Configuring a Monitored Asset with a File Collector

This topic explains how to 1) assign a File Collector to a Monitored Asset, and 2) schedule collection of log messages from the Asset's Log Source.

To configure the Monitored Asset:

1. In the side bar, select Resources >Configuration ManagerConfiguration Manager.
2. In the side bar of the Configuration Manager, select ResourcesResources >AssetsMonitored Assets.

TLC presents your Monitored Assets in the workspace table.

Tip

You can sort, group, and filter the contents of tables. For more information, see Working with Tables).

3. In the workspace, double-click the Monitored Asset.
4. In the Settings tab of the Monitored Asset properties dialog, select the File Collector from the Collector drop-down.
5. In the Schedule tab, define a schedule for the collection of log messages from the Log Source. For more information, see Table 49.
6. Select and complete the File Collection tab (see Table 56).
7. Select and complete the Output Destinations tab (see Table 49).
8. If you selected EVT as an Input Type in the Output Destinations tab, complete the Advanced tab (see Table 49). For further details, see Processing EVT and EVTX Files.
9. Complete the remaining tabs in the Monitored Asset properties dialog (see Table 49) and click OK.

Table 56. Fields in the File Collection tab

Field

Description

Download method

The communication protocol for the collection of log messages.

File server

The IP address or host name of the Log Source system from which to download the file.

Port

The port on the Log Source to be used for communication with TLC.

Username

The username of the user account with which TLC will authenticate with the Log Source.

Password

The password for the user account.

Log-file path

This field includes the full path to each log file to be collected from the Monitored Asset by the File Collector. Each path should be entered on a separate line, and this field cannot exceed 1,024 characters.

If the Monitored Asset is a scanner (see What are Scanner Events?), these files are exported from the scanner. The following topics explain how to create these files:

Configuring an Nmap Security Scanner

Configuring a Tenable Nessus Vulnerability Scanner

Configuring a Tripwire VnE Manager

To assign a 'friendly name' to a file, use the following syntax:

<path>\<filename>|<friendly_name>

For example: 

C:\log_directory\log_file.log|My_Log_File

If you assign a friendly name, and the File Collector - Store Log Filename with Event Advanced Setting is enabled in your Manager's properties dialog (see Table 48), TLC will insert the name at the beginning of each related log message displayed in the Audit Logger. You can also use the friendly name when searching for log messages (see Searching for Log Messages).

For more information, see Date Syntax for Log Source Timestamps.

In the Output Destinations tab of the Monitored Asset properties dialog (see Table 49) or Configure Multiple Monitored Assets dialog (see Table 53), you can select EVT or EVTX as an Input Type. To create an EVT or EVTX file, see: 

https://kb.acronis.com/content/8859

An EVTX file is an event-log file (.evtx) created by Windows 2008 or later. These log types include Application, Security, Setup, System, and Forwarded Events. To normalize and correlate EVTX files (see How does Log-Message Normalization work? and How does Event Correlation work?), you must manually copy the file and the associated LocaleMetaData folder (and the enclosed .mta file) to the following location on the TLC Manager: 

C:\<TLC_Manager_install_dir>\FileCollector\<asset_id>\

Where: 

<TLC_Manager_install_dir> is the installation directory for TLC Manager, and

<asset_id> is the unique ID of the Monitored Asset.

TLC cannot process EVTX files larger than 20 MB.

An EVT file is an event log (.evt) created by Windows 2003 or earlier. For EVT files, you must specify the type of Event Log in the Advanced tab of the Monitored Asset properties dialog (see Table 49) or Configure Multiple Monitored Assets dialog (see ). These log types include Application, Security, System, DNS Server, File Replication, Directory Service, and Custom. For each selected type of Event Log, TLC creates the following directory for the Monitored Asset(s): 

C:\<TLC_Manager_install_dir>\FileCollector\<asset_id>\<event_log_type>

Where <event_log_type> is the type of Event Log selected in the Advanced tab. 

For example, if you select Security in the Advanced tab, TLC creates the following directory: 

C:\<TLC_Manager_install_dir>\FileCollector\<asset_id>\Security

To have TLC normalize and correlate log messages from an EVT event log, you must manually copy an EVT log file to this directory. For example, if you selected the Security check box, you must copy a Security EVT log file to the Monitored Asset's Security directory.

Note:  If you copy an EVT or EVTX log file from another system (i.e., a system other than the TLC Manager), TLC may be unable to process all fields in the log messages due to differences in DLL files, APIs, operating systems, language, and/or Service Packs.

Date Syntax for Log Source Timestamps

Some Log Sources produce dated log files. In some TLC Console fields, you can enter variables to specify these dates. For example, in a filename variable (<filename>) entered in the Log-file path field of the File Collection tab in the Monitored Asset properties dialog (see Table 56), you can enter a variable with the following format to specify log files with the current date:

<Date:[date_values]-[numerical_value][minus_type]>

Date-format variables include:

mm = Minute

hh = Hour (01-12)

HH = Hour in military time (00-23)

dd = Day (01-31)

ddd = Day of week (MON, TUE, WED, THU, FRI, SAT, or SUN)

MM = Month, numeric (01-12)

MMM = Month, abbreviated (JAN, FEB, MAR, etc.)

yyyy = 4 digit year (e.g. 2010)

yy = 2 digit year (e.g. 10)

Optional values that may be entered in the [minus_type] variable include:

h = Hour

m = Minute

d = Day

M = Month

y = Year

For example, if the current date is October 20, 2010:

ex<Date:yyMMdd>.log = ex101020.log

ex<Date:yyMMdd-1d>.log = ex101019.log

ex<Date:yyyyMMdd>.log = ex20101020.log

D:\IISLogs\W3SVC3012345\ex<Date:yyMMdd-1d>.log = D:\IISLogs\W3SVC3012345\ex101019.log