
Configuring SecurityCenter and the LCE for Audit Data Selection

SecurityCenter can be configured in conjunction with the LCE to provide for the selection of audit data to be viewed through the Raw Syslog Data section of SecurityCenter’s Analysis Tool.

To accomplish this, SecurityCenter admin logs must be configured to be sent to an LCE server via an LCE client. Per LCE documentation, ensure that an LCE client has initially been installed and configured on the SecurityCenter system and is running:

# ps -ef | grep lce_client

root 3156 1 0 11:42 ? 00:00:00 /opt/lce_client/lce_clientd

Navigate to the /opt/lce_client/lce_client.conf file on the SecurityCenter system and add the following line under the section “# All files in directories specified with the tail-dir option will be tailed” to configure the LCE client to send SecurityCenter admin logs to the LCE:

tail-dir /opt/sc4/admin/logs/*.log

Restart the “lce_client” service on the SecurityCenter system:

# service lce_client restart

Per LCE documentation, ensure that the SecurityCenter’s LCE client information has been added to the LCE system’s lce.conf file in /opt/lce/daemons/:

# Several formats are supported for specifying client information. These
# are (1) a single IP address, (2) an IP address with a CIDR range,
# (3) optional ranges in the third and fourth octets of the IP address,
# and (4) a range specified by start and end addresses.
# Examples of each follow. In every case, the authentication and sensor
# name defined within the block applies to every client covered by the
# chosen notation.

client [SecurityCenter IP address] {
    client-auth auth-secret-key [secret key string]
    sensor-name SC_LCE_Sensor
}

An additional line will also need to be added to the lce.conf file that will enable the LCE to support multiple plugin matches per log file:

# Additional line to provide for multiple matches on LCE plugins
multiple-matches

Please refer to the LCE Administration and User Guide for additional information on “multiple-matches” and multiple plugin matches per log file.

Restart the “lce” service on the LCE system:

# service lce restart

By default, the LCE system comes with a PRM file called “tenable_sc4_logs.prm” that contains the events audited by SecurityCenter. To select which of these default auditable events are shown, copy the tenable_sc4_logs.prm file to a new PRM file, edit and save it, and then search against it with a filter in the SecurityCenter Analysis Tool’s “Raw Syslog Data” selection.

To create and edit the new selection-based PRM file, navigate to /opt/lce/daemons/plugins on the LCE system and confirm the existence of the tenable_sc4_logs.prm file:

# ls -la tenable_sc4_logs.prm

-rwxr-x--- 1 lce lce 17191 Oct 17 14:40 tenable_sc4_logs.prm

As a user with permissions to manipulate files in this directory, such as ‘root’ or ‘lce’, copy the tenable_sc4_logs.prm file to a file with a similar but new name:

# cp tenable_sc4_logs.prm tenable_sc4_audit_logs.prm

Open the new file with a text editor. The first change is to create a unique “type:” for each event listed in the new PRM file, so that searches run through SecurityCenter can target the new PRM file directly. In the example shown below, the “id=” is given a unique number and the “type:” for the “name=The Security Center had a successful login.” event has been changed to “loginfo”:

id=8272
name=The Security Center had a successful login.
match= -
regex=Successful login for '([A-Za-z0-9\$\-\_]{1,25})' from ([0-9]+(\.[0-9]+){3})
log=event:SC4-Login user:$1 srcip:$2 type:loginfo

Events are selected or de-selected by uncommenting or commenting them within the new PRM file. For example, if your organization does not wish to audit SecurityCenter login events, find the “The Security Center had a successful login” section of the new file and add a “#” character to comment out the “id”, “name”, “match”, “regex” and “log” lines for that event:

#id=8272
#name=The Security Center had a successful login.
#match= -
#regex=Successful login for '([A-Za-z0-9\$\-\_]{1,25})' from ([0-9]+(\.[0-9]+){3})
#log=event:SC4-Login user:$1 srcip:$2 type:loginfo
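To see what the PRM entry format above and the comment-out selection step actually do to a raw log line, the following added example (not Tenable’s code) parses a constructed PRM excerpt in that layout, skips commented entries, applies each active regex, expands the $1/$2 references in the log= line, and emulates the “Type = loginfo” filter. The logout entry’s id, name and regex are hypothetical and not taken from tenable_sc4_logs.prm.

```python
import re

# Constructed excerpt of a selection PRM file in the layout shown on the page.
# The login entry is commented out; the logout entry (hypothetical) stays active.
PRM_TEXT = r"""#id=8272
#name=The Security Center had a successful login.
#match= -
#regex=Successful login for '([A-Za-z0-9\$\-\_]{1,25})' from ([0-9]+(\.[0-9]+){3})
#log=event:SC4-Login user:$1 srcip:$2 type:loginfo
id=8273
name=The Security Center had a logout.
match= -
regex=Logout for '([A-Za-z0-9\$\-\_]{1,25})' from ([0-9]+(\.[0-9]+){3})
log=event:SC4-Logout user:$1 srcip:$2 type:loginfo
"""

# Constructed SecurityCenter admin log lines in the shape the regexes expect.
LOG_LINES = [
    "Successful login for 'alice' from 10.0.0.5",
    "Logout for 'alice' from 10.0.0.5",
]

def parse_prm(text):
    """Collect id/name/match/regex/log entries; '#' lines are skipped, so a fully commented entry is never active."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cur[key.strip()] = value.strip()
        if key.strip() == "log":        # the log= line closes an entry
            entries.append(cur)
            cur = {}
    return entries

def match_line(entries, line):
    """Expanded log= fields for every entry whose regex matches (LCE behaviour with multiple-matches on)."""
    hits = []
    for e in entries:
        m = re.search(e["regex"], line)
        if m:
            expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), e["log"])
            hits.append(dict(kv.split(":", 1) for kv in expanded.split()))
    return hits

def select_by_type(entries, lines, type_name):
    """Emulate the Analysis Tool filter 'Type = <type_name>' over raw syslog lines."""
    return [f for line in lines for f in match_line(entries, line) if f.get("type") == type_name]
```

With the login entry commented out only the logout event survives the filter; removing the leading “#” characters makes both events appear again.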

When edits are completed, save the new PRM file to its current location. Ensure the file is owned by the lce user and lce group with the correct permissions by running the following commands:

# chmod 750 tenable_sc4_audit_logs.prm

# chown lce:lce tenable_sc4_audit_logs.prm

The original PRM may be disabled by adding the name of the file to the /opt/lce/admin/disabled-prms.txt file. See the section Excluding PRM Files in the LCE documentation.

After ownership and permissions are set, restart the “lce” service:

# service lce restart

To view the current selection and/or de-selection of auditable events through the new PRM file, log into SecurityCenter as a Security Manager (you may wish to create a new unique Security Manager account specifically for this function).

Note that because SecurityCenter administrator accounts do not have access to log data under “Analysis > Events” in SecurityCenter, a Security Manager account is best suited to perform this function. It is recommended to create a new Security Manager account, accessible only to SecurityCenter administrators, for viewing the logs in their selected form.

Once logged in, select “Analysis > Events”. Under the Analysis Tool, select “Raw Syslog Data” from the drop-down menu. Note that a filter must be applied before the selection made in the new PRM file is reflected in the overall audit log data set that is displayed.

To specifically target the SecurityCenter’s LCE client data, select a filter of “Type = [custom_type_name]”, where [custom_type_name] is the unique event type (loginfo in the example above) created for the customized PRM file (tenable_sc4_audit_logs.prm in the example above).

In the example screen capture below, only logout information is displayed for SecurityCenter users because the login section of the newly-created PRM file has been commented out:

Other sections of the custom PRM file can be commented or uncommented by an authorized system administrator to allow for selection of audited events per your organization’s logging requirements. Each change to the custom PRM file will require a restart of the LCE services.
