This topic explains how to 1) assign a File Collector to an Asset, and 2) schedule collection of log messages from the Asset's Log Source.
To configure the Asset:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Assets.
   TLC presents your Assets in the workspace table.
   Tip: You can sort, group, and filter the contents of tables. For more information, see Working with Tables.
3. In the workspace, double-click the Asset.
4. In the Settings tab of the Asset properties dialog, select the File Collector from the Collector drop-down.
5. In the Schedule tab, define a schedule for the collection of log messages from the Log Source. For more information, see Table 48.
6. Select and complete the File Collection tab (see Table 55).
7. Select and complete the Output Destinations tab (see Table 48).
8. If you selected EVT as an Input Type in the Output Destinations tab, complete the Advanced tab (see Table 48). For further details, see Processing EVT and EVTX Files.
9. Complete the remaining tabs in the Asset properties dialog (see Table 48) and click OK.
Field | Description
---|---
Download method | The communication protocol for the collection of log messages.
File server | The IP address or host name of the Log Source system from which to download the file.
Port | The port on the Log Source to be used for communication with TLC.
Username | The username of the user account with which TLC will authenticate with the Log Source.
Password | The password for the user account.
Log-file path | The full path to each log file to be collected from the Asset by the File Collector. Each path should be entered on a separate line, and this field cannot exceed 1,024 characters. Scanner exports, friendly names and date variables for this field are described below.

If the Asset is a scanner (see What are Scanner Events?), these files are exported from the scanner. The following topics explain how to create these files:
Configuring an Nmap Security Scanner
Configuring a Tenable Nessus Vulnerability Scanner
Configuring a Tripwire VnE Manager

To assign a 'friendly name' to a file, use the following syntax:
<path>\<filename>|<friendly_name>
For example:
C:\log_directory\log_file.log|My_Log_File

If you assign a friendly name, and the File Collector - Store Log Filename with Event Advanced Setting is enabled in your Manager's properties dialog (see Table 47), TLC will insert the name at the beginning of each related log message displayed in the Audit Logger. You can also use the friendly name when searching for log messages (see Searching for Log Messages).

For more information, see Date Syntax for Log Source Timestamps.
Processing EVT and EVTX Files

In the Output Destinations tab of the Asset properties dialog (see Table 48) or Configure Multiple Assets dialog (see Table 52), you can select EVT or EVTX as an Input Type. To create an EVT or EVTX file, see: https://msdn.microsoft.com/en-us/library/gg163107%28v=bts.70%29.aspx

An EVTX file is an event-log file (.evtx) created by Windows 2008 or later. These log types include Application, Security, Setup, System, and Forwarded Events. To normalize and correlate EVTX files (see How does Log-Message Normalization work? and How does Event Correlation work?), you must manually copy the file and the associated LocaleMetaData folder (and the enclosed .mta file) to the following location on the TLC Manager:
C:\<install_dir>\FileCollector\<asset_id>\
Where: <install_dir> is the TLC Manager installation directory, and <asset_id> is the unique ID of the Asset. TLC cannot process EVTX files larger than 20 MB.

An EVT file is an event log (.evt) created by Windows 2003 or earlier. For EVT files, you must specify the type of Event Log in the Advanced tab of the Asset properties dialog (see Table 48) or Configure Multiple Assets dialog (see ). These log types include Application, Security, System, DNS Server, File Replication, Directory Service, and Custom. For each selected type of Event Log, TLC creates the following directory for the Asset(s):
C:\<install_dir>\FileCollector\<asset_id>\<event_log_type>
Where <event_log_type> is the type of Event Log selected in the Advanced tab. For example, if you select Security in the Advanced tab, TLC creates the following directory:
C:\<install_dir>\FileCollector\<asset_id>\Security
To have TLC normalize and correlate log messages from an EVT event log, you must manually copy an EVT log file to this directory. For example, if you selected the Security check box, you must copy a Security EVT log file to the Asset's Security directory.

Note: If you copy an EVT or EVTX log file from another system (i.e., a system other than the TLC Manager), TLC may be unable to process all fields in the log messages due to differences in DLL files, APIs, operating systems, language, and/or Service Packs.
Some Log Sources produce dated log files. In some TLC Console fields, you can enter variables to specify these dates. For example, in a filename variable (<filename>) entered in the Log-file path field of the File Collection tab in the Asset properties dialog (see Table 55), you can enter a variable with the following format to specify log files with the current date:
<Date:[date_values]-[numerical_value][minus_type]>
Date-format variables include:
mm = Minute
hh = Hour (01-12)
HH = Hour in military time (00-23)
dd = Day (01-31)
ddd = Day of week (MON, TUE, WED, THU, FRI, SAT, or SUN)
MM = Month, numeric (01-12)
MMM = Month, abbreviated (JAN, FEB, MAR, etc.)
yyyy = 4 digit year (e.g. 2010)
yy = 2 digit year (e.g. 10)
Optional values that may be entered in the [minus_type] variable include:
h = Hour
m = Minute
d = Day
M = Month
y = Year
For example, if the current date is October 20, 2010:
ex<Date:yyMMdd>.log = ex101020.log
ex<Date:yyMMdd-1d>.log = ex101019.log
ex<Date:yyyyMMdd>.log = ex20101020.log
D:\IISLogs\W3SVC3012345\ex<Date:yyMMdd-1d>.log = D:\IISLogs\W3SVC3012345\ex101019.log
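As an added example (not part of the TLC documentation), the following Python function expands the <Date:...> variables described above in a Log-file path template, reproducing the page's sample results for October 20, 2010 and also handling the h/m/M/y offsets and the case-sensitive mm (minute) versus MM (month) tokens. The mapping of tokens to strftime directives and the clamping of -M/-y offsets to the last day of a shorter month are assumptions; the page does not state how TLC resolves those cases.

```python
import calendar
import re
from datetime import datetime, timedelta

# Page tokens -> strftime directives, longest first so "MMM" wins over "MM"
# and "ddd" over "dd". Case matters: "mm" is minute, "MM" is month.
_TOKENS = [("yyyy", "%Y"), ("MMM", "%b"), ("ddd", "%a"), ("HH", "%H"),
           ("hh", "%I"), ("dd", "%d"), ("MM", "%m"), ("mm", "%M"), ("yy", "%y")]
_TOKEN_RE = re.compile("|".join(t for t, _ in _TOKENS))
_DIRECTIVE = dict(_TOKENS)
# <Date:date_values> with an optional "-N<unit>" offset, unit in h/m/d/M/y.
_VAR_RE = re.compile(r"<Date:(.*?)(?:-(\d+)([hmdMy]))?>")
REF = datetime(2010, 10, 20, 14, 5)  # constructed: the page's example date

def _minus_months(stamp, months):
    """Step back whole months; clamp the day to the target month's length
    (assumption: the page does not say how TLC handles 31 Mar minus 1M)."""
    total = stamp.year * 12 + stamp.month - 1 - months
    year, month = divmod(total, 12)
    month += 1
    day = min(stamp.day, calendar.monthrange(year, month)[1])
    return stamp.replace(year=year, month=month, day=day)

def _shift(stamp, amount, unit):
    if unit in "hmd":
        kw = {"h": "hours", "m": "minutes", "d": "days"}[unit]
        return stamp - timedelta(**{kw: amount})
    return _minus_months(stamp, amount if unit == "M" else 12 * amount)

def _render(stamp, token):
    text = stamp.strftime(_DIRECTIVE[token])
    # The page lists MMM/ddd in upper case (JAN, MON); strftime gives "Jan".
    return text.upper() if token in ("MMM", "ddd") else text

def expand_date_vars(template, now=None):
    """Replace every <Date:...> variable in a Log-file path template."""
    now = now or datetime.now()

    def repl(m):
        fmt, amount, unit = m.groups()
        stamp = _shift(now, int(amount), unit) if amount else now
        return _TOKEN_RE.sub(lambda t: _render(stamp, t.group(0)), fmt)

    return _VAR_RE.sub(repl, template)

if __name__ == "__main__":
    for p in ("ex<Date:yyMMdd>.log", "ex<Date:yyMMdd-1d>.log",
              r"D:\IISLogs\W3SVC3012345\ex<Date:yyMMdd-1d>.log",
              "<Date:ddd>_<Date:MMM>_<Date:hh>-<Date:HH>-<Date:mm>.log"):
        print(p, "=", expand_date_vars(p, REF))
```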