API - Tenable SecurityCenter
Tenable Security Center is a comprehensive vulnerability scanner. The LogRhythm System Monitor can import Security Center scan reports for monitoring and analysis. This document provides information about how to collect Security Center data with the LogRhythm System Monitor.
LogRhythm supports collection from Tenable Security Center versions up to and including 5.18.
Prerequisites
Note the following before you start to configure Security Center collection:
- The System Monitor must have Internet access.
- Obtain the following from Tenable:
  - Tenable.io Vulnerability Scanner: the access key and the secret key.
  - Security Center: the user name and password for the account.
Configure the tenablesecuritycenter.ini File
A LogRhythm System Monitor is used to collect from Security Center. To configure the System Monitor, you will modify the Security Center configuration file (tenablesecuritycenter.ini) on the host where the System Monitor is installed. A default configuration file is available in the System Monitor's config directory.
The tenablesecuritycenter.ini file can be found in the C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ directory. The following configuration settings are available in the file:
| Setting | Default Value | Description |
|---|---|---|
| TenableSecurityCenterHosts | CHANGE_THIS | The host name or IP address of the Security Center host. |
| TenableSecurityCenterXMLRPCPort | 443 | The port where Security Center is running. This port must be opened on any firewalls running on the Security Center server. |
| UserName | CHANGE_THIS | The username to send for logging in to the Security Center server. |
| Password | CHANGE_THIS | The password to send for logging in to the Security Center server. The password must be encrypted using the lrcrypt command line utility. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. Usage: `lrcrypt [-e passwordtoencrypt] [path\inifile]` |
| Monday...Sunday | Monday=true | Flags indicating the days of the week on which to query the Security Center API. For each day that you want to collect, set the corresponding day to true. |
| Time | 13:00 | The time of day when logs are downloaded. Both 12-hour and 24-hour time formats are recognized, for example 01:00 or 11:00 PM. Scan data can be pulled only once per day. |
| StartupDelayInSeconds | 60 | The number of seconds the System Monitor waits after startup before querying the API, if a query is due when the System Monitor starts. |
| Timeout | 100 | The timeout (in seconds) to use when requesting data from the API. The range is 0-300 seconds (0=infinite). |
| ErrorReportRetryTimeSpan | 60 | The amount of time (in minutes) that the System Monitor waits before retrying the connection following an error. |
| ErrorReportRetryCount | 3 | The number of times the agent tries to fetch data for reports that throw an error during read. |
| Version | V6 | Not currently used. |
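As an added example (not LogRhythm's own tooling), the following Python script checks a tenablesecuritycenter.ini for the mistakes the table above makes possible: placeholders left in place, no collection day enabled, an unrecognized Time value, or a Timeout outside the documented range. The `[TenableSecurityCenter]` section header and the sample values are assumptions; the keys are the ones documented here.

```python
import configparser
from datetime import datetime

# Constructed sample contents. The [TenableSecurityCenter] header is an assumption
# (the shipped file's header may differ); the keys are those documented above.
SAMPLE_INI = """[TenableSecurityCenter]
TenableSecurityCenterHosts=CHANGE_THIS
TenableSecurityCenterXMLRPCPort=443
UserName=svc_logrhythm
Password=CHANGE_THIS
Monday=true
Time=11:00 PM
StartupDelayInSeconds=60
Timeout=500
ErrorReportRetryTimeSpan=60
ErrorReportRetryCount=3
"""

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
TIME_FORMATS = ("%H:%M", "%I:%M %p")  # 24-hour (01:00) and 12-hour (11:00 PM)

def parse_time(value):
    """Return a time for the documented 12/24-hour formats, or None if unparseable."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).time()
        except ValueError:
            continue
    return None

def check_ini(text):
    """Return the list of problems found in the ini text (empty when it is clean)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    problems = []
    for name in cfg.sections():
        s = cfg[name]
        # Placeholders mean the agent cannot log in; lrcrypt output is not verified here.
        for key in ("TenableSecurityCenterHosts", "UserName", "Password"):
            if s.get(key, "CHANGE_THIS").strip() == "CHANGE_THIS":
                problems.append(f"{key} still has the placeholder value")
        if not any(s.getboolean(d, fallback=False) for d in DAYS):
            problems.append("no collection day is set to true")
        if parse_time(s.get("Time", "")) is None:
            problems.append("Time is not a recognized 12-hour or 24-hour time")
        timeout = s.getint("Timeout", fallback=-1)
        if not 0 <= timeout <= 300:
            problems.append(f"Timeout {timeout} is outside the documented 0-300 range")
    return problems
```

Running `check_ini` on the real file before restarting the System Monitor surfaces the configuration errors that would otherwise only show up as failed logins or missed collection windows.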
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - Tenable SecurityCenter. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
  - File Path. <path to log file, including the file name and extension>
For multiple users, you can create multiple tenablesecuritycenter.ini files and multiple Security Center log sources.