Log Correlation Engine 4.6 Administration and User Guide
May 17, 2016 (Revision 4)

Table of Contents

Introduction
  Standards and Conventions
  Components of the Log Correlation Engine
    IDS Collection and Correlation
    IDS Collection Only
  Prerequisites
    Supported Operating Systems/Platforms
    Licenses
    SecurityCenter
    Secure Shell Public Keys
    Secure the Log Correlation Engine Server System
LCE 4.6 Overview
LCE Server Installation
  Getting Started
  Installation Location
  Installing the Package
    Setup Wizard
      Step 1: Change Default Password
      Step 2: Proxy Configuration
      Step 3: Set Activation Code
      Step 4: Port Configuration
      Step 5: Database Directory
      Step 6: Network Ranges
      Setup Complete
  Files and Layout
    Upgrading the License
System Configuration
  Basic Configuration
  Storage Configuration
  IDS Configuration
  Load Balancing Configuration
    Configuring the Primary LCE Server
    Configuring the Auxiliary LCE Server
Advanced Configuration Options
  Storage
  LCE Web Server
  Sensor Names
  Clients
  User Tracking
  Host Discovery and Vulnerabilities
    Statistical Alerts
    Resource Usage and Performance
    DNS Caching
  Data Forwarding
    Sending Syslog Messages to Other Hosts
    Syslog Compliant Messages
    Content of Forwarded syslog Messages
    TCP Syslog Server Reconnect Interval
    Checksum Forwarding
    TCP Syslog
  Receiving Encrypted Syslog
    Encrypted TCP Syslog
    Example Encrypted TCP Syslog Configuration
  Correlation
  TASL and Plugins
    Excluding TASL Files
    Excluding PRM Files
    TASL Parameters
  Event Rules
    Email Syntax
    Syslog Syntax
    Custom Command Syntax
    LCE Rule Filters
    LCE Shell Command Options
  Email/Alerting/Execution
Debugging
  Debug Mode
  Storing All Logs with "save-all"
  Different File System
  Multiple Plugin Matches per Log File "multiple-matches"
  Quick Example
  SSH Keys
  Service Control
  Feed Settings
    Feed Registration
  Plugin Update
    Updating Plugins (PRM Files) and TASL Scripts
    Offline Updates
  Web Proxy
LCE Health and Status
  Correlation Statistics
LCE Users
  Add Users
  Edit Users
  Remove Users
Managing Client Configuration Files
Upgrading LCE
LCE Command Line Operations
  Starting LCE
  Halting LCE
  Restarting LCE
  Determine LCE Status
  Operating the stats Daemon
    Stopping and Starting all Daemons in RHEL 7 / CentOS 7
Additional Features
  Importing LCE Data Manually
  User Tracking
Working with SecurityCenter
  Adding the LCE to SecurityCenter
  Configuring Organizations
  Analyzing Security Events
  Identifying Vulnerabilities
    TASL Scripts
  Full Text Searches
    Tokens
    Operators
    Grouping
    Examples: Putting it All Together
For More Information
About Tenable Network Security
Appendix 1: Sample msmtp.conf File
Appendix 2: Event Rule Table
Appendix 3: Troubleshooting
Appendix 4: Manual SC4/LCE Key Exchange
Appendix 5: Offline Activation and Plugin Updates
  Offline Activation
  Offline Plugin Updates
Appendix 6: Non-Tenable License Declarations

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Introduction

This document describes the installation, configuration, and administration of Tenable Network Security's Log Correlation Engine 4.6 for use with SecurityCenter (including SecurityCenter Continuous View). Please email any comments and suggestions to support@tenable.com.

The LCE is used with Tenable's SecurityCenter, which is installed separately. This documentation assumes that you already have an operational SecurityCenter. Knowledge of SecurityCenter operation and architecture is also assumed.
Familiarity with system log formats from various operating systems, network devices, and applications, and a basic understanding of Linux and Unix command line syntax, is also assumed.

Standards and Conventions

Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font, such as gunzip, httpd, and /etc/passwd. Command line options and keywords are also indicated with the courier bold font. Command line examples may or may not include the command line prompt and the output text from the results of the command. Command line examples display the command being run in courier bold to indicate what the user typed, while the sample output generated by the system is indicated in courier (not bold). The following is an example run of the Unix pwd command:

# pwd
/opt/local/lce
#

Important notes and considerations are highlighted with a symbol and grey text boxes. Tips, examples, and best practices are highlighted with a symbol and white on blue text.

Components of the Log Correlation Engine

The Log Correlation Engine (LCE) has three main components: the LCE clients, the daemon/server component (lced), which is referred to as the LCE server, and a web GUI that is used for LCE server administration. Data gathered by LCE is analyzed using SecurityCenter.

The LCE clients are installed on hosts to monitor and collect events, which are forwarded on to the LCE server. When received by the LCE server, events are both stored as raw logs and normalized and correlated with vulnerabilities (if applicable). The SecurityCenter UI makes both the raw and normalized event data available to the user for event analysis and mitigation.

LCE users work with log data from a wide variety of sources. Each organization can make queries to one or more LCE servers that contain events from a wide variety of devices, including firewalls, servers, routers, honeypots, mobile device managers, applications, and many other sources.
The LCE supports many types of agents, including:

- Windows Event Logs (collected locally or remotely via a WMI client)
- Windows, Linux, and Unix system and application logs
- Check Point OPSEC events
- Cisco RDEP events
- Cisco SDEE events
- NetFlow
- Splunk
- Sniffed TCP and UDP network traffic (Tenable Network Monitor)
- Sniffed syslog messages in motion
- File monitoring (Linux, Unix, and Windows)

LCE has many signature processing libraries to parse logs, and can normalize and correlate events from most network IDS devices, as well as messages from SecurityCenter. The LCE supports the following IDS sources:

IDS Collection and Correlation

- Bro
- Cisco IDS
- Enterasys Dragon
- HP TippingPoint
- IBM Proventia (SNMP)
- Juniper NetScreen IDP
- McAfee IntruShield
- Fortinet IDS events
- Snort (and Snort-based products)

TippingPoint's syslog event format must be modified to use a comma delimiter rather than a tab delimiter before it can be processed by the LCE.

IDS Collection Only

- AirMagnet
- Check Point (Network Flight Recorder)
- Portaledge
- Toplayer IPS

There are thousands of normalization rules that support most operating systems, firewalls, network routers, intrusion detection systems, honeypots, and other network devices. The list of officially supported log sources is frequently updated on the Tenable website.

Prerequisites

It is important to ensure that the prerequisite requirements for LCE are met before beginning installation.
These requirements include:

- A 64-bit CentOS/RHEL platform with all unnecessary services disabled
- An LCE license
- An LCE management installation (SecurityCenter)
- LCE clients 4.0 or higher (if applicable)
- Secure Shell (SSH) key generation

Supported Operating Systems/Platforms

The LCE server component is available for the Red Hat Enterprise Linux (RHEL) and CentOS 5.x, 6.x, and 7.x operating systems on 64-bit platforms. One or more LCE servers can be configured to operate with a single SecurityCenter. The LCE server can be installed on the SecurityCenter's host system, but this configuration is not recommended for performance reasons.

If you are using an AWS instance in conjunction with LCE, you must use an Elastic Network Interface (ENI). See the AWS documentation on Elastic Network Interfaces for more information.

Licenses

Each LCE server is licensed to the specific hostname of the system on which it is installed. There is no licensed limit to the number of events or IPs that the LCE can be configured to monitor. Different licenses are available for the LCE based on the total amount of storage used by the LCE: 1 TB, 5 TB, and 10 TB. A license for LCE is provided as part of the SecurityCenter Continuous View offering. The maximum number of silos available to each license size is 103, 512, and 1024, respectively. There is no difference in the LCE software that is installed, just in the maximum storage size that can be used by the LCE. Data silos are always limited to a maximum size of 10 GB per silo.
SecurityCenter

LCE information is analyzed using SecurityCenter, so you must have an operational SecurityCenter deployed before installing LCE. Please refer to the SecurityCenter documentation for more information on installation and configuration.

Secure Shell Public Keys

LCE analysis is provided to SecurityCenter through command execution across a Secure Shell (SSH) network session. When SecurityCenter queries an LCE server, it invokes an SSH session to the configured LCE server. All execution and analysis of LCE data occurs on the LCE server. SSH public keys are configured such that SecurityCenter can invoke commands on the LCE server. Non-system-administrator accounts are used to perform these queries. The trust relationship is only needed from SecurityCenter to the LCE server.

Secure the Log Correlation Engine Server System

It is recommended that the server operating system be locked down before installation to ensure that no unnecessary services are running. The only services required to support remote users are SSH and the LCE administration web GUI. While the LCE daemon is operational, it listens by default on:

- UDP port 514 for syslog messages
- UDP port 162 for SNMP
- TCP port 601 for reliable syslog service messages over TCP
- TCP port 6514 for encrypted TCP syslog messages
- TCP port 31300 for the LCE API (needed if LCE clients are operational)
- TCP port 31302 for load balanced LCE servers
- TCP port 8836 for the LCE administration web GUI

If vulnerability detection features are used with SecurityCenter, the default TCP port 1243 will also be used. The system running the LCE can operate a syslog daemon, but the syslog daemon must not be listening on the same port(s) that the LCE server is listening on.
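A way to exercise the encrypted TCP syslog listener described above, as an added example that is not part of this guide or of Tenable's code: it builds an RFC 5424 message, applies RFC 5425 octet-counting framing, and delivers it over a certificate-verified TLS 1.2+ connection to port 6514. The framing lced expects, the host name lce-server.example.com and the cafile path are assumptions; the receiver-side parser is included to show why the length prefix matters.

```python
"""Send a test message to a syslog-over-TLS listener such as the LCE
"Encrypted TCP Syslog Listen Port" (TCP 6514).

Added example, not Tenable code. Assumptions not stated in the guide:
  * the listener accepts RFC 5425 octet-counting framing ("MSG-LEN SP MSG");
  * the CA that issued the listener certificate is available as ``cafile``
    (the guide only says the defaults live under /opt/lce/credentials/syslog).
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional


def build_rfc5424_message(hostname: str, appname: str, msg: str,
                          facility: int = 1, severity: int = 6,
                          timestamp: Optional[str] = None) -> str:
    """Build a minimal RFC 5424 message: <PRI>1 TIMESTAMP HOST APP - - - MSG.

    PRI is facility*8 + severity. PROCID, MSGID and STRUCTURED-DATA are sent
    as the NILVALUE "-". ``timestamp`` is an RFC 3339 string; None means now.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for field in (hostname, appname):
        if not field or " " in field:
            raise ValueError("HOSTNAME and APP-NAME must be non-empty and space-free")
    return f"<{facility * 8 + severity}>1 {timestamp} {hostname} {appname} - - - {msg}"


def frame_rfc5425(message: str) -> bytes:
    """Octet-counting framing: decimal byte length, one space, the message.

    The length counts UTF-8 bytes, not characters, so multi-byte text is still
    delimited correctly. Unlike newline framing this stays unambiguous when
    the message itself contains newlines (common in Windows event text).
    """
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def parse_rfc5425_stream(data: bytes) -> List[str]:
    """Receiver side: split an octet-counted byte stream into messages.

    A malformed or truncated frame raises ValueError rather than letting the
    parser resynchronise by guesswork, which is how a listener avoids
    attributing the tail of one message to the next.
    """
    messages: List[str] = []
    pos = 0
    while pos < len(data):
        space = data.find(b" ", pos)
        if space == -1 or not data[pos:space].isdigit():
            raise ValueError(f"malformed MSG-LEN at offset {pos}")
        length = int(data[pos:space])
        start = space + 1
        if start + length > len(data):
            raise ValueError(f"truncated frame at offset {pos}")
        messages.append(data[start:start + length].decode("utf-8"))
        pos = start + length
    return messages


def send_encrypted_syslog(host: str, message: str, port: int = 6514,
                          cafile: Optional[str] = None,
                          timeout: float = 5.0) -> int:
    """Deliver one framed message over TLS 1.2+ with certificate verification.

    Returns the number of bytes written. ``cafile`` is an assumed path to the
    CA certificate for the LCE listener; None falls back to the system store.
    """
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    frame = frame_rfc5425(message)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname enables SNI and hostname checking against the cert.
        with context.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    # Offline demonstration with a constructed message; to deliver it, call
    # send_encrypted_syslog("lce-server.example.com", msg, cafile="ca.pem").
    msg = build_rfc5424_message("app01.example.com", "lce_test",
                                "encrypted syslog check")
    frame = frame_rfc5425(msg)
    print(frame)
    print(parse_rfc5425_stream(frame + frame_rfc5425(msg)))
```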
LCE 4.6 Overview

LCE 4.6 contains key improvements over previous versions, including the ability to receive TCP encrypted syslog and the ability to track clients via UUID, which is beneficial in environments where DHCP is used (available in version 4.6 LCE clients). Also available in LCE 4.6 is an Application Programming Interface (API). The API can potentially be used by third-party applications to create custom interfaces to the LCE daemon.

To configure LCE 4.6, navigate to the DNS name or the IP address of the LCE server over port 8836 (https://<dns name or IP address>:8836) in your preferred web browser.

The following image shows what the LCE GUI will look like upon initial login after the LCE has been upgraded. The initial section that is displayed is “Health and Status”. Details on each sub-section are described later in this document. To edit any configuration option, select “Configuration”. To add or remove a user, select “Users”.

The right side of the screen displays the username of the user that is currently logged in. Clicking the drop-down arrow beside the username displays a list of options. These options allow the currently signed-in user to “Change Password”, view basic “Help & Support” information, or “Sign Out” of the LCE GUI. There is also a red bell in the far right-hand corner of the LCE GUI that displays the last few notifications generated by the LCE server. These notifications can also be found in the “Alert” section of the “Health and Status” page.

LCE Server Installation

Getting Started

Before beginning the LCE installation, it is important to understand the high-level steps required for a successful installation. These steps are typically performed in the following order:

1. Download the LCE server RPM and confirm the integrity of the installation package by comparing the MD5 checksum of the downloaded file with the one listed in the product release notes.
2. Install the LCE server RPM.
3. Copy the activation code from the “Activation Code” section of the Tenable Support Portal (https://support.tenable.com).
4. Using a web browser, navigate to the address or hostname of the LCE server over port 8836 (https://<ip or hostname>:8836), and complete the “Quick Setup” wizard.
5. Add the LCE server to SecurityCenter via the SecurityCenter web interface as a SecurityCenter Administrator user.

Installation Location

The installation file may be placed anywhere on the target system. The installation steps described below assume execution from the same directory where the installation package is located.

Installing the Package

To ensure consistency of audit record time stamps between the LCE and SecurityCenter, make sure that the underlying OS uses the Network Time Protocol (NTP) as described in: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sectDate_and_Time_Configuration-Command_Line_Configuration-Network_Time_Protocol.html

If you are upgrading from a previous version of LCE, please skip this section and see the section titled “Upgrading the Log Correlation Engine” below. Follow the instructions in this section for new installations.
As the root user, install the LCE RPM using the following command:

    # rpm -ivh lce-4.6.x-el6.x86_64.rpm

An example is shown below:

    # rpm -ivh /tmp/lce-4.6.0-el6.x86_64.rpm
    Preparing...                ########################################### [100%]
       1:lce                    ########################################### [100%]
    The installation process is complete.
    Please refer to /var/log/lce_upgrade.log to review installation messages.

    This is a new installation. To configure LCE, please direct your browser to:
    https://192.168.1.101:8836

Setup Wizard

After the initial installation is complete, navigate to the DNS name or the IP address of the LCE server over port 8836 (https://<dns name or IP address>:8836) in your preferred web browser. The login screen will be displayed. The default login credentials are user name “admin” and password “admin”. Enter the default information and select “Sign In To Continue”.

Step 1: Change Default Password

Upon initial login, the “Quick Setup” will begin. The first step is to change the password. The default password complexity requirement is 4 alphanumeric characters. The password complexity can be changed; this is covered in a later section of this guide.

Step 2: Proxy Configuration

The next section of the configuration wizard requires “Proxy Configuration” information. If a proxy is used in the environment where LCE is deployed, select “Yes” and enter the required information into the corresponding fields. If a proxy is not required, select “No”. After the appropriate option is selected and any corresponding fields are completed, choose “Next Step”.

Step 3: Set Activation Code

The “Set Activation Code” section requires a valid activation code. The activation code can be obtained by logging into the Tenable Support Portal (https://support.tenable.com) and then selecting “Activation Codes”. Enter the Activation Code and click “Apply”. A check mark appears next to the “Apply” button to confirm that the Activation Code is valid. When the Activation Code has been entered correctly, select “Next Step” to proceed.

If the LCE is not connected to the Internet, an offline plugin update will need to be performed periodically. Please review the Offline Activation and Plugin Update section of this guide for more information.

Step 4: Port Configuration

The “Port Configuration” section displays the default ports already assigned for each type of communication. If an alternate port is used for any of the services listed, it can be changed here. If changes are made, select “Apply” to ensure those changes are enforced. Then select “Next Step” to continue.

Step 5: Database Directory

The “Database Directory” section displays the default LCE database location, “/opt/lce/db/”. This can be changed to an alternate directory if needed, but doing so is not recommended.
If it is changed after the “Quick Setup” is complete, the database will need to be moved using a manual process. If changes are made, select “Apply” to ensure those changes are enforced. Confirm that there is adequate space available in the directory location for the license that you have uploaded, which is reported in the center of the “Database Directory” window, and then select “Next Step” to continue.

Step 6: Network Ranges

The “Network Ranges” section specifies the networks to be monitored or ignored by LCE. The network ranges to be monitored by LCE must be entered in CIDR notation (192.168.0.0/24) or IP/netmask notation (192.168.0.0/255.255.255.0) in the “Monitored Network” box. The networks to be excluded from LCE must be entered in CIDR or IP/netmask notation in the “Excluded Network” box. After the information is entered, select “Next Step”.

Setup Complete

At this point the “Quick Setup” process is complete, and LCE services will require a restart. If you would like to revisit any step before finalizing the configuration, choose “Previous Step” to edit the desired step. Otherwise, select “Restart” to complete setup. Once the LCE has restarted, the initial configuration is complete. It is possible to log in to the LCE web interface to address any additional configuration, including syslog forwarding, load balancing across multiple LCE servers, NAT setup for LCE clients, and other advanced settings. For more information on large scale deployments, please refer to the Log Correlation Engine 4.6 High Availability Large Scale Deployment Guide.
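The monitored and excluded ranges entered here are the same ones the Basic Configuration “Include Networks” / “Exclude Networks” options use to label events inbound, outbound or internal, and hand-typed ranges are easy to get wrong. The following added example, not Tenable's code, parses ranges in both accepted notations, validates them, and classifies constructed (src, dst) pairs; the “exclude wins over include” precedence and the rejection of prefixes with host bits set are this example's assumptions, not documented LCE behaviour.

```python
"""Validate LCE network ranges and classify event direction from them.

Added example, not Tenable code. It models the documented rule that the
monitored/include ranges define "internal" addresses and the exclude ranges
carve exceptions out of them. Two details are assumptions of this example,
not documented LCE behaviour: an exclude match always wins over an include
match, and a prefix with host bits set (10.1.2.3/8) is rejected as a typo.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(lines: Iterable[str]) -> List[Network]:
    """Parse one range per line in CIDR (192.168.0.0/24) or IP/netmask
    (192.168.0.0/255.255.255.0) form, the two notations the wizard accepts.

    Blank lines and '#' comments are ignored. strict=True makes the standard
    library reject host bits in the prefix, so a mistyped range fails loudly
    instead of being silently widened to the containing network.
    """
    nets: List[Network] = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            nets.append(ipaddress.ip_network(text, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid network range {text!r}: {exc}") from exc
    return nets


class NetworkPolicy:
    """Include/exclude ranges as entered in "Network Ranges" or in the Basic
    Configuration "Include Networks" / "Exclude Networks" boxes."""

    def __init__(self, include: Iterable[str], exclude: Iterable[str] = ()):
        self.include = parse_ranges(include)
        self.exclude = parse_ranges(exclude)
        # An exclusion lying outside every include range has no effect;
        # report it so the operator can spot the typo before applying.
        self.warnings = [
            f"exclude range {ex} is not inside any include range"
            for ex in self.exclude
            if not any(ex.version == inc.version and ex.subnet_of(inc)
                       for inc in self.include)
        ]

    def is_internal(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # Membership tests across IPv4/IPv6 simply return False.
        if any(addr in ex for ex in self.exclude):
            return False
        return any(addr in inc for inc in self.include)

    def direction(self, src: str, dst: str) -> str:
        """inbound: external -> internal, outbound: internal -> external,
        internal: both internal, external: neither address is internal."""
        src_in, dst_in = self.is_internal(src), self.is_internal(dst)
        if src_in and dst_in:
            return "internal"
        if dst_in:
            return "inbound"
        if src_in:
            return "outbound"
        return "external"


def classify_events(policy: NetworkPolicy,
                    events: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count directions over (src, dst) pairs, e.g. taken from normalized events."""
    counts: Dict[str, int] = {}
    for src, dst in events:
        label = policy.direction(src, dst)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed ranges and event addresses for demonstration only.
    policy = NetworkPolicy(
        include=["10.0.0.0/8", "192.168.0.0/255.255.255.0  # lab segment"],
        exclude=["10.99.0.0/16", "172.16.0.0/12"],
    )
    print(policy.warnings)  # 172.16.0.0/12 is outside both include ranges
    sample = [("10.1.2.3", "203.0.113.7"), ("203.0.113.7", "192.168.0.10"),
              ("10.1.2.3", "192.168.0.10"), ("10.99.1.1", "10.1.2.3")]
    print(classify_events(policy, sample))
```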
The installation process will create a user and group named “lce” and install the LCE server to the /opt/lce directory. All files will be installed with the user and group of “lce” except for the actual lced daemon, which is set-user-id root. This must be started as the “root” user, and once the daemon has bound to the appropriate port(s), it will drop privileges. If the lced daemon terminates abnormally for any reason, the system will automatically restart the daemon and add a warning to the LCE logs.

Files and Layout

LCE resides in the /opt/lce directory and contains various sub-directories. The contents of each sub-directory are summarized below.

admin: This directory contains all of the LCE’s log files. There is a sub-directory named log that contains various log files. System log file names are based on the year, month, and date, such as 2015May.log. Log files in the main log directory are general LCE log system files. The log directory contains sub-directories for specific components of LCE such as clientmanager, indexer, stats, queries, reporter, and importer.

credentials: This directory contains certificates and keys for LCE modules to authenticate remote connections. For example, the syslog sub-directory contains the default keys and certs used to authenticate encrypted TCP syslog senders.

daemons: This directory contains the lced binary (the log engine) and all other helper daemons in LCE. The LCE Client Manager is also located here.
The daemons directory also contains sub-directories for plugins, policies, and other items updated automatically via the LCE plugin feed. When LCE starts, it will load all files in the plugins directory unless they are disabled via the configuration.

db: LCE stores all event data in the db directory. Each silo is labeled lce(number).ndb and has accompanying log_store and db_index directories. The location of this directory will differ if the configuration was altered at some point.

docs: This directory contains the LCE Software License Agreement.

ha: This sub-directory contains the tools used if LCE is configured for high availability. For more information on this feature, review the Log Correlation Engine 4.6 High Availability Large Scale Deployment Guide.

ids: IDS signature mappings and host vulnerability information from SecurityCenter are stored here for correlation.

reporter: This directory and its sub-directories contain certs and keys for the Nessus Transport Protocol interface that SecurityCenter uses to retrieve report information.

reports: This directory contains host vulnerability information LCE has discovered by scanning logs.

tmp: Directory used for temporary data used by LCE.

tools: This directory contains various tools used by LCE, some of which can be run from the command line if required.

var: The db sub-directory under the var directory contains the following databases: lce_alert.db, lce_config.db, lce_status.db, lce_users.db, and pm.db. The www directory contains the web client and web server information.
The users sub-directory contains a directory for each user configured in the LCE GUI.

Upgrading the License

It is possible to upgrade from your silo license to one with a higher capacity (e.g., 1 TB to 10 TB). A replacement license key will be required. Perform the following steps to upgrade your license:

1. Log in to the LCE user interface (https://<ipaddress or hostname>:8836).
2. Select “Configuration” in the LCE user interface.
3. Choose “Feed Settings” in the “Configuration” menu.
4. Enter the “Activation Code”, and select “Apply”.
5. Select “Update” at the bottom of the “Feed Settings” page.

The number of silos indicates the type of license in use. For example, 103 silos indicate a 1 TB license, 512 silos indicate a 5 TB license, and 1024 silos indicate a 10 TB license, when the maximum silos for a license are used. The total number of silos, along with how many silos have been used, is displayed in the “Health and Status” section under the “Advanced” section of the LCE GUI, as shown below. Navigate to “Health and Status”, and select “Plugins” to verify that the “Activation status” is “Licensed” and the “Feed Expiration” does not show “Expired”.

System Configuration

The LCE system configuration is administered by logging into the LCE web interface and selecting “Configuration” at the top of the page. The sections available in “System Configuration” are “Basic”, “Storage”, “IDS”, “Load Balancing”, “Advanced”, “Control”, and “Feed Settings”. Each of these sections is covered in detail below.
Each configuration page in the “System Configuration” section has an “Update” option at the bottom that must be selected before any changes made in that section are applied to the LCE. The updates are applied while the LCE is running, so there is no need to restart the LCE services.

Basic Configuration

The Basic Configuration section comprises the essential configuration needed for an LCE server to function. The items in this section are addressed in the initial “Setup Wizard”, but can be changed here at a later time if the need arises. Each menu option for the “Basic” section is covered in detail below.

Server Address: This option allows you to specify the IP address of the network interface(s) on which lced and lce_report_proxyd will listen. More than one interface may be specified, one per line, for example:

    127.0.0.1
    172.0.0.2

By default, or if left blank, the above LCE services will listen on all available network addresses.

LCE Client Port: This option specifies the port number that lced listens on. By default, it is set to 31300, but may be changed to another value.

Syslog Port (UDP): LCE listens for UDP syslog traffic on the standard port 514 by default. If the environment requires the LCE to listen on a different port, this setting may be changed.

Syslog Port (TCP): This setting determines the port to listen on for reliable syslog messages via the TCP protocol.

Encrypted TCP Syslog Listen Port: This setting determines the port for receiving encrypted TCP syslog traffic.
The default port for encrypted syslog over TLS is 6514 per RFC 5425, but the port may be altered if required.

Include Networks: Defines your internal network range. All networks specified here are included, while the Exclude Networks option is used to make exceptions. Make sure this range matches IP addresses that are considered “internal” from an event perspective. This range is used by a number of TASL scripts and the Stats daemon to define inbound/outbound/internal specifications for LCE events. This is different from the “Directions” filter on the SecurityCenter events page, which uses the logged-in user’s managed ranges to determine event direction.

Exclude Networks: Provides exceptions to the “Include Networks” ranges specified above.

Storage Configuration

The storage section of “System Configuration” shows the database location, silo size, and number of silos, and also contains the archiving configuration.

Database Directory: Specifies the location of the LCE database directory.

Silo Size: Specifies the maximum amount of data from matched log events that will be stored in one indexed file (silo). Choose “MB” to specify megabytes; for example, entering 10240 and choosing “MB” specifies a maximum silo size of 10 gigabytes. Choose “GB” to specify gigabytes; for example, entering 1 and choosing “GB” specifies 1 gigabyte. By default, this is set to 10 GB. Note that the filesystem must support the file size selected within this setting.
When considering silo size: it is suggested that the total number of silos for the license should not be exhausted more than once in a single month.

Number of Silos: Specifies the number of silos that lced will create. The maximum number of silos that can be created is 1024 for a 10 TB license, 512 for a 5 TB license, and 103 for a 1 TB license. When configuring this setting, consider the silo-size setting and the maximum disk space available for storage. Example: with 1 TB available for storage and silos configured for 10 GB, a maximum of 102 silos can be created before disk exhaustion.

Enable Archiving: This option allows the archive functionality of LCE to be enabled or disabled. If there is insufficient disk space on the silo archive device, LCE will no longer attempt to save a silo before overwriting it. If this occurs, log messages will be generated warning of the event. The event alerting functionality of LCE can be leveraged to automatically notify concerned individuals (e.g., by email alert) when this sort of event occurs. Please reference the section of this document titled “Event Rules” for more information.

Location: If the archive functionality is enabled in LCE, a location for the archive files must be specified, for example:

    /opt/lce/silo_archive

Save Index: This option specifies whether the LCE database index files are to be saved for faster searching of archived silos. The “Save Database” option must be selected for this option to be selectable.

Save Raw Logs: This option specifies whether the LCE raw log files are to be saved. These files contain the original matched log messages before normalization.

IDS Configuration

LCE has the ability to receive IDS events from multiple sources. In addition to being normalized and stored in the log database, each event will be checked against any SecurityCenter vulnerability databases. If a host is vulnerable to attack, the event is marked as such, allowing rules to trigger on this scenario so that the information can be distributed to the affected administrators. For each IDS sensor, a sensor name and type must be defined as in the example below. The supported types are Snort, Bro, RealSecure, Dragon, IntruVert, IntruShield, Juniper, NetScreen, NFR, Fortinet, Cisco, TippingPoint-Sensor, and TippingPoint-SMS.

IDS IP: The IP address of the IDS.

Sensor Name: Name to be used within the SecurityCenter logs.

Sensor Type: IDS sensor type.

Load Balancing Configuration

Multiple LCEs may be configured in a tiered system. This allows one LCE to be designated as the primary LCE, which can send incoming log messages to one or more auxiliary LCE servers (depending on load, which is calculated at a regular interval). This distributes the storage and processing of the log messages among up to 256 different LCE servers. Taking advantage of this configuration allows all the LCE clients and log sources to be configured for a single LCE server, and that primary LCE server load balances the incoming requests between itself and its auxiliary servers. Additionally, clients may be configured to send their logs directly to an auxiliary server, bypassing the primary LCE if there is a need to do so. One example would be if you want all firewall logs to go to a specific LCE for storage; those sources would then point their logs at that specific LCE, bypassing the primary LCE.

Load balancing messages and logs sent between the primary and auxiliary LCEs are encrypted. To provide additional encryption, the encryption passphrase option may be configured.
This option can use a phrase of 1 to 32 characters. When set, all of the connected LCEs must be configured with the same passphrase.

When using tiered LCE servers, each one must be configured in SecurityCenter in order to be queried. If a SecurityCenter user only has access to three out of four LCE servers in a group, that user will receive incomplete results based only on the data stored in the three LCE servers to which the user has access.

Configuring the Primary LCE Server

The primary LCE server listens on TCP port 31302 (by default) for status data from auxiliary LCE servers. The listening port of the primary LCE server may be changed by modifying the Local Status Port option on the Load Balancing tab. There may only be one primary LCE server configured in a group, and servers may not play a dual role of primary and auxiliary. Unless the server is specifically configured to be an auxiliary LCE server, it considers itself a primary LCE server and listens on port 31302 (by default).

Configuring the Auxiliary LCE Server

When configured as an auxiliary LCE, the server will accept log files sent to it by the primary. To enable the auxiliary mode, configure the Load Balancing Auxiliary setting on the Load Balancing tab with the IP address and port number of the primary LCE. If the primary LCE is running on the default port of 31302, adding the port number is not required.

Note that when using tiered LCE servers, log-related options such as syslog forwarding, storing not-matched logs, and similar are processed on the server that processes the logs.
Such options must be configured identically on all the LCE servers for consistent results.

Load Balancing Local

Local Server Address: When there is more than one network interface available to receive data from the primary LCE, enter the IP address of the interface to use. Otherwise, the default interface’s IP address will be used. This can be used to balance bandwidth between multiple interfaces.

Local Status Port: When the LCE server is configured to offload log data to auxiliary servers, TCP port 31302 is the default port used. Change the setting here to change the port on which the LCE server communicates.

Encryption Passphrase: When load balancing between primary and auxiliary LCE servers, all messages are encrypted. To enhance security, a user-specified key may be added. Enter an encryption phrase of up to 32 characters. The passphrase must be the same on all connected LCEs. Allowed characters are alphanumeric and the following characters: [].^$()|*+?{}/#_-~!@%=`'<>:|&\",

Load Balancing Auxiliary

Primary Server Address: When used as an auxiliary LCE server, this setting designates the IP address of the primary LCE server.

Primary Server Port: TCP port 31302 is the default port used when the LCE server is configured to offload log data to auxiliary servers. Change the setting here to change the port on which the LCE server communicates.

High Availability

Virtual IP Address: This is the IP address used by devices such as syslog sensors and clients to send data to LCE.
Virtual IP Interface: When specifying a Virtual IP Address, also specify an existing network adapter on which the LCE will bind the virtual IP. This defaults to eth0.

Virtual Router ID: If you have a VRRP solution deployed, or plan on adding one in the future, on the same network your LCE is deployed on, use this option to specify a router ID for the LCE cluster that differs from your other VRRP setup.

Mirror Mode: Optionally, instead of receiving a subset of logs, this LCE may register itself as a mirror and receive ALL logs processed by the primary LCE, effectively creating a live backup of the primary database. Check the box to enable this mode.

For more information on Load Balancing and High Availability, review the Log Correlation Engine 4.6 High Availability Large Scale Deployment Guide.

Advanced Configuration Options

The “Advanced” configuration section is used to fine-tune your LCE server configuration. Each section that is changed in the “Advanced” section requires that the “Update” button be selected before the updates are completed. Select “Cancel” to clear any unwanted updates. The exceptions to this are “Add Syslog Sensor Name”, “Add New Client Rule”, “Create Debug File”, and “Add New SSH Key”. Reference each section of this documentation when making changes to each of those advanced configuration options.

Storage

The options available under the “Storage” subsection are “Store Unnormalized Logs” and “Disk Alert Percentage”. These options are described below.
Store Unnormalized Logs: If this is enabled, LCE will store logs even when they are not normalized by existing LCE plugins. These logs will have the type and event set to “unnormalized” and will still be available for text, IP, and sensor-based searches.

Disk Alert Percentage: When disk utilization in the database directory exceeds the specified percentage (from 1 to 99 percent), an alert will be generated so that the user may take appropriate action and the LCE does not exhaust disk space for log storage. The default value is 75 percent.

LCE Web Server

The LCE Web Server section allows you to specify the parameters governing user login and access. These options are described below.

Login Banner: Displays a banner (1300 character limit) prior to user login, requiring the user to acknowledge a customized statement or warning.

Enforce Complex Passwords: Requires LCE web server user passwords to have at least 1 uppercase letter, 1 lowercase letter, 1 number, and 1 special character.

Min Password Length: Minimum length of a password for an LCE web server user login. Only passwords that are created or changed after this setting is updated will be affected.

Idle Session Timeout: Idle login sessions will be logged out after the amount of time specified, in minutes.

Web Server Port: Configures the port that the LCE web server will listen on. By default this is set to 8836.

Enable SSL for Web Server: When enabled, SSL connections are enforced for connections to the LCE web server. This is on by default.
Disabling this setting is not recommended, as it allows unencrypted traffic to the LCE web server. When this setting is changed and applied, users must reconnect to the server using the newly configured protocol.

Enable SSL Client Certificate Authentication: When enabled, only SSL client certificates are permitted for user authentication. When disabled (the default setting), users authenticate with a username and password.

Sensor Names

This option allows the administrator to override the discovered name of a syslog sensor with a name that is more identifiable in the environment. For example, if the host is “syslogserver06.example.com” but that server resides in the research area of the environment, overriding its name to “research_syslog” may be preferred.

The sensor name can be set by the source of the log, the configured sensor name of the client or syslog source, or the plugin that normalizes the log. If this option is enabled, the sensor name will always be that of the configured client or syslog source name. When creating new sensor names, both the “Sensor Name” and “IP Address” fields must be populated. After that is complete, select “Add Syslog Sensor Name” to confirm the changes.

Sensor Name: Sensor name to be used within the SecurityCenter logs.

IP Address: The IP address of the configured client or syslog source.

Clients

This section of the Advanced Configuration is used to further define how clients are able to connect to the LCE, and how they are named when viewed in the “Event” section of SecurityCenter.
The configurations are “Public Server Address”, “Auto Authorize Clients”, “Use Client Network Address”, and “Override Sensor Name”, described below.

Public Server Address: If the server runs behind a device performing Network Address Translation (NAT), and the LCE clients that it manages are on the public side of the device, the Public Server Address field must be populated with the NAT address so that the managed clients can connect to it. The LCE Client Manager will use, in order of preference: the Public Server Address setting, the Server Address setting, or the first IP that it finds LCE using that is not 127.0.0.1. When this setting is used, all managed clients on either side of the NAT device must use this defined address to connect.

Auto Authorize Clients: LCE Clients version 4 and greater must be authorized by the LCE administrator to send data after the client attempts to connect to the LCE server. Enable this option to automate authorization for a specified number of minutes after LCE server startup or reconfiguration. This automatically authorizes clients that have never previously tried to connect to the LCE server for 10 minutes after startup.

Use Client Network Address: Override the private client IP in events with the NAT / public network peer IP.

Override Sensor Name: Prefer the configured name over the discovered name.

The “Client Assignment Rules” subsection allows specific policies to be applied to specific client ranges, along with the IP address and communications port used to communicate with the LCE server.
When a Client Assignment Rule is created, a “Policies” window is displayed to add the desired policies for the “Client Network” specified in the rule. Specific LCE policies can be defined for that “Client Network”. Policies are matched by OS type, and if there are multiple policies for a particular OS type, the first available policy for that type will be assigned. If no “Policies” match the OS found on the “Client Network”, the default policy for that OS will be used. The “Auto Auth” option can be deselected after all expected clients have been authorized by the LCE. After adding one or more policies to the “Policies” section, select “Update” at the bottom of the “Advanced Configuration” page to confirm the addition of those policies.

Client Network: The client network range in CIDR notation.

LCE IP:port: LCE server IP and port it listens on for incoming LCE client data. The default port is 31300.

Auto Authorize: Enables auto authorization of clients in the defined network range.

Policies: This section allows multiple policies to be specified. The exact name of the policy must be used. The policy must be OS specific, and if more than one OS is on the “Client Network”, a single policy for each OS type is suggested. If specific policies are not entered in this section, the default policy for the OS type of each client will be assigned. If multiple policies are listed in this section for the same OS type, the first policy that matches the client OS will be assigned.

User Tracking

LCE tracks network users on the basis of their usernames.
These options set restrictions on which usernames are considered valid. Any usernames failing to match the specified criteria are disregarded, and “invalid” is reported as the user for the associated log entries.

User Tracking Plugins: Only Plugin IDs in this list are used to apply user tracking. Other plugins will normalize usernames, but no tracking is performed based on the source and destination IP addresses. Only usernames normalized by these plugins are subject to the additional user tracking restrictions in this section. If a username is normalized by these plugins but does not meet the additional restrictions, it will not be associated with the log and will not be associated with subsequent logs from that IP address. Some IDs of plugins that can be used as “User Tracking Plugins” are listed below.

Example:
4770 tenable_pvs.prm
5450 mail_imaps.prm
1708 mail_wuimap.prm
7293 os_win2008_sec.prm
3260, 3262, 3294 os_win2k_sec.prm

LCE login-failure plugins do not normalize usernames, because those logs are not assured to provide a valid username and doing so would contaminate the username database. Additionally, it is advised never to add a login-failure plugin ID to the list of User Tracking Plugins. Doing so would invalidate user tracking for hosts that triggered the plugin.

Accept Letters: This option specifies whether alphabetic characters [a-zA-Z] are allowed when a plugin normalizes a username.

Accept Numbers: This option specifies whether numbers [0-9] are allowed when a plugin normalizes a username.
Valid Username Characters: Specifies which special characters are considered valid for usernames. By default, the following characters are considered valid:
- The “dash” character, as in “-”
- The “underscore” character, as in “_”
- The “dot” character, as in “.”
- The “at sign” character, as in “@”
For example, the following address would be considered valid under the default criteria: b.j-smith@a_b.com
Only the special characters that are specified with the Valid Username Characters setting are considered valid when a plugin normalizes a username. The semicolon character, “;”, is not permitted in this context.

Max Username Length: Specifies the maximum number of characters allowed in a username.

Untracked Usernames: The IPs for this list of users are not tracked. The usernames are normalized and will appear with their associated logs, but no alert is generated when the username switches from one IP to another. Some usernames to consider leaving untracked are listed below.

Example:
root
lce
admin
administrator
Administrator
SYSTEM
INTERACTIVE
NETWORKSERVICE
LOCALSERVICE
ANONYMOUSLOGON
Nobody
NTAUTHORITY
DIALUP
NETWORK
BATCH
NO_USER_NAME

Host Discovery and Vulnerabilities

This section defines the parameters used by LCE to gather vulnerability information from SecurityCenter, as described below.

Enable Host Discovery: This option enables or disables host discovery. When set to yes, new hosts on the network will be discovered and reported based on log data.

Report Frequency: The frequency, in minutes, at which the report file will be generated and updated on disk.
The default is 60 minutes.

Report Lifetime: The lifetime of a report in days. The report will be cleared after this amount of time. The default is 7 days.

Learning Period: This option determines how many days LCE observes hosts before an alert will be generated for a host that has not been seen. A setting of at least 1 or 2 days is recommended. After that, any host that was not discovered during the period will be alerted on as new. Without this setting, LCE would “discover” all of your hosts that are currently running and are not really “new”.

Reporter Port: The port used by SecurityCenter to retrieve host and vulnerability reports from LCE.

Reporter Username: The username used by both SecurityCenter and LCE to exchange vulnerability information.

Reporter Password: The password used by SecurityCenter and LCE to exchange vulnerability information.

Verify Reporter Password: This field is used for password verification.

Report SSL Key File: The LCE server reporter key filename, relative to /opt/lce/reporter/ssl/.

Report SSL CA File: The LCE server certificate authority filename, relative to /opt/lce/reporter/ssl/.

Report SSL Cert File: The LCE server certificate filename, relative to /opt/lce/reporter/ssl/.

Statistical Alerts

There are multiple statistical anomalies that can occur on a network. Some examples are Social Network, Login Failure, DNS, Virus, and Database anomalies. The LCE stats daemon can track these anomalies and provide feedback when a specific threshold is reached. Each statistical anomaly is triggered based on a number of standard deviations from the mean.
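As an added example (not Tenable's code), the threshold table that follows and the “Min Standard Deviation”, “Min Number of Standard Deviations” and “Min Statistical History” settings described after it, turned into a classification routine. How the stats daemon combines these settings is not documented on this page, so their order here and the default of 0.5 for “Min Standard Deviation” are assumptions; the sample history values are constructed.

```python
"""Added example, not Tenable's code: turn a daily event count into one of the four
statistical anomaly classes from the "Statistical Alerts" table.  The evaluation
order of the settings and the 0.5 default for min_std_dev are assumptions."""
import statistics

# (class label, inclusive lower bound, inclusive upper bound) as listed in the table
ANOMALY_CLASSES = (
    ("Minor", 1.0, 5.99),
    ("", 6.0, 9.99),          # plain "Anomaly": no qualifier in the event name
    ("Medium", 10.0, 99.99),
    ("Large", 100.0, 999999.99),
)


def classify_deviation(deviations):
    """Map |deviations from the mean| onto the table; None when outside every range."""
    for label, low, high in ANOMALY_CLASSES:
        if low <= deviations <= high:
            return label
    return None


def event_name(event_type, label):
    """Build the SecurityCenter event name, e.g. Statistics-Login_Minor_Anomaly,
    or Statistics-USB_Anomaly for the unqualified class."""
    return "Statistics-%s_%sAnomaly" % (event_type, label + "_" if label else "")


def evaluate(event_type, history, observed, min_std_dev=0.5, min_num_std_devs=5.0,
             min_history_days=7):
    """Return (event name, deviations) if `observed` should raise an alert, else None.

    history          -- per-day counts of this event type (one iteration per day)
    observed         -- today's count
    min_std_dev      -- "Min Standard Deviation"; the page gives no default, 0.5 assumed
    min_num_std_devs -- "Min Number of Standard Deviations"; 5.0 as stated on this page
    min_history_days -- "Min Statistical History"; 7 as suggested on this page
    """
    if len(history) < min_history_days:
        return None                      # not enough iterations yet: stay silent
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history)
    if stdev < min_std_dev:
        return None                      # too little variance to be significant
    # "more or less than" the mean: both directions count
    deviations = abs(observed - mean) / stdev
    if deviations < min_num_std_devs:
        return None                      # with 5.0 here, only 5.0-5.99 can still be "Minor"
    label = classify_deviation(deviations)
    if label is None:
        return None
    return event_name(event_type, label), deviations


# Constructed sample: a week of daily login-failure counts
LOGIN_HISTORY = [10, 12, 11, 9, 10, 11, 10]

if __name__ == "__main__":
    for today in (12, 16, 200):
        print(today, evaluate("Login", LOGIN_HISTORY, today))
```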
The table below shows the number of standard deviations that must occur before a statistical anomaly is triggered, along with an example event name as it would be seen in the “Events” section of SecurityCenter.

Type | Minimum number of standard deviations from the mean | Maximum number of standard deviations from the mean | Example
Minor Anomaly | 1.0 | 5.99 | Statistics-Login_Minor_Anomaly
Anomaly | 6.0 | 9.99 | Statistics-USB_Anomaly
Medium Anomaly | 10.0 | 99.99 | Statistics-SPAM_Medium_Anomaly
Large Anomaly | 100.00 | 999999.99 | Statistics-Intrusion_Large_Anomaly

Min Standard Deviation: This specifies the minimum standard deviation that must occur for an event before an alert will be generated for it. The higher this number, the more statistically significant a sequence of events needs to be before an alert is raised.

Min Number of Standard Deviations: If an event occurs more or less than 5.0 standard deviation units, an alert will be generated. Setting this value higher will cut down on any sequence of events that occur close to the standard deviation.

Min Statistical History: This specifies the number of iterations (days) per event that are required before alerts will be generated. If a large amount of LCE data is already present, set this number to a low value or even to zero. The stats daemon can be started to read in all or just part of the existing LCE data. If you have NO LCE data, leave this value around 7 so the stats daemon will not alert on anything until it has 7 days of event data.

Max Occurrence Frequency: If an event occurs more or less than 5.0 standard deviation units, an alert will be generated.
Setting this value higher will cut down on any sequence of events that occur close to the standard deviation.

Syslog Alerts: The statistics engine will send anomaly alerts to the syslog servers in this list. It is recommended to include 127.0.0.1 for the local LCE service.

Resource Usage and Performance

This section of the LCE “Advanced Configuration” is used to tune the performance of the LCE server.

Additional Query Memory: By default, 100 megabytes of memory is used for text queries. For systems with large amounts of available memory, the Additional Query Memory option can be used to allocate additional memory for the text string search functionality of the query daemon. This will improve response time during event analysis in SecurityCenter. The option can be specified in megabytes or gigabytes by selecting “M” or “G” from the “Additional Query Memory” drop-down menu.

Max TASL Memory Queue: To maximize performance on multi-processor and multi-core systems, correlated TASL events are processed in parallel with regular incoming events. Since some TASL scripts can run for an extended period of time, the primary event processor can potentially receive many TASL-triggering events while a TASL script is still being executed. In this case, the TASL job is stored in a queue for later processing. This option defines the maximum size of this queue. On systems with extremely large volumes of data, setting the maximum queue size higher results in increased performance. If a TASL script that can be sampled is triggered while the queue is full, its callback functions will not be executed.
Log-Processors: This option leverages multicore processors and determines how many threads will be dedicated to log processing. It is recommended that this setting be no higher than the number of CPU cores in the LCE host system. This is an upper limit, and should not be changed unless you have more than 8 total cores (e.g., a dual quad-core CPU system). For systems with hyper-threading technology, the value may be scaled accordingly.

Sampleable TASLs: Sampleable TASL scripts may be skipped to alleviate processor load when the TASL queue is full.

DNS Caching

When a log message is defined in a plugin, LCE provides the option to specify a hostname instead of an IP address for the srcip and dstip fields. In this case, LCE automatically attempts to resolve the provided hostname to an IP address using DNS. Since the same hostname is typically encountered multiple times, caching the results of lookups can greatly increase performance. These options configure DNS caching in LCE.

A particular hostname, or all domain names with a certain extension, can be excluded from caching using the “Always Resolve” section. In this case, the matching hosts are looked up at every occurrence. The “Always Resolve” section can be used to maintain a more extensive list of domains to exclude when DNS caching is utilized. The hosts contained in the “Always Resolve” section of DNS Caching are read when LCE starts up, but changes to the list can be made at any time. If changes are made to the section, the “Update” button at the bottom of the “Advanced Configuration” section of the LCE GUI will need to be selected.
Max Memory for DNS Cache: LCE will maintain a cache of hostname-to-IP address mappings rather than performing the lookup repeatedly, limited to this amount of memory [MB]. The “Max Memory for DNS Cache” option can hold up to 360K domain names.

DNS Cache Period: The “DNS Cache Period” option specifies the number of days to cache a hostname-to-IP mapping before updating the result with a new lookup. This value can be set between 1 and 30 days.

Always Resolve: If a host ends with an extension listed here, it will be resolved each time it is encountered rather than being cached. List each host or extension on a new line. The hosts in this list are read when LCE starts up, but changes to the list can be made at any time; after changing it, select the “Update” button at the bottom of the “Advanced Configuration” section of the LCE GUI.

Cache at Startup: Hosts listed in “Cache at Startup” are resolved at startup and cached immediately, to reduce runtime DNS resolutions and improve performance. The format for these entries is one hostname per line.

Data Forwarding

Sending Syslog Messages to Other Hosts

The LCE can be the focal point of your entire log aggregation strategy.
If a Storage Area Network, syslog server, or some other type of log aggregation solution is deployed in your network, the LCE can be configured to send a copy of any received message to one or more syslog servers. These messages include any message received from any client. To configure the LCE to forward these messages, go to the “Configuration” section of the LCE GUI. Then select “Advanced”, and in that section locate “Data Forwarding”. In the “Syslog Forwarding” section of “Data Forwarding”, simply enter a line for each syslog server. The actual syslog service is not used to forward the messages; all packet generation is handled by the lced process.

The format of each entry in the “Syslog Forwarding” section is IP:port,exclude-header, as shown below. The IP is the address of the syslog server to which the messages are sent. The port is the UDP port on which the receiving syslog server is listening. The exclude-header option determines whether the LCE appends a custom header indicating that the messages were sent from the LCE server. When omitted or set to “0”, the header is appended. When set to “1”, the header is not added and only the original log message is sent, without indication that it was forwarded from the LCE server. If “2” is used, the log will be sent in CEF format.

The following is an example of the “Syslog Forwarding” section that forwards messages to multiple syslog servers utilizing UDP. The first line forwards to UDP port 1234 and appends an LCE server header to each entry. The second forwards to UDP port 514, and an LCE server header is not appended to each entry. The third forwards to UDP port 514 and the log will be sent in CEF (Common Event Format) format.

The following is an example of the “TCP Syslog Forwarding” section that forwards messages to multiple syslog servers. The first line forwards to TCP port 601 and appends an LCE server header to each entry with an ASCII 10 (Line Feed) delimiter.
The second forwards to TCP port 601, and an LCE server header is not appended to each entry. The third forwards to TCP port 1234 and the log will be sent in CEF (Common Event Format) format.

LCE has the ability to forward logs in CEF format. Whether the log received by LCE is a log message from an LCE Client, a syslog server, an IDS, or any other compatible log source, LCE will convert the original log into CEF format. Shown below is a normal syslog message received by an LCE server, followed by the forwarded CEF formatted message.

Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; PWD=/home/rongula ; USER=foo ; COMMAND=/bin/bash

CEF:0|Tenable|LCE|4.4.0|1404|Unix-Successful_Sudo|5|dpt=0 dst=192.168.1.23 spt=0 src=172.26.20.66 duser=rongula proto=0 msg=Apr 16 11:05:52 jetjaguar sudo: rongula : TTY\=pts/0 ; PWD\=/home/rongula ; USER\=foo ; COMMAND\=/bin/bash

Syslog Compliant Messages

Logs forwarded by the LCE retain the original syslog alert level and facility, if one was present. If one was not present, the LCE assigns a log level of “auth.warning”. Typically, LCE clients do not send syslog compliant messages. If an LCE client were configured to monitor a log file that retained an original message’s syslog alert level and facility, then this would be retained if forwarded by the LCE. This allows a remote syslog server that is receiving events from the LCE to process the received messages and place them in specific files. Depending on the type of syslog server, it may be possible to place logs from a router into one file, operating system logs into another, and so on.
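The IP:port,exclude-header entry format, the CEF conversion shown above, and the “[matched] src -> dst :: original” header described under “Content of Forwarded syslog Messages” below, modelled in Python as an added example that is not Tenable's code. The CEF escaping rules (backslash and pipe in the header, backslash and “=” in extension values) are taken from the public CEF format rather than from this page, and all sample values are constructed from the page's own examples.

```python
"""Added example, not Tenable's code: a small model of the LCE "Syslog Forwarding"
entry format, the CEF conversion and the forwarded-message header described in
this section.  Sample values are constructed from the page's own examples."""
import re

# exclude-header values from the IP:port,exclude-header entry format
FORWARD_MODES = {0: "lce-header", 1: "raw", 2: "cef"}

_ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?:,([012]))?\s*$")


def parse_forwarding_entry(entry):
    """Parse one 'IP:port,exclude-header' line; exclude-header is optional (default 0)."""
    m = _ENTRY_RE.match(entry)
    if not m:
        raise ValueError("bad forwarding entry: %r" % entry)
    ip, port, mode = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    if not (0 < port < 65536 and all(int(o) < 256 for o in ip.split("."))):
        raise ValueError("bad address or port in forwarding entry: %r" % entry)
    return {"ip": ip, "port": port, "mode": FORWARD_MODES[mode]}


def _cef_header(value):
    # CEF header fields escape backslash and the pipe delimiter (public CEF rule)
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # CEF extension values escape backslash, '=' and line breaks; the page's
    # example shows TTY\=pts/0 inside msg= for exactly this reason
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


# extension keys in the order the page's example emits them
EXT_KEYS = ("dpt", "dst", "spt", "src", "duser", "proto", "msg")


def to_cef(event):
    """Render a normalized LCE event (dict) as a CEF:0 line like the one on this page."""
    header = "|".join(_cef_header(event[k]) for k in
                      ("vendor", "product", "version", "plugin_id", "name", "severity"))
    ext = " ".join("%s=%s" % (k, _cef_ext(event[k])) for k in EXT_KEYS)
    return "CEF:0|%s|%s" % (header, ext)


# The "[matched] src:port -> dst:port :: original" header LCE prepends when
# exclude-header is 0 (see "Content of Forwarded syslog Messages").
_LCE_HDR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) lce: \[(?P<match>[^\]]+)\] "
    r"(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+) :: (?P<original>.*)$")


def parse_forwarded(line):
    """Split the LCE header from the original message and recover facility/severity
    from the <PRI> value.  match is None when the line carries no LCE header
    (exclude-header=1)."""
    m = _LCE_HDR_RE.match(line)
    if not m:
        return {"match": None, "original": line}
    d = m.groupdict()
    pri = re.match(r"<(\d{1,3})>", d["original"])
    if pri and int(pri.group(1)) <= 191:
        d["facility"], d["severity"] = divmod(int(pri.group(1)), 8)   # <37> -> auth.notice
    else:
        d["facility"], d["severity"] = 4, 4   # no PRI: LCE assigns auth.warning
    return d


# Constructed sample input: the sudo log and the forwarded sshd line shown on this page
SAMPLE_LOG = ("Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; PWD=/home/rongula ; "
              "USER=foo ; COMMAND=/bin/bash")
SAMPLE_EVENT = {"vendor": "Tenable", "product": "LCE", "version": "4.4.0", "plugin_id": 1404,
                "name": "Unix-Successful_Sudo", "severity": 5, "dpt": 0, "dst": "192.168.1.23",
                "spt": 0, "src": "172.26.20.66", "duser": "rongula", "proto": 0, "msg": SAMPLE_LOG}
SAMPLE_FORWARDED = ("Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 172.20.1.1:0 :: "
                    "<37>sshd(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 "
                    "tty=NODEVssh ruser= rhost=172.20.1.1")

if __name__ == "__main__":
    for line in ("192.168.1.5:1234", "192.168.1.6:514,1", "192.168.1.7:514,2"):
        print(parse_forwarding_entry(line))
    print(to_cef(SAMPLE_EVENT))
    print(parse_forwarded(SAMPLE_FORWARDED))
```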
Content of Forwarded syslog Messages

When the LCE forwards a message, it also adds any matched information to the log file, as shown below, if configured to do so:

Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 172.20.1.1:0 :: <37>sshd(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.20.1.1

The “::” characters separate LCE’s heading from the original message. In this case, the message would also have been sent with a syslog facility/severity of <37>, since that was the facility of the original message. Additionally, notice that the LCE tagged the example event above with a not-matched keyword. This means that the LCE did not possess a .prm file to process the log. If it did, the matched event name would be present in the same location. If configured to strip the LCE headers from the forwarded syslog messages, only the original log message is sent to the remote syslog server.

TCP Syslog Server Reconnect Interval

The “TCP Syslog Server Reconnect Interval” sets the interval that the LCE will wait before making a reconnection attempt to a TCP syslog server that lost its connection.

Checksum Forwarding

When LCE rolls a silo, the checksum of the completed silo .ndb file will be forwarded to each syslog server IP in this list.

TCP Syslog

This list of decimal ASCII character codes [0-255] tells LCE how to delimit TCP syslogs. By default only the standard linefeed character (ASCII decimal 10) is recognized, but other products may use special characters.

Receiving Encrypted Syslog

Encrypted TCP Syslog

New in LCE 4.6 is the ability to receive encrypted syslog.
The configuration to enable this functionality is located in two places. The “Encrypted TCP Syslog Listen Port” can be found by selecting “Configuration” followed by “Basic”, and by default is configured to port 6514. To locate the “Encrypted TCP Syslog” section, select “Configuration” followed by “Advanced”, and scroll down until the “Encrypted TCP Syslog” section is displayed.

The “Encrypted TCP Syslog” functionality requires an rsyslog server configured to send encrypted syslog to the LCE server. A self-signed certificate can be used, but it is recommended to use a certificate signed by a trusted CA (Certificate Authority). The only configuration requirement in the “Encrypted TCP Syslog” section is the “Senders’ CA Cert. PEM-encoded Path”, and the suggested path is /opt/lce/credentials/syslog/<filename.pem>. A fingerprint can be generated and used for authentication if it is placed in the “Authorized Fingerprints” section of the “Encrypted TCP Syslog” configuration. It is also suggested to include the IP address or DNS name of authorized hosts that will be forwarding encrypted syslog in the “Authorized Hosts” section of “Encrypted TCP Syslog”. An example configuration is shown below:

Senders’ CA Cert PEM-encoded Path: Path of the encrypted syslog senders’ CA cert, PEM-encoded, for validating encrypted syslog senders. If this option is used, neither an “Authorized Fingerprint” nor an “Authorized Host” is required for the “TCP Encrypted Syslog” configuration.

Authorized Fingerprints: Fingerprints (SHA-1 hashes of DER-encoded certificates, per RFC 4572) of hosts authorized to send encrypted syslog.
The length of each fingerprint will be 65 characters. This option can be used alone or in conjunction with “Authorized Hosts” to enable the receipt of “TCP Encrypted Syslog”. Using an “Authorized Fingerprint” only verifies the certificate’s fingerprint against the configured value. It does not check whether the certificate is revoked or expired, and it does not require the X509v3 extension.

Authorized Hosts: DNS names or IPs of hosts authorized to send encrypted syslog to the LCE server. This option can be used alone or in conjunction with “Authorized Fingerprints” to enable the receipt of “TCP Encrypted Syslog”. This option is only required if the X509v3 Subject Alternative Name is present in the certificate.

Example Encrypted TCP Syslog Configuration

How “Encrypted TCP Syslog” is configured depends on the implementation of the rsyslog server that is forwarding the logs to LCE. For this example, certificates generated by the “openssl-utils.sh” script contained in the /opt/lce/tools directory will be used. The certificates generated by the “openssl-utils.sh” script are X509v3 certificates that require the FQDN (Fully Qualified Domain Name) of each host. The OS used for this example is CentOS 6 64-bit. Configuring encrypted TCP syslog includes the following steps:

1. Generate credentials using /opt/lce/tools/openssl-utils.sh.
2. Copy credentials to /opt/lce/credentials/syslog, and to a directory on the remote rsyslog server.
3. Set file permissions on the certificates.
4. Edit rsyslog.conf, and restart the rsyslog service.
5. Configure the “Encrypted TCP Syslog” settings in the LCE GUI under “Configuration” -> “Advanced”, and update the configuration.

Step 1

Generate CA credentials.

# ./openssl-utils.sh --generate-CA-creds 'C=US,st=MD,CN=lce01.example.com' /tmp/foo-creds/ca/

Generate the certificates for the rsyslog server.

# ./openssl-utils.sh --generate-creds devsyslog1.example.com 192.168.1.157 'C=US,st=MD,CN=syslog1.example.com' /tmp/foo-creds/client// /tmp/foo-creds/ca/

Generating a client certificate to revoke, followed by the creation of the certificate revocation list, is optional.

Generate a client certificate to revoke. This is done to create a certificate revocation list.

# ./openssl-utils.sh --generate-creds revoke.example.com 192.168.1.47 'C=US,st=MD,CN=revoke.example.com' /tmp/foo-creds/revoked// /tmp/foo-creds/ca/

Generate the certificate revocation list.

# ./openssl-utils.sh --revoke /tmp/foo-creds/revoked/cert.pem /tmp/foo-creds/ca/ /tmp/foo-creds/crl.pem

Step 2

Copy the CA’s cert.pem certificate to the /opt/lce/credentials/syslog directory on your LCE server. The certificate will need to be renamed to rsyslog-ca.pem so it does not overwrite the LCE cert.pem file that already exists in the same location. Make sure when copying the files to the /opt/lce/credentials directory that you do not overwrite the SSL certificates that were generated at the time of installation. A list of those certificates is shown below:

ca-cert.pem
ca-privkey.pem
cert.pem
privkey.pem
sorted-cert-chain.pem

[root@test01 ca]# cp /tmp/foo-creds/ca/cert.pem /opt/lce/credentials/syslog/rsyslog-ca.pem
Copy the certificate revocation list (crl.pem) to the /opt/lce/credentials/syslog directory on your LCE server.

[root@test01 ca]# cp /tmp/foo-creds/crl.pem /opt/lce/credentials/syslog/crl.pem

Copy these certificates to a directory on the server running rsyslog. For this example they will be placed in the /root/self-signed directory of the rsyslog server.

/tmp/foo-creds/client/privkey.pem
/tmp/foo-creds/client/cert.pem
/tmp/foo-creds/ca/cert.pem

Notice that two of these certificates have the same name. It is suggested that the certificate from the “/tmp/foo-creds/ca/” folder be renamed to rsyslog-ca.pem.

Step 3

Verify the file permissions and ownership on the certificates that were moved to /opt/lce/credentials/syslog. Each file should be readable only by user and group, and should be owned by lce. Use the following commands to change ownership and permissions.

# chmod 440 crl.pem
# chown lce:lce crl.pem
# chmod 440 rsyslog-ca.pem
# chown lce:lce rsyslog-ca.pem

The files moved to the rsyslog server should have the same file permissions, but should be owned by the root user.

# chmod 440 rsyslog-ca.pem
# chmod 440 privkey.pem
# chmod 440 cert.pem

Step 4

Use your preferred text editor to add the following lines to the rsyslog server configuration (rsyslog.conf) file if they are not already present.

#$MainMsgQueueType Direct
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionSendStreamDriverAuthMode x509/certvalid
# rsyslog v5 configuration file
# certificate files - just CA for a client
$DefaultNetstreamDriverKeyFile /root/self-signed/privkey.pem
$DefaultNetstreamDriverCertFile /root/self-signed/cert.pem
$DefaultNetstreamDriverCAFile /root/self-signed/rsyslog-ca.pem
Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. 39 # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional *.* @@lce01.example.com:6514 Restart the rsyslog service. # service rsyslog restart The following items will need to be included in the LCE GUI configuration of “Encrypted TCP Syslog. The path for the Senders’ CA Cert, PEM-encoded Path will need to be given, which would be /opt/lce/credentials/syslog/rsyslog-ca.pem. The certificates were generated using X509v3 extensions, which means the FQDN (Fully Qualified Domain Name) will need to be entered into “Authorized Hosts”. After the information has been entered scroll to the bottom of the page, and select “Update”. Correlation LCE normally matches the vulnerability port with the port given in the normalized event to correlate an event with vulnerability. If this option is disabled, LCE will ignore this requirement if the vulnerability port is 0, 22, or 445. TASL and Plugins Excluding TASL Files TASLs may be disabled selectively by adding the TASL script file name (e.g., program_accounting.tasl) to the “Disabled TASL Scripts” section. This option is located under the “TASL and Plugins” portion of the “Advanced” section of the LCE GUI. This is useful for cases where a particular TASL script is not needed by an organization or where the TASL might be causing performance issues and needs to be disabled either temporarily or permanently. Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. 
Any disabled TASL, if removed from the “Disabled TASL Scripts” section, is re-enabled.

Excluding PRM Files

In some cases, a user may wish to allow global updates of PRM files but exclude specific ones from being run. This is done with the “Disabled PRM Scripts” section of the LCE GUI: the PRM files to be updated but not loaded are listed there, one per line. If there is a need to customize a plugin, rename the original file before making modifications and then add the name of the original plugin to the “Disabled PRM Scripts” section. If an existing PRM file is modified and not renamed, it will be overwritten on the next PRM update. If the original is not disabled and the Multiple Matches option is not enabled, only one of the two PRM files will match. This option is located under the “TASL and Plugins” portion of the “Advanced” section of the LCE GUI.

TASL Parameters

Advanced TASL parameters can be entered here.

Event Rules

This section is used to configure the active response operations used by the LCE daemon. LCE rules analyze LCE event content and fire if preset conditions are met. Active responses include sending automatic emails (msmtp, sendmail), syslog alerts (syslog, cef), or running custom commands on the LCE system.

Email Syntax

Command: echo "body: $log" | sendmail rgula@example.com "subject: $name"

Command: echo "This is a test message." | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf bob@example.com

Syslog Syntax

The following syslog line forwards any log that triggered the rule to the remote syslog server 10.10.10.10, port 514, with the default priority of 36 (severity=4, facility=4):

syslog: 10.10.10.10 "Possible password guessing evidence: $log"

The following syslog line forwards any log that triggered the rule to two remote syslog servers, 10.10.10.9 and 10.10.10.10, on port 515, with the specified priority of 116 (severity=4, facility=14):

syslog: 10.10.10.9, 10.10.10.10 "Your message goes here: $log" -priority 116 -port 515

The priority value is the standard syslog PRI, facility * 8 + severity, so 4 * 8 + 4 = 36 and 14 * 8 + 4 = 116.

Custom Command Syntax

Command: /path/to/scripts/my_custom_firewall_reconfig_command.sh -block $sip

LCE Rule Filters

The following fields are optional filters. A plus sign signifies that events matching the specified values receive rule application, while a minus sign signifies that matching events do not. If no “+” filter is used for a field, all events match that field by default unless excluded specifically with the “-” filter. Multiple values can be specified for any filter. Do not precede LCE rule options with spaces: an option with a space at the beginning of its line is ignored.

Option - Description

IPS - Filters on IP addresses that are or are not present as either source or destination. The following five formats are supported for both +IPS and -IPS:
172.16.1.1/255.255.255.0
172.16.1.1/32
172.16.1.1-255
172.16.1.1-172.16.1.255
172.16.1.1

SrcIPS - Filters on source IP addresses that are or are not present. The same five formats are supported for both +SrcIPS and -SrcIPS.

DstIPS - Filters on destination IP addresses that are or are not present. The same five formats are supported for both +DstIPS and -DstIPS.

Events - Considers both the primary and secondary event names. The “Events” field allows spaces in event names (because Nessus IDS signatures contain spaces), so events must be separated by commas only, not spaces. Spaces, commas or both may be used to separate entries in the other fields.

Sensors - Sensor that detected the LCE event.

Types - LCE event type.

Ports - Source or destination port within the LCE event.

Protocols - Specified as TCP, UDP, ICMP or a protocol number.

Users - Username associated with the event.

Text - Filters on any text token in the log that is or is not present (tokens can include spaces and punctuation but not commas) using +Text or -Text.

IText - The same filter as Text, but the token is matched case-insensitively; +IText or -IText must be used.

Vulnerable - “yes” or “no”.

Ignore - Single keyword that causes all events matching the rule's filters to be ignored by LCE. If an event is ignored in this manner, no LCE database entry is written for it, no other matching rules fire, and no TASLs filtering on the event are executed.

RateLimit - A string giving the maximum number of event responses allowed per time period. When the quantity of incoming matching logs exceeds this constraint, the remaining logs are queued or ignored. The string follows the format: (integer) per [second, minute, hour, day, week, month, year]

Command - Runs the given command at the command line as user “lce” (e.g., echo "log matched" >> /opt/lce/my_log_file.log). See the /opt/lce/tools/ directory for a tool supplied with LCE for emailing logs.
When using “Command:” to run a command, you may insert all or portions of the log into your command using the replacement macros listed under LCE Shell Command Options. The following example emails the original log text and the source IP:port and destination IP:port for network or connection type logs:

Name: Example command
+Types: network,connection
Command: printf "To:auser@example.com \nFrom:buser@example.com \nSubject: Network Connection\n\n LOG MATCHED RULE $sip:$sport -> $dip:$dport $log .\n" | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf auser@example.com

MaxQueue - The maximum number of matching events to queue; events arriving while the queue is full are ignored.

Threshold - A string giving the minimum number of matching events that must occur in a given time period before event responses are generated. The string follows the format: (integer) in a [second, minute, hour, day, week, month, year]

Log Forwarding

Logs that trigger a rule can be forwarded in syslog or Common Event Format (CEF). The CEF log format is predetermined and forwarded in a fixed format. The syslog option can be given a priority and port, but neither is required. The syslog option can also contain LCE shell command macros, which are explained in detail in the LCE Shell Command Options section. An example of each is shown below.

For CEF forwarding:

cef: 192.168.1.4

For syslog forwarding:

syslog: 192.168.1.4 "Possible password guessing evidence: $log" -priority 36 -port 514

Additional information and examples are available in Appendix 2: Event Rules Tables.
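The filter, macro and forwarding semantics described above are easy to misread, so here is a small Python model of them written for this page. It is an added example, not LCE code, and does not claim to reproduce lced's implementation in every corner. Assumptions of mine: an event is a dict keyed by the macro names (sip, dip, sport, dport, proto, vuln, sensor, event1, event2, type, time, user, log), a rule is parsed from the “Option: value” text shown on this page, and $name expands to the rule's Name, as the sendmail example implies. It implements the five IP formats, the +/- filter logic, the leading-space rule, the comma-only fields, the documented RateLimit format, $macro expansion, and the syslog action string with its -priority and -port defaults (PRI = facility * 8 + severity).

```python
"""Toy model of the LCE event-rule semantics documented above.  Added example, not
Tenable code.  Assumed: an event is a dict keyed by the guide's macro names (sip, dip,
sport, dport, proto, vuln, sensor, event1, event2, type, time, user, log) and $name
expands to the rule's Name: value."""
import ipaddress
import re

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                "week": 604800, "month": 2592000, "year": 31536000}

def parse_rule(text):
    """Parse 'Option: value' lines; a line starting with a space is ignored, as the guide warns."""
    rule = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        rule[key.strip()] = value.strip()
    return rule

def ip_predicate(spec):
    """One of the five documented IP formats -> predicate over an ip_address."""
    if "/" in spec:                       # a.b.c.d/255.255.255.0 or a.b.c.d/32
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ip in net
    if "-" in spec:                       # a.b.c.d-255 or a.b.c.d-a.b.c.e
        lo, hi = spec.split("-", 1)
        if "." not in hi:                 # short form gives only the last octet
            hi = lo.rsplit(".", 1)[0] + "." + hi
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        return lambda ip: lo <= ip <= hi
    one = ipaddress.ip_address(spec)      # a.b.c.d
    return lambda ip: ip == one

def split_values(field, raw):
    """Events/Text/IText values may contain spaces, so they split on commas only;
    every other field accepts commas, spaces or both."""
    parts = raw.split(",") if field in ("Events", "Text", "IText") else re.split(r"[,\s]+", raw)
    return [p.strip() for p in parts if p.strip()]

def value_matches(field, spec, ev):
    """Does one filter value hit the event attribute(s) that the field compares?"""
    attrs = {"IPS": [ev["sip"], ev["dip"]], "SrcIPS": [ev["sip"]], "DstIPS": [ev["dip"]],
             "Events": [ev["event1"], ev["event2"]], "Types": [ev["type"]],
             "Ports": [str(ev["sport"]), str(ev["dport"])], "Protocols": [ev["proto"]],
             "Users": [ev["user"]], "Sensors": [ev["sensor"]], "Vulnerable": [ev["vuln"]]}
    if field in ("IPS", "SrcIPS", "DstIPS"):
        hit = ip_predicate(spec)
        return any(hit(ipaddress.ip_address(a)) for a in attrs[field])
    if field == "Text":
        return spec in ev["log"]
    if field == "IText":
        return spec.lower() in ev["log"].lower()
    return spec in attrs[field]

def rule_matches(rule, ev):
    """+Field: must match at least one listed value; -Field: matching any listed value
    excludes the event; a field with no + filter matches anything not excluded."""
    for key, raw in rule.items():
        sign, field = key[:1], key[1:]
        if sign not in ("+", "-"):
            continue
        hits = [value_matches(field, v, ev) for v in split_values(field, raw)]
        if (sign == "+" and not any(hits)) or (sign == "-" and any(hits)):
            return False
    return True

def expand(template, ev, rule_name):
    """Substitute $macros into a Command: or syslog: string.  Raw text goes in
    unquoted, which is why $log needs care when it reaches a shell command line."""
    def sub(m):
        k = m.group(1)
        if k == "name":
            return rule_name
        return str(ev[k]) if k in ev else m.group(0)
    return re.sub(r"\$(\w+)", sub, template)

def render_syslog(action, ev, rule_name):
    """'syslog: h1, h2 "text $log" -priority 116 -port 515' -> [(host, port, msg)].
    The message is prefixed with the RFC 3164 PRI (facility * 8 + severity);
    defaults are the guide's: priority 36 and port 514."""
    body = re.sub(r"^\s*syslog:\s*", "", action)
    m = re.match(r'([^"]+?)\s*"([^"]*)"(.*)$', body)
    hosts = re.split(r"[,\s]+", m.group(1).strip())
    pri = re.search(r"-priority\s+(\d+)", m.group(3))
    port = re.search(r"-port\s+(\d+)", m.group(3))
    msg = "<%d>%s" % (int(pri.group(1)) if pri else 36, expand(m.group(2), ev, rule_name))
    return [(h, int(port.group(1)) if port else 514, msg) for h in hosts]

class RateLimiter:
    """'N per <unit>': at most N responses per window; further matches are dropped."""
    def __init__(self, spec):
        n, _, unit = spec.split()
        self.limit, self.window = int(n), UNIT_SECONDS[unit]
        self.start, self.count = None, 0
    def allow(self, now):                  # now: timestamp in seconds
        if self.start is None or now - self.start >= self.window:
            self.start, self.count = now, 0
        self.count += 1
        return self.count <= self.limit
```

Feed parse_rule() the rule text exactly as you would type it into the GUI; a filter line indented by accident disappears from the parsed rule, which is the failure mode the guide's warning about leading spaces describes. expand() deliberately does no quoting, so a constructed log containing a double quote or a backtick shows what the shell would receive from a Command: rule.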
LCE Shell Command Options

The following case-sensitive variables may be included in the shell command string. Any command using these variables must be enclosed in double quotation marks (""). The variables expand to the raw event text; $log in particular carries whatever the remote sender logged, so consider how the shell will treat characters such as quotes, backticks and $ in the expanded command before running a Command: rule against untrusted input.

Option - Description

$sip - Source IP of event
$dip - Destination IP of event
$sport - Source port of event
$dport - Destination port of event
$proto - Protocol of event, displayed as N/A, TCP, UDP, ICMP, or a number for other protocols
$vuln - “no” if the event was not correlated with a vulnerability, “yes” otherwise
$sensor - Name of sensor generating the event
$event1 - Primary event name
$event2 - Secondary event name
$type - Type name of event
$time - Time event was recorded at LCE (format: Mon MM, YYYY H:M:S)
$user - Username associated with the event
$log - Raw text of log
$queued_logs - All logs currently in the event rules queue. Use of this variable has the effect of emptying the rule's queue

Additional examples of event rules and their usage can be found in Appendix 2: Event Rules Tables.

Email/Alerting/Execution

LCE can be configured to interpret received log events based on log content and use configurable rules to generate active responses from the LCE server. These rules are configured in the LCE GUI in the “Event Rules” section and can perform three primary responses:

email alerting
syslog alerting
command execution

The LCE server generates email alerts using the settings in the msmtp.conf file, found in the /opt/lce/tools/ directory on the LCE server. This file must include your email server information for alerting to function correctly. A sample msmtp.conf file is shown in Appendix 1: Sample msmtp.conf File.

Examples of practical applications include configuring rules to rate limit certain types of log events, emailing administrators immediately when an attack is detected, and sending customized commands to a firewall when an inbound attack is detected and firewall reconfiguration needs to take place.

Various fields within the received log alert are automatically placed in variables that may be used as parameters within the active response. For example, consider the following “Event Rules” entry:

Name: DMZ Login
+IPS: 192.168.20.15,192.168.20.100,192.168.20.110-112
Event: SC4-Login
Command: echo "body: $log" | sendmail rgula@example.com "subject: $name"
RateLimit: 5m

This rule takes LCE events labeled “SC4-Login” from or to the specified IP addresses and automatically generates an email alert to the specified administrator email address. In addition, a rate limit is applied so that only one email is sent every five minutes, to prevent the LCE server from overwhelming the email server. Configuration possibilities are limited only by the imagination of the LCE server administrator.

Debugging

Debug Mode

Various types of debug parameters can be enabled in the LCE GUI. Information about plugins loaded, LCE client status, and operation can all be written to the current log file. The LCE GUI “Debugging” section can be used to log all remote client authentication attempts by enabling “Log Client Authorization”, which can be helpful when diagnosing remote agent problems.
One activity that can be logged is the “Log Silo Rollover”, which logs when a silo is rotated and indexed. Enabling these debug messages is a great way to learn how the LCE operates and to troubleshoot issues. However, they generate a lot of information and can create multi-gigabyte log files when left enabled. If the lced daemon terminates abnormally for any reason, the system automatically restarts the daemon and adds a warning to the LCE logs.

Storing All Logs with “save-all”

Many organizations have regulatory requirements to save all of their log data for a specified length of time. It may also be part of that requirement that the data not be manipulated, normalized, or otherwise processed, in case it must be used in a legal proceeding; any exculpatory evidence in the original logs must not be missing either. The LCE's method of storing data in silos for high-speed normalization and analysis by many different administrators is not the best place to keep one central log file. The LCE therefore has a means to save every message, even ones that do not match any plugin, to a central log file.

This log file is enabled by adding its full path under “Save All Logs File” in the “Debugging” section of the Advanced menu in the LCE GUI. The default location of the “Save All Logs File” in previous versions of LCE was /opt/lce/db/lce.log, in the same directory as the silos, but it can be changed to any location that has adequate disk space. In new installations, the path and filename must be specified.
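LCE never rotates this file itself, so rotation has to be scheduled with logrotate. The following stanza is an added example, not from the guide; /data/lce/save-all.log is an assumed path on a separate filesystem and must be replaced with the value entered under “Save All Logs File”. copytruncate is chosen because the guide does not say whether lced reopens the file after a rename-based rotation; the trade-off is that lines written between the copy and the truncate are lost, which matters when the file is kept for a retention requirement, so measure that window against your own log rate before relying on it.

```conf
# Added example, not part of the LCE guide.
# /data/lce/save-all.log is an assumed path; use the path entered in the GUI.
/data/lce/save-all.log {
    daily
    # keep 90 rotated files; size this to the retention requirement
    rotate 90
    missingok
    notifempty
    compress
    # leave the newest rotated copy uncompressed for one cycle
    delaycompress
    # copy then truncate in place, since lced is not told to reopen the file
    copytruncate
    dateext
}
```

Run logrotate -d against the file to dry-run the stanza before installing it under /etc/logrotate.d.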
As the LCE daemon receives events through the API or from syslog, it saves each message into the file specified in the LCE GUI. This log file grows very large. Maintain rotation and compression of these logs with the logrotate program that is already installed on all Linux systems supported by the LCE.

Different File System

Since the file that stores all the logs grows to extremely large sizes when left enabled, it is highly recommended to place this file on a different physical file system. If the LCE server has two hard drives, consider creating physically separate partitions for the LCE silo data and the “save-all” file. If your network has a Storage Area Network (SAN), consider using it to store the “save-all” file. Often these storage devices can be mounted through a network file system (NFS) or Windows file share (SMB) resource. If you use a SAN, make sure the LCE server has write permission and that there is sufficient network bandwidth to send the data.

Multiple Plugin Matches per Log File “multiple-matches”

By default, the LCE daemon stops processing a log as soon as one plugin match has been made. This behavior can be overridden by selecting “Enable Multiple Matches” in the “Debugging” section of the “Advanced” menu in the LCE GUI. With this feature enabled, the LCE daemon attempts to exercise the entire plugin set across every log message. This is useful for extracting multiple forms of information out of a log. For example, there may be a plugin that looks for a generic user login failure and another that looks for a login failure for user “root”. Without the multiple matches option enabled, only one of the plugins matches, even though both are valid. Even more so than with normal LCE operation, be sure to remove unneeded plugin libraries when the multiple matches feature is enabled, otherwise the LCE's performance can be diminished.

Quick Example

Tenable implemented this feature for a customer who had a firewall log with NAT addresses. For each transaction, the firewall logged the external Internet address, the customer's Internet address and the internal RFC 1918 address. What they wanted was the ability to type in any of the IP addresses in question and produce a report of its history. For example, a student may receive 192.168.20.10 via DHCP inside a high school. The school's public IP address at the firewall may be 64.64.64.64 and the student may have been attacking a web site at 99.99.99.99. (These “public” addresses were chosen at random and are in no way intended to represent example organizations or potential targets; RFC 1918 addresses were deliberately not used as example external addresses.) A firewall log may carry all three IP addresses for any network browsing. Without “Enable Multiple Matches” selected, only one pair of IP addresses can be matched. With “Enable Multiple Matches” enabled, two plugins can process the same log and extract the specific IP addresses. The customer decided to log “external to public IP” and “public IP to internal IP” firewall events, generating two LCE events for each firewall log. When they added the DHCP logs, they were able to use the IP address of a potentially attacked target to get the actual internal IP address and MAC address. When someone outside their network contacted them and complained of a spammer, worm, or malicious activity, they were able to type in the IP address of the target, see which public IP address was in use at the time, and then see which internal IP addresses were related.

If any changes are made to the “Debugging” options below, select the “Update” button at the bottom of the “Advanced” page for the changes to take effect.

Option - Description

Write Unnormalized Logs - If enabled, LCE creates a file named notmatched.txt in the database directory and fills it with log events that have not matched any LCE plugin. This is an excellent way to analyze events that may be inadvertently ignored. The associated count, if non-zero, is the number of unnormalized logs to write to the rolling notmatched.txt file; in addition, there is a hardcoded limit of 2 GB for this file. This option is deprecated; users are encouraged to enable “Store Unnormalized Logs” instead.

Save All Logs File - Specifies a log file where all events (not just the ones matched by an LCE plugin) are stored. This log file does not rotate and must be managed by the logrotate process. Note that this requires significantly more disk space than keeping only the events that match plugin criteria. It is most useful in conjunction with logrotate and an external storage device. Deprecated; this should be enabled temporarily for debugging only, and is only useful if a text version of all incoming logs is desired.

Enable Multiple Matches - By default, LCE stops evaluating plugins when it encounters a match for a log. If this option is enabled, LCE evaluates all plugins for each log.

Log Client Event Packets - LCE server receives an event or event-related message from an LCE Client.
Log Client Authorization - LCE server receives a login, logout, version info, or related message from an LCE Client.
Log Server Client Tracking - LCE server connects, disconnects, updates status for, or performs related actions for an LCE Client.
Log Plugin Matches (successful) - LCE server successfully matches a log with a plugin match statement.
Log Plugin Matches (failed) - LCE server fails to match a log with a plugin match statement.
Log Plugin Matches (attempted) - LCE server attempts to match a log with a plugin match statement.
Log Plugin Construction - LCE server parses the plugins and constructs internal representations.
Log Plugin Match Organization - LCE server sorts and builds the plugin execution structure internally.
Log Silo Rollover - LCE server fills a silo and prepares to write to the subsequent silo.
Log Load Balanced Data - LCE server offloads an event to an Auxiliary LCE, or receives an event from the Primary LCE, in a load balancing configuration.
Log Load Balanced Status - LCE server receives a status heartbeat from an Auxiliary LCE, or sends a status heartbeat to the Primary LCE, in a load balancing configuration.
Log Load Balance Connections - LCE server connects to or disconnects from another LCE in a load balancing configuration.
Log High Availability - LCE server connects, disconnects, fails over, or performs a related action in high availability mode.
Log Reconfiguration - LCE server receives a configuration update from the web-based user interface.
Log User Tracking - LCE server processes an event with a normalized user name and performs a user tracking action.
SSH Keys

The SSH key section displays the SSH keys that have already been exchanged between SecurityCenter and the LCE server during the setup process performed on SecurityCenter. However, if there is a problem with the automatic SSH key exchange during setup, or if it is preferred to upload the key instead of performing the automatic exchange, SSH keys can be uploaded by selecting “Add New SSH Key”. In the “New SSH Key” window, paste the public key of the SecurityCenter server and provide a comment if desired; in the example, the username for the uploaded public key is included in the comment. When the SSH Key and Comment fields have been completed, select “Create SSH Key”. After the key has been created it is displayed under “SSH Key”. If the key needs to be removed, hovering over the key displays an “X” next to it; clicking the “X” opens a dialog box asking to confirm the deletion of the key.

Service Control

The “Control” section of “System Configuration” is used to verify the status of each LCE service. This section can also be used to start and stop each LCE-related service if needed.

Option - Description

All Processes - “Stop” or “Start” all LCE daemons
Log Engine - “Stop” or “Start” the LCE daemon
Query Interface - “Stop” or “Start” the LCE query daemon
Log Indexer - “Stop” or “Start” the LCE indexer daemon
Vulnerability Reporter - “Stop” or “Start” the LCE Vulnerability Reporter daemon
Statistics Engine - “Stop” or “Start” the Statistics daemon

Feed Settings

Feed Registration

The last section under “System Configuration” is “Feed Settings”, which contains the “Feed Registration” section where the activation code is entered and the license key file is uploaded. Once a new code and/or key is selected, click the “Update” button at the bottom of the page to apply the change(s).

Option - Description

Activation Code - The Activation Code is obtained from the Tenable Support Portal. If an updated code is required, enter it in the field and click the “Apply” button.

Plugin Update

Updating Plugins (PRM Files) and TASL Scripts

This section describes the method for updating LCE plugins (files with a .prm extension) and TASL scripts. Plugin updates occur over an HTTPS connection at a set “Plugin Update Interval”. The default update interval is 3 days, but it can be increased or reduced if required. The “Plugin Update” section of the LCE web interface, found in the “Configuration” section under “Feed Settings”, can be used to update all plugins along with the HTML client and LCE web server by simply selecting “Update Plugins”. The PRM files and TASL scripts are kept in the /opt/lce/daemons/plugins directory.
When “Update Plugins” is invoked, the files in the /opt/lce/daemons/plugins directory, which are the plugins and correlation scripts (TASLs), are archived to the /opt/lce/daemons/plugins_archive directory. The backups of the files in the TASL directory appear in plugins_archive as a file such as tasls.tar.gz, and the backups of the files in the plugins directory appear there as a file such as lce.tar.gz. The backup is only kept until the next plugin update, so copy it elsewhere before updating again if you may need to roll back.

Offline Updates

The “Offline Plugin Update” section can be found under “Configuration”, “Advanced”, and “Feed Settings” in the LCE GUI. It allows a tar file of the LCE plugins to be uploaded by browsing to the file and then selecting “Process Plugins”.

Option - Description

Offline Update File - Allows a user to upload a new set of plugins to the LCE. This option is only needed when an LCE server does not have internet access.
Process Update - Completes the update process using the plugins file that was uploaded.

Details on how an offline plugin update can be completed are located in the “Offline Plugin Update” section of Appendix 5.

Web Proxy

Option - Description

Proxy Address - The IP address of the proxy server to be used with LCE
Proxy Username - The username for the proxy, if it is required
Proxy Password - The password for the proxy, if it is required
Verify Proxy Password - The password entered again for verification
Custom Plugin Feed Host - If a custom plugin feed is used with the LCE server, that host information is entered here
Custom User Agent - Custom user agent string used during plugin update requests

LCE Health and Status

The LCE web interface includes “Health and Status” information. In the “Service Status” section, the “Service” name of each daemon is shown along with the “Status” of each daemon, when the daemon was “Last Started”, and the “Version” of the daemon. The “Plugins” section displays the “LCE Server Version”, “Web Server Version”, “HTML Client Version”, “Activation Status”, “Plugin Set”, “Plugin Set Loaded”, and the “Feed Expiration” information.

Correlation Statistics

In the “Statistics” section, the number of events is displayed by each “Source” of event data. The “LCE” source shows the number of internally generated events from the LCE being administered. The “TCP Syslog” and “UDP Syslog” sources display the number of events received on the configured TCP and UDP syslog listening ports. Likewise, the “Client” source is the total amount of event data produced by all LCE clients. The “IDS” source is the total amount of event data from all IDS sources. The “TASL” source is all the event data created by the LCE TASL scripts.
The “Source” data is displayed in “Average Events / Second”, and “Average Bytes / Second since the startup of the LCE server. The “Source” data also displays the “Total Events (today)” for the day, and the “Total Events (since startup)” is the total number of events since the LCE server daemon was last restarted. Runtime statistics pertaining to logging and correlation are collected including: Logs/bytes per second Number/percentage of logs matched/unmatched Number of events correlating with vulnerabilities Number/percentage of logs from clients, syslog, and IDS Number of TASL alerts generated Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. 55 This information is logged once per hour and is written both to the application log and to the normalized database under the event name “LCE-Server_Statistics” (type “lce”). Example Correlation Statistics Output found in the LCE admin logs (e.g., /opt/lce/admin/log/2014Jul.log): An average of 50 logs are being received each second. A total of 5,778 logs (521,046 bytes) have been received. 2,232 logs have been matched by plugins (38.63%). 3,546 logs did not match (61.37%). Log source breakdown: 5,774 from clients (99.93%), 2 via syslog (0.07%), 0 from IDS devices (0.00%). No log events have correlated with vulnerabilities. 2 TASL alerts have been generated. Example of Correlation Statistics found in the Health and Status section of the LCE GUI: In the “Data Sensors” section there is a drop-down to select the type of data sources to be displayed. The “Clients” option is selected by default, and each client that has sent events to LCE is displayed. The “Source” column will display the IP address of the client. 
The “Logs Today” column will show the total number of logs collected by that client in the current day. The “Client Type” column will display the type of client, and the “Last Timestamp” will show when the client last sent an event.

The second option under “Select Data Source” is “Syslog Sensors”, which will display all hosts that are forwarding syslog to the LCE server. The “Source” column displays the IP address of the syslog server, and the “Logs Today” column displays the total number of logs sent in the last day for each syslog server. The “Encrypted” column shows if the logs being forwarded are encrypted. The “Last Timestamp” shows the last time each syslog server sent logs to the LCE server.

The “Alerts” page is a simple way to see when a condition on the LCE server requires attention from the LCE administrator. It includes informational alerts, such as when a new LCE client requests authorization to send events to LCE. It also includes warnings, such as login failures to the LCE interface, or license expiration warnings. Finally, it includes error conditions that could prevent LCE from working properly.

Finally, the “Advanced” page displays information about the LCE database.
The “Current Silo” displays the current silo number and the total number of silos that are available. The “Current Silo Size” displays the amount of space that is used out of the configured silo size. The “Advanced” page also displays an estimate of how many days it will take to fill the current silo. On the “Advanced” page you will also find the amount of space that is currently being used by the database under “Active DB File System Usage”, and the total amount of space that is being used by the database under “Archive DB File System Usage”. The “Estimated Time to Fill Disk” is also displayed. The “Indexing DB Silo”, “Indexing Text DB silo”, and the “Indexing Log Store” are also included on the “Advanced” page.

The current silo number range starts at 0. If you have 103 total silos and see 102/103 silos, this indicates the last silo before rolling over and restarting at 0.

LCE Users

The LCE GUI can be accessed by two user types: “Administrator” and “Read Only”. An “Administrator” user has the ability to perform all administration of the LCE GUI. The “Read Only” user can only view the “Health and Status” section of the LCE GUI. A user’s privilege can be seen under “User Type”.
Add Users

To add a new user, log in to the LCE GUI as an “Administrator” user, and then select the “Users” section of the LCE GUI. Choose “+New User” to start the process to add a new user. The “New User” screen is shown below:

Enter a “Username”, “Password”, and then “Confirm Password”. Select the “Administrator” box if the user is to be an administrator, and select “Create User”. The maximum username length is 127 characters. The Administrator user “bsmith” that was added is shown in the LCE GUI below:

Edit Users

A user’s privileges and status can be edited by selecting the username to be edited. The “Edit User” window will open, and the user name will be shown in the window at the top. The user can have “Administrator” privileges added or removed. The user account can also be locked or unlocked. If a user has too many failed login attempts their account will be locked and may be unlocked using this setting. If the user is an “Administrator” they can be demoted to a “Read Only” user by deselecting “Administrator” before the account can be locked. After the desired changes are made, select “Update” to complete the edits to the user.

Remove Users

To remove a user, select the box beside the user to be deleted and choose “Actions” followed by “Delete Users”. The following window will be displayed to confirm the user deletion. Choose “Delete” to remove the user or “Cancel” to abort the process.
Managing Client Configuration Files

Starting with version 4.2 of the LCE clients, the client configuration files are managed centrally from the SecurityCenter 4.6 or LCE server using the /opt/lce/daemons/lce_client_manager command line utility. This allows a central server to manage the configuration files of all the deployed LCE clients that are configured for the server. For more information on this option, see the LCE Clients Guide available from http://support.tenable.com.

Upgrading LCE

The LCE is upgraded simply by using the “rpm” command with the “-U” switch to force an upgrade. The LCE stops and starts the service during the upgrade process, which makes a manual stop/start unnecessary. The suggested upgrade path to LCE 4.6 would be from an activated/licensed version of LCE 4.4.0 or 4.4.1. If an earlier version of LCE is upgraded, the LCE license will need to be reactivated. The LCE’s “Feed Expiration” and “Activation Status” can be located in the “Health and Status” section under the “Plugins” tab of the LCE.

    # rpm -Uvh lce-4.6.0-el6.x86_64.rpm
    Preparing...                ########################################### [100%]
       1:lce                    warning: /opt/lce/.ssh/authorized_keys created as /opt/lce/.ssh/authorized_keys.rpmnew
    ########################################### [100%]
    Moving deprecated file lce.conf to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file feed.cfg to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file rules.conf to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file excluded_domains.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file trusted_plugins.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file hostlist.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file untracked_usernames.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file disabled-tasls.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file disabled-prms.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file sampleable_tasls.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    Moving deprecated file syslog_sensors.txt to /opt/lce/tmp; OK to delete it once upgrade succeeds.
    The installation process is complete. Please refer to /var/log/lce_upgrade.log to review installation messages.
    To configure LCE, please direct your browser to:
    https://192.168.0.123:8836

After the upgrade, changes to the LCE configuration are made in the LCE GUI. To access the LCE GUI, navigate to the IP address or hostname of the LCE server over port 8836 (https://<ip address or hostname>:8836). The previous configuration files are stored in /opt/lce/tmp and may be deleted once the upgrade is determined to be successful.

LCE Command Line Operations

The version of the lced binary can be determined in two ways.
The version is displayed in the “Service Status” section of the LCE GUI, but it can also be found by running the lced binary with the -v option as shown below:

    # /opt/lce/daemons/lced -v
    Log Correlation Engine version 4.4
    #

Use the following command to see how the LCE is configured during Linux startup and shutdown (installation defaults are shown):

    # chkconfig --list lce
    lce    0:off   1:off   2:on    3:on    4:on    5:on    6:off
    #

To change how the LCE will behave during Linux startup and shutdown, use the following command:

    # chkconfig [--level <levels>] lce <on/off/reset>

Please refer to your own Red Hat Linux documentation on how to use chkconfig in conjunction with Linux run levels to configure the LCE startup and shutdown to your requirements.

In RHEL 7 / CentOS 7 the usage of chkconfig has been deprecated. To check the status of a service, systemctl is used. Each service related to the LCE server (lce_server, lce_query, lce_indexer, lce_report_proxy, stats, lce_www) can be checked individually using systemctl. An example of checking the status of an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:

    # systemctl status lce_www.service
    lce_www.service - SYSV: Starts and stops the LCE web server
       Loaded: loaded (/etc/rc.d/init.d/lce_www)
       Active: active (running) since Wed 2015-07-08 16:58:44 EDT; 25min ago
      Process: 12358 ExecStart=/etc/rc.d/init.d/lce_www start (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/lce_www.service
               └─12362 /opt/lce/daemons//lce_wwwd

    Jul 08 16:58:41 CentOS764 systemd[1]: Starting SYSV: Starts and stops the L.....
    Jul 08 16:58:44 CentOS764 lce_www[12358]: Starting LCE Web Server[  OK  ]
    Jul 08 16:58:44 CentOS764 systemd[1]: Started SYSV: Starts and stops the LC...r.
    Hint: Some lines were ellipsized, use -l to show in full.

Starting LCE

The RPM installation places an LCE start-up (/etc/rc.d) script in /etc/rc.d/init.d. Use the following command to start the LCE:

    # service lce start

If the lced daemon terminates abnormally for any reason, the system will automatically restart the daemon and add a warning to the LCE logs.

In RHEL 7 / CentOS 7 the usage of service has been deprecated. To start a service, systemctl is used. Each service related to the LCE server (lce_server, lce_query, lce_indexer, lce_report_proxy, stats, lce_www) can be started individually using systemctl. An example of starting an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:

    # systemctl start lce_www.service

Halting LCE

Similarly, the /etc/rc.d script can be used to halt the LCE and gracefully exit any log analysis or log writing it is performing. Use the following command to stop the LCE server:

    # service lce stop

An example of stopping an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:

    # systemctl stop lce_www.service

Restarting LCE

The /etc/rc.d script can be used to restart the LCE, gracefully exiting any log analysis or log writing it is performing and starting the LCE again. Use the following command to restart the LCE server:

    # service lce restart

An example of restarting an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:

    # systemctl restart lce_www.service

Determine LCE Status

The /etc/rc.d script can be used to determine the status of the LCE components and their PIDs. Use the following command to acquire the status of the LCE server processes:

    # service lce status

An example of checking the status of an LCE related service in RHEL 7 / CentOS 7 using systemctl is shown below:
    # systemctl status lce_www.service

Operating the stats Daemon

Although this document does not cover all aspects of the stats daemon, a separate RC script is included in the LCE RPM for starting and stopping the daemon. Use the following commands to stop, start, restart and verify the current status of the stats daemon:

    # service stats stop
    # service stats start
    # service stats restart
    # service stats status

In RHEL 7 / CentOS 7 the systemctl command can be used to control the stats daemon:

    # systemctl stop stats
    # systemctl start stats
    # systemctl restart stats
    # systemctl status stats

Stopping and Starting all Daemons in RHEL 7 / CentOS 7

The systemctl command can’t be used to stop and start all LCE daemons simultaneously. However, there are two scripts for RHEL 7 / CentOS 7 which can be used to either start or stop all LCE daemons. The scripts can be found in the /opt/lce/tools directory.

To stop all LCE related services in RHEL 7 / CentOS 7, use the stop_lce script:

    # /opt/lce/tools/stop_lce
    Stopping lce_server (via systemctl):         [  OK  ]
    Stopping lce_indexer (via systemctl):        [  OK  ]
    Stopping lce_query (via systemctl):          [  OK  ]
    Stopping lce_report_proxy (via systemctl):   [  OK  ]
    Stopping lce_www (via systemctl):            [  OK  ]

To start all LCE related services in RHEL 7 / CentOS 7, use the start_lce script:

    # /opt/lce/tools/start_lce
    Starting lce_server (via systemctl):         [  OK  ]
    Starting lce_indexer (via systemctl):        [  OK  ]
    Starting lce_query (via systemctl):          [  OK  ]
    Starting lce_report_proxy (via systemctl):   [  OK  ]
    Starting lce_www (via systemctl):            [  OK  ]

Additional Features

Importing LCE Data Manually

LCE data can be collected both via real-time logging and manually in batch mode using the “import_logs” tool. These events will show up in the normalized event view along with events collected in real-time. This command-line tool allows data to be imported into the LCE that may not be available in real-time, but is still important for correlation of vulnerability data and for analysis of security posture and events.

Usage:

    # /opt/lce/tools/import_logs <list of log files and directories to import> [-d, --disable-rules] [-a, --approximate-timestamps] [-c, --current-time] [-o, --output-prefix <prefix>]

Each item in the <list of log files and directories to import> is a file name or directory name. A directory name may or may not end with a slash. For example:

    # /opt/lce/tools/import_logs /directory1 file1 file2 /directory2/

Directory imports are non-recursive.

The following options are available for import_logs:

-d, --disable-rules: Do not apply LCE event rules to imported logs.
-a, --approximate-timestamps: If no timestamp can be determined for an event, assign the most recent known timestamp.
-c, --current-time: Use the current system time for all imported logs rather than the timestamps contained within the event text.
-o, --output-prefix <prefix>: Use the specified prefix when naming newly generated silos. For example, the “-o Snort” option will generate silos with names like SnortJun142009Aug242009.db.gz. The default prefix is “lce”. This option can aid in the process of searching for logs created by a particular import instance.
The log importer tool logs its actions to /opt/lce/admin/log/importer, and archives within this directory can be checked in the event that an import does not execute as expected.

The log import tool only supports importing logs into an archived silo.

User Tracking

The LCE server has a feature that is designed to track users. User tracking can be applied to any event coming into the LCE server, regardless of the source of the event. Events correlated from Windows, Linux, Unix, or other network devices can be monitored.

When LCE encounters a log that has no username field, it will assign the username of the user most recently associated with the source IP of the incoming log, or associated with the destination IP of the log if a destination IP (dstip) is provided but a source IP (srcip) is not. If no user was previously tracked at either of the IPs, or if no IP is provided, an “(unknown)” entry is assigned.

When a user changes IP addresses (i.e., an LCE receives a log where the user’s srcip differs from the srcip in the previous log tagged with the username), the new IP address is also associated with the user. The last three IP addresses per user are stored for the user, allowing for cases where a single user logs into multiple systems at the same time. For example, the following event shows a user becoming active at a new IP address:

    Network user IP address change: user someguy94 became active at 169.254.96.232 with event login (169.254.96.232:0)

The data used to track usernames is stored in the files usernames.txt, ip_user.dat, and user_ip.dat in the LCE database directory. The .dat files are written when the LCE service is shut down gracefully. In case of a server crash, the data is automatically backed up every 10 minutes.

A maximum of 65,534 unique usernames can be stored. If the maximum is reached, incoming logs with new users will have the user fields marked with the “(unknown)” entry.

User tracking in LCE will function if the following conditions are met:

- The LCE server has plugins that can match the events and pull usernames from the events. For example, plugin 3209 in os_win2k_sec.prm has the following line:

    log=event:Windows-Account_Used_For_Login sensor:$1 dstip:$2 user:$3 type:login event2:WindowsEvent-680

  The “user:$3” directive tells the plugin to add the username to the available event searchable fields. As a result, searches that query this event based on the username will return results.

- The plugin IDs have been added to the “User Tracking Plugins” in the “User Tracking” section in the configuration section of the LCE GUI (one plugin ID per line). A list of the plugins provided by Tenable that include user information is found at the end of /opt/lce/daemons/plugins/prm_map.prm.

- The user tracking settings have been properly configured in the LCE GUI under “User Tracking”. Please refer to the Advanced Configuration Options section of this document for a description of the following applicable keywords:
  - accept-letters
  - accept-numbers
  - additional-valid-characters
  - max-username-characters

If these conditions are not met, usernames may still be stored in normalized events; however, they cannot be searched using the event filter “username” parameter.
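As an added example (not Tenable’s code), the following Python model applies the user-tracking rules above to constructed events so the srcip/dstip inheritance, the three-IP history and the 65,534-user limit can be exercised; the reading of the accept-letters, accept-numbers, additional-valid-characters and max-username-characters keywords, and their default values, are assumptions.

```python
# Added example (not Tenable's code): a model of the LCE user-tracking rules.
# Event dicts use the guide's field names (srcip, dstip, user, event).
from collections import deque

UNKNOWN = "(unknown)"
MAX_USERNAMES = 65534      # limit stated in the guide
IPS_PER_USER = 3           # "last three IP addresses per user"


def valid_username(name, accept_letters=True, accept_numbers=True,
                   additional_valid_characters="", max_username_characters=127):
    """Assumed reading of the User Tracking keywords: every character must be a
    letter (if accepted), a digit (if accepted) or one of the extra characters,
    and the name may not exceed the configured length (defaults are assumed)."""
    if not name or len(name) > max_username_characters:
        return False
    for ch in name:
        if ch.isalpha() and accept_letters:
            continue
        if ch.isdigit() and accept_numbers:
            continue
        if ch in additional_valid_characters:
            continue
        return False
    return True


class UserTracker:
    def __init__(self, max_usernames=MAX_USERNAMES, **validation):
        self.max_usernames = max_usernames
        self.validation = validation
        self.ip_user = {}    # ip -> user most recently seen there (ip_user.dat)
        self.user_ip = {}    # user -> last three IPs (user_ip.dat)
        self.alerts = []     # "Network user IP address change" messages

    def track(self, event):
        """Return the username the event is tagged with after tracking."""
        user = event.get("user")
        srcip, dstip = event.get("srcip"), event.get("dstip")
        if user is None:
            # No username field: inherit from srcip, or from dstip only when
            # no srcip is present at all. Untracked IPs give "(unknown)".
            if srcip is not None:
                return self.ip_user.get(srcip, UNKNOWN)
            if dstip is not None:
                return self.ip_user.get(dstip, UNKNOWN)
            return UNKNOWN
        if not valid_username(user, **self.validation):
            return UNKNOWN
        if user not in self.user_ip:
            if len(self.user_ip) >= self.max_usernames:
                return UNKNOWN   # username table is full: new users are not tracked
            self.user_ip[user] = deque(maxlen=IPS_PER_USER)
        if srcip is not None:
            ips = self.user_ip[user]
            if not ips or ips[-1] != srcip:
                # srcip differs from the previous log tagged with this user:
                # record the move, keeping the three most recent distinct
                # addresses (that "distinct" is an assumption of this model).
                if srcip in ips:
                    ips.remove(srcip)
                ips.append(srcip)
                self.alerts.append(
                    "Network user IP address change: user %s became active at %s "
                    "with event %s (%s:0)"
                    % (user, srcip, event.get("event", "unknown"), srcip))
            self.ip_user[srcip] = user
        return user


if __name__ == "__main__":
    tracker = UserTracker()
    # Constructed events, in the order the server would receive them.
    for ev in [{"srcip": "169.254.96.232", "user": "someguy94", "event": "login"},
               {"srcip": "169.254.96.232", "event": "process"},
               {"dstip": "169.254.96.232", "event": "ssh"},
               {"srcip": "10.1.1.1", "dstip": "169.254.96.232", "event": "ssh"}]:
        print(ev, "->", tracker.track(ev))
    for line in tracker.alerts:
        print(line)
```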
Another way to search for usernames in logs is through the raw log search feature of SecurityCenter described below.

Working with SecurityCenter

Adding the LCE to SecurityCenter

To add your LCE server to SecurityCenter, log into SecurityCenter as the admin user and click on “Resources” and then “Log Correlation Engines”. A screen similar to the one below is displayed with the currently available LCE servers.

The “Add” button displays a dialog box with the following fields:

Name: The unique name that this LCE server will be known as.
Description: Descriptive text for the LCE server.
Host: The IP address of the LCE server. When the SecurityCenter resides on the same host as the LCE server, it is recommended to use the localhost IP address of 127.0.0.1.
Organizations: Select the customer that this LCE is assigned to from the drop-down menu.
Event Vulnerability Data / Import Vulnerabilities: Selecting this box will allow you to configure your LCE to use event data to detect vulnerabilities.
Repositories: This will allow you to select which repository you would like to keep the vulnerability data collected from LCE events in.
Event Vulnerability Host Port: This allows you to configure the port used for communication between SecurityCenter and LCE. The default port is 1243. In the LCE GUI this is known as the “Reporter Port”.
Username: This is the “Reporter Username” that was set in the LCE GUI under the “Configuration”, “Advanced”, “Host Discovery and Vulnerabilities” section.
Password: This is known as the “Reporter Password”, which is found in the “Configuration”, “Advanced”, “Host Discovery and Vulnerabilities” section.

An example of this screen is shown below:

After clicking on “Submit”, the LCE admin credentials (“root” user or equivalent) are requested to establish an authenticated session between SecurityCenter and the LCE. After the LCE server is successfully added, highlight the new LCE server to display options pertinent to that server.

If you are using DNS in your environment, make sure it is configured for reverse DNS resolution to facilitate query speeds. If you are not using DNS, modify the /etc/hosts file to include your SecurityCenter IP address and hostname. For example:

    192.168.1.22 SecurityCenter4.example.com SecurityCenter4

More information about SecurityCenter configuration options is available through the “SecurityCenter Administration Guide” available on the Tenable Support Portal.

Configuring Organizations

As a SecurityCenter administrator, LCE servers can be associated with various organizations. Through the web interface, SecurityCenter can be configured such that users of specific organizations can make queries to each LCE server. This is documented in the SecurityCenter documentation.
Analyzing Security Events

A wide variety of LCE analysis and reporting tools are available to SecurityCenter users. These users can make use of any LCE event that intersects with their range of managed IP addresses. All analysis and reporting options are described in the “SecurityCenter 4 User Guide”.

Identifying Vulnerabilities

LCE can leverage log data to find vulnerabilities. The Tenable plugins that report this information will have the plugin ID range of 800,000 - 899,999. A sample screen capture of data that can be found is shown below:

You can filter for the vulnerabilities identified by LCE in SecurityCenter by using the “Filters” and selecting “Plugin ID”, then selecting “≥” and then entering “800000”. The filter setting is pictured below:

TASL Scripts

After PRM processing normalizes an event, the event is submitted to the LCE TASL engine for advanced processing by TASL scripts. TASL scripts are used for many types of detection events such as thresholds, successful attack detection, and alerting. By default, all TASL scripts are included on the LCE server; however, they can be disabled manually in the “TASL and Plugins” section of the LCE GUI described in detail earlier in this document. For more information regarding TASL scripts, review the LCE TASL Reference Guide.

Full Text Searches

Full text searches may be performed on the data stored within the attached LCE servers. When viewing the events page, the Search field will accept text strings as valid search criteria. Search terms are case insensitive, and Boolean searches may be utilized to further enhance search results. This enables searching the raw logs for details contained in the events.

The LCE text search feature is powerful but requires a bit of knowledge of the available operators as well as the underlying search engine. To summarize, we will explain what it means when we say that LCE can search for compound groups of full text tokens.

Tokens

What is a token? It’s a full word, 2 characters or more, separated by punctuation or whitespace and not including that punctuation or whitespace. It doesn’t include single-character strings, and it doesn’t include punctuation (like periods, hyphens, underscores, commas, apostrophes, etc.). LCE searches on full tokens, meaning that if you want to find “software” and “Microsoft” because you want to see your Windows software update logs, then you must search for “software AND Microsoft” rather than “soft”, which would be a common substring.

Operators

These are CASE SENSITIVE. If you do not capitalize the operator, it will be considered a search term. A search for “mike or miked” will actually yield “mike AND or AND miked”, which is probably undesirable.

1. AND  Finds logs containing both of the results.
2. OR   Finds logs containing either of the results.
3. NOT  Finds logs without the subsequent token.
4. XOR  Finds logs with exactly one but not both tokens.

These can be chained, as well.
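As an added example (not Tenable’s code, and not the LCE search engine itself), the following Python evaluator applies the token rules, the case-sensitive operators, the implicit AND between adjacent terms and parenthesized grouping to constructed log lines modelled on this guide’s examples, and renders the query LCE would actually run; operators of equal precedence are evaluated left to right, which is an assumption, since the guide does not state relative precedence.

```python
# Added example (not Tenable's code): evaluator for the LCE full-text query rules.
import re

OPERATORS = {"AND", "OR", "NOT", "XOR"}   # case-sensitive, as the guide states
_WORD = re.compile(r"[A-Za-z0-9]+")        # every punctuation mark is a delimiter


def tokenize(text):
    """Full tokens of a log line, lowercased; single-character fragments are dropped."""
    return {w.lower() for w in _WORD.findall(text) if len(w) >= 2}


def _lex(query):
    """Split a query into parentheses, operators and ("TERM", word) items."""
    items = []
    for m in re.finditer(r"[()]|[A-Za-z0-9]+", query):
        tok = m.group(0)
        if tok in "()" or tok in OPERATORS:
            items.append(tok)
        elif len(tok) >= 2:
            items.append(("TERM", tok))   # lowercase "or" lands here as a term
    return items


def parse(query):
    """Build a tree of ("TERM", w), ("GROUP", node) and (op, left, right) nodes."""
    items, pos = _lex(query), [0]

    def peek():
        return items[pos[0]] if pos[0] < len(items) else None

    def take():
        tok = peek()
        if tok is None:
            raise ValueError("query ends after an operator or '('")
        pos[0] += 1
        return tok

    def operand():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return ("GROUP", node)
        if isinstance(tok, tuple):
            return tok
        raise ValueError("unexpected %r" % (tok,))

    def expr():
        node = operand()
        while peek() not in (None, ")"):
            op = take() if peek() in OPERATORS else "AND"   # implicit AND
            node = (op, node, operand())
        return node

    tree = expr()
    if pos[0] != len(items):
        raise ValueError("unbalanced parentheses")
    return tree


def actual_query(query):
    """Render the query the way LCE runs it (the guide's 'Actual Query' column)."""
    def render(node):
        if node[0] == "TERM":
            return node[1]
        if node[0] == "GROUP":
            return "(" + render(node[1]) + ")"
        op, left, right = node
        return "%s %s %s" % (render(left), op, render(right))
    return render(parse(query))


def matches(tree, tokens):
    """Evaluate a parsed query against the token set of one log line."""
    if tree[0] == "TERM":
        return tree[1].lower() in tokens      # search terms are case-insensitive
    if tree[0] == "GROUP":
        return matches(tree[1], tokens)
    op, left, right = tree
    a, b = matches(left, tokens), matches(right, tokens)
    return {"AND": a and b, "OR": a or b, "XOR": a != b, "NOT": a and not b}[op]


def search(query, logs):
    """Return the log lines, in order, that satisfy the query."""
    tree = parse(query)
    return [line for line in logs if matches(tree, tokenize(line))]


# Constructed log lines modelled on the guide's examples table.
LOGS = [
    'LCE Client Heartbeat| 07/23/2014 00:25:00 AM Hostname: lce_demo IP: 192.168.1.106',
    'This linux host executed process "ls".',
    'This linux host executed nothing.',
    'This nix host did everything.',
    'This process did everything.',
    'The process did nothing.',
    'This linux host did nothing.',
    'This linux host IP is 172.26.20.66.',
    'This linux host IP is 172.26.20.100.',
    'This linux host IP is 66.20.172.26.',
    'This linux host IP is 172.26.20.100 and there are 66 users.',
]

if __name__ == "__main__":
    for q in ("Heartbeat", "linux process", "linux NOT process",
              "(linux OR nothing) AND process", "172.26.20.66", "mike or miked"):
        print("%-32s -> %s" % (q, actual_query(q)))
        for line in search(q, LOGS):
            print("    ", line)
```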
Grouping

Parentheses may be used to group conditionals together to show evaluation precedence, just as in mathematics. This is useful in compound conditionals. Without grouping, this query:

    text="blocked AND denied AND dropped OR firewall"

would return any log with just “firewall” in it, because that alone satisfies the entire query. In reality, we probably wanted the other terms in there, and we want something more like:

    text="blocked AND denied AND (dropped OR firewall)"

This requires that the log contains “blocked”, “denied”, and either “dropped” or “firewall”. Because it now places additional constraints on the other terms, we expect this query to return the same or fewer results.

Examples: Putting it All Together

Each example below gives the query string, the query LCE actually runs, what it means, example results, and example non-results with the reason they did not match.

Query String: text="Heartbeat"
Actual Query: text="Heartbeat"
What It Means: Show me logs with the term "Heartbeat"
Example Result: LCE Client Heartbeat| 07/23/2014 00:25:00 AM Hostname: lce_demo IP: 192.168.1.106 Revision: LCE Client 4.2.0 build 20131004
Example NonResult: Heart
Why It Didn't Match: does not contain the full term "Heartbeat" by itself, only as a substring

Query String: text="linux process"
Actual Query: text="linux AND process"
What It Means: Show me logs with the term "linux" and the term "process"
Example Result: This linux host executed process "ls".
Example NonResult: This linux host executed nothing.
Why It Didn't Match: missing "process"

Query String: text="linux NOT process"
Actual Query: text="linux NOT process"
What It Means: Show me logs with the term "linux" but NOT the term "process"
Example Result: This linux host executed nothing.
Example NonResult: This linux host executed process "ls".
Why It Didn't Match: contains "process"

Query String: text="linux OR nothing"
Actual Query: text="linux OR nothing"
What It Means: Show me logs with either the term "linux" or the term "nothing"
Example Result: This linux host executed process "ls". / This linux host executed nothing.
Example NonResult: This nix host did everything.
Why It Didn't Match: does not contain "linux" and does not contain "nothing"

Query String: text="(linux OR nothing) AND process"
Actual Query: text="(linux OR nothing) AND process"
What It Means: Show me logs that have the terms "linux" and "process", or "nothing" and "process"
Example Result: This linux host executed process "ls". / The process did nothing.
Example NonResult: This process did everything. / This linux host did nothing.
Why It Didn't Match: the first contains "process" but not "linux" and not "nothing"; the second contains "linux" and "nothing" but not "process"

Query String: text="172.26.20.66"
Actual Query: text="172 AND 26 AND 20 AND 66"
What It Means: Show me logs with 172 and 26 and 20 and 66. The punctuation in the query string is treated as a delimiter like whitespace and ignored, then the terms are AND'd together by default.
Example Result: This linux host IP is 172.26.20.66. / This linux host IP is 66.20.172.26. / This linux host IP is 172.26.20.100 and there are 66 users.
Example NonResult: This linux host IP is 172.26.20.100.
Why It Didn't Match: missing "66"

In general, if you have an IP in your log, it is more desirable to filter on it using the "ip=", "sourceip=", or "destinationip=" filters, all of which accept an IP (172.26.20.66) or IP/CIDR (172.26.20.0/24).

For More Information

Tenable has produced a variety of other documents detailing the LCE’s deployment, configuration, user operation, and overall testing. These documents are listed here:

- Log Correlation Engine Architecture Guide – provides a high-level view of LCE architecture and supported platforms/environments.
- Log Correlation Engine 4.6 Administrator and User Guide – describes installation, configuration, and operation of the LCE.
Log Correlation Engine 4.6 Quick Start Guide – provides basic instructions to quickly install and configure an LCE server. A more detailed description of configuration and management of an LCE server is provided in the "LCE Administration and User Guide" document.
Log Correlation Engine 4.4 Client Guide – how to configure, operate, and manage the various Linux, Unix, Windows, NetFlow, and other clients.
Log Correlation Engine 4.4 OPSEC Client Guide – how to configure, operate, and manage the OPSEC Client.
Log Correlation Engine 4.6 High Availability Large Scale Deployment Guide – details various configuration methods, architecture examples, and hardware specifications for performance and high availability of large scale deployments of Tenable's Log Correlation Engine (LCE).
Log Correlation Engine Best Practices – learn how to best leverage the Log Correlation Engine in your enterprise.
Tenable Event Correlation – outlines various methods of event correlation provided by Tenable products and describes the type of information leveraged by the correlation, and how this can be used to monitor security and compliance on enterprise networks.
Tenable Products Plugin Families – provides a description and summary of the plugin families for Nessus, Log Correlation Engine, and the Passive Vulnerability Scanner.
Log Correlation Engine Log Normalization Guide – explanation of the LCE's log parsing syntax with extensive examples of log parsing and manipulating the LCE's .prm libraries.
Log Correlation Engine TASL Reference Guide – explanation of the Tenable Application Scripting Language with extensive examples of a variety of correlation rules.
Log Correlation Engine 4.4 Statistics Daemon Guide – configuration, operation, and theory of the LCE's statistics daemon used to discover behavioral anomalies.
Example Custom LCE Log Parsing - Minecraft Server Logs – describes how to create a custom log parser using Minecraft as an example.

Documentation is also available for Nessus, the Passive Vulnerability Scanner, and SecurityCenter through the Tenable Support Portal located at https://support.tenable.com/. There are also some relevant postings at Tenable's blog located at http://www.tenable.com/blog and at the Tenable Discussion Forums located at https://discussions.nessus.org/community/lce.

For further information, please contact Tenable at support@tenable.com, sales@tenable.com, or visit our web site at http://www.tenable.com/.

About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Our family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable is relied upon by many of the world's largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, visit tenable.com.
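The text= query behaviour laid out in the Grouping section and the "Putting it All Together" examples earlier in this chapter (whole-word tokens split on whitespace and punctuation, adjacent terms AND'd by default, AND binding tighter than OR, NOT negating the following term or group, parentheses for grouping) is easiest to check against a small model. The following Python is an added example written for this page, not LCE's own query code. It assumes case-insensitive matching and treats "_" as a word character, neither of which the guide specifies, and its sample log lines are constructed (most are the table's own).

```python
"""Toy evaluator for the text= query syntax described above. Added example,
not LCE code: models the documented behaviour (whole-word tokens split on
whitespace and punctuation, adjacent terms AND'd, AND before OR, NOT on the
following term or group, parentheses for grouping). Case-insensitive matching
and '_' as a word character are assumptions of this example."""
import re

WORD_RE = re.compile(r"[A-Za-z0-9_]+")


def log_tokens(line):
    """Set of whole-word tokens in a log line; punctuation is a delimiter."""
    return {w.lower() for w in WORD_RE.findall(line)}


def lex_query(query):
    """Query tokens: parentheses, the operators AND/OR/NOT, and terms."""
    return re.findall(r"\(|\)|[A-Za-z0-9_]+", query)


def _and(l, r):
    return lambda toks: l(toks) and r(toks)


def _or(l, r):
    return lambda toks: l(toks) or r(toks)


class Query:
    def __init__(self, query):
        self.toks, self.pos = lex_query(query), 0
        self.match = self._expr()          # closure over a token set
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        if self.pos >= len(self.toks):
            raise ValueError("query ended unexpectedly")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self):
        # expr := conj ('OR' conj)*         -- OR has the lowest precedence
        node = self._conj()
        while self._peek() == "OR":
            self._next()
            node = _or(node, self._conj())
        return node

    def _conj(self):
        # conj := factor (['AND'] factor)*  -- adjacency is an implicit AND
        node = self._factor()
        while self._peek() not in (None, "OR", ")"):
            if self._peek() == "AND":
                self._next()
            node = _and(node, self._factor())
        return node

    def _factor(self):
        # factor := 'NOT' factor | '(' expr ')' | term
        tok = self._next()
        if tok == "NOT":
            inner = self._factor()
            return lambda toks: not inner(toks)
        if tok == "(":
            inner = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return inner
        term = tok.lower()
        return lambda toks: term in toks


def search(query, logs):
    """Return the log lines that satisfy the value of a text= filter."""
    q = Query(query)
    return [line for line in logs if q.match(log_tokens(line))]


# Constructed sample logs, including the lines used in the table above.
SAMPLE_LOGS = [
    "LCE Client Heartbeat| 07/23/2014 00:25:00 AM Hostname: lce_demo IP: 192.168.1.106 Revision: LCE Client 4.2.0 build 20131004",
    "Heart",
    'This linux host executed process "ls".',
    "This linux host executed nothing.",
    "This nix host did everything.",
    "This process did everything.",
    "The process did nothing.",
    "This linux host did nothing.",
    "This linux host IP is 172.26.20.66.",
    "This linux host IP is 172.26.20.100.",
    "This linux host IP is 66.20.172.26.",
    "This linux host IP is 172.26.20.100 and there are 66 users.",
    "firewall: connection allowed",
]

if __name__ == "__main__":
    for q in ("Heartbeat", "linux NOT process", "(linux OR nothing) AND process",
              "172.26.20.66", "blocked AND denied AND dropped OR firewall"):
        print(q, "->", search(q, SAMPLE_LOGS))
```

Run stand-alone it prints the matches for each query; search("172.26.20.66", SAMPLE_LOGS) returns the 66.20.172.26 line and the "66 users" line as well, which is exactly why the guide recommends the ip=, sourceip= and destinationip= filters for addresses.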
Appendix 1: Sample msmtp.conf File

Note that when utilizing the msmtp.conf file, a required entry is the password for the mail account. Anyone with read access to the file on the file system will be able to read the password. It is stored in clear text on disk, so a low-value email account dedicated to this feature should be used, and the file should be readable only by the account that runs the LCE tools (for example, mode 600). Note also that the sample sets "tls_certcheck off", which makes msmtp accept any certificate the server presents; the password is then protected only against passive observers, not against anyone who can redirect the connection. Outside of a lab test, set "tls_certcheck on" and point "tls_trust_file" at your system's CA bundle.

# Example msmtp configuration file
#
# Please replace the following with the desired settings for mail server, encryption and authentication. The full
# msmtp documentation is located at http://msmtp.sourceforge.net/doc/msmtp.html.
#
# msmtp usage example: echo "This is a test message." | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf your_name@your_address.com

account provider
host smtp.gmail.com
tls on
# tls_certcheck off disables server certificate validation (test use only);
# for production use "tls_certcheck on" together with "tls_trust_file <CA bundle>"
tls_certcheck off
tls_starttls off
from your_username@your_domain.com
auth on
user your_username
password your_password
port 465
logfile /opt/lce/tools/msmtp.log

# Set the above account to be the default when the -a flag is not used
account default : provider

Appendix 2: Event Rule Table

The following table contains all the filter types that can be used for a rule. Each rule must start with a "Name" line, contain one or more filters, and end with either "ignore", "Command", or a log source. If "Command" is used, an action must be given; if the filter is matched, the "Command" will execute. Entering "ignore" at the end of the filter will ignore all events that are matched by that filter. If a log source is used it can be either "cef" or "syslog", and if the rule is matched the log is forwarded to the log server in either "cef" or "syslog" format.
See each example for additional details in the table below. For each filter the table gives its description (with example values) and a usage example in the form of a complete rule.

IPS
Description: Filter on source or destination IP or CIDR. Examples: 192.168.1.1, 192.168.0.0/16
Usage:
Name: Ignore local logins
+Types: login
+IPs: 127.0.0.1
ignore

SrcIPS
Description: Filter strictly on source IP. Examples: 192.168.1.1, 192.168.0.0/16
Usage:
Name: Ignore local login failures
+Types: login-failure
+SrcIPS: 127.0.0.1
ignore

DstIPS
Description: Filter strictly on destination IP. Examples: 192.168.1.1, 192.168.0.0/16
Usage:
Name: Ignore local file access
+Types: file-access
+DstIPs: 127.0.0.1
ignore

Events
Description: Filter on LCE normalized event name. Example: Cisco-IDS_Command_Execution
Usage:
Name: Ignore Application Changes
+Events: Application_Change
+IPs: 192.168.1.0/24
ignore

Sensors
Description: Filter on sensor name, available in the LCE sensor summary view or specified in the syslog_sensors.txt file. Example: XPmarketing01, Win7payroll02
Usage:
Name: Ignore Application Changes
+Events: Application_Change
+IPs: 192.168.1.0/24
+Sensors: Exchange-10
ignore

Types
Description: Filter on LCE event type. Example: login, lce, intrusion, scanning, system
Usage:
Name: Ignore local file access and system
+Types: file-access, system
+IPs: 127.0.0.1
ignore

Ports
Description: Filter on the source or destination port. Example: 80, 443, 8080
Usage:
Name: Ignore lce / login events on port 22
+IPS: 192.168.1.1
+Types: lce,login
+Ports: 22
Ignore

Protocols
Description: Filter on the protocol of the event. Example: 1 for ICMP, 2 for IGMP, 6 for TCP, 17 for UDP
Usage:
Name: Ignore DNS Query
+Event: PVS-DNS_Client_Query
+IPS: 192.168.1.0/24
+Protocols: UDP
+Ports: 53
Ignore

Users
Description: Filter on the username in a log. Example: Bob, Phil, Dan
Usage:
Name: Ignore System login
+IPS: 192.168.1.0/24
+Types: login
+Users: SYSTEM
ignore

Text
Description: Filter on any text token in the log (tokens can include spaces and punctuation, but not commas). Example: Login, Failure
Usage:
Name: Ignore 404 errors
+IPS: 192.168.1.0/24
+Text:404 page not found
ignore

IText
Description: Filter on any text token in the log, matched case-insensitively (tokens can include spaces and punctuation, but not commas). Example: Login, Failure
Usage:
Name: Ignore 404 errors
+IPS: 192.168.1.0/24
+IText:404 page not found
ignore

Vulnerable
Description: "yes" or "no" – "yes" if you want to match only logs that correlate to vulnerable hosts. Example: "yes" or "no"
Usage:
Name: E-mail vulnerability correlations
Vulnerable: yes
Command: echo "body: $log" | sendmail rgula@example.com "subject: $name"

The "Command" example above passes the expanded $log text into a shell pipeline. Log content is attacker-influenced, so keep such commands minimal and quote the variables, or prefer the "syslog" or "cef" forwarding actions when the goal is only to alert.

Threshold
Description: The number of events required over a specified length of time to trigger the rule. The timeframe can be expressed in "second", "minute", "hour", "day", "week", "month", or "year". Example: 5 in a minute

MaxQueue
Description: The number of events that will be placed into the event processing queue before being dropped from rule evaluation. Example: 100

Ratelimit
Description: The maximum number of triggers that will occur over a specified length of time regardless of the number of triggering events. The timeframe can be expressed in "second", "minute", "hour", "day", "week", "month", or "year". Example: 1 per minute

Usage (Threshold, RateLimit, and MaxQueue together, with both include (+) and exclude (-) filters):
Name: Potential SSH account username/password guessing
+Events: SSH-Invalid_User, SSH-Failed_Password
+IPs: 10.0.0.0/8
-IPs: 10.0.0.1, 10.0.0.7-15
+Sensors: DMZ-1, DMZ-2
-Users: (unknown)
syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514
Threshold: 5 in a minute
RateLimit: 1 per minute
MaxQueue: 100

Appendix 3: Troubleshooting

The following are troubleshooting steps for determining LCE client/server functionality:

1. Install and configure the LCE and clients by following the instructions in the documentation.
2. Verify that the clients are connecting by viewing the file /opt/lce/admin/log/client.status.
   a. If the clients never connect, review the configuration.
   b. If the configuration is correct, then there is a network issue. Check for proxies, firewalls or ACLs that may be blocking traffic.
   c. If the clients connect but do not stay connected, continue to test. The LCE client will not remain connected to the LCE server unless the client has some data to send.
3. To "force" a client to forward data to the LCE server, a log observed on the LCE client machine can be appended with entries that are known to cause alerts within SC4. This gives the LCE client some data to send to the server. It is advised to put "TEST OF FUNCTIONALITY" at the beginning of the log entries to ensure that these tests do not interfere with actual alerts. Check your client logs to ensure communication is taking place.
   a. Yes? Communication is taking place. Continue to Step 4.
   b. No? Contact Tenable Support for an LCE Client issue.
4. Once the logs are appended, check the client.status file. Has it changed?
   a. Yes? Functionality is working.
   b. No? Continue with the next step.
5. Check SC4 for the IP address in question and the time of the test. Were there entries found?
   a. Yes? Your LCE is functioning properly. However, there may be an issue with the client.status heartbeat. Notify Tenable Support of the issue.
   b. No? Continue to the next step.
6. Grep the LCE's notmatched.txt file for the IP address in question and the time of the test. Were there entries found?
   a. Yes? Your LCE is functioning and logs are being updated properly. However, there may be an issue with the client.status heartbeat. Notify Tenable Support of the issue.
   b. No? Continue to the next step.
7. Run tcpdump on the LCE and capture traffic from the IP address of the client in question. Repeat step 3 to force communications. Did you receive traffic?
   a. Yes? Notify Tenable Support of the issue for further assistance.
   b. No? You may have a network issue. Please work with your network support to troubleshoot the issue.
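Returning to the rule syntax of Appendix 2: the following Python is an added example written for this page, not LCE's rule engine. It parses rules written in the table's format and evaluates them against constructed sample events, covering the "+" include and "-" exclude lists, host/CIDR/last-octet-range IP values such as 10.0.0.7-15, Text versus IText, and the way Threshold and RateLimit interact in the SSH guessing rule. All of that is this example's reading of the table, not documented LCE internals; the event field names (srcip, dstip, srcport, dstport, protocol, event, type, sensor, user, log, vulnerable, ts) are its own.

```python
"""Evaluator for the event rule syntax in the Appendix 2 table. Added example,
not LCE code. Its reading of the syntax: every '+Field:' list must be satisfied
and every '-Field:' list must not; IPs/IPS checks both endpoints, SrcIPs/DstIPs
one; an IP value is a host, a CIDR or a last-octet range (IPv4 only); Text and
IText are substring matches (IText case-insensitive); 'Threshold: N in a unit'
fires once N matching events fall inside one sliding window; 'RateLimit: N per
unit' caps firings per window; field names are case-insensitive."""
import ipaddress
import re

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                "week": 604800, "month": 2592000, "year": 31536000}
SINGLE_FIELDS = {"events": "event", "event": "event", "sensors": "sensor",
                 "types": "type", "protocols": "protocol", "users": "user"}


def ip_matches(value, ip):
    """True if ip is covered by a host, a CIDR, or a last-octet range."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.(\d+)-(\d+)", value)
    if m:
        prefix, last = ip.rsplit(".", 1)
        return prefix == m.group(1) and int(m.group(2)) <= int(last) <= int(m.group(3))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)


def field_hit(field, values, ev):
    """Does the event satisfy one filter list? (+/- polarity is the caller's.)"""
    f = field.lower()
    if f in ("ips", "srcips", "dstips"):
        ends = {"ips": ("srcip", "dstip"), "srcips": ("srcip",), "dstips": ("dstip",)}[f]
        return any(ip_matches(v, ev[e]) for v in values for e in ends)
    if f == "ports":
        return any(int(v) in (ev["srcport"], ev["dstport"]) for v in values)
    if f in ("text", "itext"):
        fold = str.lower if f == "itext" else str   # str() is the identity fold
        return any(fold(v) in fold(ev["log"]) for v in values)
    if f == "vulnerable":
        return ("yes" in values) == bool(ev.get("vulnerable"))
    return str(ev[SINGLE_FIELDS[f]]) in values


def parse_window(spec):
    """'5 in a minute' -> (5, 60); '1 per minute' -> (1, 60)."""
    m = re.fullmatch(r"\s*(\d+)\s+(?:in|per)\s+(?:an?\s+)?(\w+?)s?\s*", spec)
    return int(m.group(1)), UNIT_SECONDS[m.group(2)]


class Rule:
    def __init__(self, text):
        self.name = self.action = self.threshold = self.ratelimit = self.maxqueue = None
        self.filters, self._seen, self._fired = [], [], []   # filters: (exclude, field, values)
        for line in filter(None, map(str.strip, text.splitlines())):
            key, _, val = line.partition(":")
            k = key.strip().lower()
            if k == "name":
                self.name = val.strip()
            elif k[:1] in ("+", "-"):
                self.filters.append((k[0] == "-", k[1:], [v.strip() for v in val.split(",")]))
            elif k == "vulnerable":
                self.filters.append((False, k, [val.strip().lower()]))
            elif k in ("threshold", "ratelimit"):
                setattr(self, k, parse_window(val))
            elif k == "maxqueue":
                self.maxqueue = int(val)
            elif k in ("ignore", "command", "syslog", "cef"):
                self.action = line
            else:
                raise ValueError("unrecognised rule line: " + line)

    def matches(self, ev):
        return all(field_hit(f, vals, ev) != excl for excl, f, vals in self.filters)

    def evaluate(self, ev):
        """Feed one event (ev['ts'] in seconds); True when the action should run."""
        if not self.matches(ev):
            return False
        ts = ev["ts"]
        if self.threshold:   # enough matching events inside the window?
            self._seen = [t for t in self._seen if ts - t < self.threshold[1]] + [ts]
            if len(self._seen) < self.threshold[0]:
                return False
        if self.ratelimit:   # already fired as often as the window allows?
            self._fired = [t for t in self._fired if ts - t < self.ratelimit[1]]
            if len(self._fired) >= self.ratelimit[0]:
                return False
            self._fired.append(ts)
        return True


def make_event(ts, srcip, **over):
    """Constructed sample event; keys mirror the filters in the table."""
    ev = {"ts": ts, "srcip": srcip, "dstip": "172.16.5.5", "srcport": 51000, "dstport": 22,
          "protocol": "TCP", "event": "SSH-Failed_Password", "type": "login-failure",
          "sensor": "DMZ-1", "user": "root", "log": "sshd: Failed password for root"}
    return {**ev, **over}


SSH_GUESSING_RULE = """Name: Potential SSH account username/password guessing
+Events: SSH-Invalid_User, SSH-Failed_Password
+IPs: 10.0.0.0/8
-IPs: 10.0.0.1, 10.0.0.7-15
+Sensors: DMZ-1, DMZ-2
-Users: (unknown)
syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514
Threshold: 5 in a minute
RateLimit: 1 per minute
MaxQueue: 100"""
```

Feeding six matching events one second apart to Rule(SSH_GUESSING_RULE).evaluate() yields False for the first four, True on the fifth (the threshold is met) and False on the sixth (the rate limit has been spent for that minute); an event from 10.0.0.9 never matches because the -IPs range excludes it even though +IPs covers it.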
Appendix 4: Manual SC4/LCE Key Exchange

A manual key exchange between SecurityCenter and the LCE is normally not required; however, in some cases where remote root login is prohibited or key exchange debugging is required, you will need to exchange the keys manually.

For the remote LCE to recognize SecurityCenter, you need to copy the SSH public key of SecurityCenter and append it to the "/opt/lce/.ssh/authorized_keys" file on the LCE server. The "/opt/lce/daemons/lce-install-key.sh" script performs this function. The following steps describe how to complete this process:

The LCE server must have a valid license key installed and the LCE daemon must be running before performing the steps below.

1. Download the SSH public key for SecurityCenter by logging in as the SecurityCenter administrator user and navigating to the "Keys" section ("System" -> "Keys").
2. Click on "Download Key", choose the desired key format (either DSA or RSA works for this process; prefer RSA, since OpenSSH 7.0 and later disable DSA keys by default) and then click on "submit".
3. Save the key file (SSHKey.pub) to your local workstation. Do not edit the file or save it as any specific file type.
4. From the workstation where you downloaded the key file, use a secure copy program such as "scp" or "WinSCP" to copy the SSHKey.pub file to the LCE system. You will need the credentials of an authorized user on the LCE server to perform this step. For example, if you have a user "bob" configured on the LCE server (hostname "lceserver") whose home directory is /home/bob, the command on a Linux or Unix system would be as follows:

# scp SSHKey.pub bob@lceserver:/home/bob

5. After the file is copied to the LCE server, move it to /opt/lce/daemons:

# mv /home/bob/SSHKey.pub /opt/lce/daemons

6. On the LCE server, as the root user, change the ownership of the SSH key file to "lce":

# chown lce /opt/lce/daemons/SSHKey.pub

7. Then append the SSH public key to the "/opt/lce/.ssh/authorized_keys" file with the following steps (the key is now at /opt/lce/daemons/SSHKey.pub, where step 5 moved it):

# su lce
# /opt/lce/daemons/lce-install-key.sh /opt/lce/daemons/SSHKey.pub

8. To test the communication, as the user "tns" on the SecurityCenter system, attempt to run the "id" command:

# su tns
# ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id

If a connection has not been previously established, you will see a warning similar to the following:

The authenticity of host '192.168.15.82 (192.168.15.82)' can't be established.
RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f.
Are you sure you want to continue connecting (yes/no)?

Before answering "yes", compare the fingerprint shown with the fingerprint of the LCE server's SSH host key obtained on that server itself (for example over its console). Answering "yes" to a fingerprint you have not checked accepts whichever host answered, and that key is then trusted for every later connection from SecurityCenter. If the key exchange worked correctly, a message similar to the following will be displayed:

uid=251(lce) gid=251(lce) groups=251(lce)

9. The IP address of SecurityCenter can be added to the LCE system's /etc/hosts file. This prevents the SSH daemon from performing a DNS lookup that can add seconds to your query times.

10. The LCE can now be added to SecurityCenter via the normal administrator "LCE add" process documented in the SecurityCenter Administration Guide.
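For the host-key prompt in step 8, the following Python is an added example written for this page, not Tenable's code. It computes both fingerprint notations from an OpenSSH public key line and checks a prompt against them. The host-key path /etc/ssh/ssh_host_rsa_key.pub is an assumed OpenSSH default, and the sample key is a constructed placeholder built inline, not a real key.

```python
"""Host-key fingerprint check for step 8 of Appendix 4. Added example, not
Tenable's code. An OpenSSH fingerprint is a hash of the base64-decoded key
blob: the legacy colon-separated MD5 form shown in the prompt above, or the
SHA256 form printed by current clients. Comparing the prompt's fingerprint with
one computed from the LCE server's own host key, read on that server's console,
detects a man-in-the-middle before the key is trusted. The host-key path
/etc/ssh/ssh_host_rsa_key.pub mentioned below is an assumed OpenSSH default."""
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH public key line, such as the
    contents of /etc/ssh/ssh_host_rsa_key.pub; the type named inside the blob
    must agree with the line's first field."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type in blob does not match %r" % parts[0])
    return parts[0], blob


def fingerprint_md5(line):
    """Legacy form, e.g. 86:63:b6:...; what 'ssh-keygen -l -E md5' prints."""
    digest = hashlib.md5(parse_pubkey_line(line)[1]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(line):
    """Current form: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(parse_pubkey_line(line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_match(prompt_text, pubkey_line):
    """True if the fingerprint quoted in an ssh host-key prompt is the one
    derived from pubkey_line, in either notation."""
    return (fingerprint_md5(pubkey_line) in prompt_text
            or fingerprint_sha256(pubkey_line) in prompt_text)


# Constructed sample host key. An ssh-rsa blob is string "ssh-rsa", mpint e,
# mpint n; the modulus below is a placeholder, not a real key, since only the
# encoding matters for fingerprinting.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(bytes(range(1, 65))))
SAMPLE_PUBKEY_LINE = "ssh-rsa %s root@lceserver" % base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(fingerprint_md5(SAMPLE_PUBKEY_LINE))
    print(fingerprint_sha256(SAMPLE_PUBKEY_LINE))
```

On the LCE server itself, "ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub" prints the same MD5 form for comparison. The check only has value if that fingerprint is obtained over a channel the attacker cannot influence, such as the server console, rather than over the very SSH session being verified.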
Appendix 5: Offline Activation and Plugin Updates

The steps below explain how to activate LCE and update LCE plugins on an air-gapped network.

Offline Activation

1. Navigate to https://support.tenable.com and log in.
2. Select "Activation Codes" from the menu, select the plus symbol (+) next to "Log Correlation Engine", then copy the "Activation Code" to be used with the offline LCE.
3. Log in to the offline LCE terminal as the root user and execute the command below:

# /opt/lce/daemons/lce_wwwd --challenge
Challenge: e1e02d38a48603467fb8728b13ada3e29e5e9fd4

Copy the challenge above and paste it (with your Activation Code) into:
https://plugins.nessus.org/v2/offline-lce.php

4. Using a web browser, go to https://plugins.nessus.org/v2/offline-lce.php and enter the activation code and challenge code obtained in the previous steps.
5. Select the link that is generated to download the current plugin set. Make a copy of the link that is returned. The link provided will be valid until the LCE subscription expires. Save the link, as it will be needed each time the plugins are manually updated, and treat it like a credential: anyone holding it can download your plugin set for as long as the subscription lasts.
6. Select the link to download the license key "lce.license", or create an lce.license file by copying the information returned, from "-----BEGIN TENABLE LICENSE-----" to "-----END TENABLE LICENSE-----", into a text file.
7. Upload the lce.license file to /opt/lce/daemons and, from that directory, run the following command:

# /opt/lce/daemons/lce_wwwd --register-offline lce.license

8. Then navigate to https://<ip address of your lce>:8836 and complete the setup and configuration steps described earlier in this guide.
9. To verify that the license has been loaded successfully, choose "Health and Status" followed by "Plugins". The "Activation Status" should now show "Licensed".

Offline Plugin Updates

1. Using the link found in step 5 of the "Offline Activation" section, download the newest "lce-combined.tar.gz" file.
2. Under the "Offline Plugin Update" section, choose "Browse" to upload the "lce-combined.tar.gz" file. The "lce-combined.tar.gz" file contains updates for LCE PRMs, TASLs, discoveries, client policies, the web client, and the web server. After the file is uploaded successfully, choose "Process Plugins". The process may take a minute or two to complete.
3. To verify that the plugins have been loaded successfully, choose "Health and Status" followed by "Plugins". The "Plugin Set" and "Plugin Set Loaded" fields will now be populated.
Appendix 6: Non-Tenable License Declarations

Below you will find the command that lists all the third-party software packages that Tenable provides for use with the Log Correlation Engine. This command may be run at the command line interface by users with permission to execute the lced binary.

# /opt/lce/daemons/lced -l

For a list of third-party software packages that Tenable utilizes with LCE, see the "Tenable Third-Party License Declarations" document.