For an introduction to Monitored Assets, see What are Managers, Log Sources, and Monitored Assets?.
To add, edit, or delete Monitored Assets:
1. | In the side bar, select Resources >Configuration Manager. |
2. | In the side bar of the Configuration Manager, select Resources >Monitored Assets. |
TLC presents your Assets in the workspace table.
Tip |
You can sort, group, and filter the contents of tables. For more information, see Working with Tables). |
---|
3. | To create a new Monitored Asset: |
a. | ClickAdd Monitored Asset. |
b. | In the Monitored Asset properties dialog, enter a Name and Description for the Asset. |
c. | (Optional) To enable the Asset, select the Enabled check box. |
d. | Complete the tabs in the Monitored Asset properties dialog (see Table 50) and click OK. |
Tips |
To create multiple Monitored Assets at once, see Adding Multiple Monitored Assets. To improve performance and simplify management of your TLC environment, Tripwire recommends that you assign Normalization Rules to Asset Groups rather than Monitored Assets (see Assigning Normalization Rules to Asset Groups). In addition, you should only add Normalization Rules that are appropriate for the messages to be collected from the Log Source. To manually create a Monitored Asset with the Advanced Windows Collector, the Enable AutoDiscovery setting in the Advanced Windows Collector tab of your Manager's properties dialog must be disabled (see Working with Managers). |
---|
To edit an existing Monitored Asset:
a. | In the workspace, double-click the Asset. |
b. | Complete the Monitored Asset properties dialog (see Table 50) and click OK. |
Tip |
To edit multiple Monitored Assets at once, see Configuring Multiple Monitored Assets. |
---|
To remove all Normalization Rules from the properties of one or more Monitored Assets, select the Assets and clickRemove all rules from selected Assets.
To enable a disabled Monitored Asset, select the Asset in the workspace and click Enable Monitored Asset.
To disable a Monitored Asset, select the Asset and click Disable Monitored Asset.
Tips |
To select multiple Monitored Assets, select the Assets while pressing the CTRL or SHIFT key. If a Monitored Asset is disabled, TLC will not collect log messages from the Asset's Log Source. |
---|
To delete a Monitored Asset:
a. | In the workspace, select the Asset. |
b. | If a Collector is assigned to the Asset (see the Collector Name column), make a note of it. |
c. | ClickDelete Monitored Asset. |
d. | In the confirmation dialog, click Yes. |
e. | In the Installed Modules tab of your Manager's properties dialog, disable and re-enable the Collector (see Table 42). |
Tip |
To successfully delete a Windows Axon Agent Asset, you must first stop the Tripwire Axon Agent for TLC service on the Agent host system or uninstall the Agent. Otherwise, TLC will auto-discover the Agent and re-create the Monitored Asset. |
---|
If the Save Table Layout feature is enabled (see Saving Table Layouts in the Configuration Manager), you can modify the table in the workspace and click Save Table Layout to save the updated layout for future use.
Tip |
Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers). |
---|
Tab |
Description |
---|---|
Advanced |
For a Network Collector, Cisco IDS Collector, Database Collector, Oracle Database Collector, Advanced File Collector, or Advanced Windows Collector: Generate a log message if no messages received in <n> Minutes/Hours/Days. If you enter a non-zero value in this field, TLC will generate a log message if the specified time period passes without a log message being received from the Monitored Asset's Log Source. This log message simply provides a notification that no messages were received within the specified interval. Time zone. Select the time zone in which the Monitored Asset's Log Source is located. Note: If a Database Collector, WinLog Collector, or Advanced Windows Collector is assigned to the Asset, the Time zone field does not appear in the Advanced tab. For a WinLog Collector or File Collector: Generate a log message if no messages received in <n> Minutes/Hours/Days. If you enter a non-zero value in this field, TLC will generate a log message if the specified time period passes without a log message being received from the Monitored Asset's Log Source. This log message simply provides a notification that no messages were received within the specified interval. Limit collection to log messages from the following Event Logs. To limit the Collector to log messages generated by specific Event Logs, select each applicable check box. If you select the Custom check box, you can specify multiple Windows Event Logs in the associated field. In the field, insert a pipe character (|) between the names of the Windows Event Logs (for example, Log_1|Log_2). Notes: For more information, see Processing EVT and EVTX Files. For a File Collector, the Limit collection to log messages from the following Event Logs region is only available if EVT is selected as an Input Type in the Output Destinations tab. |
Advanced Collector Collection |
Note: This tab only appears if a Advanced Windows Collector is specified in the Collector field of the Settings tab. Collect Windows Event Logs? A read-only setting indicating whether or not TLC collects Windows Event Logs from the Axon Agent. This setting is controlled by the Agent Collection tabs in the properties dialog of the Asset Group(s) containing this Monitored Asset (see Table 52). If this setting is enabled for at least one of these Asset Groups, the setting is enabled here. |
Asset Groups |
This tab lists the Asset Groups to which the Monitored Asset is assigned. To add the Monitored Asset to an Asset Group: 1. ClickAdd. 2. Select the Asset Group from the drop-down and click Add. To view the properties of an Asset Group, double-click the group. For more information, see Working with Asset Groups. To remove the Monitored Asset from an Asset Group, select the group and clickDelete. |
