Changing a Manager's Advanced Settings
Caution: You should only modify your Manager's Advanced Settings if directed to do so by Tripwire Technical Support.
To change the advanced settings for a Manager:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the workspace, double-click the Manager.
4. Select the Advanced Settings tab.
5. To add a setting in the Manager dialog:
   a. Click Add. TLC adds a row to the Advanced Options table.
   b. In the new row, mouse over the Advanced Option field to display the drop-down arrow.
   c. Select an option from the Advanced Option drop-down (see Table 50).
   d. In the Value field, enter a value for the option. Some options require entry of an explicit value, while others provide values in a drop-down list.
To change the value for a setting, select and edit the Value field for the setting's table row.
To remove a setting, click the arrow button to the left of the setting's table row and click Remove.
Tip: Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers).
Option |
Description |
---|---|
Advanced Collector - Duplicate-Asset Criteria |
The Tripwire Axon Agent for TLC installer assigns a universally unique identifier (UUID) to each Axon Agent (see Auto-Discovery of a Windows Axon Agent), and the Agent will change its UUID if:
- All of the Media Access Control (MAC) addresses on the Axon Agent host system change (for example, if the system is cloned), or
- The Axon Agent state files become corrupted and must be recreated.
Whenever an Axon Agent's UUID is first assigned or subsequently changed, the Agent sends the UUID to its TLC Manager. If the UUID is unassociated with any existing Monitored Assets, this setting specifies the criteria employed by TLC to determine if the UUID represents a new Axon Agent or a change for an existing Axon Agent.
- Hostname. If the UUID is from an Axon Agent with a host name that matches an existing Monitored Asset, TLC updates the Asset's UUID. Otherwise, TLC creates a new Monitored Asset.
- Hostname and IP. If the UUID is from an Axon Agent with a host name and IP address that match an existing Monitored Asset, TLC updates the Asset's UUID. Otherwise, TLC creates a new Monitored Asset.
- None. TLC creates a new Monitored Asset, regardless of the Axon Agent's host name or IP address. |
Asset AutoDiscovery - Assigned Location |
Specifies the ID of a Location to be assigned to all auto-discovered Monitored Assets. To view the Locations assigned to a Monitored Asset, see Working with Monitored Assets. |
Audit Logger - Create Log Files by Asset |
If True, TLC writes log messages to a separate log file for each Monitored Asset. |
Audit Logger - Buffer Time Limit (in Hours) |
Sets the maximum number of hours that log messages will sit in the Audit Logger buffer. |
Audit Logger - Custom Term Separators |
Specifies characters to be used as term separators in the Audit Logger. Note: By default, the following characters are defined as term separators. ' & ; / , \ \ = | ( ) [ ] % { } + \ " ` If you add your own term separators in the Value field, Tripwire LogCenter overrides the default separators. Tripwire LogCenter always treats a space character as a term separator. |
Audit Logger - Display Hostnames in the PCI Reports |
If True, the Audit Logger will use host names to identify and sort Monitored Assets with the Advanced Windows Collector or the Advanced File Collector (see Table 29) in the output of Tripwire-defined PCI Reports. Otherwise, these Assets will be identified by their IP addresses. Tip: For a specific report, you can override this setting in the Report Options tab (see Table 87). |
Audit Logger - Enable SHA-256 Checksum |
If True, the Audit Logger will calculate a SHA-256 hash for each file written to the Audit Logger File Store. TLC stores the hashes in the Audit Logger Index. When an Audit Logger query is run, TLC first verifies the SHA-256 hashes of the queried files before presenting the query results. |
Audit Logger - Index Thread Limit |
Sets the maximum number of indexing threads that the Audit Logger can sustain at one time. |
Audit Logger - Indexing Limit |
Sets the maximum number of log messages that can be indexed by the Audit Logger at one time. |
Audit Logger - Maximum Index Size (in MB) |
Sets the maximum size (in MB) of the Audit Logger Index. If the index exceeds this size, TLC creates a new partition. |
Audit Logger - Maximum Size of Uncompressed Log Files |
Sets the maximum size (in MB) of uncompressed log files in an Audit Logger zip file. |
Audit Logger - Query Term Limit |
Sets the maximum number of terms in the Audit Logger Index that can be queried at one time. |
Audit Logger - Zip File Size Limit |
Sets the maximum size (in MB) of an Audit Logger zip file. If the size of a zip file exceeds this value, TLC creates a new zip file. |
Buffer Size - Actions |
Sets the maximum number of Actions that can be cached in the buffer of the Action Engine. |
Buffer Size - Check Point Collector |
Sets the maximum number of log messages that can be cached in the buffer of the Check Point Collector. |
Buffer Size - Correlation Engine |
Sets the maximum number of Normalized Messages that can be cached in the buffer of the Correlation Engine. |
Buffer Size - Correlation Engine Alert Output |
Sets the maximum number of Normalized Messages that can be cached in the alerts buffer of the Correlation Engine. |
Buffer Size - Correlation Engine Database Output |
Sets the maximum number of Normalized Messages that can be cached in the database buffer of the Correlation Engine. |
Buffer Size - Event Databases |
Sets the maximum number of Normalized Messages that can be cached in the buffer used for Event Databases. |
Buffer Size - Firewall Databases |
Sets the maximum number of Normalized Messages that can be cached in the buffer of the Clean-Up Utility used for Firewall Databases. |
Buffer Size - IDS Databases |
Sets the maximum number of Normalized Messages that can be cached in the buffer of the Clean-Up Utility used for IDS Databases. |
Buffer Size - MySQL |
Sets the maximum number of Normalized Messages that can be cached in the buffer of any MySQL Event-Management Database. |
Buffer Size - Normalization Engine |
Sets the maximum number of log messages that can be cached in the buffer of the Normalization Engine. |
Buffer Size - WinLog Collector |
Sets the maximum number of log messages that can be cached in the buffer of the Windows Collector. |
Cisco IDS Collector - Close Subscription on Stop |
Closes the subscription to the Cisco IDS when the Manager service stops. When the Manager service is re-started, a new subscription will be created. (Without a subscription, TLC is unable to collect log messages from Cisco IDS systems while the Manager service is stopped.) |
Cisco IDS Collector - Collection Interval |
Sets the interval (in seconds) for polling of log messages from Cisco IDS systems by the Cisco IDS Collector. |
Cisco IDS Collector - Collection Limit |
Sets the maximum number of Cisco IDS log messages that may be collected by the Cisco IDS Collector at one time. |
Cisco IDS Collector - Timestamp from Manager |
If True, this setting overwrites the timestamp of log messages collected by the Cisco IDS Collector with the Manager's timestamp. |
Classification Performance - Log Mode |
Determines if TLC will write classification-performance statistics to tlc.log. If this setting is enabled (Slow or All), TLC may write the following statistics for each Normalization Rule:
- The average time in which the Normalization Rule classified log messages,
- The longest period of time in which the rule classified a log message, and
- The shortest period of time in which the rule classified a log message.
Options include:
- None. No classification-performance statistics are written to tlc.log.
- Slow. Writes a Normalization Rule's classification-performance statistics to tlc.log only if the rule classified at least one log message in a time period exceeding the threshold defined by the Classification Performance - Slow Threshold setting.
- All. Writes classification-performance statistics for all Normalization Rules to tlc.log.
Note: For an introduction to classification, see How does Classification work?. |
Classification Performance - Log Detail Level |
If the Classification Performance - Log Mode setting is enabled, this setting determines the additional level of detail written to tlc.log.
- None. No additional detail.
- UID. For each Normalization Rule, TLC includes the unique ID (UID) of the log message classified by the rule in the longest period of time.
- Text. For each Normalization Rule, TLC includes the unique ID (UID) and the first 300 characters of the log message classified by the rule in the longest period of time. |
Classification Performance - Slow Threshold |
This setting defines the threshold (in milliseconds) for the classification process. For further details, see Classification Performance - Log Mode. |
Correlation Engine - Remote Max Wait (milliseconds) |
Sets the maximum number of milliseconds Normalized Messages can be cached in the buffer of the local Manager's Correlation Engine. When a Normalized Message is in the buffer for a duration of time exceeding this value, the local Manager will send all messages in the buffer to another Manager's Correlation Engine. |
Correlation Engine - Remote Queue Size |
Sets the maximum number of Normalized Messages that can be cached in the buffer of the local Manager's Correlation Engine. When the number of messages exceeds this value, the local Manager will send all messages in the buffer to another Manager's Correlation Engine. |
Correlation Engine - State Table Size |
Sets the maximum number of state-table items permitted in the state table at one time. |
Dashboard - Normalized Message Cache Timeout (in Minutes) |
Sets the maximum number of minutes Normalized Messages will be cached for display in the Dashboard. |
Database Collector - Collection Limit |
Sets the maximum number of log messages that may be collected by the Database Collector at one time. |
Database Server - Query Timeout |
Sets the timeout (in seconds) for queries of your database server (1 to 2147483). To run queries with no timeout, enter zero (0). |
Event Framework - Ignore Messages Older Than (Days) |
To disable this setting, enter a value of 0. Otherwise, if a collected log message has a timestamp older than the specified number of days (1-365), TLC will not normalize the log message and the message will not be saved in an Event-Management Database. |
File Collector - Enable SSHD Authentication |
If True and a File Collector is configured for use with a Secure FTP server (see Working with Managers), this setting enables the use of SSHD keyboard authentication to send log messages from the server to the File Collector. |
File Collector - Concurrent Connections |
If a File Collector is configured for use with a Secure FTP server (see Working with Managers), this setting defines the maximum number of concurrent connections between the server and the File Collector. |
File Collector - Limit FTP Server to One IP Address |
If True and a File Collector is configured for use with a Secure FTP server (see Working with Managers), this setting limits the server to a single IP address. If this setting is disabled, the Secure FTP server will use all IP addresses. |
File Collector - Save Log Name in Message Properties |
If True, the File Collector will save the applicable log filename in the properties of each log message saved in the Audit Logger. |
FTP SSH Outbound Connections - Support Legacy Algorithms |
If True, the SFTP client will use the following algorithms to connect with an SFTP Server:
- Encryption algorithms: aes256-ctr, aes256-cbc, 3des-cbc
- MAC algorithms: hmac-sha1, hmac-md5, hmac-sha1-96, hmac-md5-96
Otherwise, the SFTP client will use the following algorithms:
- Encryption algorithms: aes256-ctr
- MAC algorithms: hmac-sha1 |
Log Message Forwarding - Destinations |
Specifies one or more Forwarding Destinations. For more information, see: |
Log Message Forwarding - Forwarding message length |
Sets the maximum number of characters (1,024 - 65,000) in log messages that may be forwarded to the Forwarding Destination(s) specified by the Log Message Forwarding - Destinations setting (above). If a log message contains more characters than this value, the Manager will remove the content exceeding this limit prior to forwarding the message to the Forwarding Destination(s). |
Log Message Forwarding - Retry if Socket is Blocked |
If True, TLC will continue trying to forward log messages to third-party storage devices if the connection socket between the TLC Manager and the device is blocked. If False, TLC will drop a log message if the connection socket is not available. In addition, if the Manager's logging level is set to Debug (see Changing a Manager's Log Settings), TLC will add an entry to the tlc.log file containing 1) a note indicating the log message could not be forwarded, and 2) up to 200 characters of the dropped log message. |
MySQL - Bulk Load Data |
If True, TLC will bulk load data to a MySQL database by sending multiple inserts at the same time, instead of one at a time. This increases performance. |
MySQL - Delayed Insert Function |
If True, this setting enables the use of the MySQL Delayed Insert function. |
Normalization Engine - Concurrent Text Thread Limit |
Sets the maximum number of concurrent text threads for the Normalization Engine. |
Normalization Engine - Concurrent Windows Thread Limit |
Sets the maximum number of concurrent threads for Windows log messages processed by the Normalization Engine. |
Normalization Engine - Display Classification Condition |
If True, TLC displays the Classification Condition fields in the Classification tab of the Normalization Rule properties dialog (see Table 90). |
Normalization Engine - Parse Log Message Timestamps |
If True, the Normalization Engine's Parsing Utility will attempt to parse the timestamp of each log message. Otherwise, the Parsing Utility uses the Manager's timestamp. |
Normalization Engine - Time Synchronization Threshold |
Defines a time threshold (in minutes). If the difference between the timestamp of a Monitored Asset and the Manager's current time exceeds this value, TLC generates and sends a Normalized Message to the Correlation Engine. |
Normalization Performance - Mode |
If the Manager's logging level is set to Debug (see Changing a Manager's Log Settings), TLC can write the following normalization-performance statistics for each Normalization Rule to tlc.log:
- The average time in which the Normalization Rule normalized log messages,
- The longest period of time in which the rule normalized a log message, and
- The shortest period of time in which the rule normalized a log message.
This setting determines the Normalization Rules for which TLC will write these statistics to tlc.log. Options include:
- Slow. Writes a Normalization Rule's normalization-performance statistics to tlc.log only if the rule normalized at least one log message in a time period exceeding the threshold defined by the Normalization Performance - Slow Threshold setting.
- All. Writes normalization-performance statistics for all Normalization Rules to tlc.log. |
Normalization Performance - Log Detail Level |
This setting determines if TLC includes additional information when writing normalization-performance statistics to tlc.log. For further details, see Normalization Performance - Mode.
- None. No additional detail.
- UID. For each Normalization Rule, TLC includes the unique ID (UID) of the log message normalized by the rule in the longest period of time.
- Text. For each Normalization Rule, TLC includes the unique ID (UID) and the first 300 characters of the log message normalized by the rule in the longest period of time. |
Normalization Performance - Slow Threshold |
This setting defines the threshold (in milliseconds) for the normalization process. For further details, see Normalization Performance - Mode. |
Read Compressed File Block Size |
Sets the size (in bytes) of blocks to read from a zip file (default = 8096). |
Schedule Delay |
Sets the amount of time between synchronous collections of log messages. |
Syslog Collector - Avoid DNS resolution for unknown hostnames |
If both this setting and the Syslog Collector - Get Hostnames from Syslog Headers setting are enabled (True), TLC will make no further attempts to resolve hostnames that do not resolve on the first attempt. Instead, TLC will add an entry to tlc.log indicating the provided hostname could not be resolved. |
Syslog Collector - Collect IP Addresses from Packets |
If True, the Network Collector gathers IP addresses from packets instead of syslog headers (Default = False). |
Syslog Collector - Get Hostnames from Syslog Headers |
If True, TLC gathers host names from syslog headers. The host names are then used to resolve the IP address of each Log Source from which the Network Collector receives syslog messages (Default = False). |
System Database - Maximum number of Notifications |
Sets the maximum number of notifications retained by TLC. Each day, TLC removes the oldest notifications that exceed this threshold. For more information, see Working with Notifications. |
System Database - Repack Database During Push Updates |
If True, TLC will attempt to defragment the System Database when updates are pushed to the Primary Manager (see Pushing Updates to your Managers). |
Vulnerabilities - IP360 High Risk Score Threshold |
Note: This setting only applies to vulnerability events (i.e., IP360 scan results) collected from Tripwire VnE Managers. To collect IP360 scan results, complete the steps in Integration Guide: Tripwire IP360 and Tripwire LogCenter (PDF).
In Tripwire VnE Manager, a Vulnerability Score is a numerical value indicating the severity or seriousness of a vulnerability event. Vulnerability Scores range from 0 (least severe) to 999,999,999 (most severe).
In TLC, the Risk level (Low, Medium, or High) indicates the severity or seriousness of a vulnerability event. When a vulnerability event is imported from a Tripwire VnE Manager to an Event Database (see Importing Scanner Data to an Event Database), TLC converts the IP360 Vulnerability Score to a Risk level. TLC then displays the Risk level in the Information tab of the Event Details dialog (see Working with a Scanner Event).
This setting specifies the minimum VnE Vulnerability Score for which TLC assigns a High Risk level (default = 3,000). TLC then calculates the minimum VnE Vulnerability Score for the Medium Risk level as one half (1/2) of this value. For example, if this setting specifies a value of 8,000, then:
- High Risk level = 8,000 to 999,999,999
- Medium Risk level = 4,000 to 7,999
- Low Risk level = 0 to 3,999 |
Vulnerabilities - IP360 High Value Host Threshold |
Note: This setting only applies to vulnerability events (i.e., IP360 scan results) collected from Tripwire VnE Managers. To collect IP360 scan results, complete the steps in Integration Guide: Tripwire IP360 and Tripwire LogCenter (PDF).
In Tripwire VnE Manager, an Asset Value is a numerical value indicating the importance of a host system for which a Tripwire IP360 Device Profiler generated a vulnerability event. Asset Values range from 0 (least important) to 999,999,999 (most important).
In TLC, the Priority level (Low, Medium, or High) indicates the importance of a host system. When you import a vulnerability event from Tripwire VnE Manager to an Event Database (see Importing Scanner Data to an Event Database), TLC converts the IP360 Asset Value to a Priority level. TLC then displays the Priority level in the Overview tab of the Host Details dialog (see Working with a Host).
This setting specifies the minimum IP360 Asset Value for which TLC assigns a High Priority level (default = 100). TLC then calculates the minimum IP360 Asset Value for the Medium Priority level as one half (1/2) of this value. For example, if this setting specifies a value of 20,000, then:
- High Priority level = 20,000 to 999,999,999
- Medium Priority level = 10,000 to 19,999
- Low Priority level = 0 to 9,999 |
WinLog Collector - Asynchronous Status Interval |
Sets the time interval for TLC to check the status of Asynchronous connections for the WinLog Collector. |
WinLog Collector - Collection Interval |
Sets the time interval (in seconds) for TLC to check the WinLog Collector for log messages. (Default = 30 seconds) |
WinLog Collector - Duplicate Threshold |
Sets the number of log messages that are kept in memory by the WinLog Collector to prevent duplication. |
WinLog Collector - Encryption |
Enables encryption of log messages collected by the WinLog Collector. |
WinLog Collector - Ping Host |
Specifies an action taken by TLC prior to establishing WMI connections with Windows Log Sources.
- ICMP Ping. TLC pings the Log Source with an Internet Control Message Protocol (ICMP) echo-request packet.
- TCP Connect. TLC connects with the Log Source via TCP.
Note: This setting was introduced in TLC 6.1.1. |
WinLog Collector - Process Event Threads |
Sets the number of processing threads for the conversion of log messages from WMI format to a TLC-compatible format. |
WinLog Collector - Startup Threads |
Sets the number of threads used to start the WinLog Collector. |
WinLog Collector - Status Threads |
The number of threads used by TLC to check the status of Windows Monitored Assets. |
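
Added example (not part of the Tripwire documentation or product code): a model of the three Advanced Collector - Duplicate-Asset Criteria values, showing how each one treats a UUID that TLC has not seen before. The `Asset` class, the function names, the sample inventory and the case-insensitive host name comparison are assumptions made for illustration.

```python
from dataclasses import dataclass

CRITERIA = ("Hostname", "Hostname and IP", "None")

@dataclass
class Asset:
    uuid: str
    hostname: str
    ip: str

def register_uuid(assets, uuid, hostname, ip, criteria):
    """Apply the selected criteria to a UUID reported by an Axon Agent.

    Returns "known" (UUID already belongs to an asset), "updated" (an
    existing asset's UUID was replaced) or "created" (new asset added).
    """
    if criteria not in CRITERIA:
        raise ValueError(f"unknown criteria: {criteria!r}")
    # The setting only applies when the UUID is not yet associated
    # with any Monitored Asset.
    if any(a.uuid == uuid for a in assets):
        return "known"
    for asset in assets:
        # Assumption: host names are compared case-insensitively.
        same_host = asset.hostname.lower() == hostname.lower()
        if criteria == "Hostname":
            matched = same_host
        elif criteria == "Hostname and IP":
            matched = same_host and asset.ip == ip
        else:  # "None": never match, always create
            matched = False
        if matched:
            asset.uuid = uuid
            return "updated"
    assets.append(Asset(uuid, hostname, ip))
    return "created"

def outcomes(hostname, ip):
    """Run one reported identity against a fresh inventory per criteria.

    Returns {criteria: (action, number of assets afterwards)}.
    """
    result = {}
    for criteria in CRITERIA:
        # Constructed inventory: one existing Monitored Asset.
        inventory = [Asset("uuid-original", "web01", "192.0.2.5")]
        action = register_uuid(inventory, "uuid-new", hostname, ip, criteria)
        result[criteria] = (action, len(inventory))
    return result

if __name__ == "__main__":
    # State files recreated on the same host: same name, same address.
    print("recreated state:", outcomes("web01", "192.0.2.5"))
    # Cloned system: same host name, different address.
    print("cloned system:  ", outcomes("web01", "192.0.2.77"))
```

With Hostname, the cloned system and the original share one Monitored Asset record; with None, a host whose state files were recreated shows up as a second asset.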
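
Added example (not part of the Tripwire documentation or product code): a check of which value of FTP SSH Outbound Connections - Support Legacy Algorithms an SFTP server's offered algorithms would require, using the two client lists from that table row and the SSH negotiation rule. The server offers are constructed samples, and treating the listed order as the client's preference order is an assumption.

```python
# Client algorithm lists as given in the "FTP SSH Outbound Connections -
# Support Legacy Algorithms" row, keyed by the setting's value.
# Assumption: the order listed is the client's preference order.
CLIENT = {
    False: {"enc": ["aes256-ctr"], "mac": ["hmac-sha1"]},
    True: {
        "enc": ["aes256-ctr", "aes256-cbc", "3des-cbc"],
        "mac": ["hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96"],
    },
}

def negotiate(client, server):
    """Per category, SSH selects the first algorithm on the client's list
    that the server also offers (RFC 4253, section 7.1).
    Returns None if any category has no common algorithm."""
    chosen = {}
    for kind in ("enc", "mac"):
        match = next((alg for alg in client[kind] if alg in server[kind]), None)
        if match is None:
            return None
        chosen[kind] = match
    return chosen

def assess(server):
    """Return (setting value needed, negotiated algorithms, legacy-only
    algorithms in the result). The setting value is None when the client
    cannot connect with either list."""
    for legacy in (False, True):
        chosen = negotiate(CLIENT[legacy], server)
        if chosen is not None:
            legacy_only = sorted(
                alg for kind, alg in chosen.items()
                if alg not in CLIENT[False][kind]
            )
            return legacy, chosen, legacy_only
    return None, None, []

# Constructed server offers, for example as collected from an SSH
# algorithm enumeration of each SFTP server.
SERVERS = {
    "current": {
        "enc": ["aes256-gcm@openssh.com", "aes256-ctr"],
        "mac": ["hmac-sha2-256", "hmac-sha1"],
    },
    "old-appliance": {
        "enc": ["aes256-cbc", "3des-cbc"],
        "mac": ["hmac-md5"],
    },
    "sha2-only": {
        "enc": ["aes256-ctr"],
        "mac": ["hmac-sha2-256", "hmac-sha2-512"],
    },
}

if __name__ == "__main__":
    for name, offer in SERVERS.items():
        print(name, assess(offer))
```

A server that offers only SHA-2 MACs has no algorithm in common with either client list, so enabling the legacy setting does not help in that case.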