Changing a Manager's Advanced Settings

Caution 

You should only modify your Manager's Advanced Settings if directed to do so by Tripwire Technical Support.

To change the advanced settings for a Manager:

1. In the side bar, select Resources >Configuration ManagerConfiguration Manager.
2. In the side bar of the Configuration Manager, select ResourcesResources >ManagersManagers.
3. In the workspace, double-click the Manager.
4. Select the Advanced Settings tab.
5. To add a setting in the Manager dialog:
a. ClickAddAdd. TLC adds a row to the Advanced Options table.
b. In the new row, mouse over the Advanced Option field to display the drop-down arrow.
c. Select an option from the Advanced Option drop-down (see Table 49).
d. In the Value field, enter a value for the option. Some options require entry of an explicit value, while others provide values in a drop-down list.

To change the value for a setting, select and edit the Value field for the setting's table row.

To remove a setting, click the arrow button to the left of the setting's table row and clickDelete/RemoveRemove.

Tip

Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers).

Table 49. Types of Advanced Options

Option

Description

Advanced Collector - Duplicate-Asset Criteria

The Tripwire Axon Agent for TLC installer assigns a universally unique identifier (UUID) to each Axon Agent (see Auto-Discovery of a Windows Axon Agent), and the Agent will change its UUID if:

All of the Media Access Control (MAC) addresses on the Axon Agent host system change (for example, if the system is cloned), or

The Axon Agent state files become corrupted and must be recreated.

Whenever an Axon Agent's UUID is first assigned or subsequently changed, the Agent sends the UUID to its TLC Manager. If the UUID is unassociated with any existing Monitored Assets, this setting specifies the criteria employed by TLC to determine if the UUID represents a new Axon Agent or a change for an existing Axon Agent.

Hostname. If the UUID is from an Axon Agent with a host name that matches an existing Monitored Asset, TLC updates the Asset's UUID. Otherwise, TLC creates a new Monitored Asset.

Hostname and IP. If the UUID is from an Axon Agent with a host name and IP address that match an existing Monitored Asset, TLC updates the Asset's UUID. Otherwise, TLC creates a new Monitored Asset.

None. TLC creates a new Monitored Asset, regardless of the Axon Agent's host name or IP address.

Asset AutoDiscovery - Assigned Location

Specifies the ID of a Location to be assigned to all auto-discovered Monitored Assets. To view the Locations assigned to a Monitored Asset, see Working with Monitored Assets.

Audit Logger - Create Log Files by Asset

If True, TLC writes log messages to a separate log file for each Monitored Asset.

Audit Logger - Buffer Time Limit (in Hours)

Sets the maximum number of hours that log messages will sit in the Audit Logger buffer.

Audit Logger - Custom Term Separators

Specifies characters to be used as term separators in the Audit Logger.

Note: By default, the following characters are defined as term separators.  

' & ; / , \ \ = | ( ) [ ] % { } + \ " `

If you add your own term separators in the Value field, Tripwire Log Center overrides the default separators.

Tripwire Log Center always treats a space character as a term separator.

Audit Logger - Display Hostnames in the PCI Reports

If True, the Audit Logger will use host names to identify and sort Monitored Assets with the Advanced Windows Collector or the Advanced File Collector (see Table 28) in the output of Tripwire-defined PCI Reports. Otherwise, these Assets will be identified by their IP addresses.

Tip: For a specific report, you can override this setting in the Report Options tab (see Table 86).

Audit Logger - Enable SHA-256 Checksum

If True, the Audit Logger will calculate a SHA-256 hash for each file written to the Audit Logger File Store. TLC stores the hashes in the Audit Logger Index. When an Audit Logger query is run, TLC first verifies the SHA-256 hashes of the queried files before presenting the query results.

Audit Logger - Index Thread Limit

Sets the maximum number of indexing threads that the Audit Logger can sustain at one time.

Audit Logger - Indexing Limit

Sets the maximum number of log messages that can be indexed by the Audit Logger at one time.

Audit Logger - Maximum Index Size (in MB)

Sets the maximum size (in MB) of the Audit Logger Index. If the index exceeds this size, TLC creates a new partition.

Audit Logger - Maximum Size of Uncompressed Log Files

Sets the maximum size (in MB) of uncompressed log files in an Audit Logger zip file.

Audit Logger - Query Term Limit

Sets the maximum number of terms in the Audit Logger Index that can be queried at one time.

