Log-Message Collection

What are Collectors?

A log message is a data record generated by a Log Source. A Collector is a module, configured in the properties of a Manager (see Configuring a Collector), that either actively gathers or passively listens for log messages from one type of Log Source. Each Collector communicates with its Log Sources over a protocol appropriate to that source type. For example, a Cisco IDS Collector uses the SDEE protocol to gather log messages from Cisco devices.

For a description of each type of Collector in TLC, along with the protocols and communication port(s) used by each Collector, see Table 29.

Table 29. Types of Collectors

Type: Advanced File
Protocol and Required Ports: SSL: TCP/5670
Description: If Tripwire Axon Agent for TLC is installed on a Windows, AIX, or Linux system, this Collector may be used to gather log messages from any log-generating application running on the host system.
Note: To install Tripwire Axon Agent for TLC, see Installing Tripwire Axon Agent using a Pre-Shared Key. For supported platforms, see Getting Started with Tripwire Axon Agent for TLC.

Type: Advanced Windows
Protocol and Required Ports: SSL: TCP/5670
Description: If Tripwire Axon Agent for TLC is installed on a Windows system, this Collector may be used to gather the system's Windows Event Logs.
Note: See also the description for the Advanced File Collector.

Type: Check Point
Protocol and Required Ports: OPSEC and LEA: TCP/18184, UDP/18184
Description: Listens for log messages from a Check Point Manager.
Note: A Check Point Collector can only collect log messages from a single Check Point Manager. If your TLC environment includes multiple Check Point Managers, then a different Check Point Collector (and, therefore, TLC Manager) must be configured for each Check Point Manager in your environment.

Type: Cisco IDS
Protocol and Required Ports: SDEE: TCP/443
Description: Gathers log messages from Cisco IDS sensors.

Type: Database
Protocol and Required Ports: MySQL: TCP/3306; MS-SQL: TCP/1433; PostgreSQL: TCP/5432
Description: Gathers log messages from an application that logs to an External Database. For a list of supported applications, see:
https://www.tripwire.com/products/tripwire-log-center/system-requirements/

Type: File
Protocol and Required Ports: SMB: TCP/135-139, TCP/445; SFTP: TCP/22; FTP: TCP/21
Description: Gathers or receives log messages from Log Sources that store messages in an ASCII log file.
Note: TLC can also collect compressed .zip and .tar.gz log files.

Type: Network
Protocol and Required Ports: Syslog: UDP/514, TCP/1468, TCP/6514 (TLS); SNMP: TCP/162, UDP/162
Description: Listens for Syslog and SNMP-based messages from network devices.

Type: Oracle Database
Protocol and Required Ports: TCP/IP: 1521
Description: Gathers log messages from Oracle database audit logs.

Type: WinLog
Protocol and Required Ports: WMI: TCP/135, TCP/1024-65535
Description: Gathers log messages from Windows Event Logs.
Tip: For the collection of log messages from Windows Event Logs, Tripwire recommends the use of the Advanced Windows Collector, rather than the WinLog Collector.

To collect log messages from a Log Source, you must configure the Log Source to send log messages to TLC (see Appendix I: Log-Source Configuration). In addition, you must create and configure a Monitored Asset for the Log Source (see Working with Monitored Assets).

Notes 

When Tripwire Axon Agent for TLC software is installed and configured on a host system (see Installing Tripwire Axon Agent using a Pre-Shared Key), the Agent notifies its TLC Manager, and TLC creates a new Monitored Asset for the Axon Agent. For further details, see How does Auto-Discovery work?.

To collect log messages from non-English versions of Microsoft Windows, complete the following steps: 

1. Browse to the following directory:

<manager_install_dir>\Translation\

Where <manager_install_dir> is the directory in which TLC Manager is installed.

2. In this directory, create a text file called translation.txt.
3. This directory contains sample files for different languages (e.g., Italian, Spanish, etc.). Open the appropriate sample file for the language employed by your version of Microsoft Windows, and copy its contents to translation.txt.
4. Save and close translation.txt.

Figure 37 shows how TLC processes a log message collected from a Log Source. Upon receipt of a log message, TLC forwards the message to the Real-Time Event Viewer (see What is the Real-Time Event Viewer?). In addition, TLC determines if:

The message should be stored in the Audit Logger File Store (see What is the Audit Logger?),

The Auto-Discovery process should be started (see Auto-Discovery of an Asset other than an Axon Agent), and

The message should be forwarded to the Normalization Engine (see How does Log-Message Normalization work?).

The steps below describe this decision-making process (outlined in red in Figure 37).

Note 

Auto-Discovery and Asset Discovery are two different processes. For information about Asset Discovery, see What are Discovered Assets?.

Note 

If the Log unknown hosts setting is enabled in the Audit Logger tab of the Manager’s properties dialog (see Working with Managers), TLC saves the message in the Audit Logger File Store regardless of any other steps taken (see What is the Audit Logger?).

Figure 37. Collecting a log message

Does the Configuration Manager contain a Monitored Asset?

Yes = If the TLC Configuration Manager contains a Monitored Asset for the Log Source that generated the log message, TLC refers to the Output Destinations tab of the Asset’s properties dialog.

No = Otherwise, TLC determines what type of Collector collected the message.

Is the message from a File or Network Collector?

Yes = If the log message was collected by a File Collector or Network Collector, TLC initiates the Auto-Discovery process (see Auto-Discovery of an Asset other than an Axon Agent).

No = Otherwise, TLC ignores the log message.

Output = AL, ED, IDS, or CE?

Yes - AL = If the Audit Logger is enabled in the Monitored Asset's Output Destinations tab, TLC saves the message in the Audit Logger File Store.

Note 

If a message contains the string specified by the Quick Match field in a Normalization Rule (see Table 90), and the message's Collector is assigned to the rule, TLC associates the message with any Classification Tags assigned to the rule when the Audit Logger indexes the message. For more information, see How does Classification work?.

Yes - ED, IDS, and/or CE = If an Event Database, IDS Database, and/or Correlation Engine is enabled in the Monitored Asset's Output Destinations tab, TLC sends the log message to the Manager's Normalization Engine (see How does Log-Message Normalization work?).

No Output specified = If no Output Destinations are enabled for the Monitored Asset, TLC refers to the Save log messages for all Monitored Assets setting in the Manager's Audit Logger tab.

Does the Manager log all Assets?

Yes = If the Save log messages for all Monitored Assets setting is enabled, TLC saves the message in the Audit Logger File Store (see What is the Audit Logger?).

No = Otherwise, the Audit Logger ignores the log message.
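The decision flow above, written out as an added Python model so that the branches (including the Log unknown hosts override and the Save log messages for all Monitored Assets fallback) can be traced for a given message. This is an illustrative example, not TLC's own code; the dataclass names, the action labels, and the sample assets are assumptions.

```python
"""Model of the TLC log-message routing decision outlined in Figure 37.

Added example, not Tripwire code. Names and data structures are assumptions
chosen to mirror the documented settings and Output Destinations.
"""
from dataclasses import dataclass, field

# Output Destinations as named in the Monitored Asset's properties dialog
AUDIT_LOGGER, EVENT_DB, IDS_DB, CORRELATION = "AL", "ED", "IDS", "CE"
NORMALIZATION_OUTPUTS = {EVENT_DB, IDS_DB, CORRELATION}
# Only these Collector types start Auto-Discovery for an unknown Log Source
AUTO_DISCOVERY_COLLECTORS = {"File", "Network"}


@dataclass
class ManagerSettings:
    """Relevant settings from the Manager's Audit Logger tab."""
    log_unknown_hosts: bool = False
    save_all_monitored_assets: bool = False


@dataclass
class MonitoredAsset:
    """Enabled Output Destinations (subset of AL, ED, IDS, CE)."""
    outputs: set = field(default_factory=set)


@dataclass
class LogMessage:
    source: str      # identifier of the Log Source (constructed sample value)
    collector: str   # Collector type from Table 29, e.g. "Network"


def route_message(msg, assets, settings):
    """Return the set of actions TLC takes for msg.

    Actions: "real_time_viewer", "audit_logger", "auto_discovery",
    "normalization_engine". A result containing only the viewer means the
    message is otherwise ignored.
    """
    actions = {"real_time_viewer"}   # every received message reaches the viewer
    if settings.log_unknown_hosts:   # saved regardless of any other step
        actions.add("audit_logger")
    asset = assets.get(msg.source)
    if asset is None:                # no Monitored Asset for this Log Source
        if msg.collector in AUTO_DISCOVERY_COLLECTORS:
            actions.add("auto_discovery")
        return actions
    if AUDIT_LOGGER in asset.outputs:
        actions.add("audit_logger")
    if asset.outputs & NORMALIZATION_OUTPUTS:
        actions.add("normalization_engine")
    if not asset.outputs and settings.save_all_monitored_assets:
        actions.add("audit_logger")  # Manager-level fallback for silent assets
    return actions
```

A message from an asset with no Output Destinations and a Manager that does not save all assets yields only the viewer, which is the case to check first when expected events are missing from the Event Database.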