What are Managers, Log Sources, and Monitored Assets?

A Manager is a host system for TLC Manager software, and a TLC Console host is a system on which TLC Console software has been installed. If TLC Manager and Console are installed on the same system, the system is referred to as a Manager.

Most systems and devices on a network record information about their operation in a log. A Log Source is any log-generating application, operating-system service, database instance, or device from which TLC collects log messages. A Monitored Asset (or Asset) is an object in TLC that represents a Log Source from which TLC collects log messages directly. (See also What are Discovered Assets?)

Each Monitored Asset specifies the IP address of a Log Source and a single Collector. A Collector is a TLC module that gathers or receives log messages from Log Sources. To communicate with a Log Source, a Collector employs a protocol appropriate for the system -- for example, SNMP for network devices or WMI for Windows operating systems. For descriptions of Collector types, see Table 28.

Notes 

A Monitored Asset using an Oracle Database Collector can collect log messages from multiple Log Sources (i.e. database instances and views). However, all other Monitored Assets collect messages from a single Log Source.

Tripwire Axon Agent for TLC (a.k.a., an Axon Agent) is a service that, when installed on a Windows, AIX, or Linux system, collects log messages from any log-generating application running on that system. When installed on a Windows system, this service can also collect the system's Windows Event Logs via the Secure Sockets Layer (SSL) protocol. For more information, see Table 28.

In the Audit Logger tab of the Manager properties dialog (see Table 42), you can schedule the discovery of IP addresses in a TLC Manager's Audit Logger File Store. Discovery identifies Log Sources in your TLC environment for which Monitored Assets have yet to be created in your TLC Console; these Log Sources are known as Discovered Assets. This process is known as Asset Discovery.

In Asset Discovery, if TLC locates the IP address of one of these Assets in at least one log message collected from a Monitored Asset, it adds the Discovered Asset to the following file:

C:\ProgramData\Tripwire\LogCenterManager\Data\DiscoveredAssets.db

TLC does not perform Asset Discovery on log messages collected from Monitored Assets via Internet Protocol Version 6 (IPv6).

For more information:

To schedule Asset Discovery, see Scheduling Asset Discovery for a Manager.

To view your Discovered Assets, see Working with Discovered Assets.
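
The following added example (not Tripwire code and not part of the original documentation) models the Asset Discovery rule described above: an IPv4 address that appears in a message collected from a Monitored Asset, and that has no Monitored Asset of its own, becomes a Discovered Asset, while messages collected over IPv6 are skipped. The sample data, the function name discover_assets, and the address-matching rules are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data, not taken from a real TLC file store.
MONITORED = {"10.0.0.5", "10.0.0.6", "fd00::6"}
COLLECTED = [  # (Monitored Asset the message came from, raw message)
    ("10.0.0.5", "Accepted password for svc from 10.0.0.77 port 50122 ssh2"),
    ("10.0.0.5", "DENY TCP 10.0.0.77:445 -> 10.0.0.6:445"),
    ("10.0.0.6", "dhcpd: DHCPACK on 10.0.0.91 to 00:11:22:33:44:55"),
    ("fd00::6", "session opened from 10.0.0.120"),
    ("10.0.0.6", "agent build 999.1.2.3 loaded"),
]

# Dotted-quad candidates; real validation is left to the ipaddress module.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")


def discover_assets(collected, monitored):
    """Map each unmonitored IPv4 address to the Monitored Assets that logged it."""
    discovered = {}
    for asset_ip, message in collected:
        # Assumption: "collected via IPv6" is modelled as an IPv6 asset address.
        if ipaddress.ip_address(asset_ip).version == 6:
            continue
        for candidate in IPV4_CANDIDATE.findall(message):
            try:
                ip = str(ipaddress.IPv4Address(candidate))
            except ipaddress.AddressValueError:
                continue  # "999.1.2.3" is a build string, not an address
            if ip not in monitored:
                discovered.setdefault(ip, set()).add(asset_ip)
    return {ip: sorted(seen) for ip, seen in discovered.items()}


if __name__ == "__main__":
    for ip, seen_by in discover_assets(COLLECTED, MONITORED).items():
        print(f"{ip}: seen in messages from {', '.join(seen_by)}")
```

In the sample, 10.0.0.120 is never reported because it appears only in a message collected over IPv6, which is the coverage gap the IPv6 limitation creates.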

Your Tripwire Log Center (TLC) environment consists of all TLC software, Managers, Log Sources, Monitored Assets, Collectors, and data in your TLC installation.

About Primary and Secondary Managers

Each Manager may be configured to perform the following core functions:

Collection. The gathering or receipt of log messages from Log Sources (see What are Collectors?).

Classification. The application of 'Tags' to categorize log messages (see How does Classification work?).

Normalization. The process of standardizing log messages for further use by TLC (see How does Log-Message Normalization work?). Standardized messages are known as Normalized Messages.

Correlation. The examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients (see How does Event Correlation work?).

Each TLC environment has a single Primary Manager. In addition to the core Manager functions outlined above, the Primary Manager controls:

The storing of log messages in the Audit Logger File Store (see What is the Audit Logger?) and Events in Event-Management Databases (see Where does TLC store Data?).

The configuration settings for your TLC environment (see About TLC Settings and Global Settings).

User access and license management for TLC (see About User Access and Licensing).

Your TLC environment may also include one or more Secondary Managers. In addition to the core Manager functions, a Secondary Manager may be configured to either:

Store log messages (as with a Primary Manager), or

Forward log messages to another Manager.

By adding one or more Secondary Managers to your TLC environment, you can distribute TLC functionality to meet your organization's needs. The use of Secondary Managers can improve performance while also giving you the ability to partition your TLC data based on geography, business unit, or function. To determine if a Secondary Manager would be helpful in your TLC environment, see Planning your TLC Environment or consult your Tripwire Customer Service Representative.

Notes 

Concentrator is an obsolete term for a Secondary Manager that has been configured to forward log messages.

If you change the IP address of a Manager, you must:

1. Change the IP address in the Settings tab of the Manager's properties dialog (see Working with Managers), and
2. Assign a new certificate to the Manager in the TLC Manager Interface (see Configuring your Manager's SSL Certificate).

About Failover Managers

A Failover Manager is a Manager that acts as a backup system for another Manager (a.k.a., an Active Manager). When the Active Manager assigned to a Failover Manager goes offline, the Failover Manager will automatically assume the Active Manager's workload.

To add a Failover Manager to your TLC environment, complete the steps in Adding a Failover Manager. Once done, the failover process consists of the following steps:

1. TLC copies the Active Manager's configuration files to the Failover Manager at a specified interval (i.e., the Synchronization Interval). Synchronization ensures the configuration of the Failover Manager mirrors the configuration of the Active Manager.
2. TLC pings the Active Manager every 10 seconds to monitor its status. These pings are known as heartbeats.
3. If the Active Manager is unresponsive to a heartbeat (i.e., the Active Manager's host system is offline or its TLC Manager service is not running), TLC will begin a countdown of the Downtime Threshold (i.e., a specified number of minutes).
4. If the Active Manager is still unresponsive to heartbeats when the countdown exceeds the Downtime Threshold, TLC starts the Failover Manager service.
5. The Failover Manager assumes responsibility for the Active Manager's operations.
6. You must update the DNS record of the Active Manager so that other Managers and Monitored Assets now resolve to the Failover Manager host system. To expedite this change, Tripwire recommends entering a low Time To Live (TTL) value in the DNS record.
7. When the Active Manager is restored, TLC begins a countdown of the Recovery Threshold (i.e., a specified number of minutes).
8. You must update the DNS record of the Active Manager so that other Managers and Monitored Assets now resolve to the Active Manager host system. To expedite this change, Tripwire recommends entering a low Time To Live (TTL) value in the DNS record.
9. If the Active Manager is still responsive when this countdown exceeds the Recovery Threshold, TLC copies the Failover Manager's configuration files to the Active Manager.
10. TLC returns the Failover Manager to a passive state, and the Active Manager resumes operation.
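
The following added example (not Tripwire code and not part of the original documentation) replays a series of heartbeat results through the failover steps above to show when each step fires and how long the Active Manager is down before the Failover Manager service starts. The function name failover_timeline and the sample values are constructed, and the rule that a countdown is cancelled when the Active Manager's state changes is an assumption, since the steps do not state it.

```python
HEARTBEAT_SECONDS = 10  # heartbeat interval from step 2

# Constructed sample: a 20-second blip, then a long outage, then recovery.
SAMPLE = [True] * 3 + [False] * 2 + [True] * 2 + [False] * 10 + [True] * 10


def failover_timeline(heartbeats, downtime_min, recovery_min):
    """Replay heartbeat results (True = Active Manager answered).

    Returns (events, gap_seconds), where gap_seconds is the total time the
    Active Manager was unresponsive while the Failover Manager service was
    not yet running.
    """
    events, gap = [], 0
    serving = "active"   # Manager currently doing the work
    started = None       # time the running countdown began, if any
    for tick, ok in enumerate(heartbeats):
        t = tick * HEARTBEAT_SECONDS
        if serving == "active":
            if ok:
                started = None   # assumption: a reply cancels the countdown
            elif started is None:
                started = t
                events.append((t, "step 3: Downtime Threshold countdown starts"))
            elif t - started > downtime_min * 60:
                serving, started = "failover", None
                events.append((t, "steps 4-6: Failover Manager service starts; "
                                  "repoint DNS to the Failover host"))
            if not ok and serving == "active":
                gap += HEARTBEAT_SECONDS
        else:
            if not ok:
                started = None   # assumption: a miss cancels the countdown
            elif started is None:
                started = t
                events.append((t, "steps 7-8: Recovery Threshold countdown starts; "
                                  "repoint DNS to the Active host"))
            elif t - started > recovery_min * 60:
                serving, started = "active", None
                events.append((t, "steps 9-10: configuration copied back; "
                                  "Active Manager resumes"))
    return events, gap


if __name__ == "__main__":
    timeline, gap_seconds = failover_timeline(SAMPLE, downtime_min=1, recovery_min=1)
    for seconds, event in timeline:
        print(f"t+{seconds:>3}s  {event}")
    print(f"Active Manager down without failover for {gap_seconds}s")
```

The computed gap covers only the wait for the Downtime Threshold; the time other Managers and Monitored Assets take to pick up the DNS change in steps 6 and 8 comes on top of it.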

Note 

To configure the Synchronization Interval, Downtime Threshold, and Recovery Threshold for a Failover Manager, see the Failover Settings option in the TLC Manager Interface (see Working with the TLC Manager Interface).