Audit Logger - Zip File Size Limit

Sets the maximum size (in MB) of an Audit Logger zip file. If the size of a zip file exceeds this value, TLC creates a new zip file.

Buffer Size - Actions

Sets the maximum number of Actions that can be cached in the buffer of the Action Engine.

Buffer Size - Check Point Collector

Sets the maximum number of log messages that can be cached in the buffer of the Check Point Collector.

Buffer Size - Correlation Engine

Sets the maximum number of Normalized Messages that can be cached in the buffer of the Correlation Engine.

Buffer Size - Event Databases

Sets the maximum number of Normalized Messages that can be cached in the buffer used for Event Databases.

Buffer Size - Firewall Databases

Sets the maximum number of Normalized Messages that can be cached in the buffer of the Clean-Up Utility used for Firewall Databases.

Buffer Size - IDS Databases

Sets the maximum number of Normalized Messages that can be cached in the buffer of the Clean-Up Utility used for IDS Databases.

Buffer Size - MySQL

Sets the maximum number of Normalized Messages that can be cached in the buffer of any MySQL Event-Management Database.

Buffer Size - Normalization Engine

Sets the maximum number of log messages that can be cached in the buffer of the Normalization Engine.

Buffer Size - WinLog Collector

Sets the maximum number of log messages that can be cached in the buffer of the Windows Collector.

Cisco IDS Collector - Close Subscription on Stop

Closes the subscription to the Cisco IDS when the Manager service stops. When the Manager service is re-started, a new subscription will be created. (Without a subscription, TLC is unable to collect log messages from Cisco IDS systems while the Manager service is stopped.)

Cisco IDS Collector - Collection Interval

Sets the interval (in seconds) for polling of log messages from Cisco IDS systems by the Cisco IDS Collector.

Cisco IDS Collector - Collection Limit

Sets the maximum number of Cisco IDS log messages that may be collected by the Cisco IDS Collector at one time.

Cisco IDS Collector - Timestamp from Manager

If True, this setting overwrites the timestamp of log messages collected by the Cisco IDS Collector with the Manager's timestamp.

Classification Performance - Log Mode

Determines if TLC will write classification-performance statistics to tlc.log. If this setting is enabled (Slow or All), TLC may write the following statistics for each Normalization Rule

The average time in which the Normalization Rule classified log messages,

The longest period of time in which the rule classified a log message, and

The shortest period of time in which the rule classified a log message.

Options include: 

None. No classification-performance statistics are written to tlc.log.

Slow. Writes a Normalization Rule's classification-performance statistics to tlc.log only if the rule classified at least one log message in a time period exceeding the threshold defined by the Classification Performance - Slow Threshold setting.

All. Writes classification-performance statistics for all Normalization Rules to tlc.log.

Note: For an introduction to classification, see How does Classification work?.

Classification Performance - Log Detail Level

If the Classification Performance - Log Mode setting is enabled, this setting determines the additional level of detail written to tlc.log.

None. No additional detail.

UID. For each Normalization Rule, TLC includes the unique ID (UID) of the log message classified by the rule in the longest period of time.

Text. For each Normalization Rule, TLC includes the unique ID (UID) and the first 300 characters of the log message classified by the rule in the longest period of time.

Classification Performance - Slow Threshold

This setting defines the threshold (in milliseconds) for the classification process. For further details, see Classification Performance - Log Mode.

Correlation Engine - Remote Max Wait (milliseconds)

Sets the maximum number of milliseconds Normalized Messages can be cached in the buffer of the local Manager's Correlation Engine. When a Normalized Message is in the buffer for a duration of time exceeding this value, the local Manager will send all messages in the buffer to another Manager's Correlation Engine.

Correlation Engine - Remote Queue Size

Sets the maximum number of Normalized Messages that can be cached in the buffer of the local Manager's Correlation Engine. When the number of messages exceeds this value, the local Manager will send all messages in the buffer to another Manager's Correlation Engine.

Correlation Engine - State Table Size

Sets the maximum number of state-table items permitted in the state table at one time.

Dashboard - Normalized Message Cache Timeout (in Minutes)

Sets the maximum number of minutes Normalized Messages will be cached for display in the Dashboard.

Database Collector - Collection Limit

Sets the maximum number of log messages that may be collected by the Database Collector at one time.

