Detects traffic that may violate corporate policy, such as pornography, questionable software, or the use of third-party services that may be of concern. The LCE tracks all normalized events that have occurred for each host. Using the LCE interface, you can monitor the health and status of the LCE server and clients, configure the LCE server, manage clients, create and assign policies, and manage users. Flags attempts to retrieve objects, files, network shares, and other resources that are denied. Denotes logs that indicate a denial of service event has occurred. LCE can collect event data from many sources, including:
The LCE can identify hosts that are generating specific event types for periods of 20 minutes or longer. Denotes any type of log from a firewall, an intrusion prevention device, a router, or a firewall or application configured at the local host to specifically deny connections. Event sources include allowed connections through firewalls, established VPN sessions, and connections by some types of applications.
Add a Log Correlation Engine Server
Checks that look for any traffic or vulnerabilities related to mobile devices such as smartphones and tablets. The logs generated by these events are normalized to the USB event type. LCE clients are installed on hosts to monitor and collect events. Each organization can make queries to one or more LCE servers that process logs from devices including firewalls, servers, routers, honeypots, mobile device managers, applications, and many other sources.
For reference, each type and a description for it are listed here. TippingPoint's syslog event format must be modified to use a comma delimiter rather than a tab delimiter before it can be processed by the LCE. The LCE will normalize logs generated when applications, services, routers, switches, devices, and operating systems reboot, restart, or are shut down to the restart event type.
As new normalized events are logged for the host, the LCE will generate secondary events based on the event type. Using the LCE interface, you can monitor the health and status of the LCE server and clients, configure the LCE server, manage clients, create and assign policies, and manage users.
Login failures, errors, and application events are logged to other event types. Network IDS, firewall, antivirus, and other log sources that detect port scans, port sweeps, and probes are logged to the LCE scanning event type.
Welcome to Log Correlation Engine (LCE)
Denotes any type of web access event that is denied because the file does not exist, the server responded with an error or a firewall or web application firewall blocked the access. The list of officially supported log sources is frequently updated on the Tenable website. Indicates logs that are normalized from applications designed to simulate networks, hosts, and applications for the purpose of detecting intruders.
Indicates any type of login event to an application, operating system, VPN, firewall, or other type of device.
For every unique type of event, the LCE will profile the frequency of events and alert when there is a statistical deviation for any event. LCE summary information as well as Fast Flux detection is also logged here. Logs that indicate crashes and hung processes are sent to the process event type. As security issues and new information about systems and networks are reported as part of the vulnerability monitoring process, the LCE normalizes these event types to the vulnerability category.
The Event Vulnerability plugin families below work along with the other Tenable plugin families.
Components of the Log Correlation Engine (LCE)
The normalized data is then analyzed using Tenable. LCE has many log processing libraries to parse logs and can normalize and correlate most network intrusion detection (IDS) and intrusion prevention systems (IPS), as well as messages from Tenable.
Logs that indicate the presence of a virus in email, a virus found on a system by an anti-virus agent, or virus logs found by network IDS and firewalls are normalized to the LCE event type of virus. These events are distinct from authentication failures, blocked firewall connections, and attempts to access web pages that do not exist, which are respectively normalized to the login-failure, firewall, and web-error event types.
Denotes any type of authentication log that indicates credentials were presented and were incorrect. Depending on the scale and requirements of your organization, you may utilize multiple LCE instances to collect and normalize data. Denotes any type of sniffed NNM network session or log that indicates that a file was accessed, modified, or likely retrieved.
In this case, the script will list the unused files. The LCE automatically recognizes many types of system events that indicate change and creates secondary, higher-level events.
The LCE will normalize operating system, router, switch, or device logs of significance to the event type of system.
Denotes logs from network IDS, firewalls, applications, and operating systems that indicate some sort of network attack. Events are stored both as raw logs and as normalized events, and are correlated with vulnerabilities where applicable.