How does Auto-Discovery work?

With Auto-Discovery, Tripwire Log Center (TLC) automatically creates a Monitored Asset for a Log Source. TLC auto-discovers Axon Agents running Windows (see Auto-Discovery of a Windows Axon Agent), as well as Assets for which TLC collects log messages with the File Collector or Network Collector (see Auto-Discovery of an Asset other than an Axon Agent).

An Asset-Configuration Rule applies configuration properties to an auto-discovered Monitored Asset if the Asset satisfies criteria specified by the rule. For more information, see Working with Asset-Configuration Rules.

Note 

Auto-Discovery and Asset Discovery are two different processes. For information about Asset Discovery, see What are Discovered Assets?.

Auto-Discovery of a Windows Axon Agent

When Tripwire Axon Agent for TLC software is installed and configured on a Microsoft Windows host system (see Installing Tripwire Axon Agent using a Pre-Shared Key), the Axon Agent notifies its TLC Manager. TLC then creates a new Monitored Asset for the Agent (see Figure 32) and assigns the Advanced Windows Collector to the Asset (see Table 26).

Figure 32.  Auto-Discovery of a Tripwire Axon Agent

Does the Configuration Manager contain this Monitored Asset?

Yes = If the Configuration Manager (on the TLC Manager to which the Agent is connected) contains a Monitored Asset with the same universally unique identifier (UUID) as the Axon Agent, no further action is taken.

No = TLC creates a new Monitored Asset for the Axon Agent, assigns the Advanced Windows Collector to the Asset, and assigns the Asset to the Auto-Discovered Assets Group.

Note 

The Axon Agent installer assigns a UUID to each Axon Agent, and the Agent will change its UUID if:

50% or more of the Media Access Control (MAC) addresses on the Axon Agent host system change (for example, if the system is cloned), or

The Axon Agent state files become corrupted and must be recreated.

Auto-Discovery of an Asset other than an Axon Agent

If a File Collector or Network Collector receives a log message from a Log Source for which a Monitored Asset does not currently exist, TLC initiates the Auto-Discovery process. The steps below explain how TLC determines if a Monitored Asset should be created for the Log Source (outlined in red in Figure 33).

Figure 33.  Auto-Discovery of an Asset other than an Axon Agent

Is Auto-Discovery enabled?

Yes = If Auto-Discovery is enabled in the Collector's tab of the Manager’s properties dialog (see Working with Managers), TLC proceeds with the Auto-Discovery process.

No = Otherwise, TLC ignores the log message.

Does the IP address match the Collector's IP filter?

Yes = If the IP address of the Log Source matches the 'IP address filter' defined in the Collector's tab of the Manager properties dialog, TLC creates a new Monitored Asset for the Log Source. In the Asset's properties dialog, TLC assigns:

All Normalization Rules applicable to this type of Log Source

(Network Collectors only) The Manager's Correlation Engine (see How does Event Correlation work?)

No = Otherwise, TLC ignores the log message.

Note 

File Collectors do not have an 'IP address filter.' Therefore, if the message was collected by a File Collector, TLC creates a Monitored Asset for the Log Source regardless of the Log Source's IP address.
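
The decision steps above can be modelled in a few lines to predict which Log Sources would become Monitored Assets under a given Manager configuration. This is an added example, not Tripwire code: the Manager class, the handle_message function, the CIDR form of the 'IP address filter' and the keying of Assets by source IP are all assumptions made for illustration, and the sample messages are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Manager:                      # hypothetical model of a TLC Manager's settings
    auto_discovery_enabled: bool
    ip_filter: list                 # assumed format: list of CIDR strings
    assets: dict = field(default_factory=dict)   # assumed key: Log Source IP

def handle_message(mgr, collector, source_ip):
    """Return (decision, detail) for one log message, following the steps above."""
    if source_ip in mgr.assets:
        # Auto-Discovery only starts when no Monitored Asset exists yet.
        return ("existing", "Monitored Asset already exists")
    if not mgr.auto_discovery_enabled:
        return ("ignored", "Auto-Discovery is disabled")
    if collector == "network":
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in ipaddress.ip_network(net) for net in mgr.ip_filter):
            return ("ignored", "IP address does not match the IP address filter")
    # File Collectors have no IP address filter, so any source IP reaches here.
    assigned = ["normalization rules"]
    if collector == "network":
        assigned.append("correlation engine")   # Network Collectors only
    mgr.assets[source_ip] = assigned
    return ("created", ", ".join(assigned))

def replay(mgr, messages):
    """Run a sequence of (collector, source_ip) messages and collect decisions."""
    return [handle_message(mgr, c, ip)[0] for c, ip in messages]

# Constructed sample traffic: (collector type, Log Source IP)
SAMPLE = [
    ("network", "10.1.2.3"),     # inside the filter
    ("network", "192.0.2.50"),   # outside the filter
    ("file",    "192.0.2.50"),   # same IP, but via a File Collector
    ("network", "10.1.2.3"),     # Asset now exists
]

if __name__ == "__main__":
    mgr = Manager(auto_discovery_enabled=True, ip_filter=["10.1.0.0/16"])
    for (collector, ip), decision in zip(SAMPLE, replay(mgr, SAMPLE)):
        print(f"{collector:8} {ip:12} -> {decision}")
    print(sorted(mgr.assets))
```

The third message shows the effect described in the Note: an address that the Network Collector's filter rejects still becomes a Monitored Asset when its log arrives through a File Collector.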