Splunk Lantern

Migrating from Tenable LCE to Splunk Enterprise Security

Tenable Log Correlation Engine (LCE) is a software module that aggregates, normalizes, correlates, and analyzes event log data from many types of devices within an organization's infrastructure. LCE also has the ability to analyze logs for vulnerabilities.

LCE is no longer supported. However, the Splunk platform, together with Splunk Enterprise Security, provides all of the functionality of LCE and more. The Splunk platform log aggregation process, which follows the cycle shown in the diagram below, gives your analysts powerful log analysis capabilities they can use to secure your organization.

[Diagram: the Splunk platform log aggregation cycle]

Solution comparison

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For additional assistance on this use case with ES 8.x, Splunk Professional Services can help.

Data ingestion

Just as LCE provides many types of data ingestion methods, so too does the Splunk platform, both on-premises and in the cloud.

Splunk platform:
  • Universal forwarder
  • Heavy forwarder
  • Modular inputs that poll external APIs
  • HTTP Event Collector
  • Direct over TCP/UDP

Tenable LCE:
  • The LCE client collector

Data normalization

After the data is ingested, normalization is critical to being able to search data from a variety of sources.

Splunk platform:

The Splunk platform supports all of the common formats and has custom parsing and add-ons which help to transform incoming data to a normalized format.

The Splunk platform also supports structured data in the form of data models. It offers the Common Information Model (CIM), a set of field names and tags which are expected to define the least common denominator of a domain of interest. You can use these data models to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations with Pivot. Using the CIM is critical for getting the most value from Splunk Enterprise Security threat detections.

Tenable LCE:

LCE supports many log formats, with plugins available to help support more.

Correlation searches

Correlation rules are searches that can identify a series of events that comprise a larger incident, using common fields, values, or time.

Splunk platform:

Using Splunk Enterprise Security, you can perform a correlation search to scan various data sources, and trigger an adaptive response action. Just as LCE provides automated responses, saved searches and alerts in the Splunk platform can be configured to respond automatically to events.

Tenable LCE:

LCE provides customizable correlation rules for detecting security threats from log data.
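The following Splunk configuration fragments are an added example for the two preceding sections (data normalization and correlation searches); they are not from this article, from Tenable, or from the Tenable Add-on for Splunk. The props.conf, eventtypes.conf and tags.conf stanzas map a hypothetical sourcetype lce:export, as produced when the dumped LCE logs are uploaded, onto the CIM Authentication data model, and the savedsearches.conf stanza defines an ES 7.x correlation search over that data model that creates a notable event. The sourcetype name, the raw field names srcip, dstip and username (assumed to be extracted by the sourcetype already), the "fail" heuristic for action, the threshold of 20 failures, and the search name are all assumptions made for the example.

```ini
# props.conf -- hypothetical sourcetype for the LCE export (assumption: the
# sourcetype's own extractions already produce srcip, dstip and username)
[lce:export]
# Rename the raw field names to the CIM Authentication field names src, dest, user
FIELDALIAS-lce_cim = srcip AS src dstip AS dest username AS user
# CIM Authentication expects action=success|failure; the match on "fail" is an
# assumed heuristic for this example, not a documented LCE log format
EVAL-action = if(match(_raw, "(?i)fail"), "failure", "success")

# eventtypes.conf -- select the login events from that sourcetype
[lce_authentication]
search = sourcetype="lce:export" ("login" OR "logon")

# tags.conf -- the authentication tag is what places these events into the
# CIM Authentication data model, so accelerated tstats searches can see them
[eventtype=lce_authentication]
authentication = enabled

# savedsearches.conf -- ES 7.x correlation search over the accelerated data model:
# more than 20 failed logins from one source to one account in 10 minutes
[LCE - Excessive Failed Logins]
search = | tstats summariesonly=true count from datamodel=Authentication.Authentication \
    where Authentication.action="failure" \
    by Authentication.src Authentication.user _time span=10m \
    | rename Authentication.src as src Authentication.user as user \
    | where count > 20
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
action.correlationsearch.enabled = 1
action.correlationsearch.label = LCE - Excessive Failed Logins
action.notable = 1
action.notable.param.rule_title = Excessive failed logins from $src$ for $user$
action.notable.param.security_domain = access
action.notable.param.severity = medium
```

Because the correlation search reads the accelerated Authentication data model rather than raw events, it only fires for events that carry the authentication tag and the CIM field names; that is the practical reason the normalization step has to come before the detection content, and it is the first thing to check when a migrated search returns nothing.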

Search and visualization

Splunk platform:
  • Splunk search processing language (SPL) offers more sophisticated search tools for statistical analysis and data visualization.
  • The Splunk platform lets you use saved searches to monitor for events in real time or on a schedule. It provides even more alert actions via custom add-ons.
  • The Splunk platform provides numerous visualization formats, and custom ones via Splunkbase apps.

Tenable LCE:
  • LCE offers basic text search with boolean operators, such as text='(linux OR nothing) AND process'.
  • LCE offers basic alert capabilities, and alert actions such as email, syslog alerts, and running custom commands on the LCE server.
  • LCE does not have visualization capabilities. Tenable SecurityCenter does, but it is limited in capability compared to the Splunk platform.

File integrity monitoring

Splunk platform:

The Splunk platform universal forwarder or heavy forwarder supports using OS-based tools such as Windows Audit File System and Linux Auditd. It also offers support for other third-party tools.

Tenable LCE:

The LCE Client can run file integrity monitoring on installed systems.

Solution

Ready to migrate to Splunk Enterprise Security? Use the following steps to perform the migration on your own, or skip to Next steps to see how to contact Splunk sales for more information.

Prerequisites

LCE version 6 stores data in Postgres database silos. In order to export all historical data, you must have access to the LCE instance and be able to run a few bash commands.

Procedure

  1. List each silo and its ID.
    # source /opt/lce/tools/source-for-psql-shortcuts.sh
    # psqlf silos.sql
  2. Dump the logs of each silo to a .txt file, or desired output location/format.
    # /opt/lce/tools/rebuild_logs <silo_id> > /tmp/dump_logs.txt
  3. After this is done, do one of the following:
    • Use the universal forwarder to read files and send data in chunks.
    • Upload data to the Splunk platform directly:
      1. In the Settings menu, select Add Data.
      2. In the "Or get data in with the following methods" section, click Upload files from my computer.
      3. Upload your log file.
      4. Set the source type, then click Next.
        It might be best to use a source type from the Tenable Add-on for Splunk.
      5. Configure the parsing for the host field and choose an index to store the data. Ideally, create a new index for this data. Then click Review.
      6. Review the information, then click Submit. Your file is uploaded and indexed to the Splunk platform.
  4. Replace the LCE client with Splunk platform forwarders. Using the LCE client as an agent to collect data on various endpoints is a crucial method of getting data into your environment. The Splunk platform offers different types of forwarders to meet your specific needs to collect and send data.
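The shell script below is an added example, not part of the Tenable or Splunk documentation, that wraps steps 1 and 2 of the procedure: it takes the silo IDs listed by silos.sql as arguments, runs rebuild_logs once per silo into a separate file under an export directory, and reports any silo that fails or produces no events, so that a missing silo is noticed before a forwarder is pointed at the directory. The REBUILD_LOGS and OUT_DIR variables, the output directory /tmp/lce_export and the silo_<id>.log file naming are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Tenable or Splunk documentation): export each LCE
# silo listed in step 1 to its own file so a forwarder can monitor the directory.
# Assumptions: rebuild_logs lives at REBUILD_LOGS, output goes under OUT_DIR,
# and the silo IDs are taken from the output of "psqlf silos.sql".
REBUILD_LOGS="${REBUILD_LOGS:-/opt/lce/tools/rebuild_logs}"
OUT_DIR="${OUT_DIR:-/tmp/lce_export}"

# export_silo <silo_id>
# Dumps one silo to $OUT_DIR/silo_<id>.log. Returns 1 if the ID is not numeric,
# if rebuild_logs exits non-zero, or if the dump is empty; an empty or failed
# dump is removed so a partial file is never mistaken for a complete export.
export_silo() {
    id="$1"
    case "$id" in
        ''|*[!0-9]*) echo "invalid silo id: '$id'" >&2; return 1 ;;
    esac
    mkdir -p "$OUT_DIR" || return 1
    out="$OUT_DIR/silo_$id.log"
    if ! "$REBUILD_LOGS" "$id" > "$out"; then
        echo "rebuild_logs failed for silo $id" >&2
        rm -f "$out"
        return 1
    fi
    if [ ! -s "$out" ]; then
        echo "silo $id produced no events" >&2
        rm -f "$out"
        return 1
    fi
    return 0
}

# export_all <silo_id>...
# Exports every silo given, prints a per-silo event count, and returns the
# number of silos that failed, so the caller can stop before pointing a
# forwarder at an incomplete export.
export_all() {
    failed=0
    for id in "$@"; do
        if export_silo "$id"; then
            echo "silo $id: $(wc -l < "$OUT_DIR/silo_$id.log") events"
        else
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh export_lce_silos.sh 1 2 3   (silo IDs from step 1)
if [ $# -gt 0 ]; then
    export_all "$@"
fi
```

Once every silo has exported cleanly, the same directory can be monitored by a universal forwarder (step 3, first option) instead of uploading each file by hand, and the per-silo counts printed here give a baseline to compare against the event count indexed in the Splunk platform.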

Next steps

Contact us at Splunk to learn more about why the Splunk platform, with Splunk Enterprise Security, is the right tool for your log correlation needs.

In addition, the following resources might help you learn more: