Working with Managers
To add a Manager, see:
Note |
For an introduction to Secondary Managers and Failover Managers, see What are Managers, Log Sources, and Monitored Assets?. |
---|
To delete or change the properties of a Manager:
1. | In the side bar, select Resources >Configuration Manager. |
2. | In the side bar of the Configuration Manager, select Resources >Managers. |
3. | To change the properties of a Manager: |
a. | In the workspace, double-click the Manager. |
b. | As needed, change the Name, Description, and/or tabs in the Manager dialog (see Table 42). Then, click OK. |
To delete a Manager:
a. | Select the Manager and clickDelete. |
b. | In the confirmation dialog, click Yes. |
Tip |
Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers). |
---|
Tab |
Description |
---|---|
Advanced Settings |
|
Configuration settings for the Manager's Advanced Windows Collector. (This tab only appears in the Manager dialog if a Advanced Windows Collector has been added to the Installed Modules tab.) AutoDiscovery Settings Enable AutoDiscovery. Enables auto-discovery of Windows Axon Agents. If TLC auto-discovers a Windows Agent, TLC creates a new Monitored Asset with the Advanced Windows Collector in the Auto-Discovered Assets Asset Group. Notes: 1) If this setting is enabled, an auto-discovered Monitored Asset will only collect Windows Event Logs if the Asset is i) not assigned to an Asset Group, or ii) assigned to an Asset Group with the Collect Windows Event Logs setting enabled in the group's Advanced Collector Collection tab (see Working with Asset Groups). 2) To manually create a Monitored Asset for a Windows Axon Agent (see Adding a Monitored Asset for a new Log Source), this setting must be disabled. Output to Correlation Engine. If enabled, TLC automatically adds the Correlation Engine as an Output Destination in the Monitored Asset's properties (see Table 50). |
|
Asset-Configuration Rules |
|
Configuration settings for the Manager's Audit Logger. Encrypt log messages. If enabled, this setting encrypts log messages saved in the Audit Logger File Store with the 256-AES algorithm. (Note: This setting will affect performance, but will only slightly increase the size of the data in the Audit Logger File Store.) Save log messages from unknown hosts. If enabled, the Audit Logger will save log messages received from Log Sources for which a Monitored Asset does not exist in the Configuration Manager (see What are Collectors?). Save log messages for all Monitored Assets. If enabled, the Audit Logger will save all log messages from Log Sources for which a Monitored Asset exists in the Configuration Manager. If disabled, the Audit Logger will only save the log messages if the Monitored Asset specifies the Audit Logger as an Output Destination. Separate data by Location. See About Locations and the Audit Logger. Audit Logger File Store directory. The directory in which the Audit Logger saves log messages. Index directory. The directory in which the Audit Logger saves index entries for collected log messages. Tips: If you change the Index directory or Audit Logger File Store directory, you must restart the TLC Manager service (see Working with the TLC Manager Interface). These fields do not support Uniform Naming Convention (UNC) paths. For example: Correct - E:\AuditLogs\ Incorrect - \\MyAuditLogServer\AuditLogs\ Log rotation configuration Limit number of archived Audit Logger log files. To limit the number of AuditLogger.log files retained by TLC, select this option and enter the maximum number of files to be retained in the Archived Audit Logger log files to keep field. For example, if this option is enabled, and the number of AuditLogger.log files matches the specified value, TLC will replace the oldest file when a new file is needed. |
|
Audit Logger Ext |
(Secondary Managers only) This tab only appears in the Manager dialog if the Audit Logger Extension has been added to the Installed Modules tab. With the Audit Logger extension, the Manager forwards any collected log messages to another Manager's Audit Logger, rather than saving the messages locally. Audit Logger. The Audit Logger to which the Manager forwards log messages. Collection Times. Schedules a time when the Manager forwards collected log messages to the specified Audit Logger. Start Time. The time of day when the Manager begins sending log messages. End Time. The time of day when the Manager stops sending log messages. Audit Logger File Store directory. The directory in which the Audit Logger temporarily saves log messages. Tip: If you change the Audit Logger File Store directory, you must restart the host's TLC Manager service (see Working with the TLC Manager Interface). Note: In previous versions of TLC, a Secondary Manager configured to forward log messages was known as a Concentrator. |
