Adding Multiple Monitored Assets

For an introduction to Monitored Assets, see What are Managers, Log Sources, and Monitored Assets?.

For the following Collectors (see What are Collectors?), you can add multiple Monitored Assets with common properties at the same time.

Check Point Collectors

Cisco IDS Collectors

File Collectors

Advanced File Collectors

Network Collectors

WinLog Collectors

To add multiple Monitored Assets:

1. In the side bar, select Resources >Configuration ManagerConfiguration Manager.
2. In the side bar of the Configuration Manager, select ResourcesResources >AssetsMonitored Assets.

TLC presents your Monitored Assets in the workspace table.

Tip

You can sort, group, and filter the contents of tables. For more information, see Working with Tables).

3. In the workspace, right-click a Monitored Asset and select Add Multiple AssetsAdd Multiple Monitored Assets.
4. Complete the tabs in the Add Multiple Monitored Assets wizard (see Table 53).
5. Click Start.

Table 53. Tabs in the Add Multiple Monitored Assets wizard

Tab

Description

Log Sources

Note: This tab only appears if an Advanced File Collector is selected in the Collector field of the Settings tab.

This tab specifies the Log Sources to be assigned to the Monitored Assets.

Enabled. Indicates if TLC is collecting log messages from a Log Source.

Name. A descriptive name for a Log Source.

To add a Log Source, clickAddAdd and complete the Log Source dialog (see Working with Log Sources for an Advanced File Collector).

To change the properties of a Log Source, double-click the Log Source and complete the Log Source dialog.

To remove a Log Source, select the Log Source and clickDelete/RemoveRemove.

To enable or disable a Log Source, select the Log Source and clickEnableEnable orDisableDisable.

Tip: You can also access these commands by selecting and right-clicking a Log Source.

Monitored Assets

To add the Log Sources for the Monitored Assets you want to create, use the buttons at the top of the Monitored Assets tab. You can manually enter the Asset properties, Auto-Discover Assets by querying a domain's Active Directory, or import a comma-separated value (CSV) file with a defined list of Monitored Assets.

Manual Entry

To manually enter the properties of your Monitored Assets:

1. ClickAdd AssetAdd Monitored Asset. TLC adds a table row to the Assets tab.

2. Enter the IP address of a Monitored Asset, along with a Name and Description of your choice.

3. Repeat these steps to add other Monitored Assets.

Auto-Discovery

With Auto-Discovery, TLC retrieves host information from a domain's Active Directory in the following format: 

<hostname>.<domain>

ExampleWindowsServer2003.lab.mydomain.com

To Auto-Discover the Assets in a domain:

1. ClickAdd from DomainAdd from Domain.

2. Complete the Select a Domain dialog and click Start.

Directory Entry. The Active Directory host name, domain name, or domain/location (e.g. corp.mycompany.com/CN=Computers,DC=corp,DC=mycompany,DC=com) from which the Assets will be Auto-Discovered.

Username. The username for a user account with access to the Active Directory.

Password. The password of the user account.

Host Filter. (Optional) A .NET regular expression to limit Auto-Discovery to Assets with specific names.

IP Filter. (Optional) A .NET regular expression to limit Auto-Discovery to Assets with specific IP addresses.

Note: If the domain of an Asset cannot be retrieved, TLC simply saves the host name. If a host's IP address cannot be resolved, TLC will save the entry as 0.0.0.0. In this case, you should either delete the Monitored Asset or manually edit the IP address.

CSV Files

In a CSV file, each line in the file should be formatted as follows:

<name>,<IP_address>,<description>

Where <name> is a name of your choice for the Monitored Asset,

<IP_address> is the IP address of the Monitored Asset's Log Source, and

<description> is a description of the Monitored Asset.

To import a CSV file:

1. ClickAddAdd from File.

2. Click Browse and select the file.

3. Click Start.

To remove a Monitored Asset from the list, select the Asset and clickRemoveRemove.

Output Destinations

In this tab, add the Output Destinations to be assigned to each of the Monitored Assets. For an introduction to Output Destinations, see How does Log-Message Normalization work?.

To add an Output Destination:

1. ClickAddAdd.

2. From the Input Type drop-down, select the appropriate option for the Monitored Asset's Log Sources.

3. Select the Output Destination and click Add.

To remove an Output Destination, select the destination and clickDelete/RemoveRemove.

Tips: Since saving log messages in an Event-Management Database can overload the database with Events, Tripwire recommends that you exercise discretion when assigning databases as Output Destinations. To maintain a comprehensive record of 'raw' log messages from a Monitored Asset's Log Source, assign the Audit Logger as an Output Destination.

If you do assign an Event-Management Database as an Output Destination, and the database is consequently overloaded with Events, click here for troubleshooting tips.

If the Monitored Asset is a scanner (see What are Scanner Events?), Event Databases may be assigned as Output Destinations, but not Firewall Databases or IDS Databases.

Rules

Notes: 1) This tab does not appear if a Cisco IDS Collector or Check Point Collector is selected in the Collector field of the Settings tab. 2) If the Monitored Asset is a scanner (see What are Scanner Events?), the Normalization Rules assigned to this tab will have no affect. Instead, TLC automatically normalizes Scanner Events.

In this tab, add the Normalization Rules to be assigned to the Monitored Assets. When the Normalization Engine receives a log message from the Asset's Collector, TLC will execute the rules in the order in which they appear in this tab.

To assign Normalization Rules:

1. ClickAddAdd.

2. In the Modify Rules for Monitored Asset dialog, select the check box for each rule to be added and click OK.

To change the order of the Normalization Rules, use the buttons on the right of the Rules tab.

Settings

Note: If a Cisco IDS Collector is selected in the Collector field, the Settings tab includes the Username and Password fields. If a WinLog Collector is selected, the Settings tab includes the Username, Password, and Method fields. Otherwise, these fields do not appear in this tab.

This tab defines general settings for the Monitored Assets.

Location. Specifies a Location for the Monitored Assets (see Working with Locations).

Enabled. (Optional) Select this check box to enable log-message collection for the new Monitored Assets.

Type. The type of Log Sources for which you will create Monitored Assets.

Group. Specifies an Asset Group to which the Monitored Assets will be assigned.

Add Normalization Rules to Group. (Optional) Select this check box to have TLC automatically assign the Normalization Rules for the (Log Source) Type to the Asset Group.

Collector. The type of Collector that will gather log messages from the Monitored Asset's Log Source (see What are Collectors?).

Username. The username of the user account to be employed by TLC for authentication with the Monitored Assets' Log Sources (either Windows systems or Cisco IDS devices).

Password. The password of the user account.

Method. The type of WMI Connection to be employed for communication with the Monitored Assets' Log Sources (Windows systems).

The Asynchronous method uses a constant connection with the Windows Event Log.

The Synchronous method polls the Windows Event Logs for new log messages.

Note: The Username and Password fields are not required if 1) the Log Sources are Windows systems with a WinLog Collector, 2) the Monitored Assets' Manager has a WinLog Collector assigned to its Installed Modules tab (see Working with Managers), 3) the Windows systems and Manager host system are in the same domain, and 4) the service user running the Manager has permission to collect WMI log messages.