Database Server - Query Timeout

Sets the timeout (in seconds) for queries of your database server (1 to 2147483). To run queries with no timeout, enter zero (0).

File Collector - Enable SSHD Authentication

If True and a File Collector is configured for use with a Secure FTP server (see Working with Managers), this setting enables the use of SSHD keyboard authentication to send log messages from the server to the File Collector.

File Collector - Concurrent Connections

If a File Collector is configured for use with a Secure FTP server (see Working with Managers), this setting defines the maximum number of concurrent connections between the server and the File Collector.

File Collector - Limit FTP Server to One IP Address

If True and a File Collector is configured for use with a Secure FTP server (see Working with Managers), this setting limits the server to a single IP address. If this setting is disabled, the Secure FTP server will use all IP addresses.

File Collector - Save Log Name in Message Properties

If True, the File Collector will save the applicable log filename in the properties of each log message saved in the Audit Logger.

FTP SSH Outbound Connections - Support Legacy Algorithms

If True, the SFTP client will use the following algorithms to connect with an SFTP Server:

Encryption algorithms: aes256-ctr, aes256-cbc, 3des-cbc

MAC Algorithms: hmac-sha1, hmac-md5, hmac-sha1-96, hmac-md5-96

Otherwise, the SFTP client will use the following algorithms: 

Encryption algorithms: aes256-ctr

MAC Algorithms: hmac-sha1

Log Message Forwarding - Destinations

Specifies one or more Forwarding Destinations. For more information, see: 

What is Log-Message Forwarding?

Configuring Log-Message Forwarding

Log Message Forwarding - Forwarding message length

Sets the maximum number of characters (1,024 - 65,000) in log messages that may be forwarded to the Forwarding Destination(s) specified by the Log-Message Forwarding - Destinations setting (above). If a log message contains more characters than this value, the Manager will remove the content exceeding this limit prior to forwarding the message to the Forwarding Destination(s).

MySQL - Bulk Load Data

If True, TLC will bulk load data to a MySQL database by sending multiple inserts at the same time, instead of one at a time. This increases performance.

MySQL - Delayed Insert Function

If True, this setting enables the use of the MySQL Delayed Insert function.

Normalization Engine - Concurrent Text Thread Limit

Sets the maximum number of concurrent text threads for the Normalization Engine.

Normalization Engine - Concurrent Windows Thread Limit

Sets the maximum number of concurrent threads for Windows log messages processed by the Normalization Engine.

Normalization Engine - Display Classification Condition

If True, TLC displays the Classification Condition fields in the Classification tab of the Normalization Rule properties dialog (see Table 88).

Normalization Engine - Parse Log Message Timestamps

If True, the Normalization Engine's Parsing Utility will attempt to parse the timestamp of each log message. Otherwise, the Parsing Utility uses the Manager's timestamp.

Normalization Engine - Time Synchronization Threshold

Defines a time threshold (in minutes). If the difference between the timestamp of a Monitored Asset and the Manager's current time exceeds this value, TLC generates and sends a Normalized Message to the Correlation Engine.

Normalization Performance - Mode

If the Manager's logging level is set to Debug (see Changing a Manager's Log Settings), TLC can write the following normalization-performance statistics for each Normalization Rule to tlc.log

The average time in which the Normalization Rule normalized log messages,

The longest period of time in which the rule normalized a log message, and

The shortest period of time in which the rule normalized a log message.

This setting determines the Normalization Rules for which TLC will write these statistics to tlc.log. Options include: 

Slow. Writes a Normalization Rule's normalization-performance statistics to tlc.log only if the rule normalized at least one log message in a time period exceeding the threshold defined by the Normalization Performance - Slow Threshold setting.

All. Writes normalization-performance statistics for all Normalization Rules to tlc.log.

Normalization Performance - Log Detail Level

This setting determines if TLC includes additional information when writing normalization-performance statistics to tlc.log. For further details, see Normalization Performance - Mode.

None. No additional detail.

UID. For each Normalization Rule, TLC includes the unique ID (UID) of the log message normalized by the rule in the longest period of time.

Text. For each Normalization Rule, TLC includes the unique ID (UID) and the first 300 characters of the log message normalized by the rule in the longest period of time.

Normalization Performance - Slow Threshold

This setting defines the threshold (in milliseconds) for the normalization process. For further details, see Normalization Performance - Mode.

Read Compressed File Block Size

Sets the size (in bytes) of blocks to read from a zip file (default = 8096).