Authentication |
Identifies the servers to be used by User Accounts configured for LDAP/Active Directory, Radius, and single sign-on authentication (see Creating and Deleting User Accounts). LDAP/Active Directory Directory service. LDAP or Active Directory. Hostname. The host name, IP address, or domain name of an LDAP Server or Active Directory server. Authentication method. The method to be used when authenticating a user account. Basic is basic authentication, the default setting for most LDAP servers. DPA is Distributed Password Authentication (DPA). Kerberos is Kerberos authentication. MSN is the Microsoft Network Authentication Service. Negotiate uses the best method available between Kerberos and NTLM. NTLM is Windows NT Challenge/Response (NTLM) authentication. Sicily indicates that a Sicily negotiation mechanism will be used to choose DPN, MSN, or NTLM. (This option should be selected for LDAPv2 servers only.) RADIUS server settings RADIUS host. The host name or IP address of a Radius server. Secret key and Secret key (confirm). Enter and confirm the shared secret key for the Radius server. The secret key is stored in both the system database and the tlc.config file. In TLC 6.2.1 and later versions, the key is encrypted in both locations. Note: The RADIUS fields are unavailable if the following policy is enabled in the Windows Local Security Settings on the Manager’s host system (or if TLC cannot determine the setting's status): System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing. Single sign-on. See Configuring Single Sign-On Authentication. Notes: TLC saves all authentication errors in the tlc.log file. |
Configuration settings for the Manager's Database Collector. (This tab only appears in the Manager dialog if a Database Collector has been added to the Installed Modules tab.) Source. The IP address or host name of an external database from which the Collector will collect log messages. Destination. The Event Database, Correlation Engine, or Audit Logger to which the Collector will forward collected log messages. To add an external database to the Collector, clickAdd. To remove an external database from the Collector, select the database and clickRemove. |
|
|
|
Configuration settings for the Manager's File Collector. Collect log messages via FTP and SSH. Configures the Manager to receive log messages via FTP over SSH. Enable AutoDiscovery. If this setting is enabled and a Monitored Asset does not exist for a Log Source from which the Collector receives a log message, TLC will create a Monitored Asset for the Log Source (see Auto-Discovery of an Asset other than an Axon Agent). Manager collection port. The port on which the Manager listens for log messages. Support legacy algorithms for inbound SSH connections. By default, the File Collector will accept log messages collected via SSH connections with the following algorithms: Encryption algorithms: AES-128-ctr, AES-192-ctr, AES-256-ctr, 3DES-ctr, Blowfish-ctr, Twofish-128-ctr, Twofish-192-ctr, Twofish-256-ctr, Serpent-128-ctr, Serpent-192-ctr, Serpent-256-ctr, IDEA-ctr, CAST-128-ctr MAC algorithms: SHA-1, RIPEMD160, RIPEMD, RIPEMD openssh, SHA-256, UMAC32, UMAC64, UMAC128, SHA2-256, SHA2-512 If this setting is enabled, the File Collector will also support the following algorithms: Encryption algorithms: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc MAC algorithms: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96 In the table at the bottom of this tab, you can add SSH keys stored on the TLC Manager. To add a key: 1. ClickAdd. 2. From the Users drop-down, select the user accounts to which the key will apply. 3. In the KeyPath field, enter the full path to the key file. 4. (Optional) Enter a Description. |
|
