Step 6. Configure your Monitored Assets

As discussed in Step 4. Configure your Asset Groups, TLC automatically created Monitored Assets for your Log Sources in the Configuration Manager. In this step, you will do the following for each of your Monitored Assets:

1. Assign Output Destinations to the Asset. For an introduction to Output Destinations, see How does Log-Message Normalization work?.
2. Review and confirm other Asset properties.

Tip 

To ensure the accuracy of timestamps in log messages collected from a Monitored Asset's Log Source, Tripwire recommends the use of the Network Time Protocol (NTP) on the host system.

To configure each of your Monitored Assets, complete the following steps:

1. In the side bar, select Resources >Configuration ManagerConfiguration Manager.
2. In the side bar of the Configuration Manager, select ResourcesResources >AssetsMonitored Assets.
3. In the workspace, double-click a Monitored Asset. The Monitored Asset properties dialog opens.
4. In the Output Destinations tab, add the appropriate Output Destinations.

If the Monitored Asset is a scanner (see What are Scanner Events?), add an Event Database in which TLC will save the collected Scanner Events. You can either assign the default Events database or another Event Database. (To assign another Event Database, you must first create the database by completing the steps in Creating an Event Database).

For all other Monitored Assets, assign the Correlation Engine and Audit Logger.

To assign an Output Destination:

a. ClickAddAdd.
b. From the Output Destination drop-down, select the destination and click Add.
5. In the Settings tab:
a. Verify that an appropriate Collector is selected for the Asset in the Collector drop-down (see What are Collectors?).
b. Review and, as needed, complete the other fields in the Settings tab. For field and menu descriptions, see Table 48.
c. Click Apply.
6. Depending on the type of Collector you selected in the Settings tab, TLC may have inserted additional tabs in the Monitored Asset properties dialog. As needed, you may configure these tabs by referring to Table 48 and clicking Apply.

If you selected a File Collector or Network Collector, TLC adds a Schedule tab in which you can define a schedule for the collection of log messages from the Asset's Log Source. If the Asset is a scanner (see What are Scanner Events?), define a schedule for the collection of Scanner Events and then complete the File Collection tab (see Configuring a Monitored Asset with a File Collector).

If you selected an Oracle Database Collector, TLC adds a Log Sources tab in which you can assign multiple Log Sources (i.e. database instances) to the Asset. For further instructions, see Working with Log Sources for an Oracle Database Collector.

If you selected a File Collector, Network Collector, or WinLog Collector, TLC adds a Normalization Rules tab containing all Tripwire-defined Normalization Rules for the Asset's Log Source. When the Normalization Engine receives a log message from the Asset's Collector, TLC executes the rules in the order in which they appear in this tab. For more information about Normalization Rules, see How does Log-Message Normalization work?.

If you selected a Check Point Collector, TLC adds a Check Point Options tab in which you configure the authentication, communication, and log settings for a Check Point firewall.

Next 

Once you have configured all of your Monitored Assets, you must push updates to your Managers: 

1. In the side bar of the Configuration Manager, select ResourcesResources >ManagersManagers.
2. In the main pane, select each of your Managers and clickPush Updates to ManagerPush Updates to Manager.