What are Managers, Log Sources, and Monitored Assets?

A Manager is a host system for TLC Manager software, and a TLC Console host is a system on which TLC Console software has been installed. If TLC Manager and Console are installed on the same system, the system is referred to as a Manager.

Most systems and devices on a network record information about their operation in a log. A Log Source is any log-generating application, operating-system service, database instance, or device from which TLC collects log messages. A Monitored Asset (or Asset) is an object in TLC that represents a Log Source from which TLC collects log messages directly. (See also What are Discovered Assets?.)

Each Monitored Asset specifies the IP address of a Log Source and a single Collector. A Collector is a TLC module that gathers or receives log messages from Log Sources. To communicate with a Log Source, a Collector employs a protocol appropriate for the system -- for example, SNMP for network devices or WMI for Windows operating systems. For descriptions of Collector types, see Table 26.

Notes 

A Monitored Asset using an Oracle Database Collector can collect log messages from multiple Log Sources (i.e. database instances and views). However, all other Monitored Assets collect messages from a single Log Source.

Installed on a Windows or Linux system, Tripwire Axon Agent for TLC is a service that collects log messages from any log-generating application running on the system (a.k.a., an Axon Agent). When installed on a Windows system, this service can also collect the system's Windows Event Logs via the Secure Sockets Layer (SSL) protocol. For more information, see Table 26.

In the Audit Logger tab of the Manager properties dialog (see Table 40), you can schedule the discovery of IP addresses in a TLC Manager's Audit Logger File Store to identify Log Sources in your TLC environment for which Monitored Assets have yet to be created in your TLC Console (i.e., Discovered Assets). This process is known as Asset Discovery.

In Asset Discovery, if TLC locates the IP address of one of these Assets in at least one log message collected from a Monitored Asset, it adds the Discovered Asset to the following file:

C:\ProgramData\Tripwire\LogCenterManager\Data\

DiscoveredAssets.db

TLC does not perform Asset Discovery on log messages collected from Monitored Assets via Internet Protocol Version 6 (IPv6).

For more information:

To schedule Asset Discovery, see Scheduling Asset Discovery for a Manager.

To view your Discovered Assets, see Working with Discovered Assets.

Your Tripwire Log Center (TLC) environment consists of all TLC software, Managers, Log Sources, Monitored Assets, Collectors, and data in your TLC installation.

Primary and Secondary Managers

Each Manager may be configured to perform the following core functions:

Collection. The gathering or receipt of log messages from Log Sources (see What are Collectors?).

Classification. The application of 'Tags' to categorize log messages (see How does Classification work?).

Normalization. The process of standardizing log messages for further use by TLC (see How does Log-Message Normalization work?). Standardized messages are known as Normalized Messages.

Correlation. The examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients (see How does Event Correlation work?).

Each TLC environment has a single Primary Manager. In addition to the core Manager functions outlined above, the Primary Manager controls:

The storing of log messages in the Audit Logger File Store (see What is the Audit Logger?) and Events in Event-Management Databases (see Where does TLC store Data?).

The configuration settings for your TLC environment (see About TLC Settings and Global Settings).

User access and license management for TLC (see About User Access and Licensing).

Your TLC environment may also include one or more Secondary Managers. In addition to the core Manager functions, a Secondary Manager may be configured to either:

Store log messages (as with a Primary Manager), or

Forward log messages to another Manager.

By adding one or more Secondary Managers to your TLC environment, you can distribute TLC functionality to meet your organization's needs. The use of Secondary Managers can improve performance while also giving you the ability to partition your TLC data based on geography, business unit, or function. To determine if a Secondary Manager would be helpful in your TLC environment, see Planning your TLC Environment or consult your Tripwire Customer Service Representative.

Notes 

Concentrator is an obsolete term for a Secondary Manager that has been configured to forward log messages.

If you change the IP address of a Manager, you must:

1. Change the IP address in the Settings tab of the Manager's properties dialog (see Working with Managers), and
2. Assign a new certificate to the Manager in the TLC Manager Interface (see Configuring your Manager's SSL Certificate).