Where does TLC store Data?

The System Database

Installed on your Primary Manager, the System Database stores a record of all user logins and logouts, as well as all TLC objects defined in the TLC Console; for example, Monitored Assets, Normalization Rules, and Event Tickets.

Storing Log Messages

Each Manager in your TLC environment can host an Audit Logger File Store. The Audit Logger is TLC's log-storage tool, and the Audit Logger File Store consists of:

A series of compressed flat files containing the log messages collected by the Manager from Log Sources, and

An index of terms contained in the log messages.

For more information about the Audit Logger, see What is the Audit Logger?.

You can also configure a Manager to forward log messages to a third-party log-archive tool. For further details, see What is Log-Message Forwarding?.

Storing Events

Each Manager also hosts one or more Event-Management Databases. An optional component of your TLC environment, an Event-Management Database stores Events. An Event is either:

A log message that the Manager has standardized (i.e., normalized) for use by TLC (also known as a Normalized Message), or

An event or vulnerability imported from a scanner (see What are Scanner Events?).

Table 25 describes each type of Event-Management Database.

By default, the TLC Manager installer creates a single Event Database called 'Events.' With the Database Viewers in the TLC Console, you can review information about the Events in your Event-Management Databases (see The Event-Database Viewer).

Note: To configure user permissions for an Event-Management Database, see Working with Database Permissions.

Table 25. Types of Event-Management Databases and Database Viewers

| Type | Stores Events from ... | Database Viewer |
| --- | --- | --- |
| Event Database | ... any Log Source and/or scanner (see What are Scanner Events?). | Event-Database Viewer |
| Firewall Database | ... firewalls. These Events involve core firewall functionality and, typically, relate to network traffic. | Firewall-Database Viewer |
| IDS Database | ... IDS and IPS devices. These Events may include detected traffic anomalies, intrusions, etc. | IDS-Database Viewer |