Advanced Collector - Duplicate-Asset Criteria

The Tripwire Axon Agent for TLCA service that may be installed on a Windows or Linux system to collect log messages from any log-generating application running on the system. When installed on a Windows system, this service can also collect the system's Windows Event Logs via the Secure Socket Layer (SSL) protocol. installer assigns a universally unique identifier (UUID) to each Axon AgentA system on which Tripwire Axon Agent for TLC software has been installed. (see Auto-Discovery of a Windows Axon Agent), and the Agent will change its UUID if:

All of the Media Access Control (MAC) addresses on the Axon Agent host system change (for example, if the system is cloned), or

The Axon Agent state files become corrupted and must be recreated.

Whenever an Axon Agent's UUID is first assigned or subsequently changed, the Agent sends the UUID to its TLC Manager. If the UUID is unassociated with any existing Monitored Assets, this setting specifies the criteria employed by TLC to determine if the UUID represents a new Axon Agent or a change for an existing Axon Agent.

Hostname. If the UUID is from an Axon Agent with a host name that matches an existing Monitored AssetAn object in the TLC Configuration Manager that represents a Log Source from which TLC collects log messages directly., TLC updates the Asset's UUID. Otherwise, TLC creates a new Monitored Asset.

Hostname and IP. If the UUID is from an Axon Agent with a host name and IP address that match an existing Monitored Asset, TLC updates the Asset's UUID. Otherwise, TLC creates a new Monitored Asset.

None. TLC creates a new Monitored Asset, regardless of the Axon Agent's host name or IP address.

Asset AutoDiscovery - Assigned Location

Specifies the ID of a LocationA custom category used to classify Monitored Assets by geography. to be assigned to all auto-discovered Monitored Assets. To view the Locations assigned to a Monitored Asset, see Working with Monitored Assets.

Audit Logger - Create Log Files by Asset

If True, TLC writes log messages to a separate log file for each Monitored Asset.

Audit Logger - Buffer Time Limit (in Hours)

Sets the maximum number of hours that log messages will sit in the Audit LoggerThe TLC Console1. Tripwire Log Center Console is the software for the TLC graphic user interface (GUI), or 2. The Tripwire Log Center GUI. Through the TLC Console, you can configure TLC, oversee your TLC environment, and manage log and event data. component in which you can work with the log messages collected by TLC. buffer.

Audit Logger - Custom Term Separators

Specifies characters to be used as term separators in the Audit Logger.

Note: By default, the following characters are defined as term separators.  

' & ; / , \ \ = | ( ) [ ] % { } + \ " `

If you add your own term separators in the Value field, Tripwire Log Center overrides the default separators.

Tripwire Log Center always treats a space character as a term separator.

Audit Logger - Display Hostnames in the PCI Reports

If True, the Audit Logger will use host names to identify and sort Monitored Assets with the Advanced Windows CollectorA type of CollectorA TLC module that gathers or receives log messages from Log Sources. that collects log messages from Windows Event Logs on Axon Agent systems via the Secure Sockets Layer (SSL) protocol. or the Advanced File CollectorA type of Collector that collects log messages from log-generating applications running on an Axon Agent host system via the Secure Sockets Layer (SSL) protocol. (see Table 26) in the output of Tripwire-defined PCI Reports. Otherwise, these Assets will be identified by their IP addresses.

Tip: For a specific report, you can override this setting in the Report Options tab (see Table 84).

Audit Logger - Enable SHA-256 Checksum

If True, the Audit Logger will calculate a SHA-256 hash for each file written to the Audit Logger File StoreConsists of a series of compressed flat files containing the log messages collected by the Manager from Log Sources, and an index of terms contained in the log messages.. TLC stores the hashes in the Audit Logger Index. When an Audit Logger query is run, TLC first verifies the SHA-256 hashes of the queried files before presenting the query results.

Audit Logger - Index Thread Limit

Sets the maximum number of indexing threads that the Audit Logger can sustain at one time.

