Working with Managers

To add a Manager, see Adding a Secondary Manager.

To delete or change the properties of a Manager:

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. To change the properties of a Manager:
a. In the workspace, double-click the Manager.
b. As needed, change the Name, Description, and/or tabs in the Manager dialog (see Table 40). Then, click OK.

4. To delete a Manager:
a. Select the Manager and click Delete.
b. In the confirmation dialog, click Yes.

Tip

Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers).

Table 40. Tabs in the Manager dialog

Tab

Description

Advanced Settings

See Changing a Manager's Advanced Settings.

Advanced Windows Collector

Configuration settings for the Manager's Advanced Windows Collector. (This tab only appears in the Manager dialog if an Advanced Windows Collector has been added to the Installed Modules tab.)

AutoDiscovery Settings

Enable AutoDiscovery. Enables auto-discovery of Windows Axon Agents. If TLC auto-discovers a Windows Agent, TLC creates a new Monitored Asset with the Advanced Windows Collector in the Auto-Discovered Assets Asset Group.

Notes: 1) If this setting is enabled, an auto-discovered Monitored Asset will only collect Windows Event Logs if the Asset is i) not assigned to an Asset Group, or ii) assigned to an Asset Group with the Collect Windows Event Logs setting enabled in the group's Advanced Collector Collection tab (see Working with Asset Groups). 2) To manually create a Monitored Asset for a Windows Axon Agent (see Adding a Monitored Asset for a new Log Source), this setting must be disabled.

Output to Correlation Engine. If enabled, TLC automatically adds the Correlation Engine as an Output Destination in the Monitored Asset's properties (see Table 48). 

Asset-Configuration Rules

See Working with Asset-Configuration Rules.

Audit Logger

Configuration settings for the Manager's Audit Logger.

Encrypt log messages. If enabled, this setting encrypts log messages saved in the Audit Logger File Store with the AES-256 algorithm. (Note: This setting will affect performance, but will only slightly increase the size of the data in the Audit Logger File Store.)

Save log messages from unknown hosts. If enabled, the Audit Logger will save log messages received from Log Sources for which a Monitored Asset does not exist in the Configuration Manager (see What are Collectors?).

Save log messages for all Monitored Assets. If enabled, the Audit Logger will save all log messages from Log Sources for which a Monitored Asset exists in the Configuration Manager. If disabled, the Audit Logger will only save the log messages if the Monitored Asset specifies the Audit Logger as an Output Destination.

Separate data by Location. See About Locations and the Audit Logger.

Audit Logger File Store directory. The directory in which the Audit Logger saves log messages.

Index directory. The directory in which the Audit Logger saves index entries for collected log messages.

Tips: If you change the Index directory or Audit Logger File Store directory, you must restart the TLC Manager service (see Working with the TLC Manager Interface).

These fields do not support Uniform Naming Convention (UNC) paths. For example:

Correct - E:\AuditLogs\

Incorrect - \\MyAuditLogServer\AuditLogs\

Log rotation configuration

Limit number of archived Audit Logger log files. To limit the number of AuditLogger.log files retained by TLC, select this option and enter the maximum number of files to be retained in the Archived Audit Logger log files to keep field. For example, if this option is enabled, and the number of AuditLogger.log files matches the specified value, TLC will replace the oldest file when a new file is needed.

Asset Discovery. See Discovered Assets.

Audit Logger Ext

(Secondary Managers only) This tab only appears in the Manager dialog if the Audit Logger Extension has been added to the Installed Modules tab. With the Audit Logger extension, the Manager forwards any collected log messages to another Manager's Audit Logger, rather than saving the messages locally.

Audit Logger. The Audit Logger to which the Manager forwards log messages.

Collection Times. Schedules a time when the Manager forwards collected log messages to the specified Audit Logger.

Start Time. The time of day when the Manager begins sending log messages.

End Time. The time of day when the Manager stops sending log messages.

Audit Logger File Store directory. The directory in which the Audit Logger temporarily saves log messages.

Tip: If you change the Audit Logger File Store directory, you must restart the host's TLC Manager service (see Working with the TLC Manager Interface).

Note: In previous versions of TLC, a Secondary Manager configured to forward log messages was known as a Concentrator.

Authentication

Identifies the servers to be used by User Accounts configured for LDAP/Active Directory, Radius, and single sign-on authentication (see Creating and Deleting User Accounts).

LDAP/Active Directory

Directory service. LDAP or Active Directory.

Hostname. The host name, IP address, or domain name of an LDAP Server or Active Directory server.

Authentication method. The method to be used when authenticating a user account.

Basic is basic authentication, the default setting for most LDAP servers.

DPA is Distributed Password Authentication.

Kerberos is Kerberos authentication.

MSN is the Microsoft Network Authentication Service.

Negotiate uses the best method available between Kerberos and NTLM.

NTLM is Windows NT Challenge/Response (NTLM) authentication.

Sicily indicates that a Sicily negotiation mechanism will be used to choose DPA, MSN, or NTLM. (This option should be selected for LDAPv2 servers only.)

RADIUS server settings

RADIUS host. The host name or IP address of a Radius server.

Secret key and Secret key (confirm). Enter and confirm the shared secret key for the Radius server. The secret key is stored in both the system database and the tlc.config file. In TLC 6.2.1 and later versions, the key is encrypted in both locations.

Note: The RADIUS fields are unavailable if the following policy is enabled in the Windows Local Security Settings on the Manager’s host system (or if TLC cannot determine the setting's status):

System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing.

Single sign-on. See Configuring Single Sign-On Authentication.

Notes: TLC saves all authentication errors in the tlc.log file.

DB Collector

Configuration settings for the Manager's Database Collector. (This tab only appears in the Manager dialog if a Database Collector has been added to the Installed Modules tab.)

Source. The IP address or host name of an external database from which the Collector will collect log messages.

Destination. The Event Database, Correlation Engine, or Audit Logger to which the Collector will forward collected log messages.

To add an external database to the Collector, click Add.

To remove an external database from the Collector, select the database and click Remove.

Email

See Changing a Manager's Email Settings.

File Collector

Configuration settings for the Manager's File Collector.

Collect log messages via FTP and SSH. Configures the Manager to receive log messages via FTP over SSH.

Enable AutoDiscovery. If this setting is enabled and a Monitored Asset does not exist for a Log Source from which the Collector receives a log message, TLC will create a Monitored Asset for the Log Source (see Auto-Discovery of an Asset other than an Axon Agent).

Manager collection port. The port on which the Manager listens for log messages.

Support legacy algorithms for inbound SSH connections. By default, the File Collector will accept log messages collected via SSH connections with the following algorithms:

Encryption algorithms: AES-128-ctr, AES-192-ctr, AES-256-ctr, 3DES-ctr, Blowfish-ctr, Twofish-128-ctr, Twofish-192-ctr, Twofish-256-ctr, Serpent-128-ctr, Serpent-192-ctr, Serpent-256-ctr, IDEA-ctr, CAST-128-ctr

MAC algorithms: SHA-1, RIPEMD160, RIPEMD, RIPEMD openssh, SHA-256, UMAC32, UMAC64, UMAC128, SHA2-256, SHA2-512

If this setting is enabled, the File Collector will also support the following algorithms: 

Encryption algorithms: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc

MAC algorithms: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96
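To decide whether the legacy option can stay off, it helps to know which Log Sources would fail without it and which would merely be downgraded by it. The following Python is an added example, not part of the TLC documentation or product: it applies the SSH rule that the server takes the first client-preferred algorithm it also accepts to the two encryption lists above. Treating the page's names (AES-128-ctr) and SSH wire names (aes128-ctr) as the same algorithm, and the sample client offers, are assumptions of this example.

```python
import re

# Encryption algorithms accepted by the File Collector, taken from the lists above.
DEFAULT_CIPHERS = [
    "AES-128-ctr", "AES-192-ctr", "AES-256-ctr", "3DES-ctr", "Blowfish-ctr",
    "Twofish-128-ctr", "Twofish-192-ctr", "Twofish-256-ctr", "Serpent-128-ctr",
    "Serpent-192-ctr", "Serpent-256-ctr", "IDEA-ctr", "CAST-128-ctr",
]
LEGACY_CIPHERS = ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "blowfish-cbc"]


def canon(name):
    """Assumption: 'AES-128-ctr' on the page and the wire name 'aes128-ctr' denote
    the same algorithm, so names are compared lower-cased with punctuation removed."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def server_ciphers(legacy_enabled):
    """The server's accepted set: the default list, plus the legacy list when enabled."""
    extra = LEGACY_CIPHERS if legacy_enabled else []
    return {canon(c) for c in DEFAULT_CIPHERS + extra}


def negotiate(client_offer, legacy_enabled):
    """SSH chooses the first algorithm in the client's preference list that the server
    also accepts (RFC 4253, 7.1); None means no overlap, i.e. the connection fails."""
    accepted = server_ciphers(legacy_enabled)
    for alg in client_offer:
        if canon(alg) in accepted:
            return alg
    return None


def audit(sources, legacy_enabled=True):
    """Per source: negotiated cipher, whether it is a legacy (CBC) cipher, and whether
    the source could not connect at all with the legacy option turned off."""
    legacy = {canon(c) for c in LEGACY_CIPHERS}
    report = {}
    for host, offer in sources.items():
        chosen = negotiate(offer, legacy_enabled)
        is_legacy = chosen is not None and canon(chosen) in legacy
        needs_legacy = chosen is not None and negotiate(offer, False) is None
        report[host] = (chosen, is_legacy, needs_legacy)
    return report


# Constructed client cipher offers (KEXINIT encryption lists, client preference first).
SAMPLE_SOURCES = {
    "modern-host": ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"],
    "old-appliance": ["aes128-cbc", "3des-cbc"],
    "mixed-client": ["aes128-cbc", "aes128-ctr"],
}
```

In the sample, mixed-client shows the downgrade effect: with legacy support on it negotiates a CBC cipher even though it could use CTR, while old-appliance is the only source that actually depends on the option.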

In the table at the bottom of this tab, you can add SSH keys stored on the TLC Manager. To add a key: 

1. Click Add.

2. From the Users drop-down, select the user accounts to which the key will apply.

3. In the KeyPath field, enter the full path to the key file.

4. (Optional) Enter a Description.

Installed Modules

The TLC modules that have been added to the Manager. To activate a module, you must add and enable the module. Modules include:

The Audit Logger (see What is the Audit Logger?)

Collectors (see What are Collectors?)

Correlation Engines (see How does Event Correlation work?)

The License Service (see About User Access and Licensing)

The Schedule Engine (see What are the Task Manager and Task Scheduler?)

By default, the TLC Manager Configuration Wizard adds the Advanced File Collector, Advanced Windows Collector, File Collector, Network Collector, and WinLog Collector to each Manager.

To enable a disabled module, select the module and click Enable.

To disable an enabled module, select the module and click Disable.

To create and add a new module, click Create new module.

To change the name of a module, select the module and click Edit selected module.

To delete a module from your TLC environment, select the module and click Delete selected module.

To add an existing module to the Manager, click Assign existing module.

To remove a module from the Manager, select the module and click Unassign selected module. (The module is still available for use by other Managers.)

To open a list of all modules in your TLC environment, click View all modules.

Logging

See Changing a Manager's Log Settings.

Network Collector

Configuration settings for the Manager's Network Collector.

Tip: Tripwire recommends that you select the Enabled check box for the UDP, TCP, and SNMP protocols.

UDP Settings for Syslog Collection:

Enabled. Enables the collection of Syslog messages on a UDP port.

Port. The port on which the Manager listens for Syslog messages.

TCP Settings for Syslog Collection:

Enabled. Enables the collection of Syslog messages on a TCP port.

Port. The port on which the Manager listens for Syslog messages.

SNMP Server Settings:

Enabled. Enables the collection of SNMP messages.

Port. The port on which the Manager listens for SNMP messages.

Community string. A public or group password for SNMP. 

Version 1. Enables SNMP version 1.

Version 2c. Enables SNMP version 2c.

Version 3. Enables SNMP version 3.

If you select Version 3, you must configure the following SNMP v3 Authentication settings:

SNMP v3 User. The name of a user account to be used by the Manager when authenticating with SNMP version 3.

Security Level. For Cisco Adaptive Security Appliances (ASA), this field specifies the Security Level of the Cisco user account(s) with which TLC collects log messages.

None - TLC will collect all Cisco ASA log messages.

Auth Only - TLC only collects log messages if the user account has the AuthNoPriv Security Level.

Auth and Priv - TLC only collects log messages if the user account has the AuthPriv Security Level.

Password. The password for the user account.

Encryption password. The password of a user account to be used by the Manager when transferring SNMP messages, together with the encryption algorithm to be used.

Note: SNMP v3 supports the MD5 and SHA(1) authentication protocols. However, TLC can only collect log messages with the SHA(1) protocol.

AutoDiscovery Settings

Enable AutoDiscovery. If this setting is enabled and a Monitored Asset does not exist for a Log Source from which the Collector receives a log message, TLC will create a Monitored Asset for the Log Source (see Auto-Discovery of an Asset other than an Axon Agent).

Output to Correlation Engine. If a Monitored Asset is created for an Auto-Discovered Log Source, TLC automatically adds the Correlation Engine as an Output Destination in the Asset's properties (see Table 48). 

IP address filter. A .NET regular expression that identifies IP addresses to be included in or excluded from Auto-Discovery. To prevent TLC from Auto-Discovering an IP address, insert a ! before the regular-expression value. Multiple values are comma delimited.

Example:

192.168.*, !192.168.1.*

This regular expression will attempt to Auto-Discover all 192.168.x.x IP addresses, with the exception of those in the 192.168.1.x range.
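As an added example (not part of the TLC documentation or product), the following Python reproduces the filter semantics described above using re.search, which like .NET's Regex.IsMatch matches anywhere in the string; the rules that an exclusion overrides an inclusion and that a filter with no inclusions discovers every address not excluded are assumptions. It also shows why the page's example over-matches (a regex `.` is a wildcard, so `192.168.*` also matches 10.192.168.4) and a stricter anchored filter beside it.

```python
import re


def parse_ip_filter(filter_text):
    """Split the comma-delimited field into (compiled regex, is_exclusion) pairs.
    A leading '!' marks an exclusion, as described for the IP address filter."""
    rules = []
    for item in filter_text.split(","):
        item = item.strip()
        if not item:
            continue
        exclude = item.startswith("!")
        pattern = item[1:].strip() if exclude else item
        rules.append((re.compile(pattern), exclude))
    return rules


def is_auto_discoverable(ip, rules):
    """Assumed semantics: discovered when no exclusion matches and either there are
    no inclusions or at least one inclusion matches. re.search is unanchored, like
    .NET Regex.IsMatch, so an unanchored pattern can match in the middle of an address."""
    includes = [rx for rx, exclude in rules if not exclude]
    excludes = [rx for rx, exclude in rules if exclude]
    if any(rx.search(ip) for rx in excludes):
        return False
    return not includes or any(rx.search(ip) for rx in includes)


# The page's own example filter.
PAGE_FILTER = "192.168.*, !192.168.1.*"
# Tighter version: escaped dots and anchors so only real 192.168.x.x addresses match.
# Patterns cannot contain commas because the field itself is comma-delimited,
# so \d+ is used rather than \d{1,3}.
STRICT_FILTER = r"^192\.168\.\d+\.\d+$, !^192\.168\.1\."


def discoverable_addresses(filter_text, candidates):
    """Return the candidate addresses the filter lets through, in input order."""
    rules = parse_ip_filter(filter_text)
    return [ip for ip in candidates if is_auto_discoverable(ip, rules)]


# Constructed sample addresses; 10.192.168.4 demonstrates the over-match.
SAMPLE_ADDRESSES = ["192.168.2.10", "192.168.1.7", "10.0.0.5", "10.192.168.4"]

if __name__ == "__main__":
    for name, flt in (("page", PAGE_FILTER), ("strict", STRICT_FILTER)):
        print(name, discoverable_addresses(flt, SAMPLE_ADDRESSES))
```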

Permissions

Sets permissions for users to view and change the Manager's properties in the Manager dialog (i.e. this dialog).

To add a User Account to the Manager, click Add User Account.

To add a User Group to the Manager, click Add User Group.

To remove a User Account or Group, select the item and click Remove selected items.

To configure permissions, select the appropriate check boxes for each user account and group. For more information, see Working with Manager Permissions.

Proxy

See Changing Internet-Access Settings for a Proxy Server.

Settings

Communication settings for the Manager.

Host Address. The IP address of the Manager host system.

Port. The port on which the Manager listens for log messages from Log Sources.

Location. (Optional) A Location of your choosing.