How does Auto-Discovery work?

With Auto-DiscoveryAn automated process by which TLC creates an AssetAn object in TLC that represents a Log Source from which TLC collects log messages directly. for an unknown Log SourceAny log-generating application, operating-system service, database instance, or device from which TLC collects log messages. that generated a log messageA data record generated by a Log Source and collected by TLC. collected by TLC., Tripwire Log Center (TLC) automatically creates an Asset for a Log Source. TLC auto-discovers Agents running Windows (see Auto-Discovery of a Windows Agent), as well as Assets for which TLC collects log messages with the File CollectorA type of CollectorA TLC module that gathers or receives log messages from Log Sources. that gathers log messages from Log Sources that store messages in an ASCII log file. or Network CollectorA type of Collector that listens for Syslog and SNMP-based log messages from network devices. (see Auto-Discovery of an Asset other than an Agent).

An Asset-Configuration RuleApplies configuration properties to an auto-discovered Asset if the Asset satisfies criteria specified by the rule. applies configuration properties to an auto-discovered Asset if the Asset satisfies criteria specified by the rule. For more information, see Working with Asset-Configuration Rules.

Auto-Discovery of a Windows Agent

When the Agent software is installed and configured on a Microsoft Windows host system (see Installing the Agent Using a Pre-Shared Key), the Agent notifies its TLC ManagerTripwire Log Center Manager is the core software in your TLC environment. TLC Manager collects and processes log messages from a wide variety of systems and devices.. TLC then creates a new Asset for the Agent (see Figure 32) and assigns the Advanced Windows CollectorA type of Collector that collects log messages from Windows Event1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a. Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message' collected from a Log Source. Logs on Agent systems via the Secure Sockets Layer (SSL) protocol. to the Asset (see Table 27).

Figure 32.  Auto-Discovery of a Tripwire Agent (click to enlarge)

Does the Configuration Manager contain this Asset?

Yes = If the Configuration ManagerIn the Configuration Manager, you can create and configure TLC Resources (Assets, Asset Groups, Managers, Locations, Event-Management Databases), normalization objects (NormalizationThe process of standardizing log messages for use by TLC. Standardized messages are known as Normalized Messages. Rules, Aliases, and Normalized-Message Filters), and correlation objects (CorrelationThe examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients. Engines, Rules, Lists, and Actions). (on the TLC Manager to which the Agent is connected) contains an Asset with the same universally unique identifier (UUID) as the Agent, no further action is taken.

No = TLC creates a new Asset for the Agent, assigns the Advanced Windows Collector to the Asset, and assigns the Asset to the Discovered Asset Group.

Auto-Discovery of an Asset other than an Agent

If a File Collector or Network Collector receives a log message from a Log Source for which an Asset does not currently exist, TLC initiates the Auto-Discovery process. The steps below explain how TLC determines if an Asset should be created for the Log Source (outlined in red in Figure 33).

Figure 33.  Auto-Discovery of an Asset other than an Agent (click to enlarge)

Is Auto-Discovery enabled?

Yes = If Auto-Discovery is enabled in the Collector's tab of the Manager’s properties dialog (see Working with Managers), TLC proceeds with the Auto-Discovery process.

No = Otherwise, TLC ignores the log message.

Does the IP address match the Collector's IP filter?

Yes = If the IP address of the Log Source matches the 'IP address filter' defined in the Collector's tab of the Manager properties dialog, TLC creates a new Asset for the Log Source. In the Asset's properties dialog, TLC assigns:

All Normalization Rules applicable to this type of Log Source

(Network Collectors only) The Manager's Correlation EngineThe component of your Primary ManagerEach TLC environmentConsists of all TLC software, Managers, Log Sources, Assets, Collectors, and data in your TLC installation. has a single Primary Manager that controls: 1. The storing of log messages in the Audit LoggerThe TLC Console1. Tripwire Log Center Console is the software for the TLC graphic user interface (GUI), or 2. The Tripwire Log Center GUI. Through the TLC Console, you can configure TLC, oversee your TLC environment, and manage log and event data. component in which you can work with the log messages collected by TLC. File Store and Events in Event-Management Databases, 2. The configuration settings for your TLC environment, and 3. User access and license management for TLC. responsible for identifying events of interest. To correlate events, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine. (see How does Event Correlation work?)

No = Otherwise, TLC ignores the log message.