Audit Logger - Indexing Limit

Sets the maximum number of log messages that can be indexed by the Audit Logger at one time.

Audit Logger - Maximum Index Size (in MB)

Sets the maximum size (in MB) of the Audit Logger Index. If the index exceeds this size, TLC creates a new partition.

Audit Logger - Maximum Size of Uncompressed Log Files

Sets the maximum size (in MB) of uncompressed log files in an Audit Logger zip file.

Audit Logger - Query Term Limit

Sets the maximum number of terms in the Audit Logger Index that can be queried at one time.

Audit Logger - Zip File Size Limit

Sets the maximum size (in MB) of an Audit Logger zip file. If the size of a zip file exceeds this value, TLC creates a new zip file.

Buffer Size - Actions

Sets the maximum number of Actions that can be cached in the buffer of the ActionA TLC object that initiates a response to Correlated Events created by Correlation Rules. Engine.

Buffer Size - Check Point Collector

Sets the maximum number of log messages that can be cached in the buffer of the Check Point CollectorA type of Collector that listens for log messages from a Check Point Manager..

Buffer Size - Correlation Engine

Sets the maximum number of Normalized Messages that can be cached in the buffer of the Correlation EngineThe component of your Primary ManagerEach TLC environmentConsists of all TLC software, Managers, Log Sources, Monitored Assets, Collectors, and data in your TLC installation. has a single Primary Manager that controls: 1. The storing of log messages in the Audit Logger File Store and Events in Event-Management Databases, 2. The configuration settings for your TLC environment, and 3. User access and license management for TLC. responsible for identifying events of interest. To correlate events, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine..

Buffer Size - Event Databases

Sets the maximum number of Normalized Messages that can be cached in the buffer used for Event Databases.

Buffer Size - Firewall Databases

Sets the maximum number of Normalized Messages that can be cached in the buffer of the Clean-Up UtilityA component of the Normalization Engine that standardizes the format of each name-value pair in log messages. used for Firewall Databases.

Buffer Size - IDS Databases

Sets the maximum number of Normalized Messages that can be cached in the buffer of the Clean-Up Utility used for IDS Databases.

Buffer Size - MySQL

Sets the maximum number of Normalized Messages that can be cached in the buffer of any MySQL Event-Management DatabaseAn optional component of your TLC environment, an Event-Management Database stores Events. Types of Event-Management Databases include Event Databases, IDS Databases, and Firewall Databases..

Buffer Size - Normalization Engine

Sets the maximum number of log messages that can be cached in the buffer of the Normalization EngineThe component of your Primary Manager responsible for normalizing log messages..

Buffer Size - WinLog Collector

Sets the maximum number of log messages that can be cached in the buffer of the Windows Collector.

Cisco IDS Collector - Close Subscription on Stop

Closes the subscription to the Cisco IDS when the Manager service stops. When the Manager service is re-started, a new subscription will be created. (Without a subscription, TLC is unable to collect log messages from Cisco IDS systems while the Manager service is stopped.)

Cisco IDS Collector - Collection Interval

Sets the interval (in seconds) for polling of log messages from Cisco IDS systems by the Cisco IDS CollectorA type of Collector that gathers log messages from Cisco IDS sensors..

Cisco IDS Collector - Collection Limit

Sets the maximum number of Cisco IDS log messages that may be collected by the Cisco IDS Collector at one time.

Cisco IDS Collector - Timestamp from Manager

If True, this setting overwrites the timestamp of log messages collected by the Cisco IDS Collector with the Manager's timestamp.

Classification Performance - Log Mode

Determines if TLC will write classification-performance statistics to tlc.log. If this setting is enabled (Slow or All), TLC may write the following statistics for each Normalization RuleDefines a regular expression that can be used to normalize log messages generated by a specific type of Log Source.: 

The average time in which the Normalization Rule classified log messages,

The longest period of time in which the rule classified a log message, and

The shortest period of time in which the rule classified a log message.

Options include: 

None. No classification-performance statistics are written to tlc.log.

