Setting up the Log Correlation Engine & Splunk
Tenable has recently released a new Log Correlation Engine (LCE) client that allows you to collect log data from Splunk installations to send to LCE, Tenable’s solution for log storage, normalization and correlation. If you have instances of Splunk in your environment, it’s a simple process to configure the integration. Below is an overview of the traffic flow:
- The Splunk server collects logs and has the ability to forward them to other sources. It can be configured to send log data and system events to Tenable’s LCE Splunk client on TCP port 9800. The LCE Splunk client will listen on this port and import the information sent to it by Splunk.
- The LCE Splunk client sends the Splunk log data to the LCE server using TCP port 31300 (the default port).
- The LCE server forwards the data to the Security Center over TCP port 22 using SSH. Data can be viewed under the “Analyze Logs” or “Search Raw Logs” selections on the Security Center menu.
Full documentation on the integration can be found in the Tenable Discussion Forums for registered users. If you require further assistance, and to access all of the LCE documentation, please visit the Tenable Customer Support Portal.
Once the integration is complete, you can see normalized logs from Splunk in the Security Center. Tenable recommends that you provide a descriptive name for each LCE source. Once you've done this, a filter can be created to only show alerts from that log source:
You can then view the alerts in the main window, including time-based graphs such as this:
While putting this into practice, there were two events that caught my attention immediately. The "SSH_fatal_error" and "SSH-Accepted_Password" that occurred during the same time period. This is concerning because it could mean that an attacker was trying to brute-force guess the password and was eventually successful. For this blog entry, we only focused on sending logs from Splunk to the LCE, but we could have also enabled a wide variety of correlation rules and statistical profiling. These rules would have automatically alerted on the brute force password guessing. If we review the "SSH-Accpted_Password" alert we can see that indeed a remote user logged in as root:
For Splunk users who may not be familiar with the LCE, it provides several additional (and useful) features, including:
- Normalization of logs
- Full-text searching
- User tracking
- Statistical anomaly detection
- Automatic identification of new events
The new LCE clients are not only available for Splunk, but for several platforms natively, including Red Hat, Mac OS X, FreeBSD, Solaris, Ubuntu and AIX (Refer to the LCE 3.2 release notes for more information about the latest version). Many of these Unix and Windows agents also support full process accounting and Windows event log analysis. This can make forensics analysis of monitored servers very easy, since an audit trail of all commands executed can be easily obtained.
The LCE is also integrated with the Security Center, which provides you with a full suite of vulnerability management tools, including log correlation, managing vulnerability data from Nessus, intrusion detection alerts from Snort and analysis of network packet logging. If you want to see a demo of these products in action, please visit our video demo page.
For Further Information
A recent webinar jointly produced by the 451 Group and Tenable Network Security discussed in detail the benefits of log aggregation and Enterprise Security Information Management (ESIM. The webinar talks in detail about how organizations are using log management, their requirements and how Tenable’s products can help organizations achieve their goals with respects to log management and correlation.
The LCE is sold as an add-on to the Security Center. Each LCE can store an unlimited amount of logs and is only limited by the amount of available hard drive space.