User guide

$NETWORK_MONITOR_DIR/$NETWORK_MONITOR_BIN &> /dev/null &
To modify this default setting, add your filter statement after the command, as in this example:
$NETWORK_MONITOR_DIR/$NETWORK_MONITOR_BIN tcp or icmp or udp port 514 &> /dev/null
This particular statement matches any TCP or ICMP traffic and also collects any UDP-based syslog traffic.
Performance Considerations
When running the TNM, it is important to consider how much data you are collecting and what you are doing with the
data. If you are not doing anything with a certain set of data and you do not have a requirement to collect it, you can
improve the performance of your LCE and the total useful storage capacity by not collecting it.
Consider these strategies when collecting logs:
Ignoring UDP traffic in general, or at least UDP protocols to your basic services, can save you many records. For
example, ignoring DNS lookups to your DNS servers avoids logging repetitious events.
If you have acceptable logs from your email, web, and other services, consider ignoring port 80, port 443, and
port 25 to these servers.
If you have a long-term requirement to store logs but not necessarily network traffic, consider deploying a single
LCE for log aggregation and then adding a secondary LCE to gather network traffic. You might be able to store your
logs much longer than your network traffic. With two LCEs, the LCE host can also query both of these and unify
their results in a user-friendly graphical display.
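The filter statement and the collection strategies above can be combined into a single exclusion filter. The script below is an added example, not part of the original guide; it assumes the filter statement uses tcpdump/libpcap syntax, as the sample filter suggests, and the server addresses, port list, and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample values (RFC 5737 documentation addresses), not from the guide.
DNS_SERVERS="192.0.2.53 192.0.2.54"
SERVICE_SERVERS="192.0.2.80 192.0.2.25"
SERVICE_PORTS="80 443 25"

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a typo or
# stray keyword in a server list cannot silently change what gets captured.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# join_or KEYWORD VALUE...: print "KEYWORD v1 or KEYWORD v2 ..."
join_or() {
    keyword=$1; shift
    joined=""
    for value in "$@"; do
        joined="${joined:+$joined or }$keyword $value"
    done
    printf '%s' "$joined"
}

# build_tnm_filter (hypothetical helper): print the exclusion filter, or fail
# if any configured address is malformed.
build_tnm_filter() {
    for addr in $DNS_SERVERS $SERVICE_SERVERS; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    dns="udp port 53 and ($(join_or host $DNS_SERVERS))"
    svc="tcp and ($(join_or port $SERVICE_PORTS)) and ($(join_or host $SERVICE_SERVERS))"
    # "and"/"or" share one precedence level in pcap filters and "not" applies
    # only to the next term, so each excluded group is parenthesized.
    # "host" matches either direction, so replies are dropped with requests.
    printf '%s' "not ($dns) and not ($svc)"
}

# Stand-alone run: show the filter that would follow the monitor binary's name.
build_tnm_filter && echo
```

The printed expression goes in the same position as the sample filter in the start-up command shown earlier.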
LCE Linux Client Operations
This section describes the administrative functions of the LCE Linux clients including starting, halting and monitoring.
Starting the LCE Linux Clients
As noted earlier in this document, the LCE Client packages include start-up scripts that are installed in the system start-up
directory (e.g., /etc/init.d) on the respective platform.
The provided start-up scripts are designed to check if the LCE Client is already running and will not start a
second instance. Although it is possible to manually start the LCE Client without using the provided script, it is
not recommended to do so as it could result in multiple instances of the LCE Client daemon running.
If there are errors in the configuration file, they will be displayed in the LCE Client log, which is under the appropriate client
directory (e.g., /opt/lce_client for the LCE Log Agent, /opt/network_monitor for the Tenable Network Monitor
client, etc. by default) in the format of YEARMon.log. At the LCE server, using the “netstat -pan | grep 31300”
command will list all of the established LCE Client connections.
At any time, the version of the LCE Client can be determined by running it with the -v option, as follows:
# /opt/lce_client/lce_clientd -v
LCE Client 4.0.1
#
Below is a table that displays how to start the client software on the various platforms: