Log Management

What is the Audit Logger?

Tripwire LogCenter (TLC) stores log messages in the Audit Logger File Store, a series of compressed flat files. When TLC receives a log message from a Collector, TLC first places the message in an internal cache known as the Audit Logger Buffer. When the log messages in the buffer exceed specified time and size thresholds, TLC:

1. Calculates 256-SHA checksums to verify the integrity of each file created when the buffer is flushed to disk,
2. Saves each message (in its original format) in the Audit Logger File Store,
3. Indexes the key terms in each message (to support standard search-engine queries), and
4. (Optional) Encrypts each message with the AES-256 algorithm.

Due to this unique design, TLC provides high-speed performance capable of storing all log messages generated by the Log Sources on your network. To learn how TLC determines if a log message should be saved in the Audit Logger File Store, see What are Collectors?.

The Audit Logger is the component of the TLC Console in which you can work with the log messages collected by TLC. In the Audit Logger, you can:

Review statistics about the Audit Logger's capacity, data compression, and log-message traffic (see Viewing Audit Logger Vital Statistics).

Run SQL-like queries of stored log messages (see Working with Audit Logger Queries).

Generate graphs of queried data (see Displaying Audit Logger Data in a Graph).

Run Reports about the Audit Logger's messages (see Generating an Audit Logger Report).

Send log messages from the Audit Logger to an Event-Management Database (see Sending Log Messages to an Event-Management Database).

Tip 

The Audit Logger File Store can reside on a local disk drive on a Manager or a fiber-attached network storage device (such as iSCSI storage).

The Audit Logger File Store is located in the directory specified when you installed TLC Manager (see Installing TLC Manager on your Primary Manager). If Separate Data by Location is enabled for the Audit Logger (see Working with Managers), the Audit Logger directory will contain a folder for each of your Locations (see About Locations and the Audit Logger). For example:

<audit_logger_file_store>\1\

Each Location folder contains a sub-folder for each day since TLC Manager was installed. The name of each sub-folder is based on the date when the sub-folder was created (e.g., 20150822), and each sub-folder contains a collection of zip files with the data in the Audit Logger.

TLC updates the Audit Logger Index whenever it adds a new log file to the Audit Logger File Store. In addition, TLC performs a daily clean-up of the Index which involves the removal of references to log files that have been moved to an offline archive, as well as the indexing of any files that have been moved from offline storage to the Audit Logger File Store.