Reports

Running a Report

This topic explains how to run a Report in the Report Center, or with a Report Task in the Task Manager.

In the Report Center, you can run the Tripwire-defined Reports created by the TLC Manager installer, as well as Reports defined by Report Tasks in the Task Manager.

To create, copy, change, or delete a Report Task, see Working with the Task Manager.

To run a Report in the Report Center:

1. In the side bar, select Events >Report CenterReport Center.
2. From the Database drop-down in the side bar of the Report Center, select the database to be queried by the Report.

In the Report Center's side bar, TLC presents the available report groups for the database.

3. Expand the group containing the Report and select the Report.

For descriptions of Tripwire-defined Reports that query your System Database, see Table 121 and Table 122.

For Tripwire-defined Reports that query Event-Management Databases, see Table 123.

4. From the Time Filter drop-down, configure the time filter for the Report.

Select a time period to query the database for information saved to the database within the specified time period. For example, to query the database for information saved within the last 24 hours, select 24 Hours.

To use the default time period defined in the Time Filter page of your TLC Settings (see Working with Time Filter Options), select Global Setting.

To query the database without a time filter, select No Filter.

5. (Optional) If you selected a Report in the Standard Reports group, the following options may be available in the Style drop-down.

Detail generates a full Report.

Overview generates a one-page graphic summary.

Grouped generates a consolidated version of a Detailed Report.

Brief generates an Executive-level Report with graphs and charts.

6. ClickRun ReportRun Report.

TLC presents the report output in the main pane. For more information, see Working with Report Output.

To run a Report defined by a Report Task in the Task Manager:

1. In the side bar, select Events >Task ManagerTask Manager.
2. In the side bar of the Task Manager, expand the Report Tasks group.
3. Under the Report Tasks group, expand the database for which the Task was created and select the Task.

TLC opens the Task's properties in the main pane.

4. In the main pane, clickStartStart.

TLC opens a tab with the Task's report output. For more information, see Working with Report Output.

Table 121. Standard Reports for the System Database

Report Type

This Report presents ...

Tickets by Assigned To

... information about the Event Tickets assigned to each User Account.

Tickets by Category

... information about the Event Tickets for each Category defined in the Ticket Center (see Working with Event Tickets).

Tickets by Group

... information about the Event Tickets in each Ticket Group defined in the Ticket Center.

Tickets by Priority

... information about the Event Tickets for each Priority defined in the Ticket Center.

Tickets by Status

... information about the Event Tickets for each Status defined in the Ticket Center

Tickets Overview

... the number of Event Tickets created on each day in the time period, as well as the Top 10 ticket owners ('Assigned To'), Statuses, Categories, and User Groups.

User Log by Date

... a list of the TLC activities performed by users on each day in the time period.

User Log by User Account

... a dated list of the TLC activities performed by each User Account.

Table 122. Asset Inventory Reports for the System Database

Report Type

This Report presents ...

Advanced File Collector Assets

... a list of all Monitored Assets to which the Advanced File Collector is currently assigned (see Working with Monitored Assets). In addition, this Report lists the Log Sources for each Monitored Asset.

Tip: If you migrate any Monitored Assets from the File Collector to the Advanced File Collector, this Report may be used in conjunction with the File Collector Assets Report to verify that those Assets (and their Log Sources) have been migrated successfully.

Auto-Discovered Assets for Advanced Collectors

... a list of the Monitored Assets created by TLC for Axon Agents via auto-discovery.

Duplicated Assets for Advanced Windows Collectors

... a list of any Monitored Assets with the Advanced Windows Collector specified in the Asset's Collector field (see Table 50) that have the same IP address as an Asset with the WinLog Collector.

File Collector and Advanced File Collector Assets (CSV)

... a list of all Monitored Assets to which the File Collector or Advanced File Collector is currently assigned (see Working with Monitored Assets). The report output is saved to a comma-separated value (CSV) file and may be used to determine if a single Log Source has been added to multiple Monitored Assets. In the report output, the Log Source column lists the full path of each Log Source assigned to a Monitored Asset. If an Asset has multiple Log Sources, the paths are separated by semi-colons (;). For example:

c:\DropFolder\153.67.99.1.log;C:\DropFolder\Any_Application.txt

Notes: Some other columns may also include semi-colon delimited values.

For a Monitored Asset with the File Collector, Log Source paths are specified in the File Collector tab of the Monitored Asset's properties dialog (see Table 57). For a Monitored Asset with the Advanced File Collector, Log Source paths are specified in the Log Source properties dialog (see Table 56).

File Collector Assets

... a list of all Monitored Assets to which the File Collector is currently assigned (see Working with Monitored Assets). In addition, this Report lists the Log Sources for each Asset.

Tip: If you migrate any Monitored Assets from the File Collector to the Advanced File Collector, this Report may be used in conjunction with the Advanced File Collector Assets Report to verify that those Assets (and their Log Sources) have been migrated successfully.

Monitored Asset EPS per Manager

... a list of the average and maximum EPS (Events Per Second) rates for all Monitored Assets. An EPS rate is the number of events received by a Monitored Asset in a one-minute period.

The average EPS is the average value of the EPS rates recorded for an Asset in the time period specified by the Time Filter.

The maximum EPS is the highest EPS rate recorded for an Asset in the time period specified by the Time Filter.

Monitored Assets per Collector

... the IP addresses of the Log Sources from which each of your Collectors received log messages.

Table 123. Standard Reports for Event-Management Databases

Report Type

For the data saved to a selected database during a specified time period, this Report ...

Authentication Overview

... presents information about the successful user logons and saved Events.

Collection Failed Events by IP

... presents a list of Correlated Events that were created if no log messages were collected from specified Monitored Assets within the time period specified in the Advanced tab of the Monitored Assets' properties dialogs (see Working with Monitored Assets).

Events by Legacy Classification

... organizes data by the values entered in the Legacy Classification fields of saved Events.

Tip: For Event-field descriptions, click here.

Events by Destination Host

... organizes data by the values entered in the Destination Host fields of saved Events.

Events by Destination IP

... organizes data by the values entered in the Destination IP fields of saved Events.

Events by Destination IP Map

... generates a map showing the geographic location of each IP address cited in the Destination IP fields of saved Events.

Events by Name

... organizes data by the values in the Name fields of saved Events.

Events by Source IP

... organizes data by the values in the Source IP fields of saved Events.

Events by Source IP Map

... generates a map showing the geographic location of each IP address cited in the Source IP fields of saved Events.

Events by User

... organizes data by the values entered in the User fields of saved Events.

Events Overview

... the number of Events created on each day in the time period, as well as the Top 10 values for the following fields in saved Events: Legacy Classification, Sensor, Src IP, and Dest IP.

Full IDS Report

... provides detailed information about IDS-related log messages collected by TLC.

Hosts by Group

... organizes data by the Host Groups containing saved Hosts.

Hosts by OS

... organizes data by the operating systems of saved Hosts.

Host Activity

... shows the activity on each saved Host.

Host Applications

... shows the applications installed on each saved Host.

Host Listing

... shows all saved Hosts.

Logon Events by Host

... presents a list of logon Events for each saved Host.

Logon Events by User

... presents a list of logon Events initiated by each user.

Vulnerabilities by App

... organizes saved Vulnerability Events by application.

Note: A Vulnerability Event is an event collected from a vulnerability scanner, such as Nessus or a Tripwire VnE Manager.

Vulnerabilities by Host

... organizes saved Vulnerability Events by Host.

Vulnerabilities by Name

... organizes saved Vulnerability Events by name.

Vulnerabilities Overview

... provides a detailed overview of all open Vulnerability Events in your TLC environment.