Log Correlation Engine Rules Update
Several PRM libraries and one TASL script have been updated and are available for download and use with the Log Correlation Engine. The list below shows what has changed; each entry links to the download URL for that PRM or TASL.
- detect_change.tasl: Support for Windows and FreeBSD system time change events.
- os_freebsd.prm: Support for FreeBSD system time change, disk errors, and more types of user login events.
- os_linux.prm: Support for Linux named logs.
- os_win2k_app.prm: Uses the Windows server name as the 'sensor' name.
- os_win2k_sec.prm: Uses the Windows server name as the 'sensor' name.
- os_win2k_sys.prm: Uses the Windows server name as the 'sensor' name.
- web_squid.prm: Support for more Squid logging formats.
- virus_symantec.prm: Support for Symantec anti-virus 'virus removed' messages.
To install these files, download them, place them in the /usr/thunder/daemons/plugins directory, and then restart the thunderd process.
Customers are encouraged to periodically review their notmatched.txt file, which lists every log that was collected but did not match a known pattern; a growing file is the first sign that a log source needs a new or updated PRM. Please contact Tenable if one of the supported applications or products is missing logs in your environment.
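As an added example (not Tenable's code) of the notmatched.txt review suggested above, the shell functions below summarize which host and program pairs are producing unmatched logs, so an analyst can quickly see which source needs PRM coverage. It assumes notmatched.txt holds one raw syslog-style line per entry ("Mon DD HH:MM:SS host program[pid]: message"); the actual file layout may differ, and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the LCE distribution.
# ASSUMPTION: each notmatched.txt line is syslog-style:
#   "Mar 10 12:00:01 host program[pid]: message"
# Adjust the awk field positions if your file uses another layout.

# Write a small constructed notmatched.txt to the path given as $1.
make_sample_notmatched() {
  cat > "$1" <<'EOF'
Mar 10 12:00:01 fw01 squid[1234]: TCP_MISS/200 1234 GET http://example.test/ - DIRECT
Mar 10 12:00:02 web01 httpd[100]: GET /index.html 200
Mar 10 12:00:03 fw01 squid[1234]: TCP_HIT/200 777 GET http://example.test/a - NONE
Mar 10 12:00:04 db01 named[55]: client 10.0.0.5#5353: query: example.test IN A
Mar 10 12:00:05 web01 httpd[100]: GET /login 302
Mar 10 12:00:06 web01 httpd[100]: GET /x 404
EOF
}

# Print "count host program" for every host/program pair that produced
# unmatched logs, highest count first. The program field has its
# "[pid]:" suffix stripped so entries group cleanly.
summarize_notmatched() {
  awk '{
    host = $4
    prog = $5
    sub(/\[.*$/, "", prog)   # drop "[pid]:" when present
    sub(/:$/,    "", prog)   # drop a bare trailing colon
    count[host " " prog]++
  } END {
    for (k in count) print count[k], k
  }' "$1" | sort -rn
}

# Return just "host program" for the noisiest unmatched source.
top_unmatched_source() {
  summarize_notmatched "$1" | head -n 1 | cut -d' ' -f2-
}

# Stand-alone usage: summarize a real file, or the constructed sample.
if [ "$#" -ge 1 ]; then
  summarize_notmatched "$1"
fi
```

Run it as `sh summarize_notmatched.sh /path/to/notmatched.txt`; the source at the top of the output is the one most in need of a PRM update or a support request.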