For an introduction to Assets, see What are Managers, Log Sources, and Assets?.
For the following Collectors (see What are Collectors?), you can add multiple Assets with common properties at the same time.
Check Point Collectors
Cisco IDS Collectors
File Collectors
Advanced File Collectors
Network Collectors
WinLog Collectors
To add multiple Assets:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Assets.
   TLC presents your Assets in the workspace table.
   Tip: You can sort, group, and filter the contents of tables. For more information, see Working with Tables.
3. In the workspace, right-click an Asset and select Add Multiple Assets.
4. Complete the tabs in the Add Multiple Assets wizard (see Table 51).
5. Click Start.
Tab | Description |
---|---|
Assets |
To add the Log Sources for the Assets you want to create, use the buttons at the top of the Assets tab. You can manually enter the Asset properties, Auto-Discover Assets by querying a domain's Active Directory, or import a comma-separated value (CSV) file with a defined list of Assets.
Manual Entry
To manually enter the properties of your Assets:
1. Click Add Asset. TLC adds a table row to the Assets tab.
2. Enter the IP address of an Asset, along with a Name and Description of your choice.
3. Repeat these steps to add other Assets.
With Auto-Discovery, TLC retrieves host information from a domain's Active Directory in the following format:
<hostname>.<domain>
Example: WindowsServer2003.lab.mydomain.com
To Auto-Discover the Assets in a domain:
1. Click Add from Domain.
2. Complete the Select a Domain dialog and click Start.
Directory Entry. The Active Directory host name, domain name, or domain/location (e.g. corp.mycompany.com/CN=Computers,DC=corp,DC=mycompany,DC=com) from which the Assets will be Auto-Discovered.
Username. The username for a user account with access to the Active Directory.
Password. The password of the user account.
Host Filter. (Optional) A .NET regular expression to limit Auto-Discovery to Assets with specific names.
IP Filter. (Optional) A .NET regular expression to limit Auto-Discovery to Assets with specific IP addresses.
Note: If the domain of an Asset cannot be retrieved, TLC simply saves the host name. If a host's IP address cannot be resolved, TLC will save the entry as 0.0.0.0. In this case, you should either delete the Asset or manually edit the IP address.
CSV Files
In a CSV file, each line in the file should be formatted as follows:
<name>,<IP_address>,<description>
Where <name> is a name of your choice for the Asset, <IP_address> is the IP address of the Asset's Log Source, and <description> is a description of the Asset.
To import a CSV file:
1. Click Add from File.
2. Click Browse and select the file.
3. Click Start.
To remove an Asset from the list, select the Asset and click Remove. |
Note: This tab only appears if an Advanced File Collector is selected in the Collector field of the Settings tab.
This tab specifies the Log Sources to be assigned to the Assets.
Enabled. Indicates if TLC is collecting log messages from a Log Source.
Name. A descriptive name for a Log Source.
To add a Log Source, click Add and complete the Log Source dialog (see Working with Log Sources for an Advanced File Collector).
To change the properties of a Log Source, double-click the Log Source and complete the Log Source dialog.
To remove a Log Source, select the Log Source and click Remove.
To enable or disable a Log Source, select the Log Source and click Enable or Disable.
Tip: You can also access these commands by selecting and right-clicking a Log Source. |
|
In this tab, add the Output Destinations to be assigned to each of the Assets. For an introduction to Output Destinations, see How does Log-Message Normalization work?.
To add an Output Destination:
1. Click Add.
2. From the Input Type drop-down, select the appropriate option for the Asset's Log Sources.
3. Select the Output Destination and click Add.
To remove an Output Destination, select the destination and click Remove.
Tips:
Since saving log messages in an Event-Management Database can overload the database with Events, Tripwire recommends that you exercise discretion when assigning databases as Output Destinations.
To maintain a comprehensive record of 'raw' log messages from an Asset's Log Source, assign the Audit Logger as an Output Destination.
If you do assign an Event-Management Database as an Output Destination, and the database is consequently overloaded with Events, click here for troubleshooting tips.
If the Asset is a scanner (see What are Scanner Events?), Event Databases may be assigned as Output Destinations, but not Firewall Databases or IDS Databases. |
|
Rules |
Notes:
1) This tab does not appear if a Cisco IDS Collector or Check Point Collector is selected in the Collector field of the Settings tab.
2) If the Asset is a scanner (see What are Scanner Events?), the Normalization Rules assigned to this tab will have no effect. Instead, TLC automatically normalizes Scanner Events.
In this tab, add the Normalization Rules to be assigned to the Assets. When the Normalization Engine receives a log message from the Asset's Collector, TLC will execute the rules in the order in which they appear in this tab.
To assign Normalization Rules:
1. Click Add.
2. In the Modify Rules for Asset dialog, select the check box for each rule to be added and click OK.
To change the order of the Normalization Rules, use the buttons on the right of the Rules tab. |
Settings |
Note: If a Cisco IDS Collector is selected in the Collector field, the Settings tab includes the Username and Password fields. If a WinLog Collector is selected, the Settings tab includes the Username, Password, and Method fields. Otherwise, these fields do not appear in this tab.
This tab defines general settings for the Assets.
Location. Specifies a Location for the Assets (see Working with Locations).
Enabled. (Optional) Select this check box to enable log-message collection for the new Assets.
Type. The type of Log Sources for which you will create Assets.
Group. Specifies an Asset Group to which the Assets will be assigned.
Add Normalization Rules to Group. (Optional) Select this check box to have TLC automatically assign the Normalization Rules for the (Log Source) Type to the Asset Group.
Collector. The type of Collector that will gather log messages from the Asset's Log Source (see What are Collectors?).
Username. The username of the user account to be employed by TLC for authentication with the Assets' Log Sources (either Windows systems or Cisco IDS devices).
Password. The password of the user account.
Method. The type of WMI Connection to be employed for communication with the Assets' Log Sources (Windows systems). The Asynchronous method uses a constant connection with the Windows Event Log. The Synchronous method polls the Windows Event Logs for new log messages.
Note: The Username and Password fields are not required if 1) the Log Sources are Windows systems with a WinLog Collector, 2) the Assets' Manager has a WinLog Collector assigned to its Installed Modules tab (see Working with Managers), 3) the Windows systems and Manager host system are in the same domain, and 4) the service user running the Manager has permission to collect WMI log messages. |
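
A pre-import check for the CSV format described under CSV Files in the Assets tab, added here as an example and not part of TLC or its documentation. The function name, the IPv4-only rule, and plain comma splitting without quoting are assumptions; the sample rows are constructed.

```python
import ipaddress

# Constructed sample import file; names and addresses are made up.
SAMPLE_CSV = """\
fw-edge-01,192.0.2.10,Perimeter firewall
dc-01,192.0.2.20,Domain controller
web-01,192.0.2.300,Web server
file-01,0.0.0.0,File server
dc-02,192.0.2.20,Second domain controller
db-01,192.0.2.40,Database, primary
,192.0.2.50,Unnamed host
"""

def validate_asset_csv(text):
    """Check <name>,<IP_address>,<description> lines; return (assets, problems)."""
    assets, problems, first_seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # skip blank lines
        # Assumption: plain comma splitting, no quoting, so a comma inside
        # the description is reported rather than guessed at.
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 3:
            problems.append((lineno, f"expected 3 fields, found {len(fields)}"))
            continue
        name, ip_text, description = fields
        if not name:
            problems.append((lineno, "empty Asset name"))
            continue
        try:
            ip = ipaddress.IPv4Address(ip_text)  # assumption: IPv4 only
        except ValueError:
            problems.append((lineno, f"invalid IP address {ip_text!r}"))
            continue
        if ip.is_unspecified:
            # 0.0.0.0 is the value the page says marks an unresolved host.
            problems.append((lineno, "placeholder address 0.0.0.0"))
            continue
        if ip in first_seen:
            problems.append((lineno, f"IP {ip} repeats line {first_seen[ip]}"))
            continue
        first_seen[ip] = lineno
        assets.append({"name": name, "ip": str(ip), "description": description})
    return assets, problems

if __name__ == "__main__":
    good, bad = validate_asset_csv(SAMPLE_CSV)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```

Rows reported as problems are better corrected in the file before using Add from File than edited one by one in the Assets tab afterwards.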