Slow. Writes a Normalization Rule's classification-performance statistics to tlc.log only if the rule classified at least one log message in a time period exceeding the threshold defined by the ClassificationThe process of categorizing log messages with Classification Tags. Performance - Slow Threshold setting.

All. Writes classification-performance statistics for all Normalization Rules to tlc.log.

Note: For an introduction to classification, see How does Classification work?.

Classification Performance - Log Detail Level

If the Classification Performance - Log Mode setting is enabled, this setting determines the additional level of detail written to tlc.log.

None. No additional detail.

UID. For each Normalization Rule, TLC includes the unique ID (UID) of the log message classified by the rule in the longest period of time.

Text. For each Normalization Rule, TLC includes the unique ID (UID) and the first 300 characters of the log message classified by the rule in the longest period of time.

Classification Performance - Slow Threshold

This setting defines the threshold (in milliseconds) for the classification process. For further details, see Classification Performance - Log Mode.

Correlation Engine - Remote Max Wait (milliseconds)

Sets the maximum number of milliseconds Normalized Messages can be cached in the buffer of the local Manager's Correlation Engine. When a Normalized MessageA log message that has been normalized by TLC. is in the buffer for a duration of time exceeding this value, the local Manager will send all messages in the buffer to another Manager's Correlation Engine.

Correlation Engine - Remote Queue Size

Sets the maximum number of Normalized Messages that can be cached in the buffer of the local Manager's Correlation Engine. When the number of messages exceeds this value, the local Manager will send all messages in the buffer to another Manager's Correlation Engine.

Correlation Engine - State Table Size

Sets the maximum number of state-table items permitted in the state table at one time.

Dashboard - Normalized Message Cache Timeout (in Minutes)

Sets the maximum number of minutes Normalized Messages will be cached for display in the DashboardA TLC Console component that presents information about a Manager or Event-Management Database in a Layout1. A customizable configuration of panels containing fields, tables, and/or graphs. 2. The configuration and formatting of a table or Event-Relationship Diagram...

Database Collector - Collection Limit

Sets the maximum number of log messages that may be collected by the Database CollectorA type of Collector that gathers log messages from an application that logs to an External Database. at one time.

Database Server - Query Timeout

Sets the timeout (in seconds) for queries of your database server (1 to 2147483). To run queries with no timeout, enter zero (0).

File Collector - Enable SSHD Authentication

If True and a File CollectorA type of Collector that gathers log messages from Log Sources that store messages in an ASCII log file. is configured for use with a Secure FTP server (see Working with Managers), this setting enables the use of SSHD keyboard authentication to send log messages from the server to the File Collector.

File Collector - Concurrent Connections

If a File Collector is configured for use with a Secure FTP server (see Working with Managers), this setting defines the maximum number of concurrent connections between the server and the File Collector.

File Collector - Limit FTP Server to One IP Address

If True and a File Collector is configured for use with a Secure FTP server (see Working with Managers), this setting limits the server to a single IP address. If this setting is disabled, the Secure FTP server will use all IP addresses.

File Collector - Save Log Name in Message Properties

If True, the File Collector will save the applicable log filename in the properties of each log message saved in the Audit Logger.

FTP SSH Outbound Connections - Support Legacy Algorithms

If True, the SFTP client will use the following algorithms to connect with an SFTP Server:

Encryption algorithms: aes256-ctr, aes256-cbc, 3des-cbc

MAC Algorithms: hmac-sha1, hmac-md5, hmac-sha1-96, hmac-md5-96

Otherwise, the SFTP client will use the following algorithms: 

Encryption algorithms: aes256-ctr

MAC Algorithms: hmac-sha1

Log Message Forwarding - Destinations

Specifies one or more Forwarding Destinations. For more information, see: 

What is Log-Message Forwarding?

