Tasks

Name

The name of the Task.

Task ID

A unique ID for the Task assigned by TLC.

Private Task

(Optional) To prevent other users from accessing the Task, select this check box.

Description

(Optional) A description of the Task.

Database (or 'Database type')

If Layout Panel is selected from the 'Task type' drop-down, this field ('Database type') specifies the type of databases from which data can be queried by the Task (e.g. Event Databases, Firewall Databases, etc.). The list of available options is limited to the types of databases in your TLC environment.

Otherwise, this field ('Database') indicates the specific database to be queried by the Task.

Task type

The type of Task (see Table 33).

Task Group

The group in which the Task is saved in the side bar of the Task Manager.

Time filter

(Optional) Defines a time filter for the data to be queried by the Task. The Task will only query data saved to the Database within the specified time period.

Static Filter. Enter a Begin Date and End Date to define the time period.

Dynamic Filter. To define this type of time filter:

1. From the Query data drop-down, select Newer or Older.

2. Enter the time period.

For example, to limit the Task to data saved to the database more than 5 days ago, select Older and enter 5 Days.

Desktop Time Filter. Applies the value specified by the Time Filter drop-down in the button bar (see Table 36).

Note: The Desktop Time Filter option only applies when you run a Task in the Task Manager. If you save and schedule a Task with the Desktop Time Filter option, TLC applies no time filter when the Scheduled TaskCreated in the Task Scheduler, a Scheduled Task defines a schedule for TLC to run: 1. A Copy Task, Delete Task, Archive Task, or Report TaskA type of Search TaskA type of Task that performs a query of data in an Event-Management Database. Types of Search Tasks include List, Graph, and Report Tasks. that queries an Event-Management Database and compiles the results in a PDF report file.. 2. A Saved Query that generates an Audit Logger Report. runs.

No Time Filter. Select this option to limit the queried data to the default Time Filter defined in your TLC Settings (see Working with Time Filter Options).

List Task

To create a List Task:

1. From the 'Task type' drop-down, select Search.

2. From the Output drop-down, select the type of List Task:

List Events queries the database for Events that have been normalized by TLC.

List Hosts queries the database for Hosts. (For an introduction to Hosts, see Working with a Host.)

List Vulnerabilities queries the database for Scanner Events (see What are Scanner Events?).

Graph Task

To create a Graph Task:

1. From the 'Task type' drop-down, select Search.

2. From the Output drop-down, select the type of Graph Task and select a graph type in the associated Type drop-down (if applicable).

Graph - Top Events generates a pie chart showing Events with the most common values in the field specified in the associated Type drop-down.

Graph - Time Events generates a bar graph showing Events saved in each interval for the time period specified by the associated Type drop-down. For example, if you select 7 Days from the Type drop-down, the graph shows how many Events were saved to the database on each of the last 7 days.

Graph - Time of Day Events generates a line graph showing Events saved over the course of each interval (e.g. a day or week) for the time period specified by the associated Type drop-down. Each line represents an interval in the selected time period. For example, if you select TOD over Last 3 Days from the Type drop-down, the graph presents a line for each of the last 3 days. Each line shows how many Events were saved to the database throughout the day.

Graph - Diagram Events generates an Event-Relationship Diagram. For more information, see What are Event-Relationship Diagrams? and Generating an Event-Relationship Diagram.

Report Task

To create a Report Task:

1. From the 'Task type' drop-down, select Search.

2. From the Output drop-down, select Report and select a report type in the associated Type drop-down (if applicable).

For more information about report types, see Working with Report Output.

Copy Task

To create a Copy Task:

1. From the 'Task type' drop-down, select Copy.

2. From the Database drop-down, select the Database from which data will be copied.

3. From the Destination Database drop-down, select the destination database for the copied data.

4. (Optional) To expedite the archive process, select Fast mode. With this option, TLC does not store and verify the key for each database row.

Delete Task

To create a Delete Task:

1. From the 'Task type' drop-down, select Delete.

2. From the Database drop-down, select the Database from which data will be deleted.

3. (Optional) To reclaim unused space following the deletion of data, select the Optimize database following deletion check box. (For a description of this feature, see About Optimization of Delete Tasks and Archive Tasks.)

4. From the 'Data to be deleted' drop-down, select the type of data to be deleted by the Task. 

Events deletes Events that have been normalized by TLC.

Hosts deletes Hosts. (For an introduction to Hosts, see Working with a Host.)

Vulnerabilities deletes Scanner Events (see What are Scanner Events?).

Archive Task

To create an Archive Task:

1. From the 'Task type' drop-down, select Archive.

2. From the Database drop-down, select the Database for which data will be archived.

3. From the 'Destination database' drop-down, select the database to which the queried data will be moved.

4. (Optional) To expedite the archive process, select Fast mode. With this option, TLC does not store and verify the key for each database row.

5. (Optional) To reclaim unused space following the archiving of data, select the Optimize check box. (For a description of this feature, see About Optimization of Delete Tasks and Archive Tasks.)

Layout-Panel Task

A Layout-Panel Task creates a Layout Panel that can be added to a Manager Layout or Database Layout (see What are the Dashboard, Manager Layouts, and Database Layouts?).

To create a Layout-Panel Task:

1. From the 'Task type' drop-down, select Layout Panel.

2. From the 'Database type' drop-down, select System to create a panel for a Manager Layout, or select a type of Event-Management DatabaseAn optional component of your TLC environment, an Event-Management Database stores Events. Types of Event-Management Databases include Event Databases, IDS Databases, and Firewall Databases. to create a panel for a Database Layout (i.e. Event DatabaseA type of Event-Management Database that stores Events from any Log SourceAny log-generating application, operating-system service, database instance, or device from which TLC collects log messages. and/or scannerA device that monitors systems in your TLC environment (for example, a vulnerability scanner).., Firewall DatabaseA type of Event-Management Database that stores Events from firewalls., or IDS DatabaseA type of Event-Management Database that stores Events from IDS and IPS devices.).

