entries found?
   a. Yes? Your LCE is functioning and logs are being updated properly. However, there may be an issue with the
      client.status heartbeat. Notify Tenable Support of the issue.
   b. No? Continue to the next step.
7. Run tcpdump on the LCE and capture traffic from the IP address of the client in question. Repeat step 3 to
   force communications. Did you receive traffic?
   a. Yes? Notify Tenable Support of the issue for further assistance.
   b. No? You may have a network issue. Please work with your network support to troubleshoot the issue.
Appendix 4: Manual SC4/LCE Key Exchange
A manual key exchange between SecurityCenter and the LCE is normally not required; however, in some cases where
remote root login is prohibited or key exchange debugging is required, you will need to manually exchange the keys.
For the remote LCE to recognize SecurityCenter, you need to copy the SSH public key of SecurityCenter and append it to the
“/opt/lce/.ssh/authorized_keys” file on the LCE server. The “/opt/lce/daemons/lce-install-key.sh”
script performs this function. The following steps describe how to complete this process:
The LCE server must have a valid license key installed and the LCE daemon must be running before performing
the steps below.
1. Download the SSH public key for SecurityCenter by logging in as the SecurityCenter administrator user and
   navigating to the “Keys” section (“System” -> “Keys”).
2. Click on “Download Key”, choose the desired key format and then click on “submit”. Both DSA and RSA work for
   this process, but prefer RSA: OpenSSH 7.0 and later disable DSA (ssh-dss) keys by default, so a DSA key will stop
   working when the LCE server's OpenSSH is upgraded.
3. Save the key file (SSHKey.pub) to your local workstation. Do not edit the file or save it to any specific file type.
4. From the workstation where you downloaded the key file, use a secure copy program, such as “scp” or “WinSCP”, to
   copy the SSHKey.pub file to the LCE system. You will need the credentials of an authorized user on the LCE
   server to perform this step. For example, if you have a user “bob” configured on the LCE server (hostname “lceserver”)
   whose home directory is /home/bob, the command on a Linux or Unix system would be as follows:
   # scp SSHKey.pub bob@lceserver:/home/bob
5. After the file is copied to the LCE server, move it to /opt/lce/daemons:
   # mv /home/bob/SSHKey.pub /opt/lce/daemons
6. On the LCE server, as the root user, change the ownership of the SSH key file to ‘lce’:
   # chown lce /opt/lce/daemons/SSHKey.pub
7. Then append the SSH public key to the “/opt/lce/.ssh/authorized_keys” file. Pass the script the path the key was
   moved to in step 5, not its original location in bob's home directory:
   # su lce
   # /opt/lce/daemons/lce-install-key.sh /opt/lce/daemons/SSHKey.pub
8. To test the communication, as the user “tns” on the SecurityCenter system, attempt to run the ‘id’ command:
   # su tns
   # ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id
If a connection has not been previously established, you will see a warning similar to the following:
The authenticity of host '192.168.15.82 (192.168.15.82)' can't be established.
RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f.
Are you sure you want to continue connecting (yes/no)?
Before answering, confirm that the fingerprint shown really belongs to the LCE server: on the LCE server, run
“ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub” (add “-E md5” on newer OpenSSH releases to get the colon-separated
form shown above) and compare the two values. Accepting an unverified fingerprint would let a host impersonating the
LCE receive SecurityCenter's connection. Once the fingerprints match, answer “yes” to this prompt.
If the key exchange worked correctly, a message similar to the following will be displayed:
uid=251(lce) gid=251(lce) groups=251(lce)
9. The IP address of SecurityCenter can be added to the LCE system’s /etc/hosts file. This prevents the SSH daemon
   from performing a DNS lookup that can add seconds to your query times.
10. The LCE can now be added to SecurityCenter via the normal administrator “LCE add” process documented in the
    SecurityCenter Administration Guide.
Appendix 5: Offline Activation and Plugin Updates
The steps below explain how to activate and update LCE plugins on an air-gapped network.
Offline Activation
1. Navigate to https://support.tenable.com, and log in.
2. Select “Activation Codes” from the menu, select the plus symbol (+) next to “Log Correlation Engine”, then copy
   the “Activation Code” to be used with the offline LCE.
3. Log in to the offline LCE terminal as the root user, and execute the command below.
   # /opt/lce/daemons/lce_wwwd --challenge
   Challenge:
   e1e02d38a48603467fb8728b13ada3e29e5e9fd4
   Copy the challenge above and paste it (with your Activation Code) into:
   https://plugins.nessus.org/v2/offline-lce.php
4. Using a web browser, go to https://plugins.nessus.org/v2/offline-lce.php and enter the activation code and challenge
   code obtained in the previous steps.
5. Select the link that is generated to download the current plugin set. Make a copy of the link that is returned. The link
   provided will be valid until the LCE subscription expires. Save the link, as it will be needed each time the plugins are
   manually updated.
6. Select the link to download the license key “lce.license”, or create an lce.license file by copying the information
   returned, from “-----BEGIN TENABLE LICENSE-----” to “-----END TENABLE LICENSE-----”, into a text file.
7. Upload the lce.license file to /opt/lce/daemons, and run the following command:
   # /opt/lce/daemons/lce_wwwd --register-offline lce.license
8. Then navigate to https://<ip address of your lce>:8836 and complete the setup and configuration steps above.
9. To verify the license has been loaded successfully, choose “Health and Status” followed by “Plugins”. The “Activation
   Status” should now show “Licensed” as shown in the image below.
Offline Plugin Updates
1. Using the link found in step 5 of the “Offline Activation” section, download the newest “lce-combined.tar.gz” file.
2. Under the “Offline Plugin Update” section choose “Browse” to upload the “lce-combined.tar.gz” file. The
   “lce-combined.tar.gz” file contains updates for LCE PRM(s), TASL(s), discoveries, client policies, the web client, and
   the web server. After the file is uploaded successfully choose “Process Plugins”. The process may take a minute or two
   to complete.
3. To verify the plugins have been loaded successfully, choose “Health and Status” followed by “Plugins”. The “Plugin
   Set” and the “Plugin Set Loaded” will now be populated as shown in the image below:
Appendix 6: Non-Tenable License Declarations
The command below lists all the third-party software packages that Tenable provides for use with the
Log Correlation Engine. It may be run at the command line by users with permission to execute the lced
binary.
# /opt/lce/daemons/lced -l
For a list of third-party software packages that Tenable utilizes with LCE, see the “Tenable Third-Party License Declarations”
document.