The TLC modules that have been added to the Manager. To activate a module, you must add and enable the module. Modules include: The Audit Logger (see What is the Audit Logger?) Collectors (see What are Collectors?) Correlation Engines (see How does Event Correlation work?) The License Service (see About User Access and Licensing) The Schedule Engine (see What are the Task Manager and Task Scheduler?) By default, the TLC Manager Configuration Wizard adds the Advanced File Collector, Advanced Windows Collector, File Collector, Network Collector, and WinLog Collector to each Manager. To enable a disabled module, select the module and clickEnable. To disable an enabled module, select the module and clickDisable. To create and add a new module, clickCreate new module. To change the name of a module, select the module and clickEdit selected module. To delete a module from your TLC environment, select the module and clickDelete selected module. To add an existing module to the Manager, clickAssign existing module. To remove a module from the Manager, select the module and clickUnassign selected module. (The module is still available for use by other Managers.) To open a list of all modules in your TLC environment, clickView all modules. |
|
Logging |
|
Configuration settings for the Manager's Network Collector. Tip: Tripwire recommends that you select the Enabled check box for the UDP, TCP, and SNMP protocols. UDP Settings for Syslog Collection: Enabled. Enables the collection of Syslog messages on a UDP port. Port. The port on which the Manager listens for Syslog messages. TCP Settings for Syslog Collection: Enabled. Enables the collection of Syslog messages on a TCP port. Port. The port on which the Manager listens for Syslog messages. SNMP Server Settings: Enabled. Enables the collection of SNMP messages. Port. The port on which the Manager listens for SNMP messages. Community string. A public or group password for SNMP. Version 1. Enables SNMP version 1. Version 2c. Enables SNMP version 2c. Version 3. Enables SNMP version 3. If you select Version 3, you must configure the following SNMP v3 Authentication settings: SNMP v3 User. The name of a user account to be used by the Manager when authenticating with SNMP version 3. Security Level. For Cisco Adaptive Security Appliances (ASA), this field specifies the Security Level of the Cisco user account(s) with which TLC collects log messages. None - TLC will collect all Cisco ASA log messages. Auth Only - TLC only collects log messages if the user account has the AuthNoPriv Security Level. Auth and Priv - TLC only collects log messages if the user account has the AuthPriv Security Level. Password. The password for the user account. Encryption password. 1) The password of a user account to be used by the Manager when transferring SNMP messages, and 2) the encryption algorithm to be used. Note: SNMP v3 supports the MD5 and SHA(1) authentication protocols. However, TLC can only collect log messages with the SHA(1) protocol. AutoDiscovery Settings Enable AutoDiscovery. If this setting is enabled and a Monitored Asset does not exist for a Log Source from which the Collector receives a log message, TLC will create a Monitored Asset for the Log Source (see Auto-Discovery of an Asset other than an Axon Agent). Output to Correlation Engine. If a Monitored Asset is created for an Auto-Discovered Log Source, TLC automatically adds the Correlation Engine as an Output Destination in the Asset's properties (see Table 50). IP address filter. A .NET regular expression that identifies IP Addresses to be included or excluded in/from Auto-Discovery. To prevent TLC from Auto-Discovering an IP address, insert a ! before the regular-expression value. All values are comma delimited. Example: 192.168.*, !192.168.1.* This regular expression will attempt to Auto-Discover all 192.168.x.x IP addresses, with the exception of those in the 192.168.1.x range. |
|
Permissions |
Sets permissions for users to view and change the Manager's properties in the Manager dialog (i.e. this dialog). To add a User Account to the Manager, clickAdd User Account. To add a User Group to the Manager, clickAdd User Group. To remove a User Account or Group, select the item and clickRemove selected items. To configure permissions, select the appropriate check boxes for each user account and group. For more information, see Working with Manager Permissions. |
Proxy |
|
Settings |
Communication settings for the Manager. Host Address. The IP address or host name of the Manager host system. Port. The port on which the Manager listens for log messages from Log Sources. Use this Manager as Failover. If enabled, TLC will employ the Manager as a Failover Manager. Caution: This option disables the Location setting and all other tabs in the Manager dialog. When you complete the steps in Adding a Failover Manager, TLC will overwrite these properties with the configuration of the designated Active Manager. For more information, see About Failover Managers. Location. (Optional) A Location of your choosing. |