Installing Tripwire Axon Agent using a Pre-Shared Key
This section describes the process to install and configure the Axon Agent using a pre-shared key to authenticate communication with the Axon Access Point. For more information about different authentication methods, see Choosing an Authentication Method for TLC Axon Agents.
Step 1. Configuring the Axon Access Point on a Tripwire Log Center Manager
Note |
The Axon Access Point only needs to be configured on a Tripwire Log Center Manager once, before connecting to an Axon Agent for the first time. If the Axon Access Point has already been configured (that is, the Axon Access Point is already connected to an Axon Agent) proceed to Step 2. (Optional) Configuring a DNS SRV Record for the Axon Agent's Domain. |
---|
To configure the Axon Access Point on a Tripwire Log Center Manager:
1. | Ensure that a supported version of Tripwire Log Center Manager is installed. |
2. | Verify that port 5670 is available on the Tripwire Log Center Manager. |
3. | Open the following file in a text editor: |
<<TLC_Manager_install_dir>\Tripwire Axon Access Point\config\bridge.sample.properties
4. | Save a copy of this file with the name bridge.properties in the same directory. |
5. | In the bridge.properties file, complete the following steps: |
a. | Locate the following line: |
#tw.cap.bridge.port=5670
This entry specifies the port with which the Axon Access Point will 'listen' for incoming log messages from Axon Agents (5670 by default). If you want to use another port, remove the pound sign (#) from the beginning of the line and replace "5670" with the new port number.
b. | Locate the following line: |
#tw.cap.bridge.registrationPreSharedKey=
Remove the pound sign (#) from the beginning of the line and enter a registration pre-shared key of your choice. This pre-shared key is used by the Axon Agent to register with the Tripwire Log Center Manager. The pre-shared key may include the space character and any alphanumeric characters, as well as the following special characters:
"%$'( )*+,-./:;<=>?_
c. | By default, the Axon Access Point uses TLSv1.2 with cipher suites TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. To change these settings, see Configuring TLS Versions and Cipher Suites. |
d. | Save the file. |
6. | At a command prompt, enter the following commands to restart the Axon Access Point service: |
net stop TripwireAxonAccessPoint
net start TripwireAxonAccessPoint
Tip |
If you encounter a problem with the Axon Access Point after configuration, review the Axon Access Point log file to assess the issue: <TLC_Manager_install_dir>/Tripwire Axon Access Point/logs/bridge.log For additional assistance, contact Tripwire Support. |
---|
Step 2. (Optional) Configuring a DNS SRV Record for the Axon Agent's Domain
In a Domain Name System (DNS), an SRV record (or service record) defines the hostnames and port numbers of servers running various services. If you have a DNS Server with an SRV record for the domain(s) containing the Axon Agent host system, no further configuration of the host system will be required following the installation of the Agent software (see Step 3. Installing Tripwire Axon Agent for TLC). Instead, following installation, the Axon Agent will query the DNS Server for any SRV records in the DNS domains associated with any IP addresses assigned to the Agent host system’s interfaces.
If you do not wish to employ DNS SRV records to configure the Axon Agent, proceed to Step 3. Installing Tripwire Axon Agent for TLC.
Otherwise, edit one of the DNS SRV records for the Agent host system's domains as described below.
To edit an SRV record on your DNS server:
1. | Open the SRV record for a domain containing the Axon Agent host system. The name of the SRV record will appear in this format: |
_tw-tlc-agw._tcp.<domain_name>
where <domain_name> is the name of the domain.
2. | To specify the Tripwire Log Center Manager to which the Axon Agent will send data, enter the server's IP address or host name in the Server Hostname field. |
3. | In the Port field, enter the number of the port on the Tripwire Log Center Manager to be used for communications with Axon Agents. To use the default port, enter 5670. |
Step 3. Installing Tripwire Axon Agent for TLC
In this step, you will install the Tripwire Axon Agent for TLC software on an Agent host system. You must install this software on each system that you want to monitor.
