With Auto-Discovery, Tripwire Log Center (TLC) automatically creates an Asset for a Log Source. TLC auto-discovers Agents running Windows (see Auto-Discovery of a Windows Agent), as well as Assets for which TLC collects log messages with the File Collector or Network Collector (see Auto-Discovery of an Asset other than an Agent).
An Asset-Configuration Rule applies configuration properties to an auto-discovered Asset if the Asset satisfies criteria specified by the rule. For more information, see Working with Asset-Configuration Rules.
When the Agent software is installed and configured on a Microsoft Windows host system (see Installing the Agent Using a Pre-Shared Key), the Agent notifies its TLC Manager. TLC then creates a new Asset for the Agent (see Figure 32) and assigns the Advanced Windows Collector to the Asset (see Table 27).
Figure 32. Auto-Discovery of a Tripwire Agent
Does the Configuration Manager contain this Asset?
Yes = If the Configuration Manager (on the TLC Manager to which the Agent is connected) contains an Asset with the same universally unique identifier (UUID) as the Agent, no further action is taken.
No = TLC creates a new Asset for the Agent, assigns the Advanced Windows Collector to the Asset, and assigns the Asset to the Discovered Asset Group.
Note |
The Agent installer assigns a UUID to each Agent, and the Agent will change its UUID if: 50% or more of the Media Access Control (MAC) addresses on the Agent host system change (for example, if the system is cloned), or The Agent state files become corrupted and must be recreated. |
---|
If a File Collector or Network Collector receives a log message from a Log Source for which an Asset does not currently exist, TLC initiates the Auto-Discovery process. The steps below explain how TLC determines if an Asset should be created for the Log Source (outlined in red in Figure 33).
Figure 33. Auto-Discovery of an Asset other than an Agent
Is Auto-Discovery enabled?
Yes = If Auto-Discovery is enabled in the Collector's tab of the Manager’s properties dialog (see Working with Managers), TLC proceeds with the Auto-Discovery process.
No = Otherwise, TLC ignores the log message.
Does the IP address match the Collector's IP filter?
Yes = If the IP address of the Log Source matches the 'IP address filter' defined in the Collector's tab of the Manager properties dialog, TLC creates a new Asset for the Log Source. In the Asset's properties dialog, TLC assigns:
All Normalization Rules applicable to this type of Log Source
(Network Collectors only) The Manager's Correlation Engine (see How does Event Correlation work?)
No = Otherwise, TLC ignores the log message.
Note |
File Collectors do not have an 'IP address filter.' Therefore, if the message was collected by a File Collector, TLC creates an Asset for the Log Source regardless of the Log Source's IP address. |
---|