Tasks

Working with the Task Manager

For an introduction to the Task Manager and Task types, see What are the Task Manager and Task Scheduler?.

To create, copy, edit, run, or delete a Task in the Task Manager:

1. In the side bar, select Events > Task Manager.
2. In the Task Manager, the side bar groups the Tripwire-defined and user-defined Tasks in your TLC environment.

To create a copy of an existing Task, right-click the Task in the side bar and select Copy Task.

To create a new Task:

a. Click Clear Form.
b. Complete the static fields at the top of the main pane (see Table 115).
c. Select a Task type and complete the dynamic fields for the selected type (see Table 116).
d. (Optional) Complete the tabs at the bottom of the Task Manager's main pane (see Table 117).
e. Click Save.

To change the properties of a Task:

a. In the side bar, select the Task to open the properties in the main pane.
b. As needed, edit the Task's static fields (see Table 115), dynamic fields (see Table 116), and/or tabs (see Table 117).
c. Click Save.

To define a schedule for a Copy, Delete, or Archive Task, select the Task in the side bar and select Schedule.

To run a Task, select the Task in the side bar and click Start. To work with the Task's query results, see:

Running a List Task

Running a Graph Task

Running a Report

Running a Copy, Delete, or Archive Task

Generating an Event-Relationship Diagram

To work with a Layout Panel defined by a Layout-Panel Task, see Working with Layout-Panel Tasks.

To delete a Task, right-click the Task in the side bar and select Delete Task.

Table 115. Static fields in the Task Manager

Field

Description

Name

The name of the Task.

Task ID

A unique ID for the Task assigned by TLC.

Private Task

(Optional) To prevent other users from accessing the Task, select this check box.

Description

(Optional) A description of the Task.

Database (or 'Database type')

If Layout Panel is selected from the 'Task type' drop-down, this field ('Database type') specifies the type of databases from which data can be queried by the Task (e.g. Event Databases, Firewall Databases, etc.). The list of available options is limited to the types of databases in your TLC environment.

Otherwise, this field ('Database') indicates the specific database to be queried by the Task.

Task type

The type of Task (see Table 33).

Task Group

The group in which the Task is saved in the side bar of the Task Manager.

Time filter

(Optional) Defines a time filter for the data to be queried by the Task. The Task will only query data saved to the Database within the specified time period.

Static Filter. Enter a Begin Date and End Date to define the time period.

Dynamic Filter. To define this type of time filter:

1. From the Query data drop-down, select Newer or Older.

2. Enter the time period.

For example, to limit the Task to data saved to the database more than 5 days ago, select Older and enter 5 Days.

Desktop Time Filter. Applies the value specified by the Time Filter drop-down in the button bar (see Table 36).

Note: The Desktop Time Filter option only applies when you run a Task in the Task Manager. If you save and schedule a Task with the Desktop Time Filter option, TLC applies no time filter when the Scheduled Task runs.

No Time Filter. Select this option to limit the queried data to the default Time Filter defined in your TLC Settings (see Working with Time Filter Options).

Table 116. Dynamic fields in the Task Manager

Task Type

Dynamic Fields

List Task

To create a List Task:

1. From the 'Task type' drop-down, select Search.

2. From the Output drop-down, select the type of List Task:

List Events queries the database for Events that have been normalized by TLC.

List Hosts queries the database for Hosts. (For an introduction to Hosts, see Working with a Host.)

List Vulnerabilities queries the database for Scanner Events (see What are Scanner Events?).

Graph Task

To create a Graph Task:

1. From the 'Task type' drop-down, select Search.

2. From the Output drop-down, select the type of Graph Task and select a graph type in the associated Type drop-down (if applicable).

Graph - Top Events generates a pie chart showing Events with the most common values in the field specified in the associated Type drop-down.

Graph - Time Events generates a bar graph showing Events saved in each interval for the time period specified by the associated Type drop-down. For example, if you select 7 Days from the Type drop-down, the graph shows how many Events were saved to the database on each of the last 7 days.

Graph - Time of Day Events generates a line graph showing Events saved over the course of each interval (e.g. a day or week) for the time period specified by the associated Type drop-down. Each line represents an interval in the selected time period. For example, if you select TOD over Last 3 Days from the Type drop-down, the graph presents a line for each of the last 3 days. Each line shows how many Events were saved to the database throughout the day.

Graph - Diagram Events generates an Event-Relationship Diagram. For more information, see What are Event-Relationship Diagrams? and Generating an Event-Relationship Diagram.

Report Task

To create a Report Task:

1. From the 'Task type' drop-down, select Search.

2. From the Output drop-down, select Report and select a report type in the associated Type drop-down (if applicable).

For more information about report types, see Working with Report Output.

Copy Task

To create a Copy Task:

1. From the 'Task type' drop-down, select Copy.

2. From the Database drop-down, select the Database from which data will be copied.

3. From the Destination Database drop-down, select the destination database for the copied data.

4. (Optional) To expedite the archive process, select Fast mode. With this option, TLC does not store and verify the key for each database row.

Delete Task

To create a Delete Task:

1. From the 'Task type' drop-down, select Delete.

2. From the Database drop-down, select the Database from which data will be deleted.

3. (Optional) To reclaim unused space following the deletion of data, select the Optimize database following deletion check box. (For a description of this feature, see About Optimization of Delete Tasks and Archive Tasks.)

4. From the 'Data to be deleted' drop-down, select the type of data to be deleted by the Task. 

Events deletes Events that have been normalized by TLC.

Hosts deletes Hosts. (For an introduction to Hosts, see Working with a Host.)

Vulnerabilities deletes Scanner Events (see What are Scanner Events?).

Archive Task

To create an Archive Task:

1. From the 'Task type' drop-down, select Archive.

2. From the Database drop-down, select the Database for which data will be archived.

3. From the 'Destination database' drop-down, select the database to which the queried data will be moved.

4. (Optional) To expedite the archive process, select Fast mode. With this option, TLC does not store and verify the key for each database row.

5. (Optional) To reclaim unused space following the archiving of data, select the Optimize check box. (For a description of this feature, see About Optimization of Delete Tasks and Archive Tasks.)

Layout-Panel Task

A Layout-Panel Task creates a Layout Panel that can be added to a Manager Layout or Database Layout (see What are the Dashboard, Manager Layouts, and Database Layouts?).

To create a Layout-Panel Task:

1. From the 'Task type' drop-down, select Layout Panel.

2. From the 'Database type' drop-down, select System to create a panel for a Manager Layout, or select a type of Event-Management Database to create a panel for a Database Layout (i.e. Event Database, Firewall Database, or IDS Database).

3. From the Output drop-down, select the type of Layout Panel (see Table 31) and specify the data to be displayed in the panel in the associated Type drop-down (if applicable).

Table 117. Tabs in Task Manager main pane

Tab

Description

Filter Wizard

Defines conditions to identify Events in the specified database(s) to be included in the Task's query results. Each condition specifies a value in an Event field or Classification Tag (see How does Classification work?). However, a condition can only be defined for a Classification Tag if one or more Event Databases are specified in the Database field.

If the Task has one or more conditions, the Task will only query Events that match all of the conditions. For example, if you define two conditions for a List Task that queries Scanner Events (i.e. Type = Search, and Output = List Scanners), the Task's query results will only include Scanner Events that satisfy both conditions.

To add a condition to the Task, click Add.

To define or change the properties of a condition specifying an Event field:

1. Select a field from the Type drop-down. For descriptions of Normalized-Message fields, along with guidelines for appropriate values, click here.

If you select Event Priority from the Type drop-down, see How do Event-Priority Filters work? for more information.

2. Select an operator from the Condition drop-down.

3. Enter a Value for the condition. If TLC contains a Correlation List with a 'Field type' that applies to the condition's Type (see Working with Correlation Lists), the Value field presents the Correlation List in a drop-down.

To define or change the properties of a condition specifying a Classification Tag:

1. In the Type drop-down field, select the Classification Tag Set containing the Tag.

Note: Only the Object, Action, or Status Tag Sets may be selected, and each Tag Set can only be selected for a single condition.

2. From the Condition drop-down, select the operator for the condition (see Table 96).

3. In the Value drop-down field, select the Classification Tag.

To enable or disable a condition, select or clear the condition's Enabled check box.

To delete a condition, select the condition's line and click Delete.

To create a new Correlation Rule Decision with the Task's conditions, click Create Correlation-Rule Decision for selected criterion and complete the Enter Decision Information dialog. The Decision will then be available for use when defining Correlation Rules in the Configuration Manager (see Defining a Correlation Rule).

To create a new Normalized-Message Filter with the Task's conditions, click Create Normalized-Message Filter for selected criterion and complete the Normalized-Message Filter dialog (see Working with Normalized-Message Filters). The filter will then be available in the Configuration Manager.

Note: If a condition's Value specifies a Correlation List or Classification Tag, Create Normalized-Message Filter for selected criterion excludes that condition from the Normalized-Message Filter.

Custom Filter

Defines a .NET regular expression to further specify data to be included in the Task's query results.

If a Static Time Filter or Dynamic Time Filter has been defined with the Time filter drop-down (see Table 115), click Copy Time Filter to add a regular expression for the time filter.

If one or more conditions have been defined in the Filter Wizard tab, click Copy Filter Wizard to add a regular expression for the conditions.

Advanced Options

TLC only presents this tab for:

1. Report Tasks

2. Layout-Panel Tasks with List Events selected from the Output drop-down

For a Layout-Panel Task, you can change the number of items displayed by the Layout by changing the value in the Number of items to display field.

For a Report Task, this tab includes the following fields.

Report logo. The graphic (190 x 48 pixels) displayed in the upper right corner of a report. To add your own logo to a report, save the graphic file in your TLC Console installation directory. The default path is:

Program Files\Tripwire\Tripwire Log Center Console

If you plan to create a Scheduled Task (see Working with the Task Scheduler), you must save the graphic file in your TLC Manager installation directory in order for the logo to appear in report output generated by the Scheduled Task. The default path for TLC Manager is: 

Program Files\Tripwire\Tripwire Log Center Manager

Resolve IP addresses. Determines if/how TLC will attempt to resolve IP addresses in the output of the Report.

To resolve the IP addresses for existing Monitored Assets only, select IP addresses of Assets.

To resolve the IP addresses of all systems other than Monitored Assets, select IP addresses of non-Assets.

To resolve the IP addresses of all Monitored Assets and non-Assets, select All IP addresses.

To disable this feature, select None.

Event threshold. For 'Group' Report types, this field specifies a threshold for Events to be included in the output. For example, if the Report identifies the most common Source IP addresses, and you enter a value of 5 in this field, the Report will only present the Source IP addresses that are identified in the properties of 5 or more Events.
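As an added example (not code from the Tripwire product or from this guide), the following Python models the query semantics described above: the Time filter modes of Table 115, including the Desktop Time Filter applying no filter to a Scheduled Task, the AND-ed Filter Wizard conditions of Table 117 with their Enabled check box, and the Event threshold of a 'Group' Report. The Event records, the operator set, and the shape of the time_filter dictionary are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not TLC data): NOW is when the Task runs, saved_at when each Event was saved.
NOW = datetime(2024, 5, 10, 12, 0)
EVENTS = [
    {"saved_at": datetime(2024, 5, 1, 9, 0), "source_ip": "10.0.0.5", "event_priority": 3},
    {"saved_at": datetime(2024, 5, 3, 14, 0), "source_ip": "10.0.0.5", "event_priority": 8},
    {"saved_at": datetime(2024, 5, 9, 8, 0), "source_ip": "10.0.0.7", "event_priority": 9},
    {"saved_at": datetime(2024, 5, 10, 1, 0), "source_ip": "10.0.0.5", "event_priority": 9},
]
# Assumed operator set for the Condition drop-down (the guide defers the real list to Table 96).
OPERATORS = {
    "=": lambda a, b: a == b,
    ">=": lambda a, b: a is not None and a >= b,
    "contains": lambda a, b: str(b) in str(a),
}

def time_window(time_filter, now, scheduled=False, desktop=None, default=(None, None)):
    """Map a Task's 'Time filter' setting to a (begin, end) window; None means unbounded.
    time_filter is an assumed dict: {"mode": "static"|"dynamic"|"desktop"|"none", ...}."""
    mode = time_filter["mode"]
    if mode == "static":       # Static Filter: Begin Date and End Date entered by the user
        return time_filter["begin"], time_filter["end"]
    if mode == "dynamic":      # Dynamic Filter: 'Query data' Newer/Older than N days
        cutoff = now - timedelta(days=time_filter["days"])
        return (cutoff, None) if time_filter["query_data"] == "Newer" else (None, cutoff)
    if mode == "desktop":      # Desktop Time Filter: applies no filter when the Task is scheduled
        return (None, None) if scheduled or desktop is None else desktop
    return default             # No Time Filter: default Time Filter from TLC Settings

def matches(event, conditions):
    """Filter Wizard semantics: every enabled condition must hold (logical AND)."""
    return all(OPERATORS[c["condition"]](event.get(c["type"]), c["value"])
               for c in conditions if c.get("enabled", True))

def run_task(events, time_filter, conditions, now=NOW, **window_kwargs):
    """Events a List Task returns: saved inside the time window and matching all conditions."""
    begin, end = time_window(time_filter, now, **window_kwargs)
    return [e for e in events
            if (begin is None or e["saved_at"] >= begin)
            and (end is None or e["saved_at"] <= end)
            and matches(e, conditions)]

def group_report(events, field, threshold):
    """'Group' Report with an Event threshold: keep field values seen in >= threshold Events."""
    counts = {}
    for e in events:
        counts[e[field]] = counts.get(e[field], 0) + 1
    return {value: n for value, n in counts.items() if n >= threshold}
```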

About Optimization of Delete Tasks and Archive Tasks

This topic explains how TLC reclaims unused space when you select the Optimize option in the properties of a Delete Task or Archive Task (see Table 116) created for an Event-Management Database.

If the Optimize option is enabled and a MySQL database is selected from the Database drop-down, TLC executes the following command after the Task runs:

OPTIMIZE TABLE <table_name>

Where <table_name> is the name of the database table containing the events to be deleted or archived by the Task.

For more information about the OPTIMIZE TABLE command, see the MySQL documentation.

If the Optimize option is enabled and a Microsoft SQL database is selected from the Database drop-down, TLC executes the following commands after the Task runs:

DBCC SHRINKDATABASE (<database_name>)

ALTER INDEX ALL ON <table_name> REBUILD

DBCC SHRINKDATABASE (<database_name>)

Where <database_name> is the name of the database, and <table_name> is the name of the database table containing the events to be deleted or archived by the Task.

Note: Shrinking a database with DBCC SHRINKDATABASE fragments its indexes; the ALTER INDEX ... REBUILD step addresses that fragmentation.

For more information about the DBCC SHRINKDATABASE command, see the Microsoft SQL Server documentation.

If the Optimize option is enabled and a PostgreSQL database is selected from the Database drop-down, TLC executes the following command after the Task runs:

VACUUM FULL <table_name>

Where <table_name> is the name of the database table containing the events to be deleted or archived by the Task.

Note: VACUUM FULL writes a complete new copy of the table and holds an exclusive lock on it until the copy is finished, so it needs free disk space roughly equal to the table's size and blocks other queries against that table while the optimization runs.

For more information about the VACUUM command, see the PostgreSQL documentation.