Getting Started with Tripwire Axon Agent for TLC

The Axon Agent is Tripwire’s new generation of agent technology. Installed on an endpoint to be monitored, Tripwire Axon Agent for TLC is the software that provides data to Tripwire Log Center Manager.

Supported Platforms

Tripwire Axon Agent for TLC software can be installed on a wide and growing range of operating systems. For this release, the Agent is supported on:

Amazon Linux 2016.09, 2017.03 (64-bit)

CentOS Linux 5.3 - 5.11 (32- and 64-bit)

CentOS Linux 6.0 - 6.9 (32- and 64-bit)

CentOS Linux 7.0 - 7.4 (64-bit)

Debian Linux 8.5 - 8.9 (32- and 64-bit)

Oracle Linux RHCK 6, 6.7+ (64-bit)

Oracle Linux RHCK 7, 7.2+ (64-bit)

Oracle Linux UEK 6, 6.7+ (64-bit)

Oracle Linux UEK 7, 7.2+ (64-bit)

Red Hat Enterprise Linux 5.3 - 5.11+ (32- and 64-bit)

Red Hat Enterprise Linux 6.0 - 6.9 (32- and 64-bit)

Red Hat Enterprise Linux 7.0 - 7.4 (64-bit)

SUSE 11.4 (64-bit)

SUSE 12.0 - 12.2 (64-bit)

Ubuntu 14.04.4+ LTS (32- and 64-bit)

Ubuntu 16.04+ LTS (32- and 64-bit)

Microsoft Windows 7, 7 Embedded (32- and 64-bit)

Microsoft Windows 8, 8.1, 8.1 Embedded (32- and 64-bit)

Microsoft Windows 10 (64-bit)

Microsoft Windows Embedded POSReady 7 (32- and 64-bit)

Microsoft Windows Server 2008 SP1, SP2 (32- and 64-bit)

Microsoft Windows Server 2008 R2 (64-bit)

Microsoft Windows Server 2012 (64-bit)

Microsoft Windows Server 2012 R2 (64-bit)

Microsoft Windows Server 2016 R2 (64-bit)

Choosing an Authentication Method for TLC Axon Agents

The Bridge is a component through which Axon Agents deliver data to a Tripwire Log Center Manager. To connect with Axon Agents, the Bridge on a Tripwire Log Center Manager uses the Transport Layer Security (TLS) protocol. Therefore, each Axon Agent needs a set of X.509 certificates in order to communicate with the Bridge.

Axon Agents can use two different methods to obtain the certificates used for securing the connection with the Bridge:

With the registration method, you create a pre-shared key that is used to authenticate a newly-connected Axon Agent while it obtains a certificate to use for subsequent connections. To install an Axon Agent using the registration method, see Installing Tripwire Axon Agent using a Pre-Shared Key.

With the public key infrastructure (PKI) method, you create certificates and build a certificate key store on both the Axon Agent and Bridge systems. To install an Axon Agent using PKI, see Installing Tripwire Axon Agent using PKI.

Tips 

Tripwire strongly recommends using the registration method unless you have an existing centralized public key infrastructure and are comfortable with creating and maintaining certificate keys. The registration method is equally secure, and greatly simplifies the configuration process.

Changing the authentication method after the initial installation will require modifying all existing Axon Agents to configure new certificates.

Comparing the Registration and PKI Authentication Methods

With the registration method, the Axon Agent and Bridge complete the following steps:

1. The Axon Agent establishes an anonymous TLS connection with the Bridge.
2. The Axon Agent sends an X.509 Certificate Signing Request (CSR) to the Bridge. If the Agent has a registration pre-shared-key file, the pre-shared key is included in the request.
3. The Bridge verifies the CSR and pre-shared key, and it sends a set of signed X.509 certificates to the Axon Agent.
4. The Axon Agent reads the response and locally stores copies of 1) the Bridge Certificate Authority (CA), and 2) the signed certificates.
5. The Axon Agent disconnects from the Bridge and deletes its registration_pre_shared_key.txt file.
6. With the signed certificates, the Axon Agent reconnects with the Bridge and establishes a secure TLS session.

With the PKI method, the Axon Agent connects with the Bridge using the signed certificates and establishes a secure TLS session.
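The following check is an added example, not Tripwire code or part of the original documentation. It builds on step 5 of the registration sequence: because the Agent deletes registration_pre_shared_key.txt once registration succeeds, a key file that is still present after a grace period, or that other local users can read, deserves attention. The directory argument and the one-hour grace period are assumptions; supply the location where your deployment stages the key.

```python
import os
import stat
import time
from pathlib import Path

# File name taken from step 5 of the registration sequence above.
PSK_FILE = "registration_pre_shared_key.txt"


def audit_psk_file(config_dir, max_age_seconds=3600, now=None):
    """Classify one Agent configuration directory by the state of its PSK file.

    config_dir is an assumption: pass the directory where your deployment
    stages the pre-shared key. The key's contents are never read.
    """
    now = time.time() if now is None else now
    psk = Path(config_dir) / PSK_FILE
    try:
        info = psk.lstat()  # lstat: do not follow a symlink left in its place
    except FileNotFoundError:
        # Expected after step 5, on PKI hosts, or when no key was ever staged.
        return {"status": "absent", "findings": []}

    findings = []
    if not stat.S_ISREG(info.st_mode):
        findings.append("not a regular file")
    # On POSIX systems the key should be accessible to its owner only.
    if os.name == "posix" and info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("accessible to group/other (mode %o)"
                        % stat.S_IMODE(info.st_mode))
    age = now - info.st_mtime
    if age > max_age_seconds:
        # The Agent deletes the file once registration succeeds, so an old
        # file means registration never completed and the key is still on disk.
        findings.append("stale: %d s old, registration has not completed" % age)
    return {"status": "exposed" if findings else "pending", "findings": findings}


def audit_hosts(config_dirs, **kwargs):
    """Audit several directories and return only those that need attention."""
    results = {str(d): audit_psk_file(d, **kwargs) for d in config_dirs}
    return {d: r for d, r in results.items() if r["status"] == "exposed"}
```

A result of "pending" means a key is staged with tight permissions and is still within the grace period; "exposed" lists the reasons in its findings.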

Required Ports and Protocols

The tables in this section list the services installed with Tripwire Log Center Manager, and the default ports used. Figure 23 illustrates these connections.

Table 8. Bridge services installed with Tripwire Log Center Manager

| Service Name | Listening Ports | Requires Firewall Access? | Description |
|---|---|---|---|
| TripwireBridge | 5670 | Y | The Axon Agent's connection port to the Bridge. |

Table 9. Required ports for the Bridge service on a Tripwire Log Center Manager

| Default Port/Protocol | Configurable During Installation? | Description |
|---|---|---|
| 5670/TCP/TLS | No | Used for inbound communication received from Axon Agents. |

Figure 23.  Agent ports and protocols

Proxied Axon Agent

Migrating your Monitored Assets to Advanced Collectors

Before installing the Axon Agent for use with Tripwire Log Center, we recommend that you follow the steps below.

If your TLC environment includes any Windows systems from which the WinLog Collector has previously collected log messages, Tripwire recommends that you migrate those Monitored Assets to the Advanced Windows Collector.

To identify Monitored Assets that should be migrated to the Advanced Windows Collector, run the Duplicated Assets for Advanced Windows Collectors Report in the Report Center. For instructions, see Running a Report.

To migrate a Monitored Asset from the WinLog Collector to the Advanced Windows Collector, install Tripwire Axon Agent for TLC on the Asset's host system, and then assign the Advanced Windows Collector to the Asset in the TLC Console (see Working with Monitored Assets).

If your TLC environment includes any Windows and/or Linux systems from which the File Collector has previously collected log messages, Tripwire recommends that you migrate those Monitored Assets to the Advanced File Collector.

To identify Monitored Assets that should be migrated to the Advanced File Collector, run the File Collector Assets Report in the Report Center. For instructions, see Running a Report.

To migrate a Monitored Asset from the File Collector to the Advanced File Collector, install Tripwire Axon Agent for TLC on the Asset's host system, and then assign 1) the Advanced File Collector and 2) the system's Log Source(s) to the Asset in the TLC Console (see Working with Monitored Assets and Working with Log Sources for an Advanced File Collector).