TRIPWIRE LOG CENTER 7.0 EVALUATION GUIDE
© 2003-2013 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. All other
brand or product names may be trademarks or registered trademarks of their respective companies or
organizations.
Tripwire, Inc.
One Main Place
101 SW Main St., Suite 1500
Portland, OR 97204
US Toll-free: 1.800.TRIPWIRE
main: 1.503.276.7500
fax: 1.503.223.0182
http://www.tripwire.com
TW1139-02
Contents
About This Guide 7
Overview 7
Document List 8
Document Conventions 9
Contact Information 10
Chapter 1. Overview 11
About the TLC Evaluation 12
What is Tripwire Log Center? 13
How does TLC collect, normalize, and correlate log messages? 14
Chapter 2. Installation and Configuration 16
Installing Tripwire Log Center 17
Configuring Tripwire Log Center 18
Step 1. Configure your Log Sources 18
Step 2. Configure your TLC Console 21
Step 3. Import the Latest Normalization Rules 24
Step 4. Configure your Asset Groups 25
Step 5. Configure your Collectors 30
Step 6. Push Updates to your Manager 32
Step 7. Create and Configure your Assets 32
Step 8. Confirm Log-Message Collection 36
Step 9. Assign Correlation Rules to the Correlation Engine 37
Step 10. Create an Email Action 39
Working with the TLC Console 42
Step 1. Verify Collector Installation and Review the Audit Logger Directory 42
Step 2. View the Regular Expression defined by a Normalization Rule 44
Step 3. Create a Layout in the Dashboard 47
Tripwire Log Center 7.0 Evaluation Guide 5 Contents
Chapter 3. Scenarios 51
Scenario 1. Detecting User Activity 52
Step 1.1 - Detect and Evaluate Unauthorized User Activity 52
Step 1.2 - Investigate a 'Brute Force Attack' 57
Scenario 2. Monitoring and Reporting System Activity 61
Step 2.1 - Analyze Event Data with the Dashboard 62
Step 2.2 - Generate a Report on Event Data 66
Scenario 3. Analyzing System Activity 71
Step 3.1 - Query the Audit Logger for Evidence of System Activity 71
Step 3.2 - Graph and Diagram Event Data 73
Step 3.3 - Identify Recurrent Issues 77
Step 3.4 - Generate a Report on Log-Message Data 81
Scenario 4. Correlating SSH Logon Events 83
Step 4.1 - Create a Correlation List 84
Step 4.2 - Create a Correlation Rule 85
Step 4.3 - Analyze Correlated Events in the Event-Database Viewer 90
Step 4.4 - Generate a Report on User-Logon Activity 93
Chapter 4. Summary 95
Evaluation Guide Summary 96
Professional Services 97
Contact Us 98
Tripwire Log Center Glossary 99
Index 111
About This Guide
Overview
The Tripwire Log Center Evaluation Guide presents a collection of step-by-step scenarios to
introduce prospective and novice Tripwire Log Center (TLC) users (i.e. security administrators
and analysts) to application features and functionality.
This guide includes the following chapters:
l Chapter 1: Overview (on page 11) introduces TLC and provides further details about the
evaluation process.
l Chapter 2: Installation and Configuration (on page 16) explains how to install and
configure Tripwire Log Center Manager, Tripwire Log Center Console, and your Event-
Management Database software.
l Chapter 3: Scenarios (on page 51) provides a collection of hypothetical scenarios in which
you will work with Tripwire Log Center to achieve specific goals.
l Chapter 4: Summary (on page 95) recaps what you learned in the evaluation process and
provides resources for more information about TLC.
Document List
The documentation set for Tripwire Log Center (TLC) includes the following guides.
l The Tripwire Log Center Evaluation Guide presents a collection of step-by-step scenarios
to introduce prospective and novice TLC users (i.e. security administrators and analysts)
to application features and functionality.
l The Tripwire Log Center Installation Guide provides system administrators with step-by-
step instructions for installing or upgrading TLC software, as well as the database
software for storage of critical log messages and events.
l The Tripwire Log Center User Guide is a reference manual for security administrators
and analysts working with Tripwire Log Center. This guide introduces TLC terms and
concepts, explains how to configure TLC, and provides step-by-step instructions and
related field descriptions for TLC procedures.
PDF versions of these documents are available on the Tripwire Customer Center:
https://tripwire.secure.force.com/customers/
In addition, the TLC online help provides the content in the PDFs above and may be accessed
from the Tripwire Log Center Console:
http://tlcdocumentation.tripwire.com/
Document Conventions
Convention Description
Bolding Indicates:
l The labels of buttons, menus, fields, drop-downs, and check boxes.
l Options selected from a drop-down list or menu.
l Keystrokes and menu paths.
l Introductory sentences for procedures.
l The first reference of a term.
Examples:
l In the Monitor dialog, select the Activate check box.
l Press CTRL+DELETE.
Italics Indicates cross references to sections and chapters in this book, as well as the titles of other books.
Example: "For more information, see Creating a Node."
Sans Serif
Indicates:
l URLs and e-mail addresses
l Directory paths and file names
l Command-line entries
Examples:
l www.tripwire.com
l C:\Program Files\
Brackets Indicates a set of possible user-entered options; individual options are separated by the pipe ( | ) character.
Example: [ 1 | 2 | 3 ]
Angle brackets
Indicates placeholders for user-entered values.
Example: <a_variable>
Contact Information
Tripwire US
Web site: http://www.tripwire.com
E-mail: [email protected]
Phone: 1.800.TRIPWIRE (1.800.874.7947)
Tripwire International
Web site: http://europe.tripwire.com
E-mail: [email protected]
Tripwire Technical Support
Online support: https://tripwire.secure.force.com/customers/
Support policies: http://www.tripwire.com/customers/support-policy.cfm
US toll-free: 1.866.TWSUPPORT (1.866.897.8776; 6am-6pm PST/PDT)
EMEA toll-free: 00 800-77517751 (9am-9pm CET/CEST)
Australia toll-free: 1800 193 879
Direct phone: 1.503.276.7663
Tripwire Professional Services
Tripwire Professional Services provides a wide range of services, including Tripwire
Quickstarts, Turnkey Implementations, Change Auditing, and Process Improvement. For more
information, please visit http://www.tripwire.com/services or contact your Tripwire sales representative.
Tripwire Educational Services
Tripwire Educational Services provides hands-on technical training for the installation,
configuration, and maintenance of your Tripwire software. All courses are taught by Tripwire
Certified Instructors. For more information, please contact your Tripwire sales representative or
visit http://www.tripwire.com/services/training/.
Chapter 1. Overview
About the TLC Evaluation
To demonstrate Tripwire Log Center (TLC) features and capabilities, the Tripwire Log Center
Evaluation Guide walks novice users through the process of installing, configuring, and using the
software. To fully benefit from the evaluation process, you should work through the Evaluation
Guide sequentially (i.e., read it from beginning to end).
The Evaluation Guide consists of the following parts:
l Chapter 1: Overview (on the previous page). The Overview provides an introduction to
basic TLC terms and functionality.
l Installing Tripwire Log Center on page 17 and Configuring Tripwire Log Center on page
18. To begin the evaluation process, you will prepare TLC to normalize, correlate, and
analyze log messages collected from Log Sources in your TLC environment.
l Working with the TLC Console on page 42. This part of the evaluation introduces you to a
few key components of the TLC user interface, as well as the directory structure in which
the Audit Logger stores log messages.
l Chapter 3: Scenarios (on page 51). The evaluation Scenarios illustrate how TLC detects,
reports, and analyzes activity in your TLC environment. In a series of Steps, each
Scenario explains how TLC may be used to detect, evaluate, and resolve potential issues.
l Chapter 4: Summary (on page 95). To conclude the evaluation, you will review what you
learned in the Scenarios. In addition, the Summary provides a few resources for more
information about TLC.
What is Tripwire Log Center?
Tripwire Log Center (TLC) is a fully integrated log- and event-management solution from
Tripwire, Inc. The TLC software suite consists of the following applications:
l Tripwire Log Center Manager (or TLC Manager) is the core software in your TLC
environment. TLC Manager collects and processes log messages from a wide variety of
systems and devices.
l Tripwire Log Center Console (or TLC Console) is the software for the TLC graphic
user interface (GUI). Through the TLC Console, you can configure TLC and work with
collected data.
Note TLC Console is also the term for the TLC GUI itself, and a Manager is a
system on which TLC Manager software has been installed.
l Installed on a Windows or Linux system, Tripwire VIA Agent is a service that collects
log messages from any log-generating application running on the system. When installed
on a Windows system, VIA Agent can also collect the system's Windows Event Logs via
the Secure Sockets Layer (SSL) protocol.
Tripwire Log Center:
l securely collects log messages from systems (i.e. 'Log Sources') on your network
l identifies events of interest in real time
l securely archives log messages with AES-256 encryption in a flat-file storage structure
l correlates detailed changes with events and event sequences
l responds to events of interest by taking appropriate action
l provides a robust set of analysis tools, including customizable reports, graphs, and
network diagrams
How does TLC collect, normalize, and correlate log messages?
A Collector is a TLC module that gathers or receives log messages from Log Sources. A Log
Source is any application, system, database, or device from which TLC collects log messages.
In the TLC Console, an Asset represents a Log Source from which TLC collects log messages.
When a Log Source passes a log message to a Collector, TLC displays the content of the
message in the Real-Time Event Viewer. If the log message satisfies criteria defined by your
configuration of TLC, the log message is also forwarded to the Output Destinations assigned to
the Log Source's Asset. Output Destinations may include the following TLC components:
l The Audit Logger is the log-management tool in which TLC saves log messages with
their original format and content.
l The Correlation Engine determines if log messages indicate events of interest.
l Event-Management Databases store log messages that have been 'normalized' by TLC.
If the Asset has the Correlation Engine or an Event-Management Database as an Output
Destination, TLC sends the log message to the Normalization Engine. Normalization is the
process of standardizing log messages for further use by TLC. To normalize log messages, the
Normalization Engine uses the Normalization Rules in your TLC Console. Each Normalization
Rule defines a regular expression to parse the name/value pairs in log messages, and each rule
can only be used to normalize messages generated by a specific type of Log Source.
l If the Normalization Engine processes a log message for an Asset that has an Event-
Management Database as an Output Destination, and the message satisfies the conditions
defined by your Normalized-Message Filters, TLC saves the Normalized Message as an
Event in the database.
l If the Correlation Engine is assigned as an Output Destination for the Asset, TLC
forwards the Normalized Message to the Correlation Engine.
To identify events of interest, the Correlation Engine applies Correlation Rules to the
Normalized Messages received from the Normalization Engine. A Correlation Rule consists of a
logical flow of one or more conditions, which are known as Decisions. If a Normalized
Message satisfies a rule's Decisions, TLC initiates the response(s) defined by the rule.
Responses (or 'Outputs') may include:
l saving the Normalized Message in an Event-Management Database
l creating a work ticket in the Ticket Center
l running an Action (for example, sending a notification email to your Security
Administrator or running a command)
Figure 1 on the next page illustrates the high-level steps involved in the processing of log
messages.
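To make the normalize-then-correlate flow concrete, here is an added Python example that is not TLC code and does not reproduce TLC's own rule format: a Normalization Rule is a regular expression whose named groups become the Normalized Message's name/value pairs, and a Correlation Rule is a chain of Decisions whose Output here is a notification request. The sample log messages, rule names, regular expressions and Classification Tags are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log messages in the style of a Linux sshd/cron Log Source.
# They are made up for this example, not collected from any real system.
SAMPLE_LOG_MESSAGES = [
    "Mar  3 10:15:01 linuxhost sshd[2101]: Failed password for twadmin from 10.10.200.50 port 51022 ssh2",
    "Mar  3 10:15:09 linuxhost sshd[2104]: Failed password for twadmin from 10.10.200.50 port 51023 ssh2",
    "Mar  3 10:15:14 linuxhost sshd[2107]: Failed password for invalid user guest from 10.10.200.50 port 51024 ssh2",
    "Mar  3 10:15:20 linuxhost sshd[2110]: Accepted password for twadmin from 10.10.200.51 port 51030 ssh2",
    "Mar  3 10:15:25 linuxhost cron[2115]: (root) CMD (run-parts /etc/cron.hourly)",
]

# A "Normalization Rule": a regular expression whose named groups become the
# name/value pairs of the Normalized Message, plus a Classification Tag.
# Rule names, tags and patterns are invented for this example.
SYSLOG_PREFIX = r"(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
NORMALIZATION_RULES = [
    {
        "name": "Linux sshd failed password",
        "classification": "auth.login.failure",
        "regex": re.compile(
            SYSLOG_PREFIX + r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?"
            r"(?P<user>\S+) from (?P<source_ip>\S+) port (?P<source_port>\d+)"
        ),
    },
    {
        "name": "Linux sshd accepted password",
        "classification": "auth.login.success",
        "regex": re.compile(
            SYSLOG_PREFIX + r"sshd\[(?P<pid>\d+)\]: Accepted password for "
            r"(?P<user>\S+) from (?P<source_ip>\S+) port (?P<source_port>\d+)"
        ),
    },
]


def normalize(message, rules=NORMALIZATION_RULES):
    """Normalization Engine: run the rules in order and return the first match
    as a dict of name/value pairs, or None when no rule applies."""
    for rule in rules:
        match = rule["regex"].match(message)
        if match:
            fields = match.groupdict()
            fields["rule"] = rule["name"]
            fields["classification"] = rule["classification"]
            return fields
    return None


def parse_timestamp(value):
    # Syslog timestamps carry no year; the year is irrelevant for the deltas used here.
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S")


class RepeatedLoginFailureRule:
    """A Correlation Rule as a flow of Decisions over Normalized Messages.
    Decision 1: is the message a login failure?
    Decision 2: has the same source IP produced `threshold` failures within the window?
    When both hold, the rule returns its Output (here: a notification request)."""

    def __init__(self, threshold=3, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.recent_failures = defaultdict(deque)  # source_ip -> timestamps in window

    def evaluate(self, msg):
        if msg["classification"] != "auth.login.failure":  # Decision 1
            return None
        now = parse_timestamp(msg["timestamp"])
        window = self.recent_failures[msg["source_ip"]]
        window.append(now)
        while window and now - window[0] > self.window:  # drop failures outside the window
            window.popleft()
        if len(window) < self.threshold:  # Decision 2
            return None
        window.clear()  # fire once per burst
        return {"output": "email", "host": msg["host"], "source_ip": msg["source_ip"],
                "failures": self.threshold, "window_seconds": int(self.window.total_seconds())}


def process_log_messages(messages, rule):
    """Pipeline: normalize each message, keep the normalized ones as Events
    (a minimal Normalized-Message Filter), and pass them to the Correlation Rule."""
    events, outputs = [], []
    for message in messages:
        normalized = normalize(message)
        if normalized is None:  # no rule matched: not stored as an Event
            continue
        events.append(normalized)
        output = rule.evaluate(normalized)
        if output:
            outputs.append(output)
    return events, outputs


if __name__ == "__main__":
    stored, alerts = process_log_messages(SAMPLE_LOG_MESSAGES, RepeatedLoginFailureRule())
    print(f"{len(stored)} Events stored, {len(alerts)} Correlated Event(s): {alerts}")
```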
Notes Types of Event-Management Databases include Event Databases, IDS Databases,
and Firewall Databases. For this evaluation, you will only work with the default
Event Database created by the TLC Manager installer.
To support the Common Event Expression (CEE) Architecture, TLC provides a
collection of Tripwire-defined Classification Tags for classification descriptions
defined by the CEE Dictionary and Event Taxonomy (CDET). TLC also gives you
the ability to create custom Classification Tags. Once TLC has associated log
messages with Classification Tags, you can run queries and Reports based on
those Classification Tags.
Figure 1. Collection, normalization, and correlation of log messages
Chapter 2. Installation and Configuration
Installing Tripwire Log Center
To begin the evaluation, download the TLC evaluation zip file from the Product Downloads
section of the Tripwire Customer Center. This zip file contains PDFs of the TLC Installation
Guide and TLC User Guide. (For assistance with the evaluation zip file, contact Tripwire
Customer Support.)
Once done, install the following software on your host system (see About the Installation
Process in the Tripwire Log Center Installation Guide):
1. Your Event-Management Database software (either MySQL Server or Microsoft SQL
Server)
2. Tripwire Log Center Manager
3. Tripwire Log Center Console
Caution Prior to installing each of these software packages, you should first verify that
your system conforms with requirements. For further details, see the following
topics in the Tripwire Log Center Installation Guide:
l Requirements for your Database Software
l Requirements for Tripwire Log Center Manager
l Requirements for Tripwire Log Center Console
Since you will only install TLC Manager software on a single system, this system will act as
your Primary Manager. To manage more complex environments, you can install TLC Manager
software on multiple systems. Each additional TLC Manager system is known as a Secondary
Manager.
When you install the TLC Manager software on your Primary Manager, be sure to complete the
following steps in the TLC Manager Configuration Wizard:
1. In the Log Source Types page, select Generic, Linux, Tripwire, and all Windows Log
Source types.
2. In the AutoDiscover Log Sources page, clear the Enable AutoDiscovery check box.
If Auto-Discovery were enabled, the installer would create an Asset for each Linux and
Windows system in your TLC environment. For the evaluation, you will instead create an Asset
for a Windows system and another Asset for a Linux system later in the evaluation process (see
Step 7. Create and Configure your Assets on page 32). You will then work with log messages
collected from these two Log Sources to complete the evaluation.
Tip For the evaluation, you also need access to an email server. If you do not have an
email server, you may configure an email server on the Linux system configured in
Step 1. Configure your Log Sources on the next page. For directions, see your Linux
documentation.
Configuring Tripwire Log Center
Step 1. Configure your Log Sources
To set up your TLC environment for this evaluation, you first need to configure a Windows
system and a Linux system to send log messages to TLC. These systems will act as the Log
Sources from which TLC will collect log messages.
Windows Configuration
To configure the Windows system:
1. Install Tripwire VIA Agent software on the system, as described in the Tripwire Log
Center Installation Guide.
2. Configure the Audit Policy settings specified in Table 1 below. For further details, see
your Microsoft Windows documentation for information about the Security Policy Editor.
Audit Policy Security Setting
Audit account logon events Success, Failure
Audit account management Success, Failure
Audit logon events Success, Failure
Table 1. Minimum Audit Policy Settings
Linux Configuration
Recommended Linux software for this evaluation: CentOS, Debian, Fedora Core, Red Hat
Linux, or Ubuntu
Tips If you are a novice with Linux, Ubuntu may be the easiest software with which to
work.
For a complete list of *NIX platforms supported by TLC, see:
www.tripwire.com/it-compliance-products/log-event-management/supported-devices/
To configure the Linux system:
1. Download and install the latest distribution for your Linux software (see supported
versions above). During the installation, create a user account named twadmin.
2. Install the latest patches for your Linux software.
3. Install OpenSSH or an equivalent SSH daemon.
Tip For further instructions on the preceding steps, see your Linux-distribution
documentation.
4. Edit the hosts file (/etc/hosts) and add the following lines:
<host_ip><tab><host_name><tab><host_alias>
<tlc_ip><tab><tlc_host_name><tab><tlc_host_alias>
Where:
<tab> is a tab character,
<host_ip> is the IP address of the Linux system,
<host_name> is the name of the Linux system,
<host_alias> is an alias for the Linux system of your choosing,
<tlc_ip> is the IP address of your TLC Manager,
<tlc_host_name> is the name of the TLC Manager host system, and
<tlc_host_alias> is an alias for the TLC Manager of your choosing.
For example:
10.10.200.1 linuxhost.tripwire.com linuxhost
10.10.200.2 tlcmanager.tripwire.com tlcmanager
5. Save and close the hosts file.
6. To confirm that Syslog is running on the Linux system, enter the following command at a
command line:
ps -ef | grep syslogd
If Syslog appears in the command output, proceed to Step 2. Configure your TLC Console on
page 21. Otherwise, complete the steps below.
Tip If Syslog is running, but you wish to reconfigure Syslog as described below, enter the
following command to re-start the Syslog module:
kill -HUP `cat /var/run/syslogd.pid`
To complete configuration of your Syslog module:
1. Open the configuration file (/etc/syslog.conf or /etc/rsyslog.conf).
2. In the configuration file, add the following line:
<facility>.<severity><tab><location>
Where:
<tab> is a tab character (the selector and the location are separated by whitespace, not by a period),
<facility> is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, local0 through local7.
<severity> is one of the following keywords: debug, info, notice, warn (or warning), err (or error), crit, alert, emerg (or panic).
<location> is a local logging file or a remote machine to which the log messages will be forwarded.
To save all log messages in a local logging file, enter the following value as the
<location>:
/<full_path_to_file>
Tip To prevent synchronization of the logging file after each log event, you can
format this entry as follows:
-/<full_path_to_file>
While you may lose some data if the system crashes after a write attempt, the
absence of synchronization should improve performance, especially if your
programs use logging in a verbose manner.
To forward all log messages to a remote machine, enter the following value as the
<location>:
*.* @<tlc_manager>
Where:
<tlc_manager> is the host name or IP address of your TLC Manager.
3. At a command prompt, enter the following command to restart the Syslog module:
/etc/init.d# ./syslogd -m 30
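The syslog.conf rule grammar above, as an added Python example that is not Tripwire code: it parses rule lines, validates the facility and severity keywords listed above, and checks whether a "*.*" rule forwards everything to the TLC Manager. It goes slightly beyond the single-rule form shown above by accepting ";"-separated selectors and the "none" severity, as real syslog.conf files use; the sample configuration text and host names are constructed.

```python
# Keywords from the syslog.conf grammar described above (security is an alias
# for auth; warning/error/panic are aliases for warn/err/emerg).
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "security", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}
SEVERITIES = {"debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"}
SEVERITY_ALIASES = {"warning": "warn", "error": "err", "panic": "emerg"}

# Constructed syslog.conf excerpt used as sample input (not taken from a real host).
SAMPLE_CONFIG = "\n".join([
    "# constructed /etc/syslog.conf excerpt",
    "*.info;mail.none;authpriv.none\t/var/log/messages",
    "authpriv.*\t/var/log/secure",
    "mail.*\t-/var/log/maillog",  # leading '-' disables sync after each write
    "*.*\t@tlcmanager.tripwire.com",
]) + "\n"


def parse_selector(selector):
    """Parse '<facility>.<severity>[;<facility>.<severity>...]' into (facility, severity)
    pairs, resolving aliases. Raises ValueError on an unknown keyword."""
    pairs = []
    for part in selector.split(";"):
        if "." not in part:
            raise ValueError(f"selector {part!r} must be <facility>.<severity>")
        facility, severity = part.rsplit(".", 1)
        severity = SEVERITY_ALIASES.get(severity, severity)
        if facility != "*" and facility not in FACILITIES:
            raise ValueError(f"unknown facility {facility!r}")
        if severity not in ("*", "none") and severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        pairs.append((facility, severity))
    return pairs


def is_valid_selector(selector):
    try:
        parse_selector(selector)
        return True
    except ValueError:
        return False


def parse_config(text):
    """Return one dict per rule line: its selectors, its location, whether the
    location is remote (@host) and whether the file is synced after each write."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)  # selector and location are whitespace-separated
        if len(parts) != 2:
            raise ValueError(f"line {line_no}: expected '<selector> <location>'")
        selector, location = parts[0], parts[1].strip()
        target = location.lstrip("-")
        rules.append({
            "line_no": line_no,
            "selectors": parse_selector(selector),
            "location": target,
            "remote": target.startswith("@"),
            "sync": not location.startswith("-"),
        })
    return rules


def forwards_everything(rules, manager):
    """True when some rule sends all facilities at all severities ('*.*') to @manager."""
    return any(rule["location"] == "@" + manager and ("*", "*") in rule["selectors"]
               for rule in rules)


def ensure_forwarding_line(text, manager):
    """Return the config text with '*.*<tab>@manager' appended when it is missing;
    the text is returned unchanged when the forwarding rule is already present."""
    if forwards_everything(parse_config(text), manager):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"*.*\t@{manager}\n"


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    for rule in rules:
        kind = "remote" if rule["remote"] else ("file" if rule["sync"] else "file, no sync")
        print(f"line {rule['line_no']}: {rule['selectors']} -> {rule['location']} ({kind})")
    print("forwards everything to TLC:", forwards_everything(rules, "tlcmanager.tripwire.com"))
```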
Step 2. Configure your TLC Console
The TLC Console is the user interface for Tripwire Log Center.
To configure a few usability features for your TLC Console:
1. Log in to TLC.
a. Select Start > Programs > Tripwire Log Center > Console.
b. In the Login dialog, click More.
c. Enter the Username and Password for your TLC administrator account.
Note If you forget the password for your Administrator user account, contact
Tripwire Technical Support:
http://www.tripwire.com/customers
d. In the Hostname/IP field, enter the hostname or IP address of your Primary
Manager.
e. In the Port field, enter the Manager port specified when you installed your TLC
Manager software.
f. Click Login. The TLC Console opens (see Figure 2 below). Table 2 on the next
page describes the most commonly used components in the button bar and side bar.
Figure 2. The TLC Console
TLC Component (button) - In this component, you can ...
Administration Manager - ... manage the user accounts, user groups, permissions, and other settings for your TLC environment.
Audit Logger - ... query and review the log messages collected by Tripwire Log Center.
Configuration Manager - ... create and configure a variety of TLC content, including Assets, Managers, Event-Management Databases, Normalization Rules, Correlation Rules, and Classification Tags.
Dashboard - ... work with configurable layouts that present information about your Managers and Event-Management Databases.
Event-Database Viewer - ... query and work with the Events in your Event Databases.
Real-Time Event Viewer - ... monitor the collection of log messages in real time.
Report Center - ... run reports about the Events in your Event-Management Databases.
Task Manager - ... define and save queries of your Event-Management Databases. Each Task can present query results in a table, graph, or report.
Ticket Center - ... create and monitor the work tickets (i.e. Event Tickets) created for Correlated Events in your TLC environment.
Table 2. Primary components of the TLC Console
2. From the menu bar, select View > Tabbed Forms.
With the Tabbed Forms view, TLC opens each selected TLC Console component in a tab
in the workspace. If this setting is disabled, each component opens in a separate window.
3. From the menu bar, select Options > Settings.
4. In the Miscellaneous page of the Settings dialog (see Figure 3 on the next page), select
Open Dashboard on start-up. With this setting, TLC always opens the Dashboard when
you log in. The Dashboard presents information about your TLC Manager and the log
messages collected from your Log Sources.
Figure 3. The Miscellaneous group in the Settings dialog
5. In the Table Settings page of the Settings dialog, select the following check boxes. You
will work with these features in Step 3.3 - Identify Recurrent Issues on page 77 of
Scenario 3. Analyzing System Activity on page 71.
Display 'Group by' region provides the ability to group the contents of a table by
the values in a specified table row.
Show Filter buttons in column headers embeds a Filter button in the header of
each column in a table. To sort a table's contents by the values in a column, you
simply select the column's Filter button.
6. Click OK to close the Settings dialog.
Step 3. Import the Latest Normalization Rules
For an introduction to Normalization, see How does TLC collect, normalize, and correlate log
messages? on page 14.
Tripwire maintains and regularly updates a library of pre-defined Normalization Rules.
Tip This Step requires Internet access. If your evaluation system does not have Internet
access, you can download Normalization Rules from the Tripwire Customer Center.
www.tripwire.com/customers
To download and import the latest Normalization Rules for Windows and Linux Log
Sources:
1. From the menu bar in the TLC Console, select Options > Import TLC Content >
Content.
2. In the Import Content tab, select Download via the Web the latest default file from
Tripwire and click Update.
3. In the confirmation dialog, click OK.
4. In the Select and Import Content field, expand the Normalization Rules group and select
the check box for each Normalization-Rule Group specified in Table 3 below.
5. Click Import.
In the Import Status field, TLC presents a list of the imported content.
Group These rules apply to ...
Linux CentOS ... CentOS Linux
Linux Debian ... Debian Linux
Linux Fedora ... Red Hat Fedora
Linux Red Hat ... Red Hat Linux
Linux Ubuntu ... Ubuntu Linux
Windows XP-2003 ... Windows XP and 2003
Windows Vista-2012 ... Windows Vista, 2008, 2012, and 7
Table 3. Normalization-Rule Groups for this Evaluation
Figure 4. The Import Data tab with the Normalization Rule group expanded
Step 4. Configure your Asset Groups
Tripwire recommends that you manage your Assets by assigning them to Asset Groups. When
you installed your TLC Manager software, the installer created a number of default Asset
Groups, including a group named "Windows." In this Step, you will:
1. create two additional Asset Groups (named "Linux" and "Critical Systems"), and
2. assign the Normalization-Rule Groups specified in Table 4 on the next page to these three
(3) Asset Groups.
Later in the configuration process (see Step 7. Create and Configure your Assets on page 32),
you will create an Asset for your Windows system and another for your Linux system, and then
assign these Assets to the Asset Groups configured in this Step. Once done, if TLC passes an
Asset's log message to the Normalization Engine, the Normalization Engine will normalize the
message with the Normalization Rules assigned to the Asset Group(s) containing the Asset.
Asset Group Assign ...
Linux ... the appropriate Normalization-Rule Group for the platform of your Linux Log Source; either:
CentOS
Debian
Fedora
Red Hat
Ubuntu
Windows ... the appropriate group for the platform of your Windows Log Source; either:
Windows XP-2003
Windows Vista-2012
Critical Systems ...
1. The Normalization-Rule Group assigned to the Linux Asset Group, and
2. The group assigned to the Windows Asset Group.
Table 4. Normalization-Rule Groups to be assigned to each Asset Group
To configure the default Windows Asset Group:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Asset Groups.
In the workspace, TLC presents the Asset Groups created by the TLC Manager installer.
3. Double-click the Windows group in the workspace.
4. In the Asset Group properties dialog, select the Normalization Rules tab.
5. To assign the appropriate Normalization-Rule Group for your Windows Log Source (see
Table 4 above):
a. Click Add.
b. In the Modify Rules for Group dialog, expand and select the Normalization-Rule
Group.
c. Click Check Selected Rows to select all rules in the group (see Figure 5 on the
next page).
d. Click OK.
Figure 5. The Modify Rules for Group dialog with Normalization Rules selected
6. TLC adds the selected Normalization Rules to the Rules tab (see Figure 6 on the next
page).
To close the Asset Group properties dialog, click OK.
Tip When TLC normalizes a log message, the Normalization Engine will run the
rules in the order in which they appear in the Rules tab. To modify the order,
use the buttons on the right side of the tab.
Figure 6. The Normalization Rules tab in the Asset Group properties dialog
To create the Linux Asset Group:
1. In the Asset Groups page of the Configuration Manager, click Add.
2. In the Asset Group properties dialog:
a. Enter Linux in the Name field.
b. In the Description field, enter Linux Systems.
3. To assign the appropriate Normalization-Rule Group for your Linux Log Source (see
Table 4 on page 26):
a. In the Normalization Rules tab, click Add.
b. In the Modify Rules for Group dialog, expand and select the group.
c. Click Check Selected Rows to select all rules in the group.
d. Click OK.
TLC adds the selected Normalization Rules to the Normalization Rules tab.
4. To save the Linux Asset Group and close the Asset Group properties dialog, click OK.
To create the Critical Systems Asset Group:
1. In the Asset Groups page of the Configuration Manager, click Add.
2. In the Asset Group properties dialog:
a. Enter Critical Systems in the Name field.
b. In the Description field, enter Business-critical Systems.
3. To assign the two Normalization-Rule Groups specified in Table 4 on page 26:
a. In the Normalization Rules tab, click Add.
b. In the Modify Rules for Group dialog, expand and select the first group.
c. Click Check Selected Rows to select all rules in the group.
d. Expand and select the second group, and click Check Selected Rows.
e. Click OK.
TLC adds the selected Normalization Rules to the Normalization Rules tab.
4. Click OK to close the Asset Group properties dialog.
The Linux and Critical Systems Asset Groups should now appear in the workspace (see
Figure 7 below).
Figure 7. Configuration Manager with default and custom Asset Groups
Step 5. Configure your Collectors
In TLC, a Collector is a module that either actively gathers or passively listens for log
messages from your Log Sources. Table 5 below defines each type of Collector and identifies
the protocol employed by TLC to collect log messages from the Collector's Log Sources.
Type - Protocol and Required Ports - Description
Advanced File - SSL: TCP/5670 - If Tripwire VIA Agent is installed on a Windows or Linux system, this Collector may be used to gather log messages from any log-generating application running on the host system.
Advanced Windows - SSL: TCP/5670 - If Tripwire VIA Agent is installed on a Windows system, this Collector may be used to gather the system's Windows Event Logs.
Check Point - OPSEC and LEA: TCP/18184; UDP/18184 - Listens for log messages from Check Point firewalls.
Cisco IDS - SDEE: TCP/443 - Gathers log messages from Cisco IDS sensors.
Database - MySQL: TCP/3306; MS-SQL: TCP/1433 - Gathers log messages from an application that logs to an External Database. For a list of supported applications, see the Tripwire Customer Center: https://secure.tripwire.com/customers/
File - SMB: TCP/135-139, TCP/445; SFTP: TCP/22; FTP: TCP/21 - Gathers or receives log messages from Log Sources that store messages in an ASCII log file.
Network - Syslog: UDP/514, TCP/1468; SNMP: TCP/162, UDP/162 - Listens for Syslog and SNMP-based messages from network devices.
Oracle Database - TCP/IP: 1521 - Gathers log messages from Oracle database audit logs. For a list of supported Oracle versions, see the Tripwire Customer Center: https://secure.tripwire.com/customers/
WinLog - WMI: TCP/135, TCP/1024+ - Gathers log messages from Windows Event Logs. Note: Synchronous Connectivity requires only TCP/135.
Table 5. Types of Collectors
In the properties of your Primary Manager, the TLC Manager installer automatically assigns the
appropriate Collector for each type of Log Source selected in the TLC Manager Configuration
Wizard. For this evaluation, you selected the check box for each type of Windows and Linux
Log Source (see Installing Tripwire Log Center on page 17).
In this step, you will confirm that the Advanced Windows Collector and Network Collector
have been assigned to your TLC Manager. In addition, you will enable AutoDiscovery of
Windows systems by the Advanced Windows Collector.
To configure your Collectors:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the workspace, double-click your Primary Manager.
4. In the Manager's properties tab, select the Installed Modules tab.
Since you selected Windows and Linux Log Sources in the TLC Manager Configuration
Wizard, this tab includes the Advanced Windows Collector and the Network Collector
(see Figure 8 below).
Figure 8. The Installed Modules tab in the Manager properties tab
5. In the Advanced Windows Collector tab, select the Enable AutoDiscovery check box.
With this setting enabled, TLC will AutoDiscover the Windows system on which you
installed Tripwire VIA Agent software (see Step 1. Configure your Log Sources on page
18). TLC will then create a new Asset and assign the Advanced Windows Collector to the
Asset.
6. Click OK to close the Manager properties tab.
Step 6. Push Updates to your Manager
In the following Steps, you added and modified objects in the Configuration Manager:
Step 4. Configure your Asset Groups on page 25
Step 5. Configure your Collectors on page 30
Whenever you make changes in the Configuration Manager, you must 'push updates' to the
Managers in your TLC environment.
To push updates to your Primary Manager:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the main pane, select the Manager's table row by clicking the arrow to the left of the
row.
4. Click Push Updates to Manager.
Step 7. Create and Configure your Assets
In Step 4. Configure your Asset Groups on page 25, you reviewed the Asset Groups created by
the TLC Manager installer, which included a group named Windows. You also created two new
Asset Groups: one named Linux and another named Critical Systems.
In Step 5. Configure your Collectors on page 30, you configured the Advanced Windows
Collector to AutoDiscover your Windows Log Source, and then you pushed these changes to
your Primary Manager in Step 6. Push Updates to your Manager above. You are now ready to 1)
configure the Asset created by TLC for your AutoDiscovered Windows Log Source, and 2)
create and configure a new Asset for your Linux Log Source.
Tip To ensure the accuracy of timestamps in collected log messages, Tripwire
recommends the use of the Network Time Protocol (NTP) on each Log Source host
system.
Configuring your Windows Asset
To configure the Asset for your Windows Log Source, complete the following steps:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Assets.
The workspace displays the AutoDiscovered Asset for your Windows Log Source (see
Figure 9 below).
Tip If your Windows Asset does not appear in the workspace, and an operating-
system firewall or network firewall is positioned between the Windows system
and your TLC Manager, confirm that the required ports are open. For further
assistance, contact Tripwire Technical Support.
Figure 9. The AutoDiscovered Windows Asset in the workspace
3. Double-click the Asset to open the Asset properties dialog.
4. In the Name field, replace the existing name with My_Windows_Asset.
Note In the Collector field of the Settings tab, TLC automatically assigned the
Advanced Windows Collector to the Asset.
5. In the Asset Groups tab, associate the Asset with the Windows Asset Group and the
Critical Systems Asset Group.
To associate the Asset with a group:
a. Click Add.
b. From the Host Group drop-down, select the group and click Add.
Figure 10 on the next page shows the Asset Groups tab with the two groups assigned to
the Windows Asset.
Figure 10. The Asset Groups tab in the Asset properties dialog
6. In the Output Destinations tab, the Correlation Engine is automatically assigned by
default. To assign the Audit Logger as an Output Destination:
a. Click Add.
b. From the Output Destination drop-down, select the Audit Logger and click Add.
7. To save the Asset, click OK in the Asset Properties dialog.
Creating and Configuring your Linux Asset
To create and configure an Asset for your Linux Log Source, complete the following steps:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Assets.
3. Click Add Asset.
4. Complete the top of the Asset properties dialog.
a. In the Name field, enter My_Linux_Asset.
b. (optional) Enter a description.
c. Confirm that the Enabled check box is selected.
5. In the Settings tab (see page 32):
a. Enter the IP Address of the Linux system.
b. From the Type drop-down, select Linux System.
c. From the Collector drop-down, select TLC Network Collector.
d. Click Apply.
6. In the Asset Groups tab, associate the Asset with the Linux Asset Group and the Critical
Systems Asset Group.
To associate the Asset with a group:
a. Click Add.
b. From the Host Group drop-down, select the group and click Add.
7. In the Output Destinations tab, assign the Correlation Engine and Audit Logger as
Output Destinations for the Asset.
To assign an Output Destination:
a. Click Add.
b. From the Input Type drop-down, select Syslog.
c. From the Output Destination drop-down, select the destination and click Add.
8. To save the Asset, click OK in the Asset Properties dialog.
The Configuration Manager now contains each of your new Assets (see Figure 11 below).
Figure 11. The Configuration Manager with your Windows Asset and Linux Asset
9. To push updates to your Manager:
a. In the side bar of the Configuration Manager, select Resources >
Managers.
b. In the main pane, select the Manager's table row by clicking the arrow to the left of
the row.
c. Click Push Updates to Manager.
Step 8. Confirm Log-Message Collection
At this point in the configuration process, TLC should be collecting log messages from your
Windows Asset and Linux Asset.
To confirm that TLC is successfully collecting log messages, complete the following steps
for each Asset:
1. In the side bar, select Events > Real-Time Event Viewer.
2. In the IP Address field, enter the IP address of the Asset's Log Source.
3. From the Collector drop-down, select the appropriate Collector for the Asset.
4. Click Start.
If TLC displays log messages in the Real-Time Event Viewer (see Figure 12 on the next
page), then the Asset has been properly configured.
5. Click Stop and close the Real-Time Event Viewer.
Tip If the Real-Time Event Viewer does not display log messages, complete the
following steps to troubleshoot the issue:
1. If the system is inactive, try logging in and out of the system to generate
log messages.
2. If you have an operating-system firewall or network firewall in your
TLC environment, verify that the required ports are open.
3. Review and verify the properties of the Asset (see Step 7. Create and
Configure your Assets on page 32). Most importantly, confirm that the
IP Address is correct.
If these steps fail to resolve the issue, contact Tripwire Technical Support:
www.tripwire.com/customers
Figure 12. Log messages in the Real-Time Event Viewer
Step 9. Assign Correlation Rules to the Correlation Engine
In Step 7. Create and Configure your Assets on page 32, you assigned the Correlation Engine as
an Output Destination for both your Windows Asset and Linux Asset. Consequently, if TLC
normalizes a log message for one of these Assets, TLC will forward the Normalized Message to
your Manager's Correlation Engine. To identify events of interest, the Correlation Engine
applies Correlation Rules to these Normalized Messages.
In this Step, you will add pre-defined Correlation-Rule Groups to your Manager's Correlation
Engine.
Note In Scenario 4. Correlating SSH Logon Events on page 83, you will learn how to
create a Correlation Rule of your own.
To add the Correlation-Rule Groups to your Manager's Correlation Engine:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Correlation > Engines.
3. In the workspace, double-click the Correlation Engine.
4. In the Correlation Engine tab, click Add.
5. To add the Correlation-Rule Groups:
a. In the Modify Rules for Correlation Engine dialog, press CTRL and select the
following groups:
Authentication
Internal Rules
Network Audit
System Audit
User Audit
Tip For optimal performance, Tripwire recommends that you only add
Correlation-Rule Groups that apply to your environment.
b. Click Check Selected Rows to select all rules in the groups (see Figure 13
below), and click OK.
Figure 13. Modify Rules for Correlation Engine dialog with Correlation Rules selected
6. TLC adds the selected Correlation Rules to the Correlation Engine.
Click OK to close the Correlation Engine tab.
Tip When TLC correlates a Normalized Message, the Correlation Engine will run
the rules in the order in which they appear in the Correlation Engine tab. To
modify the order, use the buttons on the right side of the tab.
Step 10. Create an Email Action
An Action (or Correlation Action) initiates a response to events of interest (i.e. Correlated
Events) identified by your Manager's Correlation Engine. Table 6 below defines each type of
Action in TLC.
| Type | Description |
|---|---|
| Email | Sends an email alert to specified recipients. |
| Notification | Creates a Notification in the Notifications dialog of the TLC Console. For further details, see Working with Notifications in the Tripwire Log Center User Guide. |
| Script | Runs a Windows command. |
| Syslog | Sends a Syslog message to a specified Syslog server. |

Table 6. Types of Actions
By default, the TLC Manager installer creates a Notification Action with no defined
Notifications. In this step, you will create an Email Action to send email alerts to yourself. In
Scenario 4. Correlating SSH Logon Events on page 83, you will assign this Action as an Output
in a Correlation Rule.
To create the new Email Action:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the workspace, double-click your TLC Manager.
4. In the Email tab of the Manager's properties tab (see Figure 14 on the next page):
a. In the SMTP Server field, enter the IP address of your email server.
b. Complete any remaining fields required for authentication by your email server.
c. Click OK to close the Manager's properties tab.
Figure 14. Email tab in the Manager's properties tab
5. In the side bar of the Configuration Manager, select Correlation > Actions.
In the workspace, TLC presents the two Actions created by the installer.
6. Click Add Action.
7. In the Action properties dialog (see Figure 15 on the next page):
a. Enter Email to me in the Name field.
b. In the Type Settings tab, click Add Email Address.
TLC adds a row to the Type Settings tab.
c. In the Email Address field, enter the email address for the Action and click OK.
Figure 15. The Action properties dialog
8. To push updates to your Manager:
a. In the side bar of the Configuration Manager, select Resources >
Managers.
b. In the main pane, select the Manager's table row by clicking the arrow to the left of
the row.
c. Click Push Updates to Manager.
Working with the TLC Console
Step 1. Verify Collector Installation and Review the Audit Logger Directory
Now that your Tripwire Log Center (TLC) environment has been configured, let's take a
moment to review a few product features before proceeding with the evaluation Scenarios.
The Audit Logger is TLC's log-archive tool, and TLC stores collected log messages in the
Audit Logger File Store, a series of compressed flat files.
When TLC receives a log message from a Collector, TLC first places the message in an internal
cache known as the Audit Logger Cache (or Audit Logger Buffer). When the log messages in
the cache exceed specified time or size thresholds, or when you flush the cache, TLC:
1. calculates SHA-256 checksums to verify the integrity of each file created when the cache
is flushed to disk,
2. saves each message (in its original format) in the Audit Logger File Store, and
3. indexes the key terms in each message (to support standard search-engine queries).
Note With a production license of Tripwire Log Center, you would also have the
option of encrypting log messages with the AES-256 algorithm.
Due to this unique design, TLC provides high-speed performance capable of archiving all log
messages generated by the Log Sources on your network.
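The Audit Logger write path described above (cache, threshold-driven flush to compressed flat files, per-file SHA-256 checksums, key-term index), as an added example that is not Tripwire code. The directory layout, thresholds, token definition and sample messages are assumptions for illustration only.

```python
"""Toy model of the Audit Logger write path: a cache flushed to a compressed flat
file on a size or age threshold (or on demand), a SHA-256 checksum recorded for
each file so it can be re-verified later, and a key-term index over the archived
messages. Added example, not Tripwire code; layout and thresholds are assumed."""
import gzip
import hashlib
import os
import re
import tempfile
import time

TOKEN = re.compile(r"[A-Za-z0-9_.:-]{3,}")  # what counts as a key term here


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AuditLoggerStore:
    def __init__(self, base_dir, max_messages=3, max_age_seconds=60.0,
                 clock=time.time):
        self.base_dir = base_dir
        self.max_messages = max_messages
        self.max_age = max_age_seconds
        self.clock = clock
        self.cache = []            # the Audit Logger Cache (Buffer)
        self.cache_started = None
        self.checksums = {}        # file path -> SHA-256 hex digest
        self.index = {}            # key term -> set of file paths
        os.makedirs(base_dir, exist_ok=True)

    def receive(self, raw_message):
        """Cache a message; flush when the size or age threshold is exceeded."""
        if not self.cache:
            self.cache_started = self.clock()
        self.cache.append(raw_message)
        aged = self.clock() - self.cache_started >= self.max_age
        if len(self.cache) >= self.max_messages or aged:
            return self.flush()
        return None

    def flush(self):
        """Write the cache to one compressed file, checksum it, index it."""
        if not self.cache:
            return None
        day = time.strftime("%Y-%m-%d", time.gmtime(self.clock()))
        day_dir = os.path.join(self.base_dir, "0", day)  # assumed sub-folder layout
        os.makedirs(day_dir, exist_ok=True)
        path = os.path.join(day_dir, f"{len(self.checksums):06d}.log.gz")
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            for msg in self.cache:       # original format, one message per line
                fh.write(msg + "\n")
        self.checksums[path] = sha256_of_file(path)
        for msg in self.cache:
            for term in TOKEN.findall(msg):
                self.index.setdefault(term.lower(), set()).add(path)
        self.cache = []
        self.cache_started = None
        return path

    def search(self, *terms):
        """Archive files whose messages contain every given key term."""
        hits = None
        for term in terms:
            files = self.index.get(term.lower(), set())
            hits = files if hits is None else hits & files
        return sorted(hits or [])

    def verify(self):
        """Recompute each file's SHA-256; return the files whose digest changed."""
        return [p for p, d in self.checksums.items() if sha256_of_file(p) != d]


# Constructed sample event text, not real collected data.
SAMPLE = [
    "4720 A user account was created. TargetUserName=TLC_BAD_USER",
    "4625 An account failed to log on. TargetUserName=TLC_GOOD_USER",
    "4625 An account failed to log on. TargetUserName=TLC_GOOD_USER",
    "4723 An attempt was made to change an account's password. TargetUserName=TLC_GOOD_USER",
]


def demo(base_dir=None):
    """Ingest the samples, search the index, then detect a tampered archive file."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="audit_logger_")
    store = AuditLoggerStore(base_dir, max_messages=3)
    for msg in SAMPLE:
        store.receive(msg)          # third message triggers the first flush
    store.flush()                   # flush on demand: second file, one message
    hits = store.search("4625", "TLC_GOOD_USER")
    before = store.verify()
    with gzip.open(sorted(store.checksums)[0], "at", encoding="utf-8") as fh:
        fh.write("injected line\n")  # modify an archived file behind TLC's back
    after = store.verify()
    return {"files": len(store.checksums), "search_hits": len(hits),
            "mismatches_before": len(before), "mismatches_after": len(after)}
```

The recorded digests are what make the archive useful as evidence: `verify()` returns an empty list while the files are untouched and names the modified file after the append.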
To learn more about the Audit Logger File Store, complete the following steps:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the workspace, double-click your Manager.
4. Complete the following steps in the Manager properties tab:
a. In the Installed Modules tab (see Figure 16 below), verify that the following
modules are installed and enabled -- Network Collector, Advanced Windows
Collector, Schedule Engine, License Service, Correlation Engine, and Audit Logger.
Note In the Installed Modules tab, TLC automatically adds the Collectors
required for each 'Product Type' (i.e. Log Source) specified in the TLC
Manager Configuration Wizard (see Installing Tripwire Log Center on
page 17). If you add other types of Log Sources to TLC, you can install
the required Collectors in this tab. For more information, see
Configuring a Collector in the Tripwire Log Center User Guide and
Step 5. Configure your Collectors on page 30.
b. In the Audit Logger tab, copy the path of the Audit Logger File Store directory.
By default, this directory is:
C:\Program Files\Tripwire\Tripwire Log Center Manager\Audit Logger\
Figure 16. The Installed Modules tab in the Manager's properties
5. In Windows Explorer, navigate to the Base Log Directory and review its contents (see
Figure 17 on the next page).
• In the Audit Logger\0\ sub-directory, TLC creates a sub-folder for each day since
you installed TLC Manager. TLC uses the current date to name each sub-folder,
and each sub-folder contains one or more zip files with the data in the Audit
Logger.
• The Audit Logger\Index\ sub-directory consists of sub-folders with zip files
containing key terms in the Audit Logger File Store.
Figure 17. The Base Log Directory in Windows Explorer
Step 2. View the Regular Expression defined by a Normalization Rule
TLC normalizes log messages with regular expressions defined by Normalization Rules. You
will now review a regular expression defined by one of the Normalization Rules downloaded
from the Tripwire Web site during configuration (in Step 3. Import the Latest Normalization
Rules on page 24).
To open the properties of a Normalization Rule:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Normalization > Rules.
3. Expand and select a rule group under Rules.
4. In the workspace, double-click a rule.
5. In the Normalization Rule properties dialog, select the Rule Details tab (see Figure 18 on
the next page).
The Quick Match field specifies a string. If a log message contains the string, TLC runs
the regular expression defined in the Rule field.
The Description tab contains a value saved in the properties of Events created by the
rule. The description may consist of literal strings and variables for Event-field values
(e.g. <Dst IP>).
Figure 18. The Rule Details tab in the Normalization Rule properties dialog
6. Tripwire recommends that you do not modify the regular expression defined by a
Normalization Rule downloaded from the Tripwire Web site. However, you can create
Normalization Rules of your own, or create a copy of a downloaded rule. In such cases,
you may edit the rule's regular expression with the Rule Editor.
To open the Rule Creator (see Figure 19 on the next page), click Rule Editor.
Each rule's regular expression:
a. parses specified name/value pairs in the content of log messages, and
b. specifies the columns in which the parsed values will be saved in Event-
Management Databases.
When defining a regular expression in the Rule Editor, you can:
• include one or more Aliases in the expression. Each Alias is a custom variable that
represents a partial or complete regular expression. At this point in the evaluation,
your TLC environment may not contain any Aliases.
• define find-and-replace values in the Replace tab for columns in the content of log
messages.
• test the expression by entering the content of a log message in the Input Data tab
and clicking Test. TLC then displays the result in the Output field.
Figure 19. The Rule Editor
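The Normalization Rule mechanics described in this Step (Quick Match pre-filter, Aliases, named groups mapped to Event columns, Replace-tab substitutions, and a Description template with <Column> variables), as an added example that is not Tripwire's rule engine. The rules, alias names, column names and sample messages are constructed and are not the rule set downloaded from Tripwire.

```python
"""Model of a Normalization Rule: a Quick Match string gates the regular
expression, Aliases expand into the expression, named groups map parsed values
to Event columns, Replace-tab substitutions rewrite column values, and a
Description template fills <Column> variables. Added example, not Tripwire's
rule engine; rules, aliases, columns and messages are constructed."""
import re

# Aliases: custom variables standing for partial regular expressions (assumed).
ALIASES = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USER": r"[A-Za-z0-9_$.-]+",
}


def expand_aliases(pattern, aliases=ALIASES):
    """Replace {ALIAS} tokens in a rule with their regular-expression bodies."""
    def sub(m):
        name = m.group(1)
        if name not in aliases:
            raise KeyError(f"undefined alias {name}")
        return aliases[name]
    return re.sub(r"\{([A-Z0-9_]+)\}", sub, pattern)


class NormalizationRule:
    def __init__(self, name, quick_match, rule, description, replace=None):
        self.name = name
        self.quick_match = quick_match
        self.regex = re.compile(expand_aliases(rule))
        self.description = description
        self.replace = replace or {}   # column -> {raw value: replacement}

    def normalize(self, message):
        """Return an Event dict, or None when the rule does not apply."""
        if self.quick_match not in message:   # cheap pre-filter before the regex
            return None
        m = self.regex.search(message)
        if m is None:
            return None
        event = {"Rule": self.name}
        for column, value in m.groupdict().items():
            event[column] = self.replace.get(column, {}).get(value, value)
        # <Dst User> in the template refers to the Dst_User column.
        event["Description"] = re.sub(
            r"<([A-Za-z_ ]+)>",
            lambda v: str(event.get(v.group(1).replace(" ", "_"), v.group(0))),
            self.description)
        return event


def normalize_all(rules, messages):
    """Apply the first matching rule to each message; rule order matters."""
    events = []
    for msg in messages:
        for rule in rules:
            ev = rule.normalize(msg)
            if ev is not None:
                events.append(ev)
                break
    return events


# Constructed rules, not the rule set downloaded from Tripwire.
RULES = [
    NormalizationRule(
        name="Windows Logon Failure",
        quick_match="failed to log on",
        rule=r"EventID=(?P<Event_ID>4625).*TargetUserName=(?P<Dst_User>{USER})"
             r".*IpAddress=(?P<Src_IP>{IPV4}).*SubStatus=(?P<Sub_Status>0x[0-9A-Fa-f]+)",
        description="Logon failure for <Dst User> from <Src IP>: <Sub Status>",
        # Replace tab: map a raw status code to a readable column value
        replace={"Sub_Status": {"0xC000006A": "bad password",
                                "0xC0000064": "unknown user"}},
    ),
    NormalizationRule(
        name="Windows Account Created",
        quick_match="account was created",
        rule=r"EventID=(?P<Event_ID>4720).*TargetUserName=(?P<Dst_User>{USER})",
        description="Account <Dst User> created",
    ),
]

# Constructed sample messages in key=value form, not captured event text.
SAMPLE_MESSAGES = [
    "EventID=4625 An account failed to log on. TargetUserName=TLC_GOOD_USER "
    "IpAddress=192.168.1.100 SubStatus=0xC000006A",
    "EventID=4720 A user account was created. TargetUserName=TLC_BAD_USER",
    "EventID=4624 An account was successfully logged on. TargetUserName=TLC_GOOD_USER",
]


def demo():
    return normalize_all(RULES, SAMPLE_MESSAGES)
```

The third sample message is left un-normalized on purpose: no rule's Quick Match string occurs in it, so neither regular expression is ever run against it.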
Step 3. Create a Layout in the Dashboard
A component of the TLC Console, the Dashboard presents information about a Manager or
Event-Management Database in a Layout, a customizable configuration of panels containing
fields, tables, and/or graphs.
• A Manager Layout shows information about 1) a selected Manager's system resources
and configuration, and 2) the log messages collected by the Manager's Collectors.
• A Database Layout presents data for the Events in a selected Event-Management
Database.
The panels in a Layout are known as Layout Panels, and Table 7 below describes each type of
Layout Panel.
| Type | Description |
|---|---|
| Configuration Diagram | (Manager Layouts only) Displays a diagram of the Log Sources, Collectors, Managers, Audit Loggers, Correlation Engines, and Event-Management Databases in your TLC environment. |
| Map | (Database Layouts only) Displays the geographic locations of IP addresses involved in Events on a map. |
| Text | Presents data in a table. |
| Time Graph | Presents a timeline of log messages or Events in a graph. |
| Top Graph | (Database Layouts only) Displays the Top N items in a graph or chart. |

Table 7. Types of Layout Panels
To add a panel to a Layout, you must first create a Layout-Panel Task in the Task Manager.
Table 8 on the next page describes each type of Task in TLC.
Note In the Task Scheduler, you can define schedules for Copy, Delete, Archive, and
Report Tasks.
| Type | Description |
|---|---|
| Layout-Panel | Creates a Layout Panel that may be added to a Layout in the Dashboard. |
| Administrative | Performs an administrative operation on specified data in an Event-Management Database. An Archive Task moves the data from one database to another. A Copy Task copies the data from one database to another. A Delete Task removes the data from the database. |
| Search | Performs a query of data in an Event-Management Database. A List Task presents the query results in a table. A Graph Task presents the query results in the form of a graph or chart. A Report Task compiles and formats the query results in a Report. In Scenario 2. Monitoring and Reporting System Activity on page 61, you will create and run a Report Task. |

Table 8. Types of Tasks in the Task Manager
In Scenario 2. Monitoring and Reporting System Activity on page 61, you will:
1. create and run a Report Task, and
2. work with a custom Layout in the Dashboard.
To prepare TLC for your work in the Dashboard, you will now create a Layout-Panel Task, and
then add the panel to the new Layout.
To complete this Step:
1. In the side bar, select Events > Task Manager.
2. To create the Layout-Panel Task:
a. In the workspace, enter Medium and High Priority Events in the Name field.
b. From the 'Task type' drop-down, select Layout Panel.
c. From the Output drop-down, select Text Panel, and then select Top Priorities from
the adjacent Type drop-down.
d. Click Save.
TLC adds the new Layout-Panel Task to the Layout-Panel Tasks group in the Task
Manager's side bar.
Figure 20. The new Layout-Panel Task in the Task Manager
3. To create the new Database Layout:
a. In the side bar, select Events > Dashboard.
b. From the 'Display data for' drop-down, select Events.
c. From the Layout drop-down, select New Layout.
d. Click Add and select Text Panels > Medium and High Priority Events (see
Figure 21 on the next page).
e. Click Save.
f. In the Save As dialog, enter Priority_Events as the name of the new Layout file
and click Save.
The new Layout should now be available in the Dashboard's Layout drop-down.
Figure 21. The Layout drop-down with the new Database Layout
4. Close the Dashboard and Task Manager.
Chapter 3. Scenarios
Scenario 1. Detecting User Activity
To begin the evaluation, this Scenario demonstrates how Tripwire Log Center (TLC) can detect
and respond to unauthorized user activity in your TLC environment. In Step 1.1 - Detect and
Evaluate Unauthorized User Activity below, you will create new user accounts on your
Windows Log Source and then employ the Real-Time Event Viewer and Audit Logger to
evaluate this activity. In Step 1.2 - Investigate a 'Brute Force Attack' on page 57, you will
analyze the log messages generated in response to a simulated 'Brute Force Attack.'
Step 1.1 - Detect and Evaluate Unauthorized User Activity
In this Step, you will:
• create two (2) new user accounts on your Windows Log Source
• monitor the Real-Time Event Viewer for log messages documenting the creation of the
user accounts
• create a Custom Command to look up IP addresses on the Network Solutions WHOIS
Web site
Note A Custom Command is a command that users can run when they select
certain fields in a table in the TLC Console.
• simulate a logon failure by attempting to log in to the Windows system with incorrect
authentication credentials
• search TLC for the log message generated by the logon failure
• run the Custom Command to display the WHOIS details for an IP address in the log
message
• email the log message to your Security Administrator for further analysis
To complete this Step:
1. In the side bar, select Events > Real-Time Event Viewer.
2. In the Real-Time Event Viewer, complete the following steps.
a. In the Message-content filter field, enter:
TLC_*
b. In the IP Address field, enter the IP address of your Windows Log Source.
c. From the Collector drop-down, select Advanced Windows Collector.
d. Select the Wrap Text check box and click Start.
TLC begins displaying log messages from the Windows system in real time.
3. On the Windows system:
a. Create a Windows user account named "TLC_GOOD_USER," and add this account
to the Administrators group.
b. Create a Windows user account named "TLC_BAD_USER."
Tips Make a note of the password for each account.
For further directions, refer to your Microsoft Windows documentation.
4. Monitor the Real-Time Event Viewer in TLC. You should see the log messages related to
the creation of each new user account (see Figure 22 below).
Note As needed, you can use the Real-Time Event Viewer to verify collection of
log messages from any Log Source in your TLC environment.
Figure 22. Real-Time Event Viewer with log messages for new Windows user accounts
5. Click Stop and close the Real-Time Event Viewer.
6. From the menu bar in the TLC Console, select Options > Settings.
7. In the side bar of the Settings dialog, select User Settings > Custom Commands and
click Add.
8. Complete the Custom Command dialog (see Figure 23 below).
a. In the Name field, enter Network Solutions WHOIS Lookup.
b. Select the Enabled check box.
c. From the Data Type drop-down, select IP Address.
d. For the Output drop-down, accept the default value of DOS Command.
e. In the Command field, enter:
http://www.networksolutions.com/whois/results.jsp?ip=<ip>
f. To test the command, click Test.
g. In the Test dialog, enter 192.168.1.100 and click Test.
If the test is successful, TLC will present a Web page with the WHOIS results for
the IP address.
h. Click OK to save your work and close the Custom Command dialog.
i. In the Settings dialog, click OK.
Note Network Solutions is unaffiliated with Tripwire, Inc.
Figure 23. Custom Command dialog
9. Attempt to log in to the Windows system with incorrect authentication credentials.
10. To search for log messages related to the failed logon attempt:
a. In the side bar, select Events > Audit Logger.
b. Select the Query tab (see Figure 24 below).
c. From the Output drop-down, select List Events - Processed.
d. In the Classification Tags field, enter User Logon Failure.
e. From the two Assets drop-downs, select IP Address and your Windows Asset.
f. To run the search, click Start.
TLC queries the Audit Logger File Store for log messages collected from the
Windows system with which the Classification Tags User, Logon, and Failure are
associated. TLC then normalizes the log messages with the Normalization Rules
assigned to the Windows and Critical Systems Asset Groups, and presents the
results in the Query Results - Normalized Messages tab (see Figure 25 on the next
page).
Figure 24. The Query tab in the Audit Logger
Figure 25. The Query Results - Normalized Messages tab
11. To run the Custom Command:
a. In the Processed Logs tab, select and right-click an IP address in a log message for
a failed logon attempt (see Figure 26 on the next page).
b. From the right-click menu, select Run Custom Command on selected IP address
> Network Solutions WHOIS Lookup.
TLC runs the Custom Command and opens a Web Browser tab containing a page
from the Network Solutions Web site. The page presents information about the
selected IP address.
Note Network Solutions is unaffiliated with Tripwire, Inc.
c. Close the Web Browser tab.
12. Close the Audit Logger.
Figure 26. The right-click menu in the Query Results - Normalized Messages tab
Step 1.2 - Investigate a 'Brute Force Attack'
In this Step, you will simulate a 'Brute Force Attack' by attempting to log in to the Windows
system with an incorrect password for the TLC_GOOD_USER account (created in Step 1.1 -
Detect and Evaluate Unauthorized User Activity on page 52), and then changing the account's
password. You will then query and review the log messages generated by the Windows system
in response to the Brute Force Attack.
Caution To complete this Step, your Windows system should not have an enabled policy
that locks a Windows user account after five (5) or fewer failed login attempts.
To complete this Step:
1. To simulate a "Brute Force Attack" on your Windows system:
a. Using an incorrect password for the TLC_GOOD_USER account, attempt to log in
to the Windows system five (5) times.
b. Using the correct password, log in to the system with the TLC_GOOD_USER
account.
c. Change the password for the TLC_GOOD_USER account, and make a note of the
new password.
For further directions, refer to your Microsoft Windows documentation.
2. To search for log messages generated by the failed logon attempts:
a. In the side bar, select Events > Audit Logger.
b. In the Audit Logger, select the Query tab.
c. From the Output drop-down, accept the default option of List Events - Raw. With
this option, TLC will query the Audit Logger File Store for log messages in their
original, un-normalized state.
d. In the Classification Tags field, enter User Logon Failure.
e. From the two Assets drop-downs, select IP Address and your Windows Asset.
f. From the Date and Time drop-down, select Newer/older than.
g. In the Time Span drop-downs, enter Newer than 10 Minutes.
Note If more than 10 minutes have passed since you simulated the Brute
Force Attack, you will need to adjust the Time Filter accordingly.
h. To run the search, click Start.
TLC presents the query results in the Raw Logs tab (see Figure 27 on the next
page).
Figure 27. The logon failure messages in the Raw Logs tab
3. To search for the log message generated by the Windows system when you changed the
password of the TLC_GOOD_USER account:
a. In the Audit Logger, select the Query tab.
b. From the Output drop-down, accept the default option of List Events - Raw.
c. In the Classification Tags field, enter Password.
d. From the two Assets drop-downs, select IP Address and your Windows Asset.
e. In the Time Span drop-downs, enter Newer than 10 Minutes.
f. To run the search, click Start.
TLC presents the query results in the Raw Logs tab (see Figure 28 on the next
page). Locate the log message and review the content.
4. Close the Audit Logger.
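The Audit Logger queries run in Step 1.1 (every Classification Tag entered must be associated with a message, filtered by the Asset's IP address) and in Step 1.2 (the same query with a 'Newer than 10 Minutes' time filter, then a Password query), as an added example over constructed raw messages. It is not Tripwire's query engine; the tag names, fields and messages are assumptions, and the final pass that reports repeated logon failures followed by a successful logon and a password change is this example's own analysis of the results.

```python
"""Model of the Audit Logger 'List Events - Raw' queries from Steps 1.1 and 1.2:
all whitespace-separated Classification Tags must be associated with a message,
the Assets filter selects by the Log Source's IP address, and the Date and Time
filter keeps messages newer than a given span. find_brute_force() then looks for
the Step 1.2 sequence in the results. Added example, not Tripwire's query
engine; tags, fields and raw messages are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class RawMessage:
    when: datetime
    src_ip: str                 # IP of the Log Source it was collected from
    text: str                   # original, un-normalized message
    tags: frozenset = field(default_factory=frozenset)  # Classification Tags
    user: str = ""              # account named in the message


def query(store, tags_field, asset_ip, newer_than, now):
    """Raw query: every entered tag must match, plus asset and time filters."""
    wanted = frozenset(t.lower() for t in tags_field.split())
    cutoff = now - newer_than
    return [m for m in store
            if m.src_ip == asset_ip
            and wanted <= {t.lower() for t in m.tags}
            and m.when >= cutoff]


def find_brute_force(messages, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold logon failures inside `window`, and whether a
    successful logon or a password change followed the last of them."""
    findings = {}
    by_user = {}
    for m in sorted(messages, key=lambda m: m.when):
        by_user.setdefault(m.user, []).append(m)
    for user, msgs in by_user.items():
        failures = [m for m in msgs if "failure" in m.tags]
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if last.when - first.when <= window:
                later = [m for m in msgs if m.when > last.when]
                findings[user] = {
                    "failures": len(failures),
                    "followed_by_success": any("success" in m.tags for m in later),
                    "followed_by_password_change": any("password" in m.tags
                                                       for m in later),
                }
                break
    return findings


# Constructed raw messages; IPs, times and tags are placeholders.
T0 = datetime(2013, 1, 1, 12, 0, 0)
WIN, LNX = "192.168.1.100", "192.168.1.101"
FAIL = frozenset({"user", "logon", "failure"})
STORE = [
    RawMessage(T0 + timedelta(seconds=10 * i), WIN,
               "4625 An account failed to log on.", FAIL, "TLC_GOOD_USER")
    for i in range(5)
] + [
    RawMessage(T0 + timedelta(minutes=1), WIN, "4624 An account was successfully logged on.",
               frozenset({"user", "logon", "success"}), "TLC_GOOD_USER"),
    RawMessage(T0 + timedelta(minutes=2), WIN,
               "4723 An attempt was made to change an account's password.",
               frozenset({"user", "password", "change"}), "TLC_GOOD_USER"),
    RawMessage(T0 + timedelta(minutes=3), LNX, "sshd: Failed password for root", FAIL, "root"),
    RawMessage(T0 - timedelta(hours=1), WIN, "4625 An account failed to log on.", FAIL,
               "TLC_BAD_USER"),
]


def demo(now=T0 + timedelta(minutes=5)):
    ten_min = timedelta(minutes=10)
    failures = query(STORE, "User Logon Failure", WIN, ten_min, now)  # Step 1.2, step 2
    password = query(STORE, "Password", WIN, ten_min, now)            # Step 1.2, step 3
    recent = query(STORE, "User", WIN, ten_min, now)                  # everything tagged User
    return {"failures": len(failures), "password": len(password),
            "findings": find_brute_force(recent)}
```

The hour-old TLC_BAD_USER failure and the Linux sshd message are both in the store but fall outside the time filter and the Asset filter respectively, which is exactly why the Note above warns that the Time Filter must be widened if more than 10 minutes have passed.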
Figure 28. The Password Change log message in the Raw Logs tab
Scenario 2. Monitoring and Reporting System Activity
In addition to the storage of log messages in the Audit Logger, Tripwire Log Center (TLC) also
saves data in the following databases.
• The System Database retains a record of all user logons and logouts, as well as TLC
content, such as Assets and Normalization Rules.
• An Event-Management Database stores Events. Each Event is either:
a. A Normalized Message (see How does TLC collect, normalize, and correlate log
messages? on page 14), or
b. An event imported from a supported scanner, such as Tripwire IP360 or Tenable
Nessus.
Table 9 below describes each type of Event-Management Database. By default, the TLC
Manager installer creates a single Event Database called 'Events.' With the Database Viewers
in the TLC Console, you can access information about the Events in your Event-Management
Databases.
| Type | Stores Events from ... | Database Viewer |
|---|---|---|
| Event Database | ... any Log Source and/or any supported scanner. Notes: An Event Database can also store firewall Events, as well as Events from an IDS or IPS. For IDS and IPS Events, an Event Database excludes the packet payloads. To store the packet payloads, you should store Events in an IDS Database. | Event-Database Viewer |
| Firewall Database | ... firewalls | Firewall-Database Viewer |
| IDS Database | ... IDS and IPS devices | IDS-Database Viewer |

Table 9. Types of Event-Management Databases and Database Viewers
In this Scenario, you will work with the Dashboard to review Events with a high Priority.
Priorities indicate the relative importance of Events. For an introduction to the Dashboard, see
Step 3. Create a Layout in the Dashboard on page 47.
Step 2.1 - Analyze Event Data with the Dashboard
In this Step, you will:
• review the default Events Overview Layout in the Dashboard
Note The Events Overview Layout is automatically created by the TLC Manager
installer.
• open and review the custom Layout (Priority_Events) created in Step 3. Create a Layout in
the Dashboard on page 47
• add another Layout Panel to the custom Layout
• search for Events with a high Priority
• create a Decision for a Correlation Rule
Note In Scenario 4. Correlating SSH Logon Events on page 83, you will create a
Correlation Rule involving this Decision.
To complete this Step:
1. In the side bar, select Events > Dashboard.
2. To open the Events Overview Layout (see Figure 29 on the next page):
a. From the 'Display data for' drop-down, select Events.
b. From the Layout drop-down, select Overview.
The Layout Panels in this Database Layout present information about the Events in the
default Events Database.
• The top panel presents the total number of Events in the database, along with the
number of Normalization Rules used to normalize those Events.
• The middle panel presents a collection of 'Top 10' panels. Each of these panels
displays the most common values for a specific field in the database's Events. For
example, the Top 10 Priorities panel shows the total number of Events for each
Priority.
• The bottom panel is a Time Graph Panel. For each of the past 24 hours, this panel
shows the total number of Events saved to the database. For each one-hour period,
the graph also shows how many Events were saved for each Priority (High,
Medium, Low, and Info).
Figure 29. The Events Overview Layout in the Dashboard
3. To access your custom Layout:
a. From the Layout drop-down, select Priority_Events.
b. Click Refresh to populate the Layout Panel with data (see Figure 30 below).
Figure 30. The custom Layout in the Dashboard
4. To add another Layout Panel to the Priority_Events Layout (see Figure 31 on the next
page):
a. Click Add and select Time Graph Panels > Last 24 Hours.
b. Click Refresh.
Figure 31. The custom Layout with the new Layout Panel
5. To search the Events Database for Events with a High Priority:
a. In one of the Layout's panels, select a High Priority table row or graph segment.
b. Right-click the High Priority row or segment, and select Search for Events (see
Figure 32 on the next page).
The Task Manager opens (see Figure 33 on the next page). In the Filter Wizard tab,
TLC automatically adds a single search filter for High Priority Events.
c. Select the filter's Enable check box and click Start.
TLC queries the database and presents the High Priority Events in a new tab.
d. Review the search results and then close the tab.
Figure 32. The Correlation Search right-click option
Figure 33. The Filter Wizard tab in the Task Manager
6. To create a Correlation Rule Decision based on the search filter:
a. Click Create Correlation Rule Decision in the Filter Wizard tab of the Task
Manager (see Figure 33 above).
b. In the Enter Decision Information dialog, enter High Priority Events in the Name
field.
c. From the Group drop-down, select System Security and click Add.
d. In the Confirmation dialog, click No.
TLC creates and saves the Decision. In Scenario 4. Correlating SSH Logon Events
on page 83, you will add the Decision to a new Correlation Rule.
7. Close the Task Manager and the Dashboard.
Step 2.2 - Generate a Report on Event Data
In this Step, you will:
1. create a Report Task to define a Report about the Events in the default Events Database
2. run the Report Task and view the results in the Report Center
In the Report's output, you will locate the Events related to the simulated 'Brute Force Attack'
conducted in Scenario 1. Detecting User Activity on page 52, and then save the output as a PDF
file to share with your co-workers.
To complete this Step:
1. In the side bar, select Events > Task Manager.
2. In the Task Manager, the side bar groups the default and custom Tasks in your TLC
environment.
Note The Search group contains List Tasks, and the Dashboard Panels group
contains Layout-Panel Tasks.
To create your Report Task, complete the following steps in the workspace.
a. In the Name field, enter System Activity by Classification.
b. From the Database drop-down, accept the default value of Events.
c. From the Output drop-down, select Report.
d. From the Type drop-down, select Events by Legacy Classification - Detailed.
e. Click Save.
In the Task Manager side bar, TLC adds the new Report Task under Report Tasks
> Events group (see Figure 34 on the next page).
Figure 34. New Report in the Task Manager
3. In the Task Manager, you can run a Report Task by opening the Task and clicking Start.
However, you can also access and run Report Tasks in the Report Center, as well as a
wide variety of pre-defined Reports.
To run the new Report Task in the Report Center:
a. In the side bar, select Events > Report Center.
b. From the Database drop-down, select Events.
c. Expand the Standard Reports group and select the System Activity by
Classification Report.
d. From the Time Filter drop-down, select 24 Hours.
e. Click Run Report.
TLC presents the report output in the workspace (see Figure 35 on the next page).
Figure 35. The output of the System Activity by Classification Report
4. The report output includes:
• A collection of graphs illustrating the frequency of Event types and the systems
involved in those Events, and
• A detailed list of the Events.
In the output, scroll down the list to locate the Events for the simulated 'Brute Force
Attack' completed in Scenario 1. Detecting User Activity on page 52 (see Figure 36 on the
next page). To generate these Events, TLC used the Correlation Rules assigned to the
Correlation Engine in Step 9. Assign Correlation Rules to the Correlation Engine on page
37.
Figure 36. The Events for the simulated 'Brute Force Attack'
5. To add a watermark to the Report output:
a. Click Watermark.
b. In the Watermark dialog (see Figure 37 on the next page), enter 'Classified' in the
Text field.
c. From the Size drop-down, select 54.
d. Adjust the Transparency slider bar to a value of 160, and click OK.
TLC adds the watermark to the Report output.
Figure 37. Watermark dialog
6. To save the Report output as a PDF file:
a. Click Export to and select PDF File.
b. In the PDF Export Options dialog, click OK.
c. In the Save As dialog, select your Desktop from the Save in drop-down, and then
click Save.
d. In the Export confirmation dialog, click Yes.
TLC opens the PDF file with the Report output.
7. When you finish reviewing the output in the PDF file, close the file and the Report Center.
Scenario 3. Analyzing System Activity
The Audit Logger and Event-Database Viewer provide a number of tools with which you can
analyze your TLC data, including:
• a wide variety of graphs - pie charts, line graphs, and bar graphs
• Event-Relationship Diagrams that depict and replay communications between systems
involved in queried Events
• a robust set of customizable Reports
This Scenario guides you through the process of detecting and analyzing SSH-related activity on
your Linux Log Source. Along the way, you will use these tools to illustrate this activity and
identify events of interest. In addition, you will create an Event Ticket to track related work.
Step 3.1 - Query the Audit Logger for Evidence of System Activity
In this Step, you will:
• start (or restart) the SSH Daemon, log in via SSH, and clear the system log file on your
Linux Log Source
• search for log messages generated by the Linux system for the SSH Daemon
To complete this Step:
1. On your Linux system:
a. Restart the SSH Daemon.
b. Log in to the Linux system via SSH with the twadmin user account (created in Linux Configuration on page 18).
c. Create a new Linux user account named twuser.
For further details, refer to your Linux documentation.
2. To search for the log messages:
a. In the side bar, select Events > Audit Logger.
b. In the Audit Logger, select the Query tab.
c. From the Output drop-down, select List Events - Processed.
d. In the Terms field, enter SSH*.
Tips For query-syntax characters that may be entered in the Query field, see
Table 10 on the next page.
To search for a special character in log messages, enter a regular
expression with the character in the Query field and insert a forward
slash (/) before the character (i.e. escape the special character with /).
To optimize performance, enter the most unique terms first. For
example, "jhammond user failed" would be faster than "user failed
jhammond."
e. From the two Assets drop-downs, select Asset Group and the Linux Asset Group.
f. To run the search, click Start.
TLC queries the Audit Logger File Store for log messages containing SSH*, and
then normalizes the messages with the Normalization Rules assigned to the Linux
Asset Group. The Query Results - Normalized Messages tab (see Figure 38 below)
presents the results.
Figure 38. The Query Results - Normalized Messages tab
Character   Description                                          Example
space       An AND operator                                      Write Data
|           An OR operator                                       Write | Data
?           Wildcard for a single character                      Wr?te
*           Wildcard for zero or more characters at the end      Wri*
            of a term
||          Separates multiple queries                           Permit 192.168.0.1 || Deny 192.168.0.2
                                                                 An example of a nested query:
                                                                 (Permit | Allow) 192.168.0.1 || (Permit| Allow) 192.168.0.2
" "         A literal value                                      "Failed Login"
\           Separates a Location name from an IP address         Miami\192.168.129.1
Table 10. Query-syntax characters
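The following Python is an added example, not code from the guide or from Tripwire Log Center, that implements the query syntax of Table 10 and the Tips above it over a list of raw log lines, so that a practitioner can see how each character behaves before typing a query into the Audit Logger. It goes slightly beyond the table by allowing arbitrary nesting of parentheses. Everything not stated on the page is an assumption of this example: a single '|' binds tighter than the space (AND) operator, a bare term must match a whole whitespace-delimited token of the message (case-insensitively), a quoted value is a case-insensitive phrase search, and '/' escapes the character after it as the Tips describe. The backslash Location separator of Table 10 refers to an Asset property rather than message text, so this example treats it as an ordinary literal character. The sample log lines are constructed.

```python
import re
from typing import Callable, List

Matcher = Callable[[str], bool]

def _tokenize(query: str) -> list:
    """Split a Table 10 query into tokens; whitespace is the implicit AND, '/' escapes the next char."""
    tokens, i, n = [], 0, len(query)
    while i < n:
        c = query[i]
        if c.isspace():
            i += 1
        elif query.startswith("||", i):            # separates whole queries
            tokens.append(("SEP", None)); i += 2
        elif c in '|()':
            tokens.append((c, None)); i += 1
        elif c == '"':                             # "..." is a literal phrase
            end = query.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated literal")
            tokens.append(("LIT", query[i + 1:end])); i = end + 1
        else:                                      # bare term: list of (escaped?, char)
            chars = []
            while i < n and not query[i].isspace() and query[i] not in '|()"':
                escaped = query[i] == "/" and i + 1 < n
                i += escaped                       # skip the '/' and take the next char literally
                chars.append((escaped, query[i]))
                i += 1
            tokens.append(("TERM", chars))
    return tokens

def _term_regex(chars: list) -> "re.Pattern":
    """'?' matches one character, a trailing '*' any suffix; everything else is literal."""
    last = len(chars) - 1
    parts = ["." if (not esc and ch == "?") else
             ".*" if (not esc and ch == "*" and idx == last) else re.escape(ch)
             for idx, (esc, ch) in enumerate(chars)]
    return re.compile("".join(parts), re.IGNORECASE)

class _Parser:
    """Recursive-descent parser; '|' binds tighter than the space (AND) operator (assumption)."""
    def __init__(self, tokens: list) -> None:
        self.toks, self.pos = tokens, 0
    def peek(self):
        return self.toks[self.pos][0] if self.pos < len(self.toks) else None
    def queries(self) -> Matcher:                  # query ('||' query)*
        alts = [self.conjunction()]
        while self.peek() == "SEP":
            self.pos += 1; alts.append(self.conjunction())
        return lambda msg: any(m(msg) for m in alts)
    def conjunction(self) -> Matcher:              # juxtaposed groups are ANDed
        parts = [self.disjunction()]
        while self.peek() in ("TERM", "LIT", "("):
            parts.append(self.disjunction())
        return lambda msg: all(m(msg) for m in parts)
    def disjunction(self) -> Matcher:              # atom ('|' atom)*
        alts = [self.atom()]
        while self.peek() == "|":
            self.pos += 1; alts.append(self.atom())
        return lambda msg: any(m(msg) for m in alts)
    def atom(self) -> Matcher:
        if self.peek() is None:
            raise ValueError("unexpected end of query")
        kind, val = self.toks[self.pos]; self.pos += 1
        if kind == "(":
            inner = self.conjunction()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return inner
        if kind == "LIT":                          # case-insensitive phrase search
            needle = val.lower()
            return lambda msg: needle in msg.lower()
        if kind == "TERM":                         # must match a whole whitespace-delimited token
            rx = _term_regex(val)
            return lambda msg: any(rx.fullmatch(tok) for tok in msg.split())
        raise ValueError(f"unexpected token {kind!r}")

def compile_query(query: str) -> Matcher:
    parser = _Parser(_tokenize(query))
    matcher = parser.queries()
    if parser.peek() is not None:
        raise ValueError("unbalanced ')' in query")
    return matcher

def search(query: str, messages: List[str]) -> List[str]:
    """Return the messages that satisfy a Table 10 query."""
    matcher = compile_query(query)
    return [m for m in messages if matcher(m)]

# Constructed sample log lines (not real TLC data).
SAMPLE_LOGS = [
    "Jan 10 09:14:02 fw01 kernel: Permit 192.168.0.1 -> 10.0.0.5 tcp/22",
    "Jan 10 09:14:05 fw01 kernel: Deny 192.168.0.2 -> 10.0.0.5 tcp/23",
    "Jan 10 09:15:11 srv01 sshd[412]: Failed Login for user jhammond from 192.168.0.9",
    "Jan 10 09:16:40 srv01 app: Write Data to /var/lib/app",
    "Jan 10 09:17:02 srv01 app: Read Data from /var/lib/app",
]
```

Calling search("tcp//22", SAMPLE_LOGS) finds the first line, whereas search("tcp/22", SAMPLE_LOGS) finds nothing because the unescaped slash swallows the character after it; that is the point of the escaping Tip. The parser compiles each query once into a closure, so the same query can be applied to a large message list without re-parsing.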
Step 3.2 - Graph and Diagram Event Data
In this Step, you will complete the following steps in the Event-Database Viewer.
• Generate a Graph to show all Events added to the default Events Database over the past
24 hours
• Generate an Event-Relationship Diagram to illustrate the communications between the
host systems involved in these Events
• Create an Event Ticket with which your organization can track related work
To complete this Step:
1. In the side bar, select Events > Event-Database Viewer.
2. To generate the Graph:
a. In the side bar of the Event-Database Viewer, expand Events > Graphs.
b. Under Graphs, select Last 24 Hours.
TLC generates and presents the graph in the main pane (see Figure 39 on the next page).
Figure 39. Last 24 Hours Graph in the Event-Database Viewer
3. To generate the Event-Relationship Diagram:
a. In the Graph, right-click a High Priority section of a bar (in red) and select View
related items from the right-click menu.
b. In the list of queried Events, select at least two (2) Events while holding the CTRL
key.
c. Click Diagram Events.
TLC presents the Event-Relationship Diagram in the main pane (see Figure 40 on
the next page). The diagram shows the communications between the host systems
with IP addresses in the Source IP address (Src IP) and Destination IP address
(Dst IP) fields of the selected Events. In a production environment, an Event-
Relationship Diagram may depict an unlimited number of hosts and communications.
d. To run a replay of the sequence of communications depicted in the diagram, move
your pointer over the Replay Events tab at the bottom of the workspace and click
Start. TLC highlights the diagram's arrows in the order in which the
communications occurred.
e. Close the Event Relationship tab.
Figure 40. An Event-Relationship Diagram
4. To create the Event Ticket:
a. In the side bar of the Event-Database Viewer, expand Events > Events >
Destination IPs.
b. In the Destination IPs group, select the IP address of your Linux Log Source.
c. Locate and select the Event for the creation of the twuser Linux user account
(completed in Step 3.1 - Query the Audit Logger for Evidence of System Activity on
page 71). To determine the user account associated with each Event, select the
Details tab at the bottom of the workspace (see Figure 41 on the next page).
d. In the button bar, click Assign selected items to Event Ticket > Create Ticket
to open the Ticket tab (see Figure 42 on page 77).
Figure 41. The Details tab
5. To complete and save the Event Ticket:
a. In the Name field, enter Unauthorized User Account.
b. From the Priority drop-down, select High.
c. From the Status drop-down, select New.
d. From the Assigned Group drop-down, select User Admin.
e. From the Ticket Group drop-down, select DMZ.
f. From the Category drop-down, select Suspicious Activity.
g. In the Description tab, enter:
Suspect user account created. Requires further investigation.
h. Click Save & Close.
Tip In the TLC Ticket Center, you can create, review, and update Event Tickets.
As needed, you can also modify the list of available values for any drop-down.
Figure 42. The completed Ticket tab
Step 3.3 - Identify Recurrent Issues
In this Step, you will:
• search for log messages saved in the Audit Logger over the past 30 days
• sort and group the log messages in the search results
• generate a pie chart to illustrate the five (5) most frequent names of log messages
collected by TLC
To complete this Step:
1. In the side bar, select Events > Audit Logger.
2. In the Audit Logger, select the Query tab.
3. To query the Audit Logger for log messages generated within the last 24 hours, complete
the following steps in the Search tab (see Figure 24 on page 55):
a. Select List Events - Processed from the Output drop-down.
b. From the two Assets drop-downs, accept the default values of IP Address and any.
c. From the Date and Time drop-down, select Newer/Older than.
d. From the Time Span drop-downs, select Newer than 30 Days.
e. Click Start.
TLC queries the Audit Logger File Store and normalizes the log messages generated
by the Windows and Linux systems within the past 30 days. TLC then presents the
Normalized Messages in the Query Results - Normalized Messages tab (see Figure
43 below).
Figure 43. The Query Results - Normalized Messages tab
4. To sort and group the messages in the Query Results - Normalized Messages tab:
a. Scroll to the right to locate the User column, and then click the User column header
(see Figure 44 below). TLC sorts the Normalized Messages by the user account that
performed the action.
Click the User column header again to reverse the order.
b. To group the messages by the TLC Normalization Rules that normalized the
messages, click-and-drag the Rule ID column header to the grouping region (see
Figure 44 below).
TLC groups the Normalized Messages by rule numbers (see Figure 45 on the next
page).
Tip To view the grouped messages, you may need to scroll to the left.
Figure 44. Grouping region above the Rule ID and User columns
Figure 45. Normalized Messages grouped by Rule ID
5. To generate the graph, complete the Query tab (see Figure 24 on page 55):
a. From the Output drop-down, select Graph Events - Processed.
b. From the Template drop-down, select Pie Chart.
c. From the Events per Query drop-down, select ALL.
In the Group tab at the bottom of the Query tab:
a. Click Add.
b. From the Column drop-down, select category.
In the Column tab:
a. Click Add.
b. From the Column Name drop-down, select category.
c. Click Add.
d. From the Column Name drop-down, select Count.
e. From the Sort Column drop-down, select Count.
Tip In the Column tab, you must add at least one column with a text format,
and another column with a numeric format. In this case, the category
column has a text value, while the Count column contains whole
numbers.
6. Click Start.
TLC queries the Audit Logger File Store and generates the Graph with the query results
(see Figure 46 below).
Tip With the buttons along the top of the Query Results - Graph tab, you can
modify and work with the graph. You can also customize the graph by right-
clicking a pie piece and selecting an option from the right-click menu.
Figure 46. The Query Results - Graph tab
7. To clear the fields in the Query tab, click the Clear Form button.
Step 3.4 - Generate a Report on Log-Message Data
In this Step, you will run an Audit Logger Report to show:
• the number of log messages collected on each day of the prior month
• the most common properties of those log messages
• further details about the log messages generated by each Log Source
To complete this Step:
1. In the side bar, select Events > Audit Logger.
2. In the Audit Logger, select the Query tab.
3. In the Query tab:
a. From the Output drop-down, select Report.
b. From the Report drop-down, select Events by Name - Detailed.
c. Click Start.
TLC presents the report output in the workspace (see Figure 47 below). With the
buttons along the top of the Report tab, you can review, print, re-format, save, and e-
mail the Report.
Figure 47. The output of the Audit Logger Report
Scenario 4. Correlating SSH Logon Events
When you configured Tripwire Log Center (TLC), you assigned the Correlation Engine as an
Output Destination for your Windows Asset and Linux Asset (Step 7. Create and Configure your
Assets on page 32). Consequently, if TLC normalizes a log message from these Log Sources, the
Normalization Engine forwards the Normalized Message to the Correlation Engine. To identify
events of interest, the Correlation Engine applies Correlation Rules to the Normalized
Messages.
Each Correlation Rule in TLC is constructed with a flowchart containing the following
components:
• An Input specifying the source of Normalized Messages to be correlated by the rule (for
example, the Collector that collected the original log message). If the message originated
with the specified Input, the Correlation Engine applies the rule's Decisions to the
message.
• One or more Decisions. Each Decision defines criteria to evaluate each Normalized
Message processed by the rule.
• One or more Outputs. An Output is a response to any Normalized Message that satisfies
the criteria specified by the rule's Decisions.
A Correlated Event is an event of interest identified by the Correlation Engine. If a
Normalized Message satisfies the Decisions in a Correlation Rule, the Correlation Engine
creates a Correlated Event and initiates the response(s) defined by the rule's Output(s). An
Output can be any of the following actions:
• Saving the Correlated Event in an Event-Management Database
• Creating an Event Ticket in the Ticket Center
• Running an Action
TLC includes an extensive set of pre-defined Inputs, Decisions, and Outputs. You can also
create custom Decisions to suit your organization's needs, as you did in Scenario 2. Monitoring
and Reporting System Activity on page 61.
In this Scenario, you will create a Correlation Rule and then query the Events Database for
Correlated Events created by the new rule.
Step 4.1 - Create a Correlation List
In this Step, you will create a Correlation List to be used in a Decision in the Correlation Rule
you will create in Step 4.2 - Create a Correlation Rule on the next page. The list will consist of
the following user accounts on your Linux Log Source: root, twadmin, sysadmin, and superuser.
To complete this Step:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Correlation > Lists.
3. Click Add.
TLC opens the List tab.
4. In the List tab:
a. Enter Linux User Accounts in the Name field.
b. From the 'Field type' drop-down, select User.
5. Add the root, twadmin, sysadmin, and superuser accounts to the Correlation List.
To add each account:
a. Click Add to add a row to the list.
b. In the row's Value field, enter the user account.
Figure 48 below shows the Correlation List with all four user accounts.
Figure 48. The Correlation List with the Linux user accounts
6. Click Save to close the List tab.
7. To push updates to your Manager:
a. In the side bar of the Configuration Manager, select Resources >
Managers.
b. In the main pane, select the Manager's table row by clicking the arrow to the left of
the row.
c. Click Push Updates to Manager.
Step 4.2 - Create a Correlation Rule
In this Step, you will create a Correlation Rule consisting of:
• an Input for Events collected by the Manager’s Network Collector
• the Decision for High Priority Events created in Scenario 2. Monitoring and Reporting
System Activity on page 61
• two (2) Outputs; one for the default Event Database, and another for the Email Action
created when you configured TLC (see Step 10. Create an Email Action on page 39)
With this rule, TLC will save an Event in the default Event Database and run the Email Action
if the Event has 1) a High Priority, and 2) a field with one of the user accounts specified by the
Correlation List created in Step 4.1 - Create a Correlation List on the previous page.
To create the Correlation Rule:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Correlation > Rules.
In the workspace, TLC presents a list of all Correlation Rules in your TLC environment.
3. In the side bar of the Configuration Manager, expand the Rules group to see the existing
Correlation-Rule Groups in your TLC environment.
4. Click Add.
TLC opens the Correlation Rule tab.
5. In the Rule Settings tab (see Figure 49 below) at the bottom of the Correlation Rule tab:
a. Enter SSH Login Detection in the Name field.
b. From the Group drop-down, select Authentication.
Note The Correlation Rule will create a Correlated Event for any failed login
attempt. However, if you 1) select one or more fields in the Track
Event By region, and 2) enter a value in the Suppress field of the
Decision Settings tab (see below), the rule would only create a
Correlated Event when the number of failed logins exceeds the value
entered in the Suppress field.
Figure 49. The Rule Settings tab
6. Select the Correlation Engine tab and select the Enabled check box for your Manager's
Correlation Engine.
7. To add the Network Collector as the rule's Input:
a. Expand Inputs > Collectors > TLC Network Collector in the side bar.
b. Drag-and-drop the TLC Network Collector from the TLC Network Collector
group to the workspace.
Tips The button bar at the top of the workspace contains a number of helpful
buttons. For example, the Zoom buttons adjust the magnification of the
workspace, and the Save button will save your work.
8. To add the High Priority Events Decision:
a. Expand Decisions > System Security in the side bar.
b. Drag-and-drop the High Priority Events Decision from the System Security group
to the workspace, and position it directly below the Network Collector Input (see
Figure 50 below).
Figure 50. The new rule with an Input and Decision
9. To add a criterion to the Decision, complete the following steps in the Decision Settings
tab (see Figure 51 on the next page):
a. With the Decision selected in the workspace, click Add to add a new table row
to the tab.
b. From the Type drop-down in the new row, select User.
c. From the Condition drop-down, select =.
d. From the Value drop-down, select LIST: Linux User Accounts.
Note Figure 54 on page 90 shows the Correlation Rule in its final form.
Figure 51. The Decision Settings tab with the new criterion
10. To connect the Input with the Decision, draw a connector between these two building
blocks (see Figure 52 below).
a. In the workspace, select the Input.
b. Click the mid-point on the bottom border of the Input and drag to the top point of the
Decision diamond.
Figure 52. The Input and Decision with a connector
11. To add the default Event Database as an Output:
a. Expand Outputs > Databases in the side bar.
b. Drag-and-drop the Events database from the Databases group to the workspace, and
position the Output to the lower-left of the High Priority Events Decision.
c. Draw a connector between the Decision and the Output.
12. To add the Email Action created in Step 10. Create an Email Action on page 39 as an
Output:
a. Expand Outputs > Actions in the side bar.
b. Drag-and-drop the Email to me Action from the Actions group to the workspace,
and position the Output to the lower-right of the High Priority Events Decision.
c. Draw a connector between the Decision and the Output.
13. To configure the Email Action Output, select the Output in the workspace and complete
the following steps in the Action Settings tab:
a. In the 'Message content' field, delete <evt_name>.
b. From the 'Content values' drop-down, select User and click Insert.
TLC adds <evt_user> to the 'Message content' field.
c. In the 'Email subject' line, enter:
Privileged user account added
d. In the 'Message content' field, enter the following sentence after <evt_user> (see Figure 53 below):
This privileged user account has been added to the Linux Log Source.
The 'Message content' will appear as the content of email messages sent by TLC
when an Event contains a field with a user account specified by the Correlation List
in the Decision.
Figure 53. The Action Settings tab
14. The rule's process flow should now match Figure 54 on the next page. When you are
satisfied with your work, click Save and Exit to close the Correlation Rule tab.
Figure 54. The completed Correlation Rule
15. To push updates to your Manager:
a. In the side bar of the Configuration Manager, select Resources >
Managers.
b. In the main pane, select the Manager's table row by clicking the arrow to the left of
the row.
c. Click Push Updates to Manager.
16. Close the Configuration Manager.
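The Python below is an added example, not code from the guide or from Tripwire Log Center, that models the rule just built in Step 4.2 together with the Input, Decision and Output components described at the start of this Scenario: the Input is the collector a message arrived through, the Decision holds '=' criteria whose Value is either a literal or a Correlation List, and the two Outputs are a database save and an Email Action whose '<evt_user>' content value is substituted from the message. It also models the Track Event By / Suppress behaviour mentioned in the Note under step 5 as a per-key counter, and the Step 4.3 change of the User criterion to a single value. The flat-dictionary message shape, the field names (collector, priority, user, src_ip), the counter-based Suppress semantics and the sample messages are all assumptions of this example, not documented TLC behaviour.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple, Union

Message = Dict[str, str]              # a Normalized Message, modelled as field -> value (assumption)
Output = Callable[[Message], None]    # an Output is any action run for a Correlated Event


@dataclass
class Criterion:
    """One row of the Decision Settings tab (Type, '=' Condition, Value). The value is a
    literal string or a frozenset standing in for a Correlation List ('LIST: ...')."""
    field_name: str
    value: Union[str, frozenset]

    def holds(self, msg: Message) -> bool:
        actual = msg.get(self.field_name)
        return actual in self.value if isinstance(self.value, frozenset) else actual == self.value


@dataclass
class Decision:
    name: str
    criteria: List[Criterion]

    def evaluate(self, msg: Message) -> bool:
        return all(c.holds(msg) for c in self.criteria)


@dataclass
class CorrelationRule:
    name: str
    input_collector: str                 # the rule's Input
    decisions: List[Decision]
    outputs: List[Output]
    track_by: Tuple[str, ...] = ()       # 'Track Event By' fields (optional)
    suppress: int = 0                    # 'Suppress' threshold (optional)
    _counts: Dict[tuple, int] = field(default_factory=lambda: defaultdict(int))

    def process(self, msg: Message) -> bool:
        """Return True when the message becomes a Correlated Event and the Outputs ran."""
        if msg.get("collector") != self.input_collector:
            return False                 # did not come from the rule's Input
        if not all(d.evaluate(msg) for d in self.decisions):
            return False                 # a Decision rejected the message
        if self.track_by:                # Suppress semantics as modelled here (assumption)
            key = tuple(msg.get(f) for f in self.track_by)
            self._counts[key] += 1
            if self._counts[key] <= self.suppress:
                return False
        for out in self.outputs:
            out(msg)
        return True


def save_to_database(db: List[Message]) -> Output:
    return lambda msg: db.append(dict(msg))


def email_action(subject: str, content: str, outbox: List[Dict[str, str]]) -> Output:
    """Replace <evt_field> placeholders with message fields, like the Email Action's content values."""
    def send(msg: Message) -> None:
        body = re.sub(r"<evt_(\w+)>", lambda m: msg.get(m.group(1), ""), content)
        outbox.append({"subject": subject, "body": body})
    return send


LINUX_USER_ACCOUNTS = frozenset({"root", "twadmin", "sysadmin", "superuser"})   # the Correlation List


def build_ssh_login_rule(user_value, db: List[Message], outbox: list) -> CorrelationRule:
    """The 'SSH Login Detection' rule of Step 4.2; pass "twadmin" for the Step 4.3 variant."""
    decision = Decision("High Priority Events",
                        [Criterion("priority", "High"), Criterion("user", user_value)])
    email = email_action("Privileged user account added",
                         "<evt_user> This privileged user account has been added to the Linux Log Source.",
                         outbox)
    return CorrelationRule("SSH Login Detection", "TLC Network Collector", [decision],
                           [save_to_database(db), email])


# Constructed sample Normalized Messages (not real TLC output).
SAMPLE_MESSAGES: List[Message] = [
    {"collector": "TLC Network Collector", "priority": "High", "user": "root",    "src_ip": "192.168.0.9"},
    {"collector": "TLC Network Collector", "priority": "Low",  "user": "root",    "src_ip": "192.168.0.9"},
    {"collector": "TLC Network Collector", "priority": "High", "user": "twuser",  "src_ip": "192.168.0.9"},
    {"collector": "Other Collector",       "priority": "High", "user": "twadmin", "src_ip": "192.168.0.9"},
    {"collector": "TLC Network Collector", "priority": "High", "user": "twadmin", "src_ip": "192.168.0.9"},
]


def run_rule(user_value) -> Tuple[List[Message], list]:
    """Feed the samples through the rule; return the Event Database and the email outbox."""
    db, outbox = [], []
    rule = build_ssh_login_rule(user_value, db, outbox)
    for msg in SAMPLE_MESSAGES:
        rule.process(msg)
    return db, outbox


def run_suppress_demo(threshold: int) -> int:
    """Send the same High Priority message four times with Track Event By = (user, src_ip)."""
    rule = build_ssh_login_rule(LINUX_USER_ACCOUNTS, [], [])
    rule.track_by, rule.suppress = ("user", "src_ip"), threshold
    return sum(rule.process(SAMPLE_MESSAGES[0]) for _ in range(4))
```

With the Correlation List as the User value, run_rule(LINUX_USER_ACCOUNTS) saves two Correlated Events (root and twadmin) and sends two emails; the Low Priority message, the twuser message and the message from another collector are all rejected, each at a different stage of process(). With "twadmin" as the value, as in Step 4.3, only the last sample fires. run_suppress_demo(2) shows the tracked counter: the same message fires only from its third occurrence on.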
Step 4.3 - Analyze Correlated Events in the Event-Database Viewer
In this Step, you will:
• log in to your Linux Log Source via SSH to prompt the creation of a Correlated Event with
the Correlation Rule added in Step 4.2 - Create a Correlation Rule on page 85
• review the properties of the Correlated Event in the Event-Database Viewer
• adjust the Correlation Rule so it only creates Correlated Events when the twadmin user
account logs in to the Linux Log Source
• log in to your Linux Log Source with the twadmin user account, and then log in with the
twuser account
• open the Real-Time Event Viewer to verify that TLC collected a log message for the
logon by the twadmin user account, but not the twuser account
To complete this Step:
1. Log in to your Linux Log Source via SSH with the twadmin user account to create the Correlated Event.
2. To query the Events Database for the Correlated Event:
a. In the side bar, select Events > Event-Database Viewer to open the Event-
Database Viewer.
b. In the side bar of the Event-Database Viewer, select Events > Events > Priorities.
TLC presents a pie chart showing the number of Events in the database for each
Priority.
c. Right-click the pie piece for High Priorities, and select View related items (see
Figure 55 below).
TLC presents a list of all Events with a High Priority in the database.
Figure 55. 'View related items' command for High Priorities
3. To adjust the Correlation Rule:
a. In the side bar, select Resources > Configuration Manager.
b. In the side bar of the Configuration Manager, select Correlation > Rules >
Authentication.
c. In the workspace, double-click SSH Login Detection.
d. In the Correlation Rule tab, select the High Priority Events Decision.
e. In the Decision Settings tab (see Figure 56 below), change the Value of the User
line from the Correlation List to "twadmin."
f. Click Save and Exit to close the Correlation Rule tab.
Figure 56. Decision Settings tab
4. To push updates to your Manager:
a. In the side bar of the Configuration Manager, select Resources >
Managers.
b. In the main pane, select the Manager's table row by clicking the arrow to the left of
the row.
c. Click Push Updates to Manager.
5. In the side bar, select Events > Real-Time Event Viewer.
6. In the Real-Time Event Viewer, complete the following steps.
a. In the IP-address filter field, enter the IP address of your Linux Log Source.
b. From the Collector drop-down, select TLC Network Collector.
c. Select the Wrap text check box and click Start.
TLC begins displaying log messages from your Linux Log Source in real time.
7. On the Linux Log Source:
a. Log in and out with the twadmin user account.
b. Log in and out with the twuser account.
8. Monitor the Real-Time Event Viewer in TLC. You should see log messages for the logon
events by the twadmin user account (see Figure 57 below).
Note As needed, you can use the Real-Time Event Viewer to verify collection of
log messages from any Log Source in your TLC environment.
Figure 57. Real-Time Event Viewer with log messages for twadmin logon event
9. Click Stop and close the Real-Time Event Viewer.
Step 4.4 - Generate a Report on User-Logon Activity
To complete this Scenario, you will open the Report Center and run a Report to analyze the
logon events for each user account on your Linux Log Source.
To complete this Step:
1. In the side bar, select Events > Report Center.
2. In the side bar of the Report Center:
a. From the Database drop-down, select Events.
b. Select Standard Reports > Events by User.
c. From the 'Time filter' drop-down, select 30 Days.
d. Click Run Report.
TLC presents the report output in the workspace (see Figure 58 below). The output
includes:
• A pie chart showing the most common hosts on which events occurred over the
previous 30 days,
• A pie chart showing the user accounts most frequently involved in those events, and
• All logon events grouped by user account.
Figure 58. Output of the Events by User Report
Chapter 4. Summary
Evaluation Guide Summary
In this evaluation, you learned how Tripwire Log Center (TLC) handles:
• Installation and configuration. To begin the evaluation, you successfully installed and
configured TLC. In addition, you learned how to customize and work with your
TLC Console.
• Log management. In the Real-Time Event Viewer, you monitored the collection of log
messages from your Log Sources in real time. With the Audit Logger, you queried log
messages saved in your Audit Logger File Store, and generated informative graphs and
reports.
• Event management. From the Tripwire Web site, you downloaded and imported pre-
defined Normalization Rules with which TLC normalizes log messages. In the
Configuration Manager, you created an Email Action and Correlation List. With these
'building blocks,' you then designed a new Correlation Rule to define criteria that
determine if Normalized Messages are saved as Events in the default Event Database.
You also queried, graphed, and analyzed your Event data with the Event-Database
Viewer.
• Data analysis. In addition to analyzing data in the Audit Logger and Event-Database
Viewer, you created a Layout in the Dashboard and ran a Report in the Report Center.
This concludes the TLC evaluation. For more information about TLC, visit the Tripwire
Customer Center:
www.tripwire.com/customers
Professional Services
From initial planning through post-deployment operation of your Tripwire Log Center (TLC)
implementation, Tripwire Professional Services can assist you every step of the way. Our team
can help you devise the perfect plan to achieve your goals with TLC. We can then continue to
assist you with extensive deployment and post-deployment services.
The Professional Services team offers the following services:
• Deployment Services enable you to swiftly put TLC to work. From pre-deployment
planning to customization, we assure that TLC is up and running as quickly and
effectively as possible.
• Post-Deployment Services have been designed with your specific needs in mind. With
Post-Deployment Services, our team of experts can make our solutions work harder for
you and deliver greater value in many different ways.
• Professional Services ensure that you benefit fully from your investment in TLC. Our
team of experts will work directly with your organization to address challenges in any of
the following areas:
- Audit and compliance preparedness
- Change and configuration management
- Security enforcement
- Best practices and process improvement
For more information, visit the Tripwire Professional Services Web site:
www.tripwire.com/services
Contact Us
We look forward to showing you more ways in which Tripwire Log Center can assist you. For
further information, please contact us at:
E-mail: [email protected]
Phone: 1-800-TRIPWIRE (1-800-874-7947)
Tripwire Log Center Glossary
Action
A TLC object that initiates a response to Correlated Events created by Correlation Rules.
Administration Manager
In this page, you can manage the user accounts, user groups, permissions, and Global Settings for your
TLC environment.
Administrative Task
A type of Task that performs an administrative operation on specified data in an Event-Management Database.
Types of Administrative Tasks include Archive, Copy, and Delete Tasks.
Advanced File Collector
A type of Collector that collects log messages from log-generating applications running on a VIA Agent
host system via the Secure Sockets Layer (SSL) protocol.
Advanced Windows Collector
A type of Collector that collects log messages from Windows Event Logs on VIA Agent systems via the
Secure Sockets Layer (SSL) protocol.
Agent
See Tripwire VIA Agent.
Alias
A custom variable that represents a partial or complete regular expression.
Archive Task
A type of Administrative Task that moves specified data from one Event-Management Database to
another.
Asset
An object in TLC that represents a Log Source from which TLC collects log messages directly.
Audit Logger
The TLC Console component in which you can work with the log messages collected by TLC.
Audit Logger File Store
Consists of a series of compressed flat files containing the log messages collected by the Manager from
Log Sources, and an index of terms contained in the log messages.
Auto-Discovery
An automated process by which TLC creates an Asset for an unknown Log Source that generated a log
message collected by TLC.
Check Point Collector
A type of Collector that listens for log messages from a Check Point Manager.
Cisco IDS Collector
A type of Collector that gathers log messages from Cisco IDS sensors.
Classification
The process of categorizing log messages with Classification Tags.
Classification Tag
Defines a string to classify similar log messages archived in the Audit Logger File Store.
Classification Tag Set
A group of Tripwire-defined or user-defined Classification Tags.
Clean-Up Utility
A component of the Normalization Engine that standardizes the format of each name-value pair in log
messages.
Collection
The gathering or receipt of log messages from Log Sources.
Collector
A TLC module that gathers or receives log messages from Log Sources.
Configuration Diagram Layout Panel
A type of Layout Panel that displays a diagram of the Log Sources, Collectors, Managers, Audit Loggers,
Correlation Engines, and Event-Management Databases in your TLC environment.
Configuration Manager
In the Configuration Manager, you can create and configure TLC Resources (Assets, Asset Groups,
Managers, Locations, Event-Management Databases), normalization objects (Normalization Rules, Aliases,
and Normalized-Message Filters), and correlation objects (Correlation Engines, Rules, Lists, and
Actions).
Copy Task
A type of Administrative Task that copies specified data from one Event-Management Database to
another.
Correlated Event
An event of interest identified by the Correlation Engine.
Correlation
The examination of Normalized Messages for events of interest, along with the ability to initiate
appropriate responses; for example, sending an email notification to specified recipients.
Correlation Engine
The component of your Primary Manager responsible for identifying events of interest. To correlate
events, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the
Normalization Engine.
Correlation List
A list of values that may be used to define a condition in a Decision.
Correlation Rule
Constructed with a flowchart consisting of an Input, Decision(s), and Output(s), a Correlation Rule
correlates log messages to identify events of interest.
Custom Command
A command that users can run when they select a field or a row in a table in the TLC Console.
Dashboard
A TLC Console component that presents information about a Manager or Event-Management Database in
a Layout.
Database Collector
A type of Collector that gathers log messages from an application that logs to an External Database.
Database Layout
A type of Layout that presents information about the Events in a selected Event-Management Database.
Database Viewer
A TLC Console component in which you can review information about Events in Event-Management
Databases. Types of Database Viewers include the Event-Database Viewer, IDS-Database Viewer, and
Firewall-Database Viewer.
Decision
A component of a Correlation Rule, a Decision defines a condition that determines if the rule continues
correlating a log message.
Delete Task
A type of Administrative Task that removes specified data from an Event-Management Database.
Dynamic Correlation List
A Correlation List consisting of items that are automatically updated by TLC when related data is changed
on another system; for example, user logins on an Active Directory server.
Email Action
A type of Action that sends an email notification to specified recipients.
Event
1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a.
Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message'
collected from a Log Source.
Event Database
A type of Event-Management Database that stores Events from any Log Source and/or scanner.
Event Management
To normalize and correlate log messages to identify events of interest, TLC uses the Normalization Rules
and Correlation Rules in the Configuration Manager. As appropriate, you may configure your Correlation
Rules to save log messages as Events in Event-Management Databases. In the TLC Console, you can then
review and query these Events in the appropriate Database Viewer.
Event Ticket
A work ticket for an Event in an Event-Management Database.
Event-Database Viewer
A type of Database Viewer in which you can query and work with the data in your Event Databases.
Event-Management Database
An optional component of your TLC environment, an Event-Management Database stores Events. Types
of Event-Management Databases include Event Databases, IDS Databases, and Firewall Databases.
Event-Relationship Diagram
A TLC-generated diagram depicting the series of communications between systems involved in two or
more Events.
File Collector
A type of Collector that gathers log messages from Log Sources that store messages in an ASCII log file.
Firewall Database
A type of Event-Management Database that stores Events from firewalls.
Firewall-Database Viewer
A type of Database Viewer in which you can query and work with the data in your Firewall Databases.
Forwarding Destination
A third-party, log-archive tool to which log messages are forwarded by the Log-Message Forwarding
feature.
Graph Task
A type of Search Task that queries an Event-Management Database and presents the results in a graph.
Host
1. A Log Source or a system involved in an Event. 2. A system on which TLC Manager, TLC Console, or
Event-Management Database software is installed.
IDS Database
A type of Event-Management Database that stores Events from IDS and IPS devices.
IDS-Database Viewer
A type of Database Viewer in which you can query and work with the data in your IDS Databases.
Internet Tools
A TLC Console component in which you can run queries with conventional utilities to gather information
about Hosts (e.g. NSLookup, Ping, Traceroute, and Whois).
IP Tag
A TLC object that applies highlighting to specified IP addresses when the addresses are displayed in a list
in the TLC Console.
Layout
1. A customizable configuration of panels containing fields, tables, and/or graphs. 2. The configuration and
formatting of a table or Event-Relationship Diagram.
Layout Panel
A component of a Layout. Types of Layout Panels include Configuration Diagram, Map, Text, Time
Graph, and Top Graph.
Layout-Panel Task
A type of Task that creates a Layout Panel that may be added to a Manager Layout or Database Layout.
List Task
A type of Search Task that queries an Event-Management Database and presents the results in a table.
Location
A custom category used to classify Assets by geography.
Log Management
TLC saves collected log messages in the Audit Logger File Store. In the TLC Console's Audit Logger,
you can review and query the log messages in the file store.
log message
A data record generated by a Log Source and collected by TLC.
Log Source
Any log-generating application, operating-system service, database instance, or device from which TLC
collects log messages.
Log-Message Forwarding
A TLC feature used to forward copies of log messages to one or more third-party, log-archive tools
(known as Forwarding Destinations).
Manager Layout
A type of Layout that presents information about 1) a selected Manager's system resources and
configuration, and 2) the log messages collected by the Manager's Collectors.
Map Layout Panel
A type of Layout Panel that displays the geographic locations of IP addresses on a map.
Network Collector
A type of Collector that listens for Syslog and SNMP-based log messages from network devices.
Normalization
The process of standardizing log messages for use by TLC. Standardized messages are known as
Normalized Messages.
Normalization Engine
The component of your Primary Manager responsible for normalizing log messages.
Normalization Rule
Defines a regular expression that can be used to normalize log messages generated by a specific type of
Log Source.
Normalized Message
A log message that has been normalized by TLC.
Normalized-Message Filter
A TLC object that defines a condition(s) to prevent TLC from forwarding some log messages to a
specified Event-Management Database(s) or Correlation Engine(s).
Notification Action
A type of Action that creates a Notification in the Notifications dialog of the TLC Console.
Oracle Database Collector
A type of Collector that gathers log messages from Oracle database audit logs.
Output Destination
Assigned to an Asset, an Output Destination is either the Audit Logger, an Event-Management Database,
or a Correlation Engine that correlates Normalized Messages.
Parsing Utility
A component of the Normalization Engine that parses each name-value pair in log messages.
Primary Manager
Each TLC environment has a single Primary Manager that controls: 1. The archiving of log messages in
the Audit Logger File Store and Events in Event-Management Databases, 2. The configuration settings for
your TLC environment, and 3. User access and license management for TLC.
Real-Time Event Viewer
A TLC Console component that displays log messages as they are collected by TLC.
Report Task
A type of Search Task that queries an Event-Management Database and compiles the results in a PDF
report file.
scanner
A device that monitors systems in your TLC environment (for example, a vulnerability scanner).
Scanner Event
An Event created when you import data from a scanner to an Event Database.
Scheduled Task
Created in the Task Scheduler, a Scheduled Task defines a schedule for TLC to run: 1. A Copy Task,
Delete Task, Archive Task, or Report Task. 2. A Saved Query that generates an Audit Logger Report.
Script Action
A type of Action that runs a Windows command.
Search Task
A type of Task that performs a query of data in an Event-Management Database. Types of Search Tasks
include List, Graph, and Report Tasks.
Secondary Manager
Your TLC environment may also include one or more Secondary Managers that may be configured to
either: 1. Archive log messages (as with a Primary Manager), or 2. Forward log messages to another
Manager.
Syslog Action
A type of Action that sends a Syslog message to a specified Syslog server.
System Database
Installed on your Primary Manager, the System Database stores a record of all user logins and logouts, as
well as all TLC objects defined in the TLC Console; for example, Assets, Normalization Rules, and Event
Tickets.
Task
Created and configured in the Task Manager, a Task queries Events, Hosts, or Scanner Events in an
Event-Management Database to perform an operation. Types of Tasks include Layout-Panel,
Administrative, and Search Tasks.
Text Layout Panel
A type of Layout Panel that presents data in a table.
Ticket Center
The TLC Console component that is a complete ticketing and incident-handling system.
Time Graph Layout Panel
A type of Layout Panel that presents a timeline of log messages or Events in a graph.
TLC Console
1. Tripwire Log Center Console is the software for the TLC graphic user interface (GUI), or 2. The
Tripwire Log Center GUI. Through the TLC Console, you can configure TLC, oversee your TLC
environment, and manage log and event data.
TLC Console host
A system on which TLC Console software has been installed.
TLC environment
Consists of all TLC software, Managers, Log Sources, Assets, Collectors, and data in your TLC
installation.
TLC Manager
Tripwire Log Center Manager is the core software in your TLC environment. TLC Manager collects and
processes log messages from a wide variety of systems and devices.
TLC Manager Interface
The graphic user interface (GUI) for TLC Manager.
Top Graph Layout Panel
A type of Layout Panel that displays the Top N items in a graph or chart.
Tripwire VIA Agent
A service that may be installed on a Windows or Linux system to collect log messages from any
log-generating application running on the system. When installed on a Windows system, VIA Agent can
also collect the system's Windows Event Logs via the Secure Sockets Layer (SSL) protocol.
Tripwire VIA Agent Bridge
A component of TLC Manager through which VIA Agents deliver log messages to TLC.
User Account
A TLC object that provides a user with a collection of User Permissions to work with TLC.
User Group
A collection of User Accounts.
User Permission
A system authorization that enables a user to view, create, or otherwise modify data in TLC.
vulnerability
A potential security weakness identified by a vulnerability scanner. In an Event Database, you can import
or collect vulnerabilities detected by a scanner.
Vulnerability Event
An event imported from a vulnerability scanner.
WinLog Collector
A type of Collector that collects log messages from Windows Event Logs via the Windows Management
Instrumentation (WMI) protocol.
Index
A
Actions: creating an Email Action 39; types 39
Administration Manager: in TLC Console 22
Administrative Tasks: defined 48
Advanced File Collectors: defined 30
Advanced Windows Collector: configuring 30
Advanced Windows Collectors: defined 30
analyzing: event data with the Dashboard 62; system activity 71; system activity with Event-Database Viewer 73
Archive Tasks: defined 48
Asset Groups: assigning Normalization Rules to 25; configuring 25
Assets: creating 32; defined 14
assigning: Correlation Rules to the Correlation Engine 37; Normalization Rules to your Asset Groups 25
Audit Logger: cache 42; defined 14; File Store 42; generating a Report 81; Graph 81; in TLC Console 22; output of Report 82; query-syntax characters 73; Query Results - Normalized Messages tab 56, 72, 78; Query tab 55; Raw Logs tab 59; reviewing the Audit Logger directory 42; search and graph data 77; searching for log messages 71
Audit Logger File Store: defined 42
B
button bar: buttons 22
buttons: in button bar 22; in side bar 22
C
Check Point Collector: defined 30
Cisco IDS Collector: defined 30
collection: about 14; confirming log-message collection 36; diagram 15
Collectors: configuring the Advanced Windows Collector 30; configuring the Network Collector 30; defined 14, 30; types 30; verifying installation 42
Configuration Diagram Layout Panels: defined 47
Configuration Manager: in TLC Console 22
configuring: Asset Groups 25; Collectors 30; Log Sources 18; Tripwire Log Center 18; Windows Asset 33; your TLC Console 21
Copy Tasks: defined 48
Correlated Events: analyzing 90; defined 83
correlating: SSH login events 83
correlation: about 14; diagram 15
Correlation Engine: assigning Correlation Rules to 37; defined 14, 37
Correlation Lists: creating 84
Correlation Rules: assigning to Correlation Engine 37; completed logic flow 90; creating 85
creating: a Correlation List 84; a Correlation Rule 85; Actions 39; Assets 32; Layouts 47; Linux Asset 34
Custom Commands: defined 52; dialog 54
D
Dashboard: about 47; analyzing event data with 62; creating Layouts 47; defined 47; in TLC Console 22; with Events Overview Layout 63
Database Collector: defined 30
Database Layouts: defined 47
Database Viewers: defined 61
databases: see Event-Management Databases 61
Delete Tasks: defined 48
detecting: a 'Brute Force Attack' 57; unauthorized user activity 52; user activity 52
E
Email Actions: creating 39; defined 39
Evaluation Guide: about 12; summary 96
Event-Database Viewer: analyze system activity with 73; analyzing Correlated Events in 90; defined 61; Graph 74; in TLC Console 22; with Event-Relationship Diagram 75
Event-Management Databases: defined 14, 61; installing database software 17; types 61
Event-Relationship Diagrams: in Event-Database Viewer 75
Event Databases: defined 61
Event Framework: see Event-Database Viewer 61
Event Tickets: Details tab 76; Ticket tab 77
Events: analyzing Correlated Events in the Event-Database Viewer 90; defined 14, 61; for simulated 'Brute Force Attack' in Report output 69; generating a Report for 66
F
File Collector: defined 30
Firewall-Database Viewer: defined 61
Firewall Databases: defined 61
G
generating: a Report 66; a User Login Report 93
Graph Tasks: defined 48
Graphs: in Audit Logger 77, 81; in Event-Database Viewer 74
I
IDS-Database Viewer: defined 61
IDS Databases: defined 61
importing: the latest Normalization Rules 24
installing: Event-Management Database software 17; TLC 17; VIA Agent on a Windows system 18
L
Layout-Panel Tasks: defined 48
Layout Panels: in a Layout 64; types 47
Layouts: about 47; creating 47; Events Overview Layout in the Dashboard 63; types 47; with Layout Panels 64
Linux Asset: creating and configuring 34
List Tasks: defined 48
log messages: confirming collection of 36; diagram of collection, normalization, and correlation 15; displayed in Real-Time Event Viewer 53; in Audit Logger Query Results - Normalized Messages tab 72; in Audit Logger Raw Logs tab 59; login event in Real-Time Event Viewer 93; searching in Audit Logger 71
Log Sources: configuring 18; defined 14
M
Manager Layouts: defined 47
Managers: about Primary and Secondary Managers 17; pushing updates 32
Map Layout Panels: defined 47
monitoring: system activity 61
N
Network Collector: configuring 30; defined 30
normalization: about 14; defined 14; diagram 15
Normalization Engine: defined 14
Normalization Rules: assigning to Asset Groups 25; defined 14; importing 24; Rule Editor 46; viewing regular expression defined by 44
Normalized-Message Filters: defined 14
Normalized Messages: in Audit Logger 'Query Results - Normalized Messages' tab 56; in Audit Logger Query Results - Normalized Messages tab 78
Notification Actions: defined 39
O
Oracle Database Collectors: defined 30
P
Priorities: defined 61
push updates: and Managers 32
Q
queries: syntax characters in Audit Logger 73
R
Real-Time Event Viewer: defined 14; in TLC Console 22; with displayed log messages 53; with log message for login event 93
regular expressions: and Normalization Rules 44
Report Center: in TLC Console 22
Report Tasks: defined 48
reporting: system activity 61
Reports: generating a Report in the Audit Logger 81; generating a Report on Event data 66; generating a User Login Report 93; new Report in Task Manager 67; output of a Report in the Report Center 94; output of an Audit Logger Report 82; output of System Activity by Classification Report 68; output with Events for simulated 'Brute Force Attack' 69; Watermark dialog 70
responding: to unauthorized user activity 52
S
Scenarios: analyzing system activity 71; correlating SSH login events 83; detecting user activity 52; monitoring and reporting system activity 61
Script Actions: defined 39
Search Tasks: defined 48
searching: Audit Logger 77; for log messages in the Audit Logger 71
side bar: buttons 22
SSH login events: correlating 83
summary: of Evaluation Guide 96
syntax: characters for Audit Logger queries 73
Syslog Actions: defined 39
system activity: analyze with Event-Database Viewer 73; analyzing 71; monitoring and reporting 61
System Database: about 61
T
Task Manager: in TLC Console 22; with auto-created search filter 65; with new Report 67
Tasks: types 48
Text Layout Panels: defined 47
Ticket Center: in TLC Console 22
Time Graph Layout Panels: defined 47
TLC: about 13; about collection, normalization, and correlation 14; about the evaluation 12; components 22; configuring 18; defined 13; diagram of log-message collection, normalization, and correlation 15; installing 17
TLC Console: configuring 21; defined 13; diagram of components 21; working with 42
TLC Manager: defined 13
Top Graph Layout Panels: defined 47
Tripwire Log Center: see TLC 13
Tripwire Log Center Console: see TLC Console 13
Tripwire Log Center Evaluation Guide: chapters in 7
Tripwire Log Center Manager: see TLC Manager 13
Tripwire VIA Agent: see VIA Agent 13
U
user activity: detecting 52
V
VIA Agent: defined 13; installing on Windows system 18
W
Windows Asset: configuring 33
WinLog Collector: defined 30
working: with the TLC Console 42