What are Managers, Log Sources, and Assets?

A Manager is a host system for TLC Manager software, and a TLC Console host is a system on which TLC Console software has been installed. If TLC Manager and Console are installed on the same system, the system is referred to as a Manager.

Most systems and devices on a network record information about their operation in a log. A Log Source is any log-generating application, operating-system service, database instance, or device from which TLC collects log messages. An Asset is an object in TLC that represents a Log Source from which TLC collects log messages directly.

Each Asset specifies the IP address of a Log Source and a single Collector. A Collector is a TLC module that gathers or receives log messages from Log Sources. To communicate with a Log Source, a Collector employs a protocol appropriate for the system -- for example, SNMP for network devices or WMI for Windows operating systems. For descriptions of Collector types, see Table 27.

Notes

An Asset using an Oracle Database Collector can collect log messages from multiple Log Sources (i.e., database instances and views). All other Assets collect messages from a single Log Source.

Installed on a Windows or Linux system, an Agent is a service that collects log messages from any log-generating application running on the system. When installed on a Windows system, Agents can also collect the system's Windows Event Logs via the Secure Sockets Layer (SSL) protocol. For more information, see Table 27.

Your Tripwire Log Center (TLC) environment consists of all TLC software, Managers, Log Sources, Assets, Collectors, and data in your TLC installation.

Primary and Secondary Managers

Each Manager may be configured to perform the following core functions:

Collection. The gathering or receipt of log messages from Log Sources (see What are Collectors?).

Classification. The application of 'Tags' to categorize log messages (see How does Classification work?).

Normalization. The process of standardizing log messages for further use by TLC (see How does Log-Message Normalization work?). Standardized messages are known as Normalized Messages.

Correlation. The examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients (see How does Event Correlation work?).

Each TLC environment has a single Primary Manager. In addition to the core Manager functions outlined above, the Primary Manager controls:

The storing of log messages in the Audit Logger File Store (see What is the Audit Logger?) and Events in Event-Management Databases (see Where does TLC store Data?).

The configuration settings for your TLC environment (see About TLC Settings and Global Settings).

User access and license management for TLC (see About User Access and Licensing).

Your TLC environment may also include one or more Secondary Managers. In addition to the core Manager functions, a Secondary Manager may be configured to either:

Store log messages (as with a Primary Manager), or

Forward log messages to another Manager.

By adding one or more Secondary Managers to your TLC environment, you can distribute TLC functionality to meet your organization's needs. The use of Secondary Managers can improve performance while also giving you the ability to partition your TLC data based on geography, business unit, or function. To determine if a Secondary Manager would be helpful in your TLC environment, see Planning your TLC Environment or consult your Tripwire Customer Service Representative.

Notes

Concentrator is an obsolete term for a Secondary Manager that has been configured to forward log messages.

If you change the IP address of a Manager, you must:

1. Change the IP address in the Settings tab of the Manager's properties dialog (see Working with Managers), and
2. Assign a new certificate to the Manager in the TLC Manager Interface (see Configuring your Manager's SSL Certificate).