Configuring Log-Message Forwarding

Log Message Forwarding - Forwarding message length

Sets the maximum number of characters (1,024 - 65,000) in log messages that may be forwarded to the Forwarding DestinationA third-party, log-archive tool to which log messages are forwarded by the Log-Message Forwarding feature.(s) specified by the Log-Message ForwardingA TLC feature used to forward copies of log messages to one or more third-party, log-archive tools (known as Forwarding Destinations). - Destinations setting (above). If a log message contains more characters than this value, the Manager will remove the content exceeding this limit prior to forwarding the message to the Forwarding Destination(s).

MySQL - Bulk Load Data

If True, TLC will bulk load data to a MySQL database by sending multiple inserts at the same time, instead of one at a time. This increases performance.

MySQL - Delayed Insert Function

If True, this setting enables the use of the MySQL Delayed Insert function.

Normalization Engine - Concurrent Text Thread Limit

Sets the maximum number of concurrent text threads for the Normalization Engine.

Normalization Engine - Concurrent Windows Thread Limit

Sets the maximum number of concurrent threads for Windows log messages processed by the Normalization Engine.

Normalization Engine - Display Classification Condition

If True, TLC displays the Classification Condition fields in the Classification tab of the Normalization Rule properties dialog (see Table 87).

Normalization Engine - Parse Log Message Timestamps

If True, the Normalization Engine's Parsing UtilityA component of the Normalization Engine that parses each name-value pair in log messages. will attempt to parse the timestamp of each log message. Otherwise, the Parsing Utility uses the Manager's timestamp.

Normalization Engine - Time Synchronization Threshold

Defines a time threshold (in minutes). If the difference between the timestamp of a Monitored Asset and the Manager's current time exceeds this value, TLC generates and sends a Normalized Message to the Correlation Engine.

Normalization Performance - Mode

If the Manager's logging level is set to Debug (see Changing a Manager's Log Settings), TLC can write the following normalization-performance statistics for each Normalization Rule to tlc.log: 

The average time in which the Normalization Rule normalized log messages,

The longest period of time in which the rule normalized a log message, and

The shortest period of time in which the rule normalized a log message.

This setting determines the Normalization Rules for which TLC will write these statistics to tlc.log. Options include: 

Slow. Writes a Normalization Rule's normalization-performance statistics to tlc.log only if the rule normalized at least one log message in a time period exceeding the threshold defined by the Normalization Performance - Slow Threshold setting.

All. Writes normalization-performance statistics for all Normalization Rules to tlc.log.

Normalization Performance - Log Detail Level

This setting determines if TLC includes additional information when writing normalization-performance statistics to tlc.log. For further details, see Normalization Performance - Mode.

None. No additional detail.

UID. For each Normalization Rule, TLC includes the unique ID (UID) of the log message normalized by the rule in the longest period of time.

Text. For each Normalization Rule, TLC includes the unique ID (UID) and the first 300 characters of the log message normalized by the rule in the longest period of time.

Normalization Performance - Slow Threshold

This setting defines the threshold (in milliseconds) for the normalization process. For further details, see Normalization Performance - Mode.

Read Compressed File Block Size

Sets the size (in bytes) of blocks to read from a zip file (default = 8096).

Schedule Delay

Sets the amount of time between synchronous collections of log messages.

Syslog Collector - Collect IP Addresses from Packets

If True, the Network CollectorA type of Collector that listens for Syslog and SNMP-based log messages from network devices. gathers IP addresses from packets instead of syslog headers (Default= False). 

Syslog Collector - Get Hostnames from Syslog Headers

If True, TLC gathers host names from syslog headers. The host names are then used to resolve the IP address of each Log Source from which the Network Collector receives syslog messages (Default = False).

System Database - Maximum number of Notifications

Sets the maximum number of notifications retained by TLC. Each day, TLC removes the oldest notifications that exceed this threshold. For more information, see Working with Notifications.

Vulnerabilities - IP360 High Risk Score Threshold

Note: This setting only applies to vulnerabilityA potential security weakness identified by a vulnerability scannerA device that monitors systems in your TLC environment (for example, a vulnerability scanner).. In an Event Database, you can import or collect vulnerabilities detected by a scanner. events (i.e., IP360 scan results) collected from Tripwire VnE Managers. To collect IP360 scan results, complete the steps in Integration Guide: Tripwire IP360 and Tripwire Log Center (PDF).

