Archiving Log Messages

In the Archive tab of the Audit LoggerThe TLC Console1. Tripwire LogCenter Console is the software for the TLC graphic user interface (GUI), or 2. The Tripwire LogCenter GUI. Through the TLC Console, you can configure TLC, oversee your TLC environment, and manage log and event data. component in which you can work with the log messages collected by TLC., you can define criteria to archive specified log messages in the Audit Logger File StoreConsists of a series of compressed flat files containing the log messages collected by the Manager from Log Sources, and an index of terms contained in the log messages.. You also have the option of saving specified criteria as an Audit Logger Archive TaskAn Audit Logger task that archives log messages identified by specified criteria. for future use. When TLC archives log messages, it copies the files in the Audit Logger File Store to the location specified by the Output path field in the Archive Criteria tab (see Table 83). 

	VIDEO:  Archiving Audit Logger Data

To open the Archive tab:

1.

In the side bar, select Events >Audit Logger.

2.

In the Audit Logger, select the Archive tab.

The Archive tab includes two sub-tabs:

In the Archive Criteria tab (see Table 83), you run archive operations and create Audit Logger Archive Tasks.

The Archive History tab (see Table 84) provides a history of all archive operations.

Note

To view the Archive tab in the Audit Logger, the Audit Logger - Export permission must be assigned to your User AccountA TLC object that provides a user with a collection of User Permissions to work with TLC. (see Working with User Permissions). Additionally, if the Separate Data by LocationA custom category used to classify Monitored Assets by geography. setting is enabled in the Audit Logger tab of a Manager's properties dialog, you must have sufficient system permissions to access at least one of the existing Location folders (see What is the Audit Logger? and About Locations and the Audit Logger). If no Location folders exist, TLC will present the Archive tab to any user with the Audit Logger - Export permission.

To run a custom archive operation:

1.

Complete the Archive Criteria tab (see Table 83).

2.

Click Start.

To create and schedule an Audit Logger Archive Task:

1.

Complete the Archive Criteria tab (see Table 83).

2.

Click Save.

TLC adds the new TaskCreated and configured in the Task Manager, a Task queries Events, Hosts, or Scanner Events in an Event-Management Database to perform an operation. Types of Tasks include Layout-Panel, Administrative, and Search Tasks. to the Task hierarchy in the left pane of the Archive Criteria tab.

3.

(Optional) To define a schedule for the new Task, see Working with the Task Scheduler.

To run an existing Audit Logger Archive Task:

1.

In the left pane of the Archive Criteria tab, select the Task.

TLC populates the Archive Criteria tab (see Table 83) with the Task's criteria.

2.

Click Start.

To re-run an archive operation:

1.

In the Archive History tab (see Table 84), double-click an archive operation.

TLC populates the Archive Criteria tab (see Table 83) with the operation's criteria.

2.

Click Start.

Tip	Log messages in the Audit Logger cache are excluded from Audit Logger archive operations. To flush the Audit Logger cache, see Working with the Audit Logger Cache.

To restore archived log messages to the Audit Logger File Store: 

1.

Open the directory specified by the Output path field in the Archive Criteria tab (see Table 83).

2.

In this directory, select and copy the messages to be restored.

To restore all log messages for a Location, select the Location's folder (e.g., 0, 1, 2, etc.).

To restore all log messages for a specific date for a Location, select the date's sub-folder within the Location's folder.

To restore a sub-set of log messages for a specific date, open the date's sub-folder, and then select the appropriate .zip files. (Each log.zip file has an associated metadata.zip file, and both files must be copied.)

Note	For an explanation of Location folders and the Audit Logger File Store, see What is the Audit Logger?.

3.

Open the following directory:

<audit_logger_file_store>\Restore\

Where <audit_logger_file_store> is the directory specified for the Audit Logger File Store when TLC Manager was installed (see Installing TLC Manager on your Primary Manager).

4.

In the Restore directory, paste the selected log messages. If you are pasting a date's sub-folder or .zip file, you will need to replicate the Location's directory structure in the Restore folder.

For example, if you select the following files in the Audit Logger File Store ...

<audit_logger_file_store>\0\20191115\1-0000001_105917126.log.zip

<audit_logger_file_store>\0\20191115\1-0000001_105917126.metadata.zip

... you must paste these file in the following location: 

<audit_logger_file_store>\Restore\0\20191115\

Once TLC detects the presence of .zip files in the Restore folder, it extracts the log messages and completes the steps described in What is the Audit Logger?. If the log messages in a .zip file are invalid and cannot be added to the Audit Logger File Store, TLC moves the file to the following directory: 

<audit_logger_file_store>\NotRestored

Table 83. Default fields in the Archive Criteria tab

Field	Description
Task name	(For Audit Logger Archive Tasks only) The name of the Task.
Task ID	(For Audit Logger Archive Tasks only) A unique ID for the Task.
Description	(For Audit Logger Archive Tasks only) A description of the Task.
Audit Logger	The Audit Logger for which log messages will be archived.
Location	The Location(s) for which data will be archived (Default = All). For more information about Locations, see What is the Audit Logger? and About Locations and the Audit Logger. Note: To view Locations, your User Account must have the following permissions:  The View and Export Audit Logger permissions (see Working with Audit Logger Permissions). The appropriate User permissions in the Audit Logger > Location Permissions folder (see Working with User Permissions).
Output path	Click Browse to select the directory in which the archived files will be saved. Note: This directory must be available to the TLC Manager of the selected Audit Logger.
Time Period	Limits the archive operation to log messages created within a specified time period. To define a time period relative to the time of the query, complete the Archive data older than fields: 1. In the first field, enter the number of units. 2. From the drop-down, select Days or Months. For example, if you enter Archive data older than 4 Months and the task runs on July 14 2015, TLC would archive all log messages created before March 14 2015.

Table 84. Archive History tab

Column	Description
Timestamp	The date and time when archive operation was run.
Audit Logger	The Audit Logger for which log messages were archived. Note: The Archive History tab only presents this column if you have multiple Audit Loggers in your TLC environment.
Count	The number of log files archived.
Query	The criteria specified by the Time Period fields in the Archive Criteria tab (see Table 83).