To install the Agent software, complete the appropriate steps for the Axon Agent host system:
Installing Tripwire Axon Agent for TLC on a Linux System
Installing Tripwire Axon Agent for TLC on a Windows System
Caution |
After installation, the Axon Agent will look for and use any To resolve this issue, before installing the Tripwire Axon Agent for TLC:
Linux:/etc/tripwire-tlc Windows:%PROGRAMDATA%\Tripwire\agent-tlc\config
|
---|
Installing Tripwire Axon Agent for TLC on an IBM AIX System
To install Tripwire Axon Agent for TLC on an IBM AIX system:
1. | See Supported Platforms to make sure that the Axon Agent is supported on the target system. |
2. | Install IBM XL C/C++ Runtime for AIX 16.1.0.0 or newer. For instructions, see the IBM user documentation. |
3. | Log in to the host system with a local administrator account. |
4. | Use the following command to install the software: |
rpm –ivh <installer_rpm_file>
where <installer_rpm_file> is the appropriate installer file (Table 11).
File name |
Target OS |
---|---|
tw-axon-agent-tlc-aix-x64.rpm |
64-bit IBM AIX systems |
Installing Tripwire Axon Agent for TLC on a Linux System
To install Tripwire Axon Agent for TLC on a Linux system:
1. | See Supported Platforms to make sure that the Axon Agent is supported on the target system. |
2. | Log in to the host system with a local administrator account. |
3. | Use the following command to install the software: |
rpm –ivh <installer_rpm_file>
where <installer_rpm_file> is the appropriate installer file (Table 12).
File name |
Target OS |
---|---|
tw-axon-agent-tlc-linux-x86.rpm |
32-bit Linux systems |
tw-axon-agent-tlc-linux-x64.rpm |
64-bit Linux systems |
Installing Tripwire Axon Agent for TLC on a Windows System
To install Tripwire Axon Agent for TLC on a Windows system:
1. | See Supported Platforms to make sure that the Axon Agent is supported on the target system. |
2. | Log in to the host system with a local administrator account. |
3. | To install the software in the default location (C:\Program Files\Tripwire\Agent-TLC), double-click the appropriate installer file (see Table 13) in the directory in which you unzipped the Axon Agent installation package. |
To install the software in a different directory, open a command prompt and enter the following command:
<installer_file> INSTALLDIR=<target_binary_installation_dir>
where
<installer_file> is the name of the appropriate installer file (see Table 13), and
<target_binary_file_directory> is the full path to the target installation directory
File name |
Target OS |
---|---|
tw-axon-agent-tlc-windows-x86.msi |
32-bit Windows systems |
tw-axon-agent-tlc-windows-x64.msi |
64-bit Windows systems |
Step 4. Configuring the Axon Agent
To configure an Axon Agent to communicate with the Tripwire Log Center Manager, you edit the Agent's configuration file twagent.conf. You must edit the configuration file on each system where the Agent software is installed.
To configure the Axon Agent:
1. | Open one of the following files in a text editor: |
AIX or Linux:
/etc/tripwire-tlc/twagent_sample.conf
Windows:
%PROGRAMDATA%\Tripwire\agent-tlc\config\twagent_sample.conf
2. | Save a copy of this file with the name twagent.conf in the same directory. |
3. | If you did not configure an SRV record in Step 2. (Optional) Configuring a DNS SRV Record for the Axon Agent's Domain, you must manually enter the host name or IP address of the Tripwire Log Center Manager as the bridge.host option in the Axon Agent configuration file. |
bridge.host>=<product_server_hostname_or_IP>
For IPv4, bridge.host=192.168.1.55
For IPv6, bridge.host=[2001:0db8:85a3::8a2e:0370:7334%2]
Note |
For systems running older operating systems such as Microsoft Windows 2008, the IPv6 address should exclude '%2,' as follows: bridge.host=[2001:0db8:85a3::8a2e:0370:7334] |
---|
If you did configure an SRV record, the Axon Agent will query the DNS Server when you restart the Agent service (below). This query will attempt to identify an SRV record and use the hostname or IP address and port from the record to connect to the Axon Access Point. If the query is successful, the Axon Agent's running configuration will use these values as the bridge.host and bridge.port options (see Table 15).
