Configuring Multiple Monitored Assets

For an introduction to Monitored Assets, see What are Managers, Log Sources, and Monitored Assets?.

If the same type of Collector (see What are Collectors?) is assigned to multiple, existing Monitored Assets, you can configure the Assets at the same time.

To configure multiple Monitored Assets:

1. In the side bar, select Resources >Configuration ManagerConfiguration Manager.
2. In the side bar of the Configuration Manager, select ResourcesResources >AssetsMonitored Assets.

TLC presents your Monitored Assets in the workspace table.

Tip

You can sort, group, and filter the contents of tables. For more information, see Working with Tables).

3. Click Add Multiple AssetsConfigure Multiple Monitored Assets.
4. In the Configure Multiple Monitored Assets dialog, select the appropriate Collector from the Collector drop-down.
5. In the Selected column, select the check box for each Monitored Asset to be configured.
6. Complete the tabs at the bottom of the Configure Multiple Monitored Assets dialog (see Table 52).
7. Click OK.

Table 52. Tabs in the Configure Multiple Monitored Assets dialog

Tab

Description

Advanced

Note: If a Database Collector, File Collector, WinLog Collector, or Advanced Windows Collector is selected from the Collector drop-down, the Time zone field does not appear in this tab.

Generate a log message if no messages received in <n> Minutes/Hours/Days. If you enter a non-zero value in this field, TLC will generate a log message if the specified time period passes without a log message being received from the Monitored Asset's Log Source. This log message simply provides a notification that no messages were received within the specified interval.

Time zone. Select the time zone in which the Monitored Asset's Log Source is located.

Limit collection to log messages from the following Event Logs. This region is only available if 1) the WinLog Collector is selected from the Collector drop-down, or 2) the File Collector is selected and EVT is assigned as an Input Type in the Output Destinations tab.

To limit the WinLog Collector to log messages generated by specific Windows Event Logs, select each applicable check box.

To limit the File Collector to log messages generated by specific Windows Event Logs, you must select at least one check box.

If you select the Custom check box, you can specify multiple Windows Event Logs in the associated field. To do so, insert a pipe character (|) between the names of the Event Logs (for example, Log_1|Log_2).

For more information about EVT files, see Processing EVT and EVTX Files.

Asset Groups

In this tab, add the Asset Group(s) to which the Monitored Assets will be assigned.

To add an Asset Group:

1. ClickAddAdd.

2. Select the Asset Group from the drop-down and click Add.

To remove an Asset Group, select the group and clickDelete/RemoveDelete.

Locations

To assign a single Location to the Monitored Assets, select the Location from the drop-down.

To assign multiple Locations: 

1. Select Multiple from the drop-down.

2. ClickAddAdd.

3. In the newly created line, select a Location and enter a .NET regular expression in the Search Criteria field to specify the log messages to which this Location will apply.

4. Repeat the steps above to add other Locations.

To remove a Location, select the Location and clickDelete/RemoveDelete.

For more information, see Working with Locations and About Locations and the Audit Logger.

Output Destinations

Note: This tab does not appear if the Database Collector is selected from the Collector drop-down.

In this tab, add the Output Destinations to be assigned to each of the Monitored Assets. For an introduction to Output Destinations, see How does Log-Message Normalization work?.

To add an Output Destination:

1. ClickAddAdd.

2. From the Input Type drop-down, select the appropriate option for the Monitored Asset's Log Sources (see Table 49).

3. Select the Output Destination and click Add.

To remove an Output Destination, select the destination and clickDelete/RemoveRemove.

Tips: Since saving log messages in an Event-Management Database can overload the database with Events, Tripwire recommends that you exercise discretion when assigning databases as Output Destinations. To maintain a comprehensive record of 'raw' log messages from a Monitored Asset's Log Source, assign the Audit Logger as an Output Destination.

If you do assign an Event-Management Database as an Output Destination, and the database is consequently overloaded with Events, click here for troubleshooting tips.

If the Monitored Assets are scanners (see What are Scanner Events?), Event Databases may be assigned as Output Destinations, but not Firewall Databases or IDS Databases.

You cannot add an EVT Output Destination and an EVTX Output Destination to the same Monitored Asset. For more information about EVT files, see Processing EVT and EVTX Files.

Settings

Note: If the WinLog Collector is selected from the Collector drop-down, the Settings tab includes the Username, Password, and Connection method fields. Otherwise, these fields do not appear in this tab.

Asset type. The type of Log Sources for the Monitored Assets.

Username. The username of the Windows user account to be employed by TLC for authentication with the Monitored Assets' Log Sources.

Password. The password of the user account.

Connection method. The type of WMI Connection to be employed for communication with the Monitored Assets' Log Sources (i.e., Windows systems).

The Asynchronous method uses a constant connection with the Windows Event Log.

The Synchronous method polls the Windows Event Logs for new log messages.

Note: The Username and Password fields are not required if 1) the Windows systems and Manager host system are in the same domain, and 2) the service user running the Manager has permission to collect WMI log messages.