Schedule Delay

Sets the amount of time between synchronous collections of log messages.

Syslog Collector - Collect IP Addresses from Packets

If True, the Network Collector gathers IP addresses from packets instead of syslog headers (Default= False). 

Syslog Collector - Get Hostnames from Syslog Headers

If True, TLC gathers host names from syslog headers. The host names are then used to resolve the IP address of each Log Source from which the Network Collector receives syslog messages (Default = False).

System Database - Maximum number of Notifications

Sets the maximum number of notifications retained by TLC. Each day, TLC removes the oldest notifications that exceed this threshold. For more information, see Working with Notifications.

Vulnerabilities - IP360 High Risk Score Threshold

Note: This setting only applies to vulnerability events (i.e., IP360 scan results) collected from Tripwire VnE Managers. To collect IP360 scan results, complete the steps in Integration Guide: Tripwire IP360 and Tripwire Log Center (PDF).

In Tripwire VnE Manager, a Vulnerability Score is a numerical value indicating the severity or seriousness of a vulnerability event. Vulnerability Scores range from 0 (least severe) to 999,999,999 (most severe).

In TLC, the Risk level (Low, Medium, or High) indicates the severity or seriousness of a vulnerability event. When a vulnerability event is imported from a Tripwire VnE Manager to an Event Database (see Importing Scanner Data to an Event Database), TLC converts the IP360 Vulnerability Score to a Risk level. TLC then displays the Risk level in the Information tab of the Event Details dialog (see Working with a Scanner Event).

This setting specifies the minimum VnE Vulnerability Score for which TLC assigns a High Risk level (default = 3,000). TLC then calculates the minimum VnE Vulnerability Score for the Medium Risk level as one half (1/2) of this value.

For example, if this setting specifies a value of 8,000, then: 

High Risk level = 8,000 to 999,999,999

Medium Risk level = 4,000 to 7,999

Low Risk level = 0 to 3,999

Vulnerabilities - IP360 High Value Host Threshold

Note: This setting only applies to vulnerability events (i.e., IP360 scan results) collected from Tripwire VnE Managers. To collect IP360 scan results, complete the steps in Integration Guide: Tripwire IP360 and Tripwire Log Center (PDF).

In Tripwire VnE Manager, an Asset Value is a numerical value indicating the importance of a host system for which a Tripwire IP360 Device Profiler generated a vulnerability event. Asset Values range from 0 (least important) to 999,999,999 (most important).

In TLC, the Priority level (Low, Medium, or High) indicates the importance of a host system. When you import a vulnerability event from Tripwire VnE Manager to an Event Database (see Importing Scanner Data to an Event Database), TLC converts the IP360 Asset Value to a Priority level. TLC then displays the Priority level in the Overview tab of the Host Details dialog (see Working with a Host),

This setting specifies the minimum IP360 Asset Value for which TLC assigns a High Priority level (default = 100). TLC then calculates the minimum IP360 Asset Value for the Medium Priority level as one half (1/2) of this value.

For example, if this setting specifies a value of 20,000, then: 

High Priority level = 20,000 to 999,999,999

Medium Priority level = 10,000 to 19,999

Low Priority level = 0 to 9,999

WinLog Collector - Asynchronous Status Interval

Sets the time interval for TLC to check the status of Asynchronous connections for the WinLog Collector.

WinLog Collector - Collection Interval

Sets the time interval (in seconds) for TLC to check the WinLog Collector for log messages. (Default = 30 seconds)

WinLog Collector - Duplicate Threshold

Sets the number of log messages that are kept in memory by the WinLog Collector to prevent duplication.

WinLog Collector - Encryption

Enables encryption of log messages collected by the WinLog Collector.

WinLog Collector - Ping Host

Specifies an action taken by TLC prior to establishing WMI connections with Windows Log Sources.

ICMP Ping. TLC pings the Log Source with an Internet Control Message Protocol (ICMP) echo-request packet.

TCP Connect. TLC connects with the Log Source via TCP.

Note: This setting was introduced in TLC 6.1.1.

WinLog Collector - Process Event Threads

Sets the number of processing threads for the conversion of log messages from WMI format to a TLC-compatible format.

WinLog Collector - Startup Threads

Sets the number of threads used to start the WinLog Collector.

WinLog Collector - Status Threads

The number of threads used by TLC to check the status of Windows Monitored Assets.