Troubleshooting the Contents of an Event-Management Database

If an Event-Management Database does not contain the Events you expect to see for a Log Source, complete the following steps to determine the source of the problem.

Step 1. Review your TLC Configuration

Review the following topics to ensure that your TLC environment is properly configured:

Planning your TLC Environment

Configuring your TLC Environment

Specifically, the following configuration steps must be completed:

The latest Tripwire-defined Normalization Rules for the Log Source must be downloaded from the Tripwire Web site (see Step 3. Import the Latest Normalization Rules).

Tip 

The Steps in this topic assume that your TLC environment employs Tripwire-defined Normalization Rules to normalize log messages from the Log Source. If you suspect a custom Normalization Rule may be the reason the expected Events are not being created in your database, please contact Tripwire Technical Support for further assistance.

The Monitored Asset for the Log Source should be added to an Asset group (Step 4. Configure your Asset Groups).

In your Manager’s properties, the appropriate Collector must be added to the Installed Modules tab (Step 5. Configure your Collectors).

In the Monitored Asset’s properties, the Collector must be assigned in the Settings tab (Step 6. Configure your Monitored Assets).

Tip 

Since you may need to assign the database to the Monitored Asset in Step 2. Assess your Correlation Rules, do not close the Asset's properties dialog.

All appropriate Tripwire-defined Normalization Rules must be assigned to the Asset Group (Step 8. Assign Normalization Rules to Asset Groups). If the group lacks a Normalization Rule with a .NET regular expression suitable for a log message, TLC cannot normalize the message and, therefore, the message cannot be saved in an Event-Management Database.

In the properties of your Correlation Engine, you must assign all Correlation Rules with which TLC will correlate Normalized Messages (Step 9. Assign Correlation Rules to the Correlation Engine).

The Authentication tab in the Event-Management Database's properties dialog must specify login credentials for a valid database user account (see Creating an Event Database).

If these configuration steps fail to resolve the issue, proceed to Step 2. Assess your Correlation Rules.

Step 2. Assess your Correlation Rules

If an Event-Management Database is assigned as an Output Destination in the properties of a Monitored Asset, TLC should create an Event in the database whenever a log message from the Asset's Log Source(s) is normalized. However, this approach can quickly overload the database with Events, so Tripwire recommends against it. If you want TLC to create Events in an Event-Management Database, Tripwire advises that the database be added as an Output in one or more Correlation Rules (How does Event Correlation work?).

For testing purposes in this Step, you will temporarily assign the database directly to your Monitored Asset. If this results in the creation of the expected Events in the database, then your Correlation Rules are the most likely source of the problem.

To assign the Event-Management Database to your Monitored Asset: 

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Monitored Assets.

TLC presents your Assets in the workspace table.

3. In the workspace, double-click the Monitored Asset.
4. In the Output Destinations tab of the Monitored Asset properties dialog:
a. Click Add.
b. Select the appropriate Input Type.
c. Select the database from the Output Destination drop-down and click Add.
5. With the Event-Database Viewer, monitor the database (see Working with the Event-Database Viewer).

If TLC begins creating the expected Events in the database, then you should inspect the Correlation Rules in which the database has been assigned as an Output. Most importantly, review the conditions defined in the Decision Settings tab and the Database Settings tab (see Defining a Correlation Rule and Table 95). In addition, your Correlation Rules must be assigned to the Correlation Engine (see Assigning Correlation Rules to a Correlation Engine).

Otherwise, proceed to Step 3. Query Log Messages in the Audit Logger.

Note 

Remember to remove the database Output Destination from the Monitored Asset.

Step 3. Query Log Messages in the Audit Logger

In this Step, you will query the log messages collected from the Log Source. In a text file, you will save the IDs of the Normalization Rules used to normalize messages in the query results, along with the contents of any log messages that the query was unable to normalize. In Step 4. Assess the Normalization Rules assigned to the Asset Group, you will use this information to determine if your Normalization Rules are preventing the creation of the expected Events in your Event-Management Database.

To query the Audit Logger: 

1. Push updates to your Manager (see Pushing Updates to your Managers).
2. In the side bar, select Events > Audit Logger.
3. In the Query tab, specify the following query criteria:
a. In the Assets fields, select Assets and enter the IP address of the Log Source's Monitored Asset.
b. From the Output drop-down, select List Events - Processed. This type of search normalizes the queried log messages with the Normalization Rules assigned to the Asset Group containing the Monitored Asset, as well as any rules assigned directly to the Asset itself.

Note 

As a best practice, Tripwire recommends that Normalization Rules only be assigned to Asset Groups, rather than individual Monitored Assets.

c. With the Date and Time fields, define a timeframe to narrow the scope of the search.
d. In the Advanced Options tab, select Included log messages. With this setting, the query results will include any log messages that satisfy the query criteria but for which no suitable Normalization Rule is currently assigned to the Asset Group (or Monitored Asset). Since these messages cannot be normalized, they appear in their original, 'raw' format.
4. Click Start. TLC presents the query results in the following tabs:

The Query Results - Normalized Messages tab displays the queried log messages that were successfully normalized.

If the Asset Group (or Monitored Asset) does not have a Normalization Rule with a regular expression that can normalize one or more queried log messages, TLC also presents the Query Results - Log Messages tab. This tab presents the log messages in their 'raw,' un-normalized format.

If the query fails to produce a Query Results - Log Messages tab, try adjusting the Date and Time fields. If further queries fail to present this tab, there is no need to proceed further. Contact Tripwire Technical Support.

5. In the Query Results - Normalized Messages tab: 
a. Locate the Rule ID column header and click the adjacent filter icon.
b. The filter drop-down presents the ID for each Normalization Rule used to normalize the messages in the query results. In a text file, make a note of each Rule ID in this list.
6. In the Query Results - Log Messages tab:
a. Select all rows in the query results and click Copy Selected Rows to Clipboard.
b. In the text file, paste the query results after the list of Rule IDs.
c. Save the text file and close the Audit Logger.

Step 4. Assess the Normalization Rules assigned to the Asset Group

In this Step, you will examine the Tripwire-defined Normalization Rules assigned to the Asset Group containing the Monitored Asset to determine if either of the following issues might explain why your Event-Management Database lacks the expected Events. 

The Asset Group may not have a Normalization Rule capable of normalizing log messages from the Monitored Asset's Log Source. In this step, you will test the compatibility of each of the group's rules by searching the log messages in the text file (created in Step 3. Query Log Messages in the Audit Logger) for the rule's 'Quick Match' expression.

Each Tripwire-defined Normalization-Rule Group contains at least one 'generic' Normalization Rule. A generic rule is capable of normalizing any log message from the associated type of Log Source. Generic rules have a low priority (a value of 900 or greater), so they only normalize log messages if other rules assigned to the Asset Group fail to do so. Most importantly, log messages normalized by a generic rule cannot be saved as Events in an Event-Management Database. Here, you will determine if the Asset Group contains a generic rule that is normalizing log messages from the Log Source.

To complete this Step:

1. Open the text file created in Step 3. Query Log Messages in the Audit Logger.
2. In the side bar, select Resources > Configuration Manager.
3. In the side bar of the Configuration Manager, select Resources > Asset Groups.
4. In the workspace, double-click the Asset Group containing the Monitored Asset.
5. In the Asset Group properties dialog, select the Normalization Rules tab.
6. Compare the list of Normalization Rule IDs in your text file with those displayed in the Rule IDs column.

Make a note of all Rule IDs that are not listed in the text file. You will test these rules below.

If the text file contains a Rule ID that does not appear in this column, then the rule is assigned directly to the Monitored Asset, rather than the Asset Group.

If the name of one of these rules includes the term "generic," then it is a generic rule. Therefore, log messages normalized with this rule cannot be saved in Event-Management Databases.

7. For each Normalization Rule with an ID that is not listed in the text file, complete the following steps:
a. In the workspace, double-click the rule.
b. In the rule properties dialog, copy the Quick Match value.
c. Search the contents of the text file for the Quick Match value.

If the log messages in the text file do not contain the Quick Match value, proceed to the next rule.

If a log message contains the Quick Match value, copy the content of the log message to your clipboard and complete the remaining steps.

d. In the Rule Details tab, click the Rule Editor button.
e. In the Test Message tab of the Rule Editor, paste the log message and click Test RegEx.

If TLC presents column values in the Test Output field, the Normalization Rule is capable of normalizing the log message.

If the Test Output field is empty, the rule's regular expression cannot parse the message's content even though the message contains the Quick Match value. In this case, contact Tripwire Technical Support.

Note 

If a log message in the text file does not contain the Quick Match value for any of the Asset Group's rules, the reason is most likely one of the following: 

The Normalization-Rule Group(s) assigned to the Asset Group is inappropriate for this type of Log Source.

You do not have the most recent versions of these Normalization Rules. To download the latest content, see Updating TLC with the Latest Tripwire Content.

The Normalization-Rule Group(s) lacks a Normalization Rule for this type of log message. To submit a request for a new Tripwire-defined Normalization Rule, contact Tripwire Technical Support.
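The checks in Step 3 and Step 4 can also be run offline against the raw log messages saved in the text file. The following Python script is an added example and is not part of TLC or of Tripwire's content: it applies a set of Normalization Rules to log messages in priority order, treating the Quick Match value as a substring prefilter and the rule's regular expression as the real test, and reports for each message whether it was normalized by a specific rule (eventable), by a generic rule (priority 900 or greater, not eventable), or not at all. It also lists the assigned rules that normalized nothing, which are the rules sub-step 6 tells you to test by hand. The rule IDs, names, priorities, Quick Match values, regular expressions and log lines are all constructed for illustration. TLC rules use .NET regular expressions, so a real rule's pattern may need small syntax changes (for example, (?<name>...) becomes (?P<name>...)) before Python's re module accepts it.

```python
"""Offline version of the Step 3 / Step 4 triage: which Normalization Rule
(if any) claims each raw log message, and whether the result is eventable.

Added example, not TLC code. All rules and log lines below are constructed
for illustration; regexes are written in Python re syntax, not .NET syntax.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Generic rules carry a priority value of 900 or greater (a higher number is
# a lower priority), and messages they normalize cannot be stored as Events.
GENERIC_PRIORITY = 900


@dataclass(frozen=True)
class NormalizationRule:
    rule_id: str       # hypothetical IDs, not real Tripwire rule IDs
    name: str
    priority: int
    quick_match: str   # cheap substring prefilter; "" matches every message
    regex: str         # Python re syntax here (TLC rules use .NET regex)


@dataclass(frozen=True)
class Verdict:
    message: str
    status: str                        # "event" | "generic" | "unmatched"
    rule_id: Optional[str] = None      # rule that normalized the message
    fields: dict = field(default_factory=dict)
    quick_match_misses: tuple = ()     # Quick Match hit but regex failed


def normalize(message: str, rules: List[NormalizationRule]) -> Verdict:
    """Try rules in priority order (lowest value first). A rule claims the
    message only if its Quick Match substring is present AND its regex
    matches. A Quick Match hit whose regex fails is the Step 4 'Test Output
    is empty' case and is recorded so it can be reported to support."""
    misses = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.quick_match not in message:
            continue
        m = re.search(rule.regex, message)
        if m is None:
            misses.append(rule.rule_id)
            continue
        status = "generic" if rule.priority >= GENERIC_PRIORITY else "event"
        return Verdict(message, status, rule.rule_id, m.groupdict(), tuple(misses))
    return Verdict(message, "unmatched", quick_match_misses=tuple(misses))


def triage(messages, rules):
    return [normalize(msg, rules) for msg in messages]


def summarize(verdicts):
    """Counts per status, i.e. how many messages could reach the database."""
    counts = {"event": 0, "generic": 0, "unmatched": 0}
    for v in verdicts:
        counts[v.status] += 1
    return counts


def rules_not_seen(verdicts, rules):
    """Step 4, sub-step 6: assigned rule IDs that normalized no queried
    message. These are the rules to test against the raw messages."""
    used = {v.rule_id for v in verdicts if v.rule_id}
    return sorted(r.rule_id for r in rules if r.rule_id not in used)


RULES = [  # constructed rules; not Tripwire-defined content
    NormalizationRule("NR-1001", "SSH failed password", 100, "Failed password",
        r"Failed password for (?P<user>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port (?P<src_port>\d+)"),
    NormalizationRule("NR-1002", "SSH accepted password", 100, "Accepted password",
        r"Accepted password for (?P<user>\S+) from (?P<src_ip>[\d.]+)"),
    NormalizationRule("NR-1003", "sudo command", 110, "sudo:",
        r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"),
    NormalizationRule("NR-1004", "SSH connection closed", 100, "Connection closed",
        r"Connection closed by (?P<src_ip>[\d.]+)"),
    NormalizationRule("NR-1900", "Linux generic syslog", 900, "",
        r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"),
]

MESSAGES = [  # constructed log lines in Linux syslog style
    "Jan 12 09:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jan 12 09:14:09 web01 sshd[2211]: Accepted password for deploy from 198.51.100.4 port 51030 ssh2",
    "Jan 12 09:15:30 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Jan 12 09:16:01 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 09:17:45 web01 sshd[2250]: Failed password for invalid user admin from 203.0.113.7 port 51040 ssh2",
    "<134>web01 custom-app: heartbeat ok",
]

if __name__ == "__main__":
    verdicts = triage(MESSAGES, RULES)
    for v in verdicts:
        note = f"  [Quick Match hit, regex failed: {', '.join(v.quick_match_misses)}]" if v.quick_match_misses else ""
        print(f"{v.status:9} {v.rule_id or '-':8} {v.message[:60]}{note}")
    print("summary:", summarize(verdicts))
    print("assigned rules that normalized nothing:", rules_not_seen(verdicts, RULES))
```

The fifth message is the case sub-step e describes: the Quick Match value 'Failed password' is present, but the rule's regular expression does not parse the 'invalid user' form of the line, so the message falls through to the generic rule and can never become an Event. The last message matches no rule at all and is what the Query Results - Log Messages tab would show in raw form, while NR-1004 comes back as an assigned rule that normalized nothing and so would be on the list to test in sub-step 7.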

Step 5. Check your Normalized-Message Filters

To determine if your Normalized-Message Filters are the source of the problem:

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Normalization > Normalized-Message Filters.

TLC presents your Normalized-Message Filters in the workspace table. The Filter Type column indicates the Event-Management Database (or Correlation Engine) to which the filter applies.

3. In the workspace, select the row for each filter that has your Event-Management Database specified in the Filter Type column. 
4. Right-click one of the rows and select Disable selected filters.
5. Monitor the Event-Management Database for the expected Events (see Working with the Event-Database Viewer). If this resolves the issue, the source of the problem is the criteria defined for one or more of your Normalized-Message Filters. To review your filter criteria, see Working with Normalized-Message Filters. When you have finished testing, re-enable the filters you disabled.