Installation guide

Appendix 7: Configuring SecurityCenter and the LCE for Audit Data Selection
SecurityCenter can be configured together with the LCE so that a selected subset of audit data can be viewed through the Raw Syslog Data section of SecurityCenter’s Analysis Tool.
To accomplish this, SecurityCenter admin logs must be sent to an LCE server via an LCE client. Following the LCE documentation, ensure that an LCE client has been installed and configured on the SecurityCenter system and is running:
# ps -ef | grep lce_client
root 3156 1 0 11:42 ? 00:00:00 /opt/lce_client/lce_clientd
Edit the /opt/lce_client/lce_client.conf file on the SecurityCenter system and add the following line under the section headed “# All files in directories specified with the tail-dir option will be tailed”, which configures the LCE client to send SecurityCenter admin logs to the LCE:
tail-dir /opt/sc4/admin/logs/*.log
Restart the “lce_client” service on the SecurityCenter system:
# service lce_client restart
Per LCE documentation, ensure that the SecurityCenter’s LCE client information has been added to the LCE system’s lce.conf file in /opt/lce/daemons/:
# Several formats are supported for specifying client information. These
# are (1) a single IP address, (2) an IP address with a CIDR range,
# (3) optional ranges in the third and fourth octets of the IP address,
# and (4) a range specified by start and end addresses.
# Examples of each follow. In every case, the authentication and sensor
# name defined within the block applies to every client covered by the
# chosen notation.
client [SecurityCenter IP address] {
client-auth auth-secret-key [secret key string]
sensor-name SC_LCE_Sensor
}
An additional line must also be added to the lce.conf file so that the LCE can match more than one plugin against a single log file:
#Additional line to provide for multiple matches on LCE plugins
multiple-matches
Please refer to the LCE Administration and User Guide for additional information on “multiple-matches” and multiple plugin matches per log file.
Restart the “lce” service on the LCE system:
# service lce restart
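The two configuration edits above (the tail-dir line in lce_client.conf and the multiple-matches directive in lce.conf) are easy to duplicate or leave commented out when applied by hand. The following added shell helpers make the first edit idempotent and check the second; this is example code written for this guide, not Tenable’s, and the file contents in demo() are constructed samples (the awk insertion logic and the function names are this example’s own).

```shell
#!/bin/sh
# Added example (not Tenable's code): idempotent helpers for the two config
# edits in this appendix. File contents in demo() are constructed samples.

TAIL_DIR_LINE='tail-dir /opt/sc4/admin/logs/*.log'
TAIL_DIR_MARKER='# All files in directories specified with the tail-dir option will be'

# add_tail_dir CONF: insert TAIL_DIR_LINE directly under the marker comment
# block of an lce_client.conf, exactly once (appends if the marker is absent).
# Returns 0 when the line is present afterwards.
add_tail_dir() {
    conf="$1"
    if grep -qF -- "$TAIL_DIR_LINE" "$conf"; then
        return 0                           # already configured, do not duplicate
    fi
    awk -v line="$TAIL_DIR_LINE" -v marker="$TAIL_DIR_MARKER" '
        index($0, marker) == 1 { print; found = 1; want = 1; next }
        want && !/^#/          { print line; want = 0 }  # first non-comment line
        { print }
        END { if (want || !found) print line }           # marker last, or missing
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -qF -- "$TAIL_DIR_LINE" "$conf"
}

# has_multiple_matches LCE_CONF: 0 only if an uncommented multiple-matches
# directive is present (a "#multiple-matches" comment does not count).
has_multiple_matches() {
    grep -qE '^[[:space:]]*multiple-matches[[:space:]]*$' "$1"
}

# demo: run both helpers against constructed sample files in a temp dir.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$TAIL_DIR_MARKER" '# tailed' 'tail-dir /var/log/*.log' \
        > "$dir/lce_client.conf"
    add_tail_dir "$dir/lce_client.conf"
    add_tail_dir "$dir/lce_client.conf"    # second run must not add a duplicate
    echo "tail-dir lines for SC admin logs: $(grep -cF -- "$TAIL_DIR_LINE" "$dir/lce_client.conf")"
    printf '%s\n' '#multiple-matches' > "$dir/lce.conf"
    has_multiple_matches "$dir/lce.conf" && echo "lce.conf: multiple-matches enabled" \
        || echo "lce.conf: multiple-matches missing or commented out"
    rm -rf "$dir"
}

demo
```

Run the helpers as root against the real /opt/lce_client/lce_client.conf and /opt/lce/daemons/lce.conf, then restart the services as shown above; a successful add_tail_dir still requires the lce_client restart before the new directory is tailed.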
By default, the LCE system ships with a PRM file called “tenable_sc4_logs.prm” that contains the events audited by SecurityCenter. To select a subset of those default audited events, copy the tenable_sc4_logs.prm file to a new PRM file, edit and save it, and then search on it through a filter in the SecurityCenter Analysis Tool’s “Raw Syslog Data” selection.
To create and edit the new selection-based PRM file, navigate to /opt/lce/daemons/plugins on the LCE system and confirm that the tenable_sc4_logs.prm file exists: