Q-See Remote Client Software V 4.0.1 User Guide

Content summary

Page 1 - Client Guide

Log Correlation Engine 4.0 Client Guide February 20, 2013 (Revision 5)

Page 2 - Table of Contents

10 After selecting the “r” option from the menu, the user is asked a yes or no question to revoke access to all clients or select the client to revo

Page 3

11 entered, answer the questions for the OS type, client type, and descriptive name for the policy. Once that information is entered, it will be imp

Page 4 - Introduction

12 lce_client_manager >> c Policy Filename Client Type OS TNS-MSExchangeServer_windows_tenableclient.lcp

Page 5

13 * LCE Client Manager 1.0 * Please select an option from the menu below ********************************************** [g] Grant authorization to

Page 6

14 [q] Exit WITHOUT saving changes lce_client_manager >> a Enter the new key to add to your policy: lce_client_manager >> recursive-d

Page 7 - Quick Start Summary

15 [statistics-frequency] -> [60] [compress-events] -> [1] [recursive-directory-changes] -> [/etc/httpd] ------- END POLICY -------

Page 8 - LCE Client Manager

16 [log-directory] -> [./] [interface] -> [eth0] [syslog-only] -> [no] [include-networks] [filter] -> [192.168.20.5/32]

Page 9

17 Once saved as a policy file, the converted file may be imported to the LCE Client Manager and assigned to the appropriate client(s). The followin

Page 10

18 A successful installation is indicated by the return of the command prompt with no errors. See Appendix 1 for example output of several installat

Page 11 - [q] Exit

19 # rpm -qa | grep lce_client lce_client-4.x.x-esX # Remove the installed package: # rpm -ev lce_client-4.x.x-esX LCE WMI Monitor Agent Determine

Page 12

2 Table of Contents Introduction ...

Page 13

20 LCE Client Configuration File Red Hat / CentOS LCE Client (Log Agent) /opt/lce_client/lce_client.conf LCE WMI Monitor Agent /opt/wmi_monitor/wmi_

Page 14

21 # The LCE server can be configured to listen on a user-specified # port. The setting below should match the server setting,

Page 15

22 heartbeat-frequency The number of seconds between each client heartbeat message to the LCE server. If “0”, it will not send heartbeats. A positiv

Page 16 - LCE Conf Converter

23 LCE WMI Monitor Agent The LCE WMI Monitor Agent is used to automate the collection of Windows Event Logs from remote Windows systems by using WMI

Page 17

24 <!-- Each WMI-host block specifies a Windows system to be monitored. It is no longer possible to specify username/password in th

Page 18 - Removing the LCE Clients

25 <!-- The heartbeat-frequency option defines the number of seconds between each pair of client heartbeat messages that are sent to the

Page 19

26 Password Password that will be used to perform Windows system login Monitor Specifies which Win32_NTLogEvent log files to track. If “All” is spec

Page 20 - LCE Client

27 When the wmi_config_credentials program is run on its own without options, it will read the default file /opt/wmi_monitor/wmi_monitor LCP policy

Page 21

28 Following the Warning: section, we have a list of the hosts within the configuration file followed by the total number of hosts in the configurat

Page 22

29 Selecting 4 will allow the user to delete an existing host from the records. After selecting the option, enter the number of the host to delete.

Page 23 - LCE WMI Monitor Agent

3 Tenable Network Monitor ...

Page 24

30 server # is currently supported. lce-server 192.168.1.160 { } # The LCE server can be configured to listen on a

Page 25 - WMI monitor LCP policy file

31 include-filter { proto 6; } exclude-filter { port 20; port 21; port 22;

Page 26

32 Tue Jul 18 13:30:39 - TFM-TCP_Session_Partial[9492|0]:192.168.1.4:21766 -> 192.168.1.5:2832|1153243809|1153243809|0 Tue Jul 18 13:31:05 - TFM

Page 27

33 # which contains full configuration information. options { # Network Monitor log messages are stored in files named according to the dat

Page 28

34 <!-- When the below option is set to yes, only syslog messages are reported, and all other traffic is ignored. --> <sys

Page 29 - Tenable NetFlow Monitor

35 selects which network packets will be processed. This expression relies on the syslog monitoring settings being enabled. lce-server Directs the T

Page 30

36 • Uploaded bytes • Downloaded bytes • Start time (Unix timestamp) • End time (Unix timestamp) • Length of session (in seconds) Alerts can in

Page 31

37 $NETWORK_MONITOR_DIR/$NETWORK_MONITOR_BIN &> /dev/null & To modify this default setting, add your filter statement after the command s

Page 32 - Tenable Network Monitor

38 LCE Client Starting Methods Red Hat / CentOS LCE Client (Log Agent) # service lce_client start or # /etc/init.d/lce_client start LCE WMI Monitor

Page 33

39 On most Unix or Linux systems, running the command “ps -e | grep lce_clientd” will provide output similar to “32321 ? 00:00:15 lce_clien

Page 34

4 Introduction This document describes various different clients that are available for Tenable Network Security’s Log Correlation Engine 4.0. Pleas

Page 35

40 Installing the Windows Client The LCE Windows Log Agent client is installed by clicking on the .msi distribution file, which will launch the Inst

Page 36

41 Installation Location The next screen allows the user to change the default installation location: Click the “Change…” button and select a new l

Page 37 - LCE Linux Client Operations

42 To facilitate this process, the option exists to set the client’s initial configuration settings at the time of the installation from the same co

Page 38

43 When connecting to a LCE 4.x server, the only configuration required is the LCE server IP address or DNS name and the port (if the server is con

Page 39

44 Key Name Description Valid Values event-log The name of a Windows NT Event log to monitor. Each event is sent to LCE as a new log. Any NT event l

Page 40

45 include Optional sub key. Files at “location” will only be monitored if they match this pattern. Wildcards are allowed. Optional sub key. Files a

Page 41 - Service Location

46 domain The domain of the remote machine to monitor A valid domain name. user The username of the account on the remote machine that should be use

Page 42 - Windows Client Configuration

47 • Example Custom LCE Log Parsing - Minecraft Server Logs – describes how to create a custom log parser using Minecraft as an example. Documentat

Page 43

48 Appendix 1: Sample Installation Output Red Hat The Red Hat distributions are in RPM format, similar to the following (the exact name of the clien

Page 44

49 Appendix 2: Sample Remove Output Red Hat To uninstall the LCE Log Agent client on a Red Hat platform, use the rpm command to first determine the

Page 45

5 The Log Correlation Engine (LCE) Clients are agents that are installed on systems whose logs, network traffic, performance and other types of pro

Page 46 - For More Information

50 Appendix 3: Non-Tenable License Declarations Below you will find third party software packages that Tenable provides for use with the Log Correla

Page 47

51 The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simpl

Page 48 - Red Hat

52 "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)" THIS

Page 49

53 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistribu

Page 50 - Related 3

54 About Tenable Network Security Tenable Network Security, the leader in Unified Security Monitoring, is the source of the Nessus vulnerability sca

Page 51

6 The LCE Clients written for 32-bit platforms will run on 64-bit systems as long as the 32-bit libraries are installed. However, native 64-bit sup

Page 52

7 Tenable Network Monitor RHEL/CentOS 5, 6 32/64-bit Designed to monitor network traffic and send session information to the LCE server. Sniffs netw

Page 53

8 LCE Manager and SecurityCenter Client Management Starting with LCE Manager and SecurityCenter versions 4.6, authorization and revocation of client

Page 54 - Tenable Network Security

9 All policy files (*.lcp) are stored on the LCE server in XML format in the /opt/lce/daemons/policies directory. If clients are being upgraded, the
