Searching for Log Messages

With these procedures, TLC queries log messages in the Audit Logger File Store.

To run a basic search, see Querying the Audit Logger for 'Raw' Log Messages.

To have TLC normalize the queried log messages, see Querying the Audit Logger for Normalized Messages. In this case, the query results consist of Normalized Messages.

With the first procedure, the query results consist of raw log messages. With the second procedure, the Audit Logger normalizes the queried log messages, and the Normalized Messages are presented in the list.

Tip 

These procedures explain how to configure and run a new query. However, you can also run a Saved Query (see Saving an Audit Logger Query) or a previous query listed in the Query History tab of the Audit Logger's Search tab (see Working with Audit Logger Queries).

Querying the Audit Logger for 'Raw' Log Messages

To query the Audit Logger File Store for log messages:

1. In the side bar, select Events >Audit LoggerAudit Logger.
2. In the Audit Logger, select the Query tab.
3. From the Output drop-down, select List Events - Raw.
4. Enter your criteria for the query in the Query Criteria tab (see Table 78) and click Start.

TLC presents the query results in the Query Results - Log Messages tab (see Table 83). With the buttons along the top of the tab, you can modify and work with the query results (see Table 84).

Tip

You can sort, group, and filter the contents of tables. For more information, see Working with Tables).

Tip

If the query results seem inaccurate or invalid, and you're unable to resolve the issue, you can save the query results in a log file and then forward the file to Tripwire Support for troubleshooting. For more information, see Troubleshooting an Audit Logger Query.

Table 83. Columns in the Query Results - Log Messages tab

Column

Description

Timestamp

The date and time when a log message was created by a Log Source.

Host

The IP address of the Log Source that created the log message.

Event

The content of a log message.

Table 84. Buttons in the Query Results - Log Messages tab

Button

Description

Previous Next

Previous and Next. Scrolls through pages of query results.

Email Selected Rows

Email selected rows. To email one or more log messages:

1. Select the row for the log message in the query results.

2. Click the arrow to the left of the row. To select multiple log messages, use the CTRL and SHIFT keys.

3. Click Email selected rows.

4. In the Email dialog, enter an email address (in the To field) and a Subject line.

5. Click Send.

Copy Selected Rows to Clipboard

Copy selected rows to Clipboard. Copies selected log messages.

Find

Find. Searches for specific log messages in the query results.

View Time Chart

Show/hide Graph. Displays or hides the chart at the top of the query results.

Quick Report Creator

Generate Report. Compiles an Audit Logger Report for the query results. For more information, see Generating an Audit Logger Report.

Add selected Log Source to filter

Add selected Log Source to filter. To add a Monitored Asset to the query's Monitored Assets criterion (see Table 78), select the Host field for a log message created by the Monitored Asset and click this button.

Replace filter with selected Log Source

Replace filter with selected Log Source. To replace the query's Monitored Assets criterion with the Monitored Asset that created a log message (see Table 78), select the Host field for the log message and click this button.

Add selected log message to filter

Add selected message content to Terms criterion. To revise the query's command to specify the content of a log message (see Table 78), select the log message's Event column and click this button.

Assign selected message timestamp as Start Time

Assign selected message timestamp as Start Time. To assign a log message's Timestamp as the Start Time in the Search tab (see Table 78), select the Timestamp in the query results and click this button.

Assign selected message timestamp as End Time

Assign selected message timestamp as End Time. To assign a log message's Timestamp as the End Time in the Search tab (see Table 78), select the Timestamp in the query results and click this button.

Querying the Audit Logger for Normalized Messages

To query the Audit Logger File Store for log messages to be normalized by TLC:

1. In the side bar, select Events >Audit LoggerAudit Logger.
2. In the Audit Logger, select the Query tab.
3. From the Output drop-down, select List Events - Processed.

TLC presents some query-criteria tabs at the bottom of the Search tab.

4. Enter your criteria for the query.

For default criteria, see Table 78.

For guidance in completing the query-criteria tabs, see Table 85.

Notes 

To normalize a log message in query results, TLC uses the Normalization Rules assigned to the Monitored Asset representing the message's Log Source (see Table 50).

If your criteria specify a value(s) for a log-message field, the query results will exclude any log messages for which the field has a null value (i.e. no value).

5. Click Start.

TLC presents the query results in the Query Results - Normalized Messages tab. The results consist of Audit Logger log messages that have been normalized by TLC. With the buttons along the top of the this tab, you can modify and work with the query results (see Table 86). The available buttons depend upon which cell (if any) is selected in the query results.

Tip

You can sort, group, and filter the contents of tables. For more information, see Working with Tables).

Tip 

To refresh the query results and limit the new query to log messages with the value of a column displayed in the current results, double-click the value's table cell.

Tip

If the query results seem inaccurate or invalid, and you're unable to resolve the issue, you can save the query results in a log file and then forward the file to Tripwire Support for troubleshooting. For more information, see Troubleshooting an Audit Logger Query.

Table 85. Advanced tabs for Audit Logger query criteria

Tab

Description

Processed Filter

Defines conditions to limit query results to Normalized Messages that satisfy those conditions. Each condition either specifies a value in a Normalized-Message field or a Classification Tag (see How does Classification work?). For field descriptions, click here.

To add a condition, clickAddAdd.

