Getting Started with Tripwire Axon Agent for TLC
The Axon Agent is Tripwire’s new generation of agent technology. Installed on an endpoint to be monitored, Tripwire Axon Agent for TLC is the software that provides data to Tripwire Log Center Manager.
Supported Platforms
Tripwire Axon Agent for TLC software can be installed on a wide and growing range of operating systems. For this release, the Agent is supported on:
Amazon Linux 2016.09, 2017.03 (64-bit)
CentOS Linux 5.3 - 5.11 (32- and 64-bit)
CentOS Linux 6.0 - 6.9 (32- and 64-bit)
CentOS Linux 7.0 - 7.4 (64-bit)
Debian Linux 8.5 - 8.9 (32- and 64-bit)
IBM AIX 7.1 (64-bit)
IBM AIX 7.2 (64-bit)
Microsoft Windows 7, 7 Embedded (32- and 64-bit)
Microsoft Windows 8, 8.1, 8.1 Embedded (32- and 64-bit)
Microsoft Windows 10 (64-bit)
Microsoft Windows Embedded POSReady 7 (32- and 64-bit)
Microsoft Windows Server 2008 SP1, SP2 (32- and 64-bit)
Microsoft Windows Server 2008 R2 (64-bit)
Microsoft Windows Server 2012 (64-bit)
Microsoft Windows Server 2012 R2 (64-bit)
Microsoft Windows Server 2016 R2 (64-bit)
Oracle Linux RHCK 6, 6.7+ (64-bit)
Oracle Linux RHCK 7, 7.2+ (64-bit)
Oracle Linux UEK 6, 6.7+ (64-bit)
Oracle Linux UEK 7, 7.2+ (64-bit)
Red Hat Enterprise Linux 5.3 - 5.11+ (32- and 64-bit)
Red Hat Enterprise Linux 6.0 - 6.9 (32- and 64-bit)
Red Hat Enterprise Linux 7.0 - 7.4 (64-bit)
SUSE 11.4 (64-bit)
SUSE 12.0 - 12.2 (64-bit)
Ubuntu 14.04.4+ LTS (32- and 64-bit)
Ubuntu 16.04+ LTS (32- and 64-bit)
Choosing an Authentication Method for TLC Axon Agents
The Tripwire Axon Access Point is a component through which Axon Agents deliver data to a Tripwire Log Center Manager. To connect with Axon Agents, the Axon Access Point on a Tripwire Log Center Manager uses the Transport Layer Security (TLS) protocol. Therefore, each Axon Agent needs a set of X.509 certificates in order to communicate with the Access Point.
Axon Agents can use two different methods to obtain the certificates used for securing the connection with the Axon Access Point:
With the registration method, you create a pre-shared key that is used to authenticate a newly-connected Axon Agent while it obtains a certificate to use for subsequent connections. To install an Axon Agent using the registration method, see Installing Tripwire Axon Agent using a Pre-Shared Key.
With the public key infrastructure (PKI) method, you create certificates and build a certificate key store on both the Axon Agent and Axon Access Point systems. To install an Axon Agent using PKI, see Installing Tripwire Axon Agent using PKI.
Tips: Tripwire strongly recommends using the registration method unless you have an existing centralized public key infrastructure and are comfortable with creating and maintaining certificate keys. The registration method is equally secure, and greatly simplifies the configuration process. Changing the authentication method after the initial installation will require modifying all existing Axon Agents to configure new certificates.
Comparing the Registration and PKI Authentication Methods
With the registration method, the Axon Agent and Axon Access Point complete the following steps:
1. The Axon Agent establishes an anonymous TLS connection with the Access Point.
2. The Axon Agent sends an X.509 Certificate Signing Request (CSR) to the Access Point. If the Agent has a registration pre-shared-key file, the pre-shared key is included in the request.
3. The Access Point verifies the CSR and pre-shared key, and it sends a set of signed X.509 certificates to the Axon Agent.
4. The Axon Agent reads the response and locally stores copies of 1) the Access Point Certificate Authority (CA), and 2) the signed certificates.
5. The Axon Agent disconnects from the Access Point and deletes its registration_pre_shared_key.txt file.
6. With the signed certificates, the Axon Agent reconnects with the Access Point and establishes a secure TLS session.
With the PKI method, the Axon Agent connects with the Access Point using the signed certificates and establishes a secure TLS session.
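The registration exchange above (steps 2 through 4 and 6) can be modeled with the openssl CLI. This is an added example, not Tripwire's code or wire format; the file names, subject names and pre-shared key value are constructed assumptions.

```shell
#!/usr/bin/env bash
# Constructed model of registration steps 2-6 with the openssl CLI.
# File names, subjects and the PSK are assumptions; not Tripwire's wire format.
WORK=$(mktemp -d)
PSK="constructed-example-psk"

# Access Point: self-signed CA that signs agent certificates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Access Point CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Agent (step 2): generate a private key and a CSR; the key never leaves the agent.
make_csr() {  # $1 = agent name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Access Point (step 3): verify the CSR self-signature and the PSK, then sign.
sign_if_authorized() {  # $1 = agent name, $2 = PSK presented with the CSR
  openssl req -in "$WORK/$1.csr" -verify -noout 2>&1 | grep -q "verify OK" || return 1
  [ "$2" = "$PSK" ] || return 1          # unknown PSK: no certificate issued
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# Agent (steps 4 and 6): accept the certificate only if it chains to the stored CA
# and matches the agent's own private key.
agent_accepts_cert() {  # $1 = agent name
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

make_ca
make_csr agent01
sign_if_authorized agent01 "$PSK" && agent_accepts_cert agent01 && echo "agent01 registered"
make_csr agent02
sign_if_authorized agent02 "wrong-psk" || echo "agent02 rejected"
```

The private key is generated on the agent and only the CSR is submitted, which is why the pre-shared key is needed only for the first connection.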
Required Ports and Protocols
The tables in this section list the services installed with Tripwire Log Center Manager, and the default ports used. Figure 30 illustrates these connections.
| Service Name | Listening | Requires Firewall Access? | Description |
|---|---|---|---|
| TripwireAxonAccessPoint | 5670 | Y | The Axon Agent's connection port to the Access Point. |

| Default Port/Protocol | Configurable During Installation? | Description |
|---|---|---|
| 5670/TCP/TLS | No | Used for inbound communication received from Axon Agents. |
Figure 30. Agent ports and protocols
Migrating your Monitored Assets to Advanced Collectors
Before installing the Axon Agent for use with Tripwire Log Center, we recommend that you follow the steps below.
If your TLC environment includes any Windows systems from which the WinLog Collector has previously collected log messages, Tripwire recommends that you migrate those Monitored Assets to the Advanced Windows Collector.
To identify Monitored Assets that should be migrated to the Advanced Windows Collector, run the Duplicated Assets for Advanced Windows Collectors Report in the Report Center. For instructions, see Running a Report.
To migrate a Monitored Asset from the WinLog Collector to the Advanced Windows Collector, install Tripwire Axon Agent for TLC on the Asset's host system, and then assign the Advanced Windows Collector to the Asset in the TLC Console (see Working with Monitored Assets).
If your TLC environment includes any Windows and/or Linux systems from which the File Collector has collected log messages, Tripwire recommends that you migrate those Monitored Assets to the Advanced File Collector.
To identify Monitored Assets that should be migrated to the Advanced File Collector, run the File Collector Assets Report in the Report Center. For instructions, see Running a Report.
To migrate a Monitored Asset from the File Collector to the Advanced File Collector, install Tripwire Axon Agent for TLC on the Asset's host system, and then assign 1) the Advanced File Collector and 2) the system's Log Source(s) to the Asset in the TLC Console (see Working with Monitored Assets and Working with Log Sources for an Advanced File Collector).