4. | The Axon Agent spools data to be sent to the Tripwire Log Center Manager's Axon Access Point (see Getting Started with Tripwire Axon Agent for TLC). Based on the speed with which the Axon Agent collects data from the Agent host system, edit the spool.size.max option to adjust the size of the spool (see Table 14). |
Note |
When the Axon Agent sends data to the Tripwire Log Center Manager, it first copies the data to the spool. If the connection is dropped, transmitted data may be lost. In this case, the server will ask the Axon Agent to re-send the spooled data. A spool size that is too small will limit the Axon Agent's ability to respond to such requests, while a spool size that is too large will needlessly fill the Agent's disk space with old data. |
---|
Spool Size |
If the Axon Agent collects ... |
Recommended value for spool.size.max |
---|---|---|
Small |
... 1 to 5 events (i.e., log messages) per second (EPS) |
100 MB |
Medium |
... 6 to 10 events per second (EPS) |
500 MB |
Large |
... 11 or more events per second (EPS) |
1 GB |
5. | As needed, edit the values of the other options in the Axon Agent configuration file (see Table 15). |
6. | (Optional) To configure the Axon Agent to communicate through a SOCKS5 proxy, edit the values for the SOCKS5 settings. For more information, see Table 16. |
7. | (Optional) By default, the Axon Agent uses TLSv1.2 with cipher suites DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384. To change these settings, see Configuring TLS Versions and Cipher Suites. |
8. | Create a text file named registration_pre_shared_key.txt and save the file in the following directory: |
AIX or Linux: /etc/tripwire-tlc
Windows: %PROGRAMDATA%\Tripwire\agent-tlc\config\
9. | In the text file, enter the same registration pre-shared key (value only) that you specified in the bridge.properties file in Step 1. Configuring the Axon Access Point on a Tripwire Log Center Manager. |
10. | At a command prompt, enter one of the following sets of commands to restart the Axon Agent Service: |
AIX:
stopsrc -s tw-axon-agent-tlc
startsrc -s tw-axon-agent-tlc
Linux:
/sbin/service tw-axon-agent-tlc stop
/sbin/service tw-axon-agent-tlc start
Windows:
net stop TripwireAxonAgentTLC
net start TripwireAxonAgentTLC
11. | After completing these steps, you should see an Auto Discovery message for the Axon Agent in the TLC Manager log. For information on using the Axon Agent with Tripwire Log Center, see the Tripwire Log Center User Guide. |
Tip |
If you encounter a problem with the Axon Agent after configuration, review the Agent log file to assess the issue: AIX/Linux: /var/log/tripwire-tlc/twagent.log Windows: %PROGRAMDATA%\Tripwire\agent-tlc\log\twagent.log For information on interpreting error messages, see Axon Agent Error Messages. For additional assistance, contact Tripwire Support. |
---|
Option |
Description |
---|---|
bridge.host |
The host name or IP address of the TLC Manager to which this Axon Agent will connect. For more information, see Step 1. Configuring the Axon Access Point on a Tripwire Log Center Manager. If the Axon Agent is hosted by a Linux system that supports Internet Protocol Version 6 (IPv6), you must include the network adapter. Example: bridge.host=[2001:0db8:85a3::8a2e:0370:7334%ens33] In this example: Axon Access Point IPv6 Address = 2001:0db8:85a3::8a2e:0370:7334 Linux system IPv6 Address with interface name= Linux system IPv6 Interface name = ens33 |
bridge.port |
The port on the TLC Manager used for communication between the Axon Access Point and the Axon Agent. (Default = 5670) |
dns.service.domain |
Specifies a DNS domain other than the Axon Agent host system's domain for SRV record lookup. |
dns.service.name |
Specifies a DNS service name. (Default = _tw-tlc-agw) |
registration.file.name |
The name of the file containing the registration pre-shared key (defined in Step 1. Configuring the Axon Access Point on a Tripwire Log Center Manager) for the Axon Agent to register with the Axon Access Point. (Default = registration_pre_shared_key.txt) The Agent searches for the specified file name in the following directory: Linux: /etc/tripwire-tlc
|
spool.size.max |
The maximum size of the spool with which the Agent collects data from the Axon Agent host system. (Default = 1GB) For sizing guidelines, see Table 14. |
Option |
Description |
---|---|
tls.version |
The TLS version used to connect with the Axon Access Point. Valid options are TLSv1, TLSv1.1, and TLSv1.2. Only one TLS version can be specified here. For information on changing the TLS version and cipher suites, see Configuring TLS Versions and Cipher Suites. Default value: TLSv1.2 |
tls.cipher.suites |
A colon-delimited list of cipher suites used by the Axon Agent when it connects to the Axon Access Point. Only OpenSSL FIPS-compatible cipher suites which utilize RSA keys are supported. Default value: DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384 |