How does Auto-Discovery work?

With Auto-DiscoveryAn automated process by which TLC creates a Monitored AssetA Log Source in your TLC environment. See Monitored Assets and Discovered Assets. for an unknown Log SourceAny log-generating application, operating-system service, database instance, or device from which TLC collects log messages. that generated a log messageA data record generated by a Log Source and collected by TLC. collected by TLC., Tripwire Log Center (TLC) automatically creates a Monitored AssetAn object in the TLC Configuration Manager that represents a Log Source from which TLC collects log messages directly. for a Log Source. TLC auto-discovers Axon Agents running Windows (see Auto-Discovery of a Windows Axon Agent), as well as Assets for which TLC collects log messages with the File CollectorA type of CollectorA TLC module that gathers or receives log messages from Log Sources. that gathers log messages from Log Sources that store messages in an ASCII log file. or Network CollectorA type of Collector that listens for Syslog and SNMP-based log messages from network devices. (see Auto-Discovery of an Asset other than an Axon Agent).

An Asset-Configuration RuleApplies configuration properties to an auto-discovered Monitored Asset if the Asset satisfies criteria specified by the rule. applies configuration properties to an auto-discovered Monitored Asset if the Asset satisfies criteria specified by the rule. For more information, see Working with Asset-Configuration Rules.

Auto-Discovery of a Windows Axon Agent

When Tripwire Axon Agent for TLCA service that may be installed on a Windows or Linux system to collect log messages from any log-generating application running on the system. When installed on a Windows system, this service can also collect the system's Windows Event1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a. Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message' collected from a Log Source. Logs via the Secure Socket Layer (SSL) protocol. software is installed and configured on a Microsoft Windows host system (see Installing Tripwire Axon Agent using a Pre-Shared Key), the Axon AgentA system on which Tripwire Axon Agent for TLC software has been installed. notifies its TLC ManagerTripwire Log Center Manager is the core software in your TLC environment. TLC Manager collects and processes log messages from a wide variety of systems and devices.. TLC then creates a new Monitored Asset for the Agent (see Figure 32) and assigns the Advanced Windows CollectorA type of Collector that collects log messages from Windows Event Logs on Axon Agent systems via the Secure Sockets Layer (SSL) protocol. to the Asset (see Table 26).

Figure 32.  Auto-Discovery of a Tripwire Axon Agent (click to enlarge)

Does the Configuration Manager contain this Monitored Asset?

Yes = If the Configuration ManagerIn the Configuration Manager, you can create and configure TLC Resources (Monitored Assets, Asset Groups, Managers, Locations, Event-Management Databases), normalization objects (NormalizationThe process of standardizing log messages for use by TLC. Standardized messages are known as Normalized Messages. Rules, Aliases, and Normalized-Message Filters), and correlation objects (CorrelationThe examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients. Engines, Rules, Lists, and Actions). (on the TLC Manager to which the Agent is connected) contains a Monitored Asset with the same universally unique identifier (UUID) as the Axon Agent, no further action is taken.

No = TLC creates a new Monitored Asset for the Axon Agent, assigns the Advanced Windows Collector to the Asset, and assigns the Asset to the Auto-Discovered Assets Group.

Auto-Discovery of an Asset other than an Axon Agent

If a File Collector or Network Collector receives a log message from a Log Source for which a Monitored Asset does not currently exist, TLC initiates the Auto-Discovery process. The steps below explain how TLC determines if a Monitored Asset should be created for the Log Source (outlined in red in Figure 33).

Figure 33.  Auto-Discovery of an Asset other than an Axon Agent (click to enlarge)

Is Auto-Discovery enabled?

Yes = If Auto-Discovery is enabled in the Collector's tab of the Manager’s properties dialog (see Working with Managers), TLC proceeds with the Auto-Discovery process.

No = Otherwise, TLC ignores the log message.

Does the IP address match the Collector's IP filter?

Yes = If the IP address of the Log Source matches the 'IP address filter' defined in the Collector's tab of the Manager properties dialog, TLC creates a new Monitored Asset for the Log Source. In the Asset's properties dialog, TLC assigns:

All Normalization Rules applicable to this type of Log Source

(Network Collectors only) The Manager's Correlation EngineThe component of your Primary ManagerEach TLC environmentConsists of all TLC software, Managers, Log Sources, Monitored Assets, Collectors, and data in your TLC installation. has a single Primary Manager that controls: 1. The storing of log messages in the Audit Logger File Store and Events in Event-Management Databases, 2. The configuration settings for your TLC environment, and 3. User access and license management for TLC. responsible for identifying events of interest. To correlate events, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine. (see How does Event Correlation work?)

No = Otherwise, TLC ignores the log message.