Check Point Options |
Notes: This tab only appears if a Check Point Collector has been added to the Manager. The Client Distinguished Name, Server Distinguished Name, and Activation Key were entered when the Check Point firewall was configured for use with TLC (see Configuring a Check Point Firewall). Tip: When creating a Check Point Monitored Asset, you must enter the host portion of the firewall's Fully-Qualified Domain Name (FQDN) in the Name field of the Monitored Asset properties dialog. For example, if the FQDN is checkpoint1.tripwire.com, the Asset name should be checkpoint1. This tab defines authentication, communication, and log settings for the Monitored Asset's firewall. Firewall port. The port on the Check Point firewall to be used for communication with TLC. Firewall log file. The log file from which TLC will collect log messages. Authentication method. The authentication method for communications between TLC and the firewall. Certificate. The local certificate file. Download certificate. Click this button to download a certificate from the Check Point Logging Server. Distinguished Name of OPSEC Application Object. The distinguished name (case sensitive) for the OPSEC Application Object created for the Check Point firewall. Distinguished Name of Check Point Server. The distinguished name (case sensitive) for the Check Point Management Server. Logging level. The logging level for the Check Point Collector. For more information about logging levels, see Changing a Manager's Log Settings. To initially configure this tab: a. Enter the Client Distinguished Name and Server Distinguished Name. b. From the Authentication Type menu, select SSLCA. c. Click Pull Cert. d. In the Enter Information dialog, enter the Check Point firewall's Activation Key and an IP address for the Certificate Authority. e. Click Start. Tips: If you have to pull the certificate a second time, you must first recreate the OPSEC Application Object in Check Point (see Configuring a Check Point Firewall). To pull a certificate from a command line, enter: Opsec_pull_cert.exe –h <host> –n <opsec> –p <password> Where <host> is the IP address or host name of the Check Point Management Server, <opsec> is the OPSEC Application Object in Check Point, <password> is the Check Point firewall's Activation Key. |
File Collection |
Note: This tab only appears if 1) a File Collector is selected in the Collector field of the Settings tab, and 2) a schedule has been defined in the Schedule tab. This tab defines communication settings for the collection of log messages. For more information, see Configuring a Monitored Asset with a File Collector. |
Locations |
Note: This tab only appears if Multiple is selected from the Locations drop-down in the Settings tab. Lists the Locations to which the Monitored Asset is assigned. For more information, see Assigning Locations to a Monitored Asset. |
Note: This tab only appears if an Oracle Database Collector or Advanced File Collector is selected in the Collector field of the Settings tab. This tab identifies the Log Sources assigned to the Monitored Asset. ID. A unique identifier for a Log Source. (Available only with the Oracle Database Collector.) Enabled. Indicates if TLC is collecting log messages from a Log Source. Name. A descriptive name for a Log Source. Stored Procedure. The stored procedure TLC executes on the Log Source. (Available only with the Oracle Database Collector.) To add a Log Source, clickAdd and complete the Log Source dialog (see Working with Log Sources for an Oracle Database Collector and Working with Log Sources for an Advanced File Collector). To change the properties of a Log Source, double-click the Log Source and complete the Log Source dialog. To remove a Log Source, select the Log Source and clickRemove. To enable or disable a Log Source, select the Log Source and clickEnable orDisable. Tip: You can also access these commands by selecting and right-clicking a Log Source. |
|
Notes: 1) This tab does not appear if a Database Collector is selected in the Collector field of the Settings tab. 2) If the Oracle Database Collector is selected from the Collector drop-down in the Settings tab, you cannot add an Event-Management Database as an Output Destination. However, you can forward log messages of interest to an Event-Management Database by adding the Correlation Engine as an Output Destination, and then creating a Correlation Rule with the database as an Output (see Defining a Correlation Rule). This tab lists the Output Destinations for the Monitored Asset (i.e. the Audit Logger, an Event-Management Database, or the Correlation Engine). For an introduction to Output Destinations, see How does Log-Message Normalization work?. To add an Output Destination to the Monitored Asset: 1. ClickAdd. 2. Select an appropriate Input Type for the Collector selected in the Settings tab (see Table 51). 3. Select the Output Destination and click Add. To remove an Output Destination, select the destination and clickRemove. Tips: Since saving log messages in an Event-Management Database can overload the database with Events, Tripwire recommends that you exercise discretion when assigning databases as Output Destinations. To maintain a comprehensive record of 'raw' log messages from a Monitored Asset's Log Source, assign the Audit Logger as an Output Destination. If you do assign an Event-Management Database as an Output Destination, and the database is consequently overloaded with Events, click here for troubleshooting tips. If the Monitored Asset is a scanner (see What are Scanner Events?), Event Databases may be assigned as Output Destinations, but not Firewall Databases or IDS Databases. You cannot add an EVT Output Destination and an EVTX Output Destination to the same Monitored Asset. For more information about EVT files, see Processing EVT and EVTX Files. |