To define or change the properties of a condition specifying a Normalized-Message field:

1. From the Type drop-down, select the Normalized-Message field. For descriptions of Normalized-Message fields, along with guidelines for appropriate values, click here.

2. From the Condition drop-down, select an operator for the condition (see Table 96).

3. In the Value field, enter an alpha-numeric value, Correlation List, or .NET regular expression. (For more information about Correlation Lists, see Working with Correlation Lists).

Tip: When selecting a Normalized-Message field from the Type drop-down, select a field that exists in the Normalized Messages to be queried.

If you select Event Priority from the Type drop-down, see Searching for Log Messages for more information.

To define or change the properties of a condition specifying a Classification Tag:

1. In the Type drop-down field, type: 

tag_set_<Tag_Set_name>

where <Tag_Set_name> is the name of the Classification Tag Set containing the Tag.

2. From the Condition drop-down, select the Contains or Not Contains operator for the condition (see Table 96).

3. In the Value drop-down field, type the name of the Classification Tag.

To delete a condition, select the condition and clickDelete/RemoveDelete.

Columns

Specifies table columns to be used in the query results. If no columns are specified, all columns are used to display the Normalized Messages in the query results.

Group

Note: This tab is only available if you select Graph Events - Processed in the Output field (see Table 78).

Specifies table columns by which to sort the query results.

Report Options

Note: This tab is only available if you select Report in the Output field (see Table 78).

Report logo. The graphic (190 x 48 pixels) displayed in the upper right corner of a report. To add your own logo to a report, save the graphic file in your TLC Console installation directory. The default path is:

Program Files\Tripwire\Tripwire Log Center Console

If you plan to create a Saved Query, and then assign Saved Query to a Scheduled Task (see Working with the Task Scheduler), you must save the graphic file in your TLC Manager installation directory in order for the logo to appear in report output generated by the Scheduled Task. The default path for TLC Manager is: 

Program Files\Tripwire\Tripwire Log Center Manager

Resolve IP addresses. Determines if/how TLC will attempt to resolve IP addresses in the query results.

To resolve the IP addresses for existing Monitored Assets only, select For Assets only.

To resolve all IP addresses by DNS, select For all hosts.

To have TLC first resolve IP addresses for existing Monitored Assets, and the remaining IP addresses by DNS, select Resolve both.

To disable this feature, select None.

Watermark. To add a watermark to the report output, enter the text of the watermark.

Display Hostnames. (Applies to Tripwire-defined PCI reports only) Determines how Monitored Assets with the Advanced Windows Collector or Advanced File Collector (see Table 28) are identified and sorted in the output of a report.

Default uses the setting specified by the Audit Logger - Display Hostnames in the PCI Reports advanced setting (see Table 49).

To identify Monitored Assets by their host names, select True.

To identify Monitored Assets by their IP addresses, select False.

Report Variables. If Compliance is selected from the Report Class drop-down, you can click AddAdd to define a custom title or description to be displayed in the report output.

Advanced Options

Include log messages. If enabled, the query results include log messages that match the query's default criteria (see Table 78) but could not be normalized.

Return Limit. Limits the number of un-normalized log messages in the query results.

Table 86. Buttons in the Query Results - Normalized Messages tab

Button

Description

Run Query

Re-run query. Re-runs the query and refreshes the query results.

Add to Processed Filter

Add Message-Field Filter for selected column. To add a column value for a log message to the query's Processed Filter criteria (see Table 85), select the value's table cell in the query results and click this button.

Add to Query Filter

Add selected value to Terms criterion. To add a column value for a log message to the Terms criterion (see Table 78), select the value's table cell in the query results and click this button.

Add to Query Filter

Add selected value to Classification Tags criterion. To add a Tag to the query's Classification Tags criterion (see Table 78), select a field containing the Tag and click this button.

Email Selected Rows

Email selected rows. To email one or more log messages:

1. Select the row for the log message in the query results.

2. Click the arrow to the left of the row. To select multiple log messages, use the CTRL and SHIFT keys.

3. Click Email selected rows.

4. In the Email dialog, enter an email address (in the To field) and a Subject line.

5. Click Send.

Copy Selected Rows to Clipboard

Copy selected rows to Clipboard. Copies selected log messages.

Export

Export to CSV. Exports the queried log messages to a CSV file.

Notes: 1) Only visible columns are exported to the CSV file. 2) If one or more columns are grouped in the Query Results - Normalized Messages tab, this button is disabled.

Tripwire Enterprise Query

Tripwire Enterprise Query. Queries your Tripwire Enterprise Server for 1) nodes with an IP address selected in the displayed list of Normalized Messages, or 2) elements with an Object Identifier (OID) selected in the displayed messages.

Note: To use this feature, at least one Tripwire Enterprise Server must be added to TLC (see Working with Tripwire Enterprise Servers). 

For more information about this feature, see the Integration Guide: Tripwire Enterprise & Tripwire Log Center PDF on the Tripwire Customer Center:

https://tripwireinc.force.com/customers

Commands

Run Custom Command on selected IP address. If you select the IP address of a Log Source in a log message's host column, this button presents a list of commands that can be run on the Log Source.

Internet Tools

Internet Tools. If you select the IP address in a log message's Host column or Sensor IP column, this button opens the Internet Tools tab (see What are Internet Tools?).