3. From the Output drop-down, select the type of Layout Panel (see Table 31) and specify the data to be displayed in the panel in the associated Type drop-down (if applicable).

Filter Wizard

Defines conditions to identify Events in the specified database(s) to be included in the Task's query results. Each condition specifies a value in an Event field or Classification TagDefines a string to classify similar log messages stored in the Audit Logger File Store. (see How does Classification work?). However, a condition can only be defined for a Classification Tag if an Event Database(s) is specified in the Database field.

If the Task has one or more conditions, the Task will only query Events that match all of the conditions. For example, if you define two conditions for a List Task that queries Scanner Events (i.e. Type = Search, and Output = List Scanners), the Task's query results will only include Scanner Events that satisfy both conditions.

To add a condition to the Task, clickAdd.

To define or change the properties of a condition specifying an Event field:

1. Select a field from the Type drop-down. For descriptions of Normalized-Message fields, along with guidelines for appropriate values, click here.

If you select Event Priority from the Type drop-down, see How do Event-Priority Filters work? for more information.

2. Select an operator from the Condition drop-down.

3. Enter a Value for the condition. If TLC contains a Correlation ListA list of values that may be used to define a condition in a DecisionA component of a Correlation Rule, a Decision defines a condition that determines if the rule continues correlating a log message.. with a 'Field type' that applies to the condition's Type (see Working with Correlation Lists), the Value field presents the Correlation List in a drop-down.

To define or change the properties of a condition specifying a Classification Tag:

1. In the Type drop-down field, select the Classification Tag SetA group of Tripwire-defined or user-defined Classification Tags. containing the Tag.

Note: Only the Object, ActionA TLC object that initiates a response to Correlated Events created by Correlation Rules., or Status Tag Sets may be selected, and each Tag Set can only be selected for a single condition.

2. From the Condition drop-down, select the operator for the condition (see Table 96).

3. In the Value drop-down field, select the Classification Tag.

To enable or disable a condition, select or clear the condition's Enabled check box.

To delete a condition, select the condition's line and clickDelete.

To create a new Correlation RuleConstructed with a flowchart consisting of an Input, Decision(s), and Output(s), a Correlation Rule correlates log messages to identify events of interest. Decision with the Task's conditions, clickCreate Correlation-Rule Decision for selected criterion and complete the Enter Decision Information dialog. The Decision will then be available for use when defining Correlation Rules in the Configuration ManagerIn the Configuration Manager, you can create and configure TLC Resources (Monitored Assets, AssetA Log Source in your TLC environment. See Monitored Assets and Discovered Assets. Groups, Managers, Locations, Event-Management Databases), normalization objects (NormalizationThe process of standardizing log messages for use by TLC. Standardized messages are known as Normalized Messages. Rules, Aliases, and Normalized-Message Filters), and correlation objects (Correlation Engines, Rules, Lists, and Actions). (see Defining a Correlation Rule).

To create a new Normalized-Message FilterA TLC object that defines a condition(s) to prevent TLC from forwarding some log messages to a specified Event-Management Database(s) or Correlation EngineThe component of your Primary ManagerEach TLC environment has a single Primary Manager that controls: 1. The storing of log messages in the Audit Logger File Store and Events in Event-Management Databases, 2. The configuration settings for your TLC environment, and 3. User access and license management for TLC. responsible for identifying events of interest. To correlate events, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine.(s). with the Task's conditions, clickCreate Normalized-Message Filter for selected criterion and complete the Normalized-Message Filter dialog (see Working with Normalized-Message Filters). The filter will then be available in the Configuration Manager.

Note: If a condition's Value specifies a Correlation List or Classification Tag, the Create Normalized-Message Filter for selected criterion will exclude the condition from a Normalized-Message Filter.

Custom Filter

Defines a .NET regular expression to further specify data to be included in the Task's query results.

If a Static Time Filter or Dynamic Time Filter has been defined with the Time filter drop-down (see Table 115), click Copy Time Filter to add a regular expression for the time filter.

If one or more conditions have been defined in the Filter Wizard tab, click Copy Filter Wizard to add a regular expression for the conditions.

Advanced Options

TLC only presents this tab for:

1. Report Tasks

2. Layout-Panel Tasks with List Events selected from the Output drop-down

For a Layout-Panel Task, you can change the number of items displayed by the Layout by changing the value in the Number of items to display field.

For a Report Task, this tab includes the following fields.

Report logo. The graphic (190 x 48 pixels) displayed in the upper right corner of a report. To add your own logo to a report, save the graphic file in your TLC Console installation directory. The default path is:

Program Files\Tripwire\Tripwire Log Center Console

If you plan to create a Scheduled Task (see Working with the Task Scheduler), you must save the graphic file in your TLC Manager installation directory in order for the logo to appear in report output generated by the Scheduled Task. The default path for TLC Manager is: 

Program Files\Tripwire\Tripwire Log Center Manager

Resolve IP addresses. Determines if/how TLC will attempt to resolve IP addresses in the output of the Report.

To resolve the IP addresses for existing Monitored Assets only, select IP addresses of Assets.

To resolve the IP addresses of all systems other than Monitored Assets, select IP addresses of non-Assets.

To resolve the IP addresses of all Monitored Assets and non-Assets, select All IP addresses.

To disable this feature, select None.

Event threshold. For 'Group' Report types, this field specifies a threshold for Events to be included in the output. For example, if the Report identifies the most common Source IP addresses, and you enter a value of 5 in this field, the Report will only present the Source IP addresses that are identified in the properties of 5 or more Events.