|
Notes: 1) This tab only appears if a File Collector, Advanced File Collector, Network Collector, Oracle Database Collector, WinLog Collector, or Advanced Windows Collector is selected in the Collector field of the Settings tab. To simplify management of your TLC environment, Tripwire recommends that you assign Normalization Rules to Asset Groups rather than Monitored Assets (see Working with Asset Groups). 2) If the Monitored Asset is a scanner (see What are Scanner Events?), the Normalization Rules assigned to this tab will have no affect. Instead, TLC automatically normalizes Scanner Events. This tab contains the Normalization Rules that have been assigned to the Monitored Asset. When the Normalization Engine receives a log message from the Asset's Collector, TLC executes the rules in the order in which they appear in this tab. To change the order of the Normalization Rules, use the buttons on the right of the Rules tab. To assign Normalization Rules to the Monitored Asset: 1. ClickAdd. 2. In the Modify Rules for Asset dialog, select the check box for each rule to be added and click OK. To view or change the properties of a rule, double-click the rule. For further details, see Working with Normalization Rules. To remove a rule from the Monitored Asset: 1. Select the rule in the Rules tab. 2. ClickRemove button, and click Yes in the confirmation dialog. |
|
Schedule |
Note: This tab only appears if a File Collector is selected in the Collector field of the Settings tab. This tab defines a schedule for the collection of log messages. To disable scheduling, select Disabled from the Schedule type drop-down. To define a schedule for the Collector: 1. Select a Schedule type. 2. Enter a Start Time to indicate when the TLC will begin collecting log messages on the days specified by the schedule. 3. Complete the remaining fields to define the schedule. |
Settings |
This tab defines general settings for the Monitored Asset. Collector. The type of Collector that will gather log messages from the Monitored Asset's Log Source (see What are Collectors?). This drop-down determines which fields appear in this tab (details below). Note: When TLC auto-discovers an Axon Agent and creates a Monitored Asset, the Advanced Windows Collector is specified in the Collector field and other Collectors cannot be manually selected. Hostname. The host name of a system with an Axon Agent installed. (Available only with the Advanced File Collector or Advanced Windows Collector.) Note: If you select a host name, TLC auto-populates the IP address field. Conversely, if you enter the IP address of an Axon Agent system, TLC auto-populates the Hostname field. IP address. The IP address of the Monitored Asset's Log Source. Port. The port on the Log Source to be used for communication with TLC. (Available only with the Cisco IDS Collector.) Location. (Optional) Specifies a Location for the Monitored Asset (see Working with Locations). If you select Multiple, TLC adds the Locations tab to the Monitored Asset's properties dialog. Asset type. The type of Log Source. Username. The username of the user account to be employed by TLC for authentication with the Monitored Asset's Log Source (either a Windows system or Cisco IDS). (Available only with the Cisco IDS Collector or WinLog Collector). Password. The password of the user account. (Available only with the Cisco IDS Collector or WinLog Collector). |
Settings (continued) |
Method. The type of WMI Connection to be employed for communication with the Asset's Log Source (a Windows system). The Asynchronous method uses a constant connection with the Windows Event Log. The Synchronous method polls the Windows Event Logs for new log messages. Tips: In the Username and Password fields, do not enter the credentials for a local WMI connection. If the Log Source is a remote system, or you do not have domain access to the Log Source, then the Username should be preceded by the IP address or host name of the Log Source (e.g. 10.32.16.122\administrator). If regulations require the use of a non-Administrator account, you can create another user account with access to all required permissions. For more information, click here. The Username and Password fields are not required if 1) the Monitored Asset's Log Source is a Windows system with a WinLog Collector, 2) the Monitored Asset's Manager has a WinLog Collector assigned to its Installed Modules tab (see Working with Managers), 3) the Windows system and Manager host system are in the same domain, and 4) the service user running the Manager has permission to collect WMI log messages. If you leave the Username and Password fields blank in the Settings tab, TLC will use the login credentials of the TLC Manager Service to access the Windows system. By default, the name of this account is LocalSystem. However, explicit user credentials can be specified with either of the following formats: <machine_name>\<username> <domain_name>\<username> If you just enter a username, then TLC will attempt to connect the user account as a local account on the Windows Log Source. |
Collector |
Input Types |
---|---|
Advanced File Collector |
File - Text File |
Advanced Windows Collector |
Windows Event Log |
Check Point Collector |
Check Point OPSEC |
Cisco IDS Collector |
Cisco SDEE |
File Collector |
File - EVT File - EVTX File - IP360 File - Nessus File - Nmap File - Text File |
Network Collector |
Syslog SNMP |
Oracle Database Collector |
Audit Source |
WinLog Collector |
Windows Event Log |