In Tripwire VnE Manager, a Vulnerability Score is a numerical value indicating the severity or seriousness of a vulnerability event. Vulnerability Scores range from 0 (least severe) to 999,999,999 (most severe).

In TLC, the Risk level (Low, Medium, or High) indicates the severity or seriousness of a vulnerability event. When a vulnerability event is imported from a Tripwire VnE Manager to an Event DatabaseA type of Event-Management Database that stores Events from any Log Source and/or scanner. (see Importing Scanner Data to an Event Database), TLC converts the IP360 Vulnerability Score to a Risk level. TLC then displays the Risk level in the Information tab of the Event Details dialog (see Working with a Scanner Event).

This setting specifies the minimum VnE Vulnerability Score for which TLC assigns a High Risk level (default = 3,000). TLC then calculates the minimum VnE Vulnerability Score for the Medium Risk level as one half (1/2) of this value.

For example, if this setting specifies a value of 8,000, then: 

High Risk level = 8,000 to 999,999,999

Medium Risk level = 4,000 to 7,999

Low Risk level = 0 to 3,999

Vulnerabilities - IP360 High Value Host Threshold

Note: This setting only applies to vulnerability events (i.e., IP360 scan results) collected from Tripwire VnE Managers. To collect IP360 scan results, complete the steps in Integration Guide: Tripwire IP360 and Tripwire Log Center (PDF).

In Tripwire VnE Manager, an Asset Value is a numerical value indicating the importance of a host system for which a Tripwire IP360 Device Profiler generated a vulnerability event. Asset Values range from 0 (least important) to 999,999,999 (most important).

In TLC, the Priority level (Low, Medium, or High) indicates the importance of a host system. When you import a vulnerability event from Tripwire VnE Manager to an Event Database (see Importing Scanner Data to an Event Database), TLC converts the IP360 Asset Value to a Priority level. TLC then displays the Priority level in the Overview tab of the Host1. A Log Source or a system involved in an Event. 2. A system on which TLC Manager, TLC Console, or Event-Management Database software is installed. Details dialog (see Working with a Host),

This setting specifies the minimum IP360 Asset Value for which TLC assigns a High Priority level (default = 100). TLC then calculates the minimum IP360 Asset Value for the Medium Priority level as one half (1/2) of this value.

For example, if this setting specifies a value of 20,000, then: 

High Priority level = 20,000 to 999,999,999

Medium Priority level = 10,000 to 19,999

Low Priority level = 0 to 9,999

WinLog Collector - Asynchronous Status Interval

Sets the time interval for TLC to check the status of Asynchronous connections for the WinLog CollectorA type of Collector that collects log messages from Windows Event Logs via the Windows Management Instrumentation (WMI) protocol..

WinLog Collector - Collection Interval

Sets the time interval (in seconds) for TLC to check the WinLog Collector for log messages. (Default = 30 seconds)

WinLog Collector - Duplicate Threshold

Sets the number of log messages that are kept in memory by the WinLog Collector to prevent duplication.

WinLog Collector - Encryption

Enables encryption of log messages collected by the WinLog Collector.

WinLog Collector - Ping Host

Specifies an action taken by TLC prior to establishing WMI connections with Windows Log Sources.

ICMP Ping. TLC pings the Log Source with an Internet Control Message Protocol (ICMP) echo-request packet.

TCP Connect. TLC connects with the Log Source via TCP.

Note: This setting was introduced in TLC 6.1.1.

WinLog Collector - Process Event Threads

Sets the number of processing threads for the conversion of log messages from WMI format to a TLC-compatible format.

WinLog Collector - Startup Threads

Sets the number of threads used to start the WinLog Collector.

WinLog Collector - Status Threads

The number of threads used by TLC to check the status of Windows Monitored Assets.