User guide

The Log Correlation Engine (LCE) Clients are agents installed on systems whose logs, network traffic, performance data
and other protocol and technology sources are to be monitored; they forward that data securely to the LCE server. Once
an LCE server is installed and configured, one or more LCE Clients can send information back to it for normalization and
correlation.
This document details available LCE 4.0 Clients along with their installation and configuration.
Various versions of LCE Clients can be configured to gather information and events from the following sources:
Windows Event Logs (collected locally or remotely via WMIC)
Windows/Linux/Unix system and application logs
Check Point OPSEC events
Cisco RDEP events
Cisco SDEE events
NetFlow
Splunk
Sniffed TCP and UDP network traffic (Tenable Network Monitor)
Sniffed syslog messages in motion
File monitoring (Linux, Unix, and Windows)
Many of these agents are needed to take full advantage of the LCE's correlation capabilities. For example, to perform
"Blacklist" correlation, the LCE Clients that monitor network traffic by sniffing or via NetFlow can identify connections to
known hostile IP addresses even when you have no firewall or proxy logs.
Running LCE Clients Directly on the LCE Server
LCE Clients can be run directly on the LCE server. They must be configured to connect to either localhost (127.0.0.1) or
the IP address of the LCE server. Multiple LCE Client types (such as an LCE Log Agent and a Tenable NetFlow Monitor)
can be run at the same time as well. See the section titled "LCE Client Types and Platforms" for a list of available clients.
When using LCE Log Agents to watch the LCE server's own log files, be extremely careful to avoid feedback loops. For
example, choosing to tail the lce.log file would cause every entry written by the lced process to be picked up by the
LCE Log Agent, sent back to lced, written to lce.log again, and so on indefinitely.
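A pre-deployment check for the feedback loop described above, added here as an example and not part of the LCE product or its configuration tooling. It assumes the Log Agent's monitored file list and server address are available as plain values, and the LCE server log directory (/opt/lce/logs) is a constructed placeholder, since the guide names lce.log and lced but not their location.

```python
import ipaddress
import os
import socket

# Assumed placeholder: the directory where lced writes its own logs (including lce.log).
LCE_SERVER_LOG_DIR = "/opt/lce/logs"
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def server_is_local(server_address, local_ips=None):
    """Return True when the client would report to an LCE server on its own host.

    local_ips (this host's interface addresses) can be injected so the check is
    testable offline; when None, the hostname is resolved as a best effort.
    """
    if server_address in LOOPBACK_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(server_address)
    except ValueError:
        return False  # a non-loopback hostname is treated as remote
    if addr.is_loopback:
        return True
    if local_ips is None:
        try:
            local_ips = {socket.gethostbyname(socket.gethostname())}
        except OSError:
            local_ips = set()
    return str(addr) in set(local_ips)


def feedback_loop_risks(server_address, monitored_files, local_ips=None,
                        log_dir=LCE_SERVER_LOG_DIR):
    """Return the monitored paths that would feed lced's own output back into lced.

    A loop needs both conditions: the agent reports to the local LCE server and it
    tails a file that lced itself writes (anything under the server log directory).
    """
    if not server_is_local(server_address, local_ips):
        return []
    log_root = os.path.realpath(log_dir)
    risky = []
    for path in monitored_files:
        real = os.path.realpath(path)  # resolve symlinks and '..' so aliases are caught
        if real == log_root or real.startswith(log_root + os.sep):
            risky.append(path)
    return risky


if __name__ == "__main__":
    # Constructed sample: a Log Agent on the LCE server tailing lce.log and /var/log/messages.
    for p in feedback_loop_risks("127.0.0.1", ["/opt/lce/logs/lce.log", "/var/log/messages"]):
        print("feedback loop risk: %s" % p)
```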
Running Multiple LCE Clients on One Host
Remote systems can run multiple LCE Clients. When using the LCE Client Manager and LCE 4.0 clients, each client type
is identified and managed appropriately upon connection to the LCE server.
Maximum Number of LCE Clients
A maximum of 8,192 individual LCE Clients can be connected simultaneously to the LCE server. Once 8,192 clients have
connected, the LCE server will stop accepting new connections.
LCE Client Types and Platforms
There are a number of different LCE Client types available. All LCE Clients report performance statistics (memory, disk
space, and CPU usage) on their host regardless of the platform.