TRIPWIRE LOG CENTER 7.0 EVALUATION GUIDE


© 2003-2013 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. All other brand or product names may be trademarks or registered trademarks of their respective companies or organizations.

Tripwire, Inc.

One Main Place

101 SW Main St., Suite 1500

Portland, OR 97204

US Toll-free: 1.800.TRIPWIRE

main: 1.503.276.7500

fax: 1.503.223.0182

http://www.tripwire.com

[email protected]

TW1139-02


Contents

About This Guide 7
  Overview 7
  Document List 8
  Document Conventions 9
  Contact Information 10

Chapter 1. Overview 11
  About the TLC Evaluation 12
  What is Tripwire Log Center? 13
  How does TLC collect, normalize, and correlate log messages? 14

Chapter 2. Installation and Configuration 16
  Installing Tripwire Log Center 17
  Configuring Tripwire Log Center 18
    Step 1. Configure your Log Sources 18
    Step 2. Configure your TLC Console 21
    Step 3. Import the Latest Normalization Rules 24
    Step 4. Configure your Asset Groups 25
    Step 5. Configure your Collectors 30
    Step 6. Push Updates to your Manager 32
    Step 7. Create and Configure your Assets 32
    Step 8. Confirm Log-Message Collection 36
    Step 9. Assign Correlation Rules to the Correlation Engine 37
    Step 10. Create an Email Action 39
  Working with the TLC Console 42
    Step 1. Verify Collector Installation and Review the Audit Logger Directory 42
    Step 2. View the Regular Expression defined by a Normalization Rule 44
    Step 3. Create a Layout in the Dashboard 47

Tripwire Log Center 7.0 Evaluation Guide 5 Contents


Chapter 3. Scenarios 51
  Scenario 1. Detecting User Activity 52
    Step 1.1 - Detect and Evaluate Unauthorized User Activity 52
    Step 1.2 - Investigate a 'Brute Force Attack' 57
  Scenario 2. Monitoring and Reporting System Activity 61
    Step 2.1 - Analyze Event Data with the Dashboard 62
    Step 2.2 - Generate a Report on Event Data 66
  Scenario 3. Analyzing System Activity 71
    Step 3.1 - Query the Audit Logger for Evidence of System Activity 71
    Step 3.2 - Graph and Diagram Event Data 73
    Step 3.3 - Identify Recurrent Issues 77
    Step 3.4 - Generate a Report on Log-Message Data 81
  Scenario 4. Correlating SSH Logon Events 83
    Step 4.1 - Create a Correlation List 84
    Step 4.2 - Create a Correlation Rule 85
    Step 4.3 - Analyze Correlated Events in the Event-Database Viewer 90
    Step 4.4 - Generate a Report on User-Logon Activity 93

Chapter 4. Summary 95
  Evaluation Guide Summary 96
  Professional Services 97
  Contact Us 98

Tripwire Log Center Glossary 99

Index 111


About This Guide

Overview

The Tripwire Log Center Evaluation Guide presents a collection of step-by-step scenarios to introduce prospective and novice Tripwire Log Center (TLC) users (i.e. security administrators and analysts) to application features and functionality.

This guide includes the following chapters:

• Chapter 1: Overview (on page 11) introduces TLC and provides further details about the evaluation process.
• Chapter 2: Installation and Configuration (on page 16) explains how to install and configure Tripwire Log Center Manager, Tripwire Log Center Console, and your Event-Management Database software.
• Chapter 3: Scenarios (on page 51) provides a collection of hypothetical scenarios in which you will work with Tripwire Log Center to achieve specific goals.
• Chapter 4: Summary (on page 95) recaps what you learned in the evaluation process and provides resources for more information about TLC.


Document List

The documentation set for Tripwire Log Center (TLC) includes the following guides.

• The Tripwire Log Center Evaluation Guide presents a collection of step-by-step scenarios to introduce prospective and novice TLC users (i.e. security administrators and analysts) to application features and functionality.
• The Tripwire Log Center Installation Guide provides system administrators with step-by-step instructions for installing or upgrading TLC software, as well as the database software for storage of critical log messages and events.
• The Tripwire Log Center User Guide is a reference manual for security administrators and analysts working with Tripwire Log Center. This guide introduces TLC terms and concepts, explains how to configure TLC, and provides step-by-step instructions and related field descriptions for TLC procedures.

PDF versions of these documents are available on the Tripwire Customer Center:
https://tripwire.secure.force.com/customers/

In addition, the TLC online help provides the content in the PDFs above and may be accessed from the Tripwire Log Center Console:
http://tlcdocumentation.tripwire.com/


Document Conventions

Bolding
  Indicates:
  • The labels of buttons, menus, fields, drop-downs, and check boxes.
  • Options selected from a drop-down list or menu.
  • Keystrokes and menu paths.
  • Introductory sentences for procedures.
  • The first reference of a term.
  Examples:
  • In the Monitor dialog, select the Activate check box.
  • Press CTRL+DELETE.

Italics
  Indicates cross references to sections and chapters in this book, as well as the titles of other books.
  Example: "For more information, see Creating a Node."

Sans Serif
  Indicates:
  • URLs and e-mail addresses
  • Directory paths and file names
  • Command-line entries
  Examples:
  • www.tripwire.com
  • C:\Program Files\

Brackets
  Indicates a set of possible user-entered options; individual options are separated by the pipe ( | ) character.
  Example: [ 1 | 2 | 3 ]

Angle brackets
  Indicates placeholders for user-entered values.
  Example: <a_variable>


Contact Information

Tripwire US
  Web site: http://www.tripwire.com
  E-mail: [email protected]
  Phone: 1.800.TRIPWIRE (1.800.874.7947)

Tripwire International
  Web site: http://europe.tripwire.com
  E-mail: [email protected]

Tripwire Technical Support
  Online support: https://tripwire.secure.force.com/customers/
  Support policies: http://www.tripwire.com/customers/support-policy.cfm
  US toll-free: 1.866.TWSUPPORT (1.866.897.8776; 6am-6pm PST/PDT)
  EMEA toll-free: 00 800-77517751 (9am-9pm CET/CEST)
  Australia toll-free: 1800 193 879
  Direct phone: 1.503.276.7663

Tripwire Professional Services

Tripwire Professional Services provides a wide range of services, including Tripwire Quickstarts, Turnkey Implementations, Change Auditing, and Process Improvement. For more information, please visit http://www.tripwire.com/services or contact your Tripwire sales representative.

Tripwire Educational Services

Tripwire Educational Services provides hands-on technical training for the installation, configuration, and maintenance of your Tripwire software. All courses are taught by Tripwire Certified Instructors. For more information, please contact your Tripwire sales representative or visit http://www.tripwire.com/services/training/.


Chapter 1. Overview

About the TLC Evaluation

To demonstrate Tripwire Log Center (TLC) features and capabilities, the Tripwire Log Center Evaluation Guide walks novice users through the process of installing, configuring, and using the software. To fully benefit from the evaluation process, you should work through the Evaluation Guide sequentially (i.e., read it from beginning to end).

The Evaluation Guide consists of the following parts:

• Chapter 1: Overview (on the previous page). The Overview provides an introduction to basic TLC terms and functionality.
• Installing Tripwire Log Center on page 17 and Configuring Tripwire Log Center on page 18. To begin the evaluation process, you will prepare TLC to normalize, correlate, and analyze log messages collected from Log Sources in your TLC environment.
• Working with the TLC Console on page 42. This part of the evaluation introduces you to a few key components of the TLC user interface, as well as the directory structure in which the Audit Logger stores log messages.
• Chapter 3: Scenarios (on page 51). The evaluation Scenarios illustrate how TLC detects, reports, and analyzes activity in your TLC environment. In a series of Steps, each Scenario explains how TLC may be used to detect, evaluate, and resolve potential issues.
• Chapter 4: Summary (on page 95). To conclude the evaluation, you will review what you learned in the Scenarios. In addition, the Summary provides a few resources for more information about TLC.


What is Tripwire Log Center?

Tripwire Log Center (TLC) is a fully integrated log- and event-management solution from Tripwire, Inc. The TLC software suite consists of the following applications:

• Tripwire Log Center Manager (or TLC Manager) is the core software in your TLC environment. TLC Manager collects and processes log messages from a wide variety of systems and devices.
• Tripwire Log Center Console (or TLC Console) is the software for the TLC graphic user interface (GUI). Through the TLC Console, you can configure TLC and work with collected data.

  Note: TLC Console is also the term for the TLC GUI itself, and a Manager is a system on which TLC Manager software has been installed.

• Installed on a Windows or Linux system, Tripwire VIA Agent is a service that collects log messages from any log-generating application running on the system. When installed on a Windows system, VIA Agent can also collect the system's Windows Event Logs via the Secure Sockets Layer (SSL) protocol.

Tripwire Log Center:

• securely collects log messages from systems (i.e. 'Log Sources') on your network
• identifies events of interest in real time
• securely archives log messages with AES-256 encryption in a flat-file storage structure
• correlates detailed changes with events and event sequences
• responds to events of interest by taking appropriate action
• provides a robust set of analysis tools, including customizable reports, graphs, and network diagrams


How does TLC collect, normalize, and correlate log messages?

A Collector is a TLC module that gathers or receives log messages from Log Sources. A Log Source is any application, system, database, or device from which TLC collects log messages. In the TLC Console, an Asset represents a Log Source from which TLC collects log messages.

When a Log Source passes a log message to a Collector, TLC displays the content of the message in the Real-Time Event Viewer. If the log message satisfies criteria defined by your configuration of TLC, the log message is also forwarded to the Output Destinations assigned to the Log Source's Asset. Output Destinations may include the following TLC components:

• The Audit Logger is the log-management tool in which TLC saves log messages with their original format and content.
• The Correlation Engine determines if log messages indicate events of interest.
• Event-Management Databases store log messages that have been 'normalized' by TLC.

If the Asset has the Correlation Engine or an Event-Management Database as an Output Destination, TLC sends the log message to the Normalization Engine. Normalization is the process of standardizing log messages for further use by TLC. To normalize log messages, the Normalization Engine uses the Normalization Rules in your TLC Console. Each Normalization Rule defines a regular expression to parse the name/value pairs in log messages, and each rule can only be used to normalize messages generated by a specific type of Log Source.

• If the Normalization Engine processes a log message for an Asset that has an Event-Management Database as an Output Destination, and the message satisfies the conditions defined by your Normalized-Message Filters, TLC saves the Normalized Message as an Event in the database.
• If the Correlation Engine is assigned as an Output Destination for the Asset, TLC forwards the Normalized Message to the Correlation Engine.

To identify events of interest, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine. A Correlation Rule consists of a logical flow of one or more conditions, which are known as Decisions. If a Normalized Message satisfies a rule's Decisions, TLC initiates the response(s) defined by the rule. Responses (or 'Outputs') may include:

• saving the Normalized Message in an Event-Management Database
• creating a work ticket in the Ticket Center
• running an Action (for example, sending a notification email to your Security Administrator or running a command)

Figure 1 on the next page illustrates the high-level steps involved in the processing of log messages.
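The collect, normalize, correlate flow described above, as an added worked model that is not TLC code (the rule names, the Asset Group mapping and the log lines are all constructed): two regex Normalization Rules are assigned to an Asset through its Asset Group and run in order with the first match winning, and the resulting Normalized Messages feed a Correlation Rule whose two Decisions raise a ticket when one source address produces repeated SSH logon failures inside a time window, the pattern Scenario 1.2 later investigates.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Normalization Rules (hypothetical names, not TLC's rule library).
# Each rule: (name, Classification Tag, regex whose named groups are the name/value pairs).
IP = r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
NORMALIZATION_RULES = {
    "Linux": [
        ("sshd_failed_password", "logon_failure",
         re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
                    r"from " + IP + r" port (?P<src_port>\d+)")),
        ("sshd_accepted", "logon_success",
         re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from " + IP +
                    r" port (?P<src_port>\d+)")),
    ],
}
ASSET_GROUPS = {"linuxhost": "Linux"}  # Asset (host name in the message) -> Asset Group

# Syslog line layout: "<Mon dd HH:MM:SS> <host> <message>"
SYSLOG_LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def normalize(raw_line):
    """Normalization Engine: run the Asset Group's rules in order; the first match wins.
    Returns a Normalized Message (dict) or None when no rule applies to the message."""
    m = SYSLOG_LINE.match(raw_line)
    if not m:
        return None
    host = m.group("host")
    group = ASSET_GROUPS.get(host)
    if group is None:                      # not an Asset we collect from
        return None
    for name, tag, rule in NORMALIZATION_RULES.get(group, []):
        hit = rule.search(m.group("msg"))
        if hit:
            fields = hit.groupdict()
            fields.update(rule=name, tag=tag, asset=host,
                          time=datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
            return fields
    return None


class CorrelationEngine:
    """One Correlation Rule: Decision 1 - the message is a logon failure;
    Decision 2 - `threshold` failures from the same source IP within `window_seconds`.
    The Output is returned as a ticket dict instead of being written to a Ticket Center."""

    def __init__(self, threshold=3, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures

    def process(self, event):
        if event is None or event["tag"] != "logon_failure":   # Decision 1
            return None
        recent = self.failures[event["src_ip"]]
        recent.append(event["time"])
        while recent and event["time"] - recent[0] > self.window:
            recent.popleft()                                   # drop failures outside the window
        if len(recent) >= self.threshold:                      # Decision 2
            recent.clear()                                     # one ticket per burst
            return {"output": "ticket", "src_ip": event["src_ip"],
                    "asset": event["asset"], "count": self.threshold}
        return None


def run(lines, engine=None):
    """Collector -> Normalization Engine -> Correlation Engine. Returns (events, tickets)."""
    engine = engine or CorrelationEngine()
    events, tickets = [], []
    for line in lines:
        event = normalize(line)
        if event:
            events.append(event)
            ticket = engine.process(event)
            if ticket:
                tickets.append(ticket)
    return events, tickets


# Constructed sample log messages (not real captures).
SAMPLE_LOG = [
    "Nov 29 10:15:01 linuxhost sshd[2201]: Failed password for invalid user admin from 10.10.200.50 port 4422 ssh2",
    "Nov 29 10:15:04 linuxhost sshd[2203]: Failed password for root from 10.10.200.50 port 4423 ssh2",
    "Nov 29 10:15:09 linuxhost sshd[2205]: Failed password for twadmin from 10.10.200.50 port 4424 ssh2",
    "Nov 29 10:15:30 linuxhost sshd[2207]: Accepted publickey for twadmin from 10.10.200.1 port 51022 ssh2",
    "Nov 29 10:16:00 linuxhost cron[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 29 10:20:00 otherhost sshd[77]: Failed password for root from 10.10.200.50 port 4500 ssh2",
]

if __name__ == "__main__":
    events, tickets = run(SAMPLE_LOG)
    for e in events:
        print(e["rule"], e["user"], e["src_ip"])
    print(tickets)
```

The cron line is shown in the Real-Time Event Viewer but never normalized because no rule matches it, and the otherhost line is ignored because that host is not an Asset.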


Notes: Types of Event-Management Databases include Event Databases, IDS Databases, and Firewall Databases. For this evaluation, you will only work with the default Event Database created by the TLC Manager installer.

To support the Common Event Expression (CEE) Architecture, TLC provides a collection of Tripwire-defined Classification Tags for classification descriptions defined by the CEE Dictionary and Event Taxonomy (CDET). TLC also gives you the ability to create custom Classification Tags. Once TLC has associated log messages with Classification Tags, you can run queries and Reports based on those Classification Tags.

Figure 1. Collection, normalization, and correlation of log messages


Chapter 2. Installation and Configuration

Installing Tripwire Log Center

To begin the evaluation, download the TLC evaluation zip file from the Product Downloads section of the Tripwire Customer Center. This zip file contains PDFs of the TLC Installation Guide and TLC User Guide. (For assistance with the evaluation zip file, contact Tripwire Customer Support.)

Once done, install the following software on your host system (see About the Installation Process in the Tripwire Log Center Installation Guide):

1. Your Event-Management Database software (either MySQL Server or Microsoft SQL Server)
2. Tripwire Log Center Manager
3. Tripwire Log Center Console

Caution: Prior to installing each of these software packages, you should first verify that your system conforms with requirements. For further details, see the following topics in the Tripwire Log Center Installation Guide:

• Requirements for your Database Software
• Requirements for Tripwire Log Center Manager
• Requirements for Tripwire Log Center Console

Since you will only install TLC Manager software on a single system, this system will act as your Primary Manager. To manage more complex environments, you can install TLC Manager software on multiple systems. Each additional TLC Manager system is known as a Secondary Manager.

When you install the TLC Manager software on your Primary Manager, be sure to complete the following steps in the TLC Manager Configuration Wizard:

1. In the Log Source Types page, select Generic, Linux, Tripwire, and all Windows Log Source types.
2. In the AutoDiscover Log Sources page, clear the Enable AutoDiscovery check box.

If Auto-Discovery were enabled, the installer would create an Asset for each Linux and Windows system in your TLC environment. For the evaluation, you will instead create an Asset for a Windows system and another Asset for a Linux system later in the evaluation process (see Step 7. Create and Configure your Assets on page 32). You will then work with log messages collected from these two Log Sources to complete the evaluation.

Tip: For the evaluation, you also need access to an email server. If you do not have an email server, you may configure an email server on the Linux system configured in Step 1. Configure your Log Sources on the next page. For directions, see your Linux documentation.


Configuring Tripwire Log Center

Step 1. Configure your Log Sources

To set up your TLC environment for this evaluation, you first need to configure a Windows system and a Linux system to send log messages to TLC. These systems will act as the Log Sources from which TLC will collect log messages.

Windows Configuration

To configure the Windows system:

1. Install Tripwire VIA Agent software on the system, as described in the Tripwire Log Center Installation Guide.
2. Configure the Audit Policy settings specified in Table 1 below. For further details, see your Microsoft Windows documentation for information about the Security Policy Editor.

Audit Policy | Security Setting
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit logon events | Success, Failure

Table 1. Minimum Audit Policy Settings

Linux Configuration

Recommended Linux software for this evaluation: CentOS, Debian, Fedora Core, Red Hat Linux, or Ubuntu

Tips: If you are a novice with Linux, Ubuntu may be the easiest software with which to work.

For a complete list of *NIX platforms supported by TLC, see:
www.tripwire.com/it-compliance-products/log-event-management/supported-devices/


To configure the Linux system:

1. Download and install the latest distribution for your Linux software (see supported versions above). During the installation, create a user account named twadmin.
2. Install the latest patches for your Linux software.
3. Install OpenSSH or an equivalent SSH daemon.

Tip: For further instructions on the preceding steps, see your Linux-distribution documentation.

4. Edit the hosts file (/etc/hosts) and add the following two lines, one for the Linux system and one for the TLC Manager:

<host_ip><tab><host_name><tab><host_alias>
<tlc_ip><tab><tlc_host_name><tab><tlc_host_alias>

Where:
<tab> is a tab character,
<host_ip> is the IP address of the Linux system,
<host_name> is the name of the Linux system,
<host_alias> is an alias for the Linux system of your choosing,
<tlc_ip> is the IP address of your TLC Manager,
<tlc_host_name> is the name of the TLC Manager host system, and
<tlc_host_alias> is an alias for the TLC Manager of your choosing.

For example:

10.10.200.1	linuxhost.tripwire.com	linuxhost
10.10.200.2	tlcmanager.tripwire.com	tlcmanager

5. Save and close the hosts file.
6. To confirm that Syslog is running on the Linux system, enter the following command at a command line:

ps -ef | grep syslogd

If Syslog appears in the command output, proceed to Step 2. Configure your TLC Console on page 21. Otherwise, complete the steps below.

Tip: If Syslog is running, but you wish to reconfigure Syslog as described below, enter the following command to re-start the Syslog module (it sends SIGHUP to the process whose ID is stored in the pid file):

kill -HUP `cat /var/run/syslogd.pid`


To complete configuration of your Syslog module:

1. Open the configuration file (/etc/syslog.conf or /etc/rsyslog.conf).
2. In the configuration file, add the following line (the selector and the location are separated by whitespace, not by a third dot):

<facility>.<severity><tab><location>

Where:
<facility> is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, local0 through local7.
<severity> is one of the following keywords: debug, info, notice, warn (or warning), err (or error), crit, alert, emerg (or panic).
<location> is a local logging file or a remote machine to which the log messages will be forwarded.

To save all log messages in a local logging file, enter the following value as the <location>:

/<full_path_to_file>

Tip: To prevent synchronization of the logging file after each log event, you can format this entry as follows:

-/<full_path_to_file>

While you may lose some data if the system crashes after a write attempt, the absence of synchronization should improve performance, especially if your programs use logging in a verbose manner.

To forward all log messages to a remote machine, add the following line, where the *.* selector matches every facility and severity and the @ prefix marks a remote destination:

*.* @<tlc_manager>

Where:
<tlc_manager> is the host name or IP address of your TLC Manager.

3. At a command prompt, enter the following command to restart the Syslog module:

/etc/init.d# ./syslogd -m 30
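A small checker for the selector lines configured in the steps above, added here as an example (not part of the guide or of any syslog implementation). It validates each line against the facility and severity keywords listed above, recognises the /path, -/path and @host location forms, and confirms that a *.* line forwards everything to the TLC Manager; comma-separated facilities, ;-separated selectors and rsyslog's @@host (TCP) form are standard syntax the guide does not show, and the sample file is constructed.

```python
import re

# Keywords accepted in the <facility> and <severity> positions (the lists above).
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark", "news",
              "security", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}
SEVERITIES = {"debug", "info", "notice", "warn", "warning", "err", "error",
              "crit", "alert", "emerg", "panic"}


def parse_line(line):
    """Parse one '<facility>.<severity><tab><location>' line.

    Returns None for blank and comment lines, otherwise a dict holding the parsed
    selectors, the action and a list of errors (empty when the line is valid)."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    entry = {"raw": line, "selectors": [], "action": None, "errors": []}
    m = re.match(r"^(\S+)\s+(\S+)$", text)
    if not m:
        entry["errors"].append("expected '<facility>.<severity><tab><location>'")
        return entry
    selector, location = m.groups()
    for sel in selector.split(";"):                 # ';' joins several selectors
        facility, dot, severity = sel.partition(".")
        if not dot:
            entry["errors"].append(f"selector '{sel}' lacks '.<severity>'")
            continue
        facilities = facility.split(",")            # ',' joins several facilities
        for fac in facilities:
            if fac != "*" and fac not in FACILITIES:
                entry["errors"].append(f"unknown facility '{fac}'")
        if severity != "*" and severity not in SEVERITIES:
            entry["errors"].append(f"unknown severity '{severity}'")
        entry["selectors"].append((facilities, severity))
    if location.startswith("@"):
        # '@host' forwards over UDP; rsyslog's '@@host' forwards over TCP.
        entry["action"] = {"type": "remote", "host": location.lstrip("@"),
                           "proto": "tcp" if location.startswith("@@") else "udp"}
    elif location.startswith("/") or location.startswith("-/"):
        # A leading '-' turns off the sync after every write described in the Tip above.
        entry["action"] = {"type": "file", "path": location.lstrip("-"),
                           "sync": not location.startswith("-")}
    else:
        entry["errors"].append(f"location '{location}' is neither /path, -/path nor @host")
    return entry


def lint(config_text):
    """Return (line_number, error) pairs for every malformed line in the file."""
    problems = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry:
            problems.extend((number, err) for err in entry["errors"])
    return problems


def forwards_everything_to(config_text, tlc_manager):
    """True if a valid '*.*' line sends all messages to the given TLC Manager host or IP."""
    for line in config_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["errors"] or entry["action"]["type"] != "remote":
            continue
        if entry["action"]["host"] == tlc_manager and any(
                "*" in facilities and severity == "*"
                for facilities, severity in entry["selectors"]):
            return True
    return False


# Constructed sample file (not a real /etc/syslog.conf); the last line is deliberately wrong.
SAMPLE_CONF = """\
# constructed example
auth,authpriv.*\t/var/log/auth.log
*.info\t-/var/log/messages
*.*\t@tlcmanager
kern.bogus\t/var/log/kern.log
"""

if __name__ == "__main__":
    print(lint(SAMPLE_CONF))
    print(forwards_everything_to(SAMPLE_CONF, "tlcmanager"))
```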


Step 2. Configure your TLC Console

The TLC Console is the user interface for Tripwire Log Center.

To configure a few usability features for your TLC Console:

1. Log in to TLC.
   a. Select Start > Programs > Tripwire Log Center > Console.
   b. In the Login dialog, click More.
   c. Enter the Username and Password for your TLC administrator account.

   Note: If you forget the password for your Administrator user account, contact Tripwire Technical Support: http://www.tripwire.com/customers

   d. In the Hostname/IP field, enter the hostname or IP address of your Primary Manager.
   e. In the Port field, enter the Manager port specified when you installed your TLC Manager software.
   f. Click Login. The TLC Console opens (see Figure 2 below). Table 2 on the next page describes the most commonly used components in the button bar and side bar.

Figure 2. The TLC Console


Button / TLC Component | In this component, you can ...
Administration Manager | ... manage the user accounts, user groups, permissions, and other settings for your TLC environment.
Audit Logger | ... query and review the log messages collected by Tripwire Log Center.
Configuration Manager | ... create and configure a variety of TLC content, including Assets, Managers, Event-Management Databases, Normalization Rules, Correlation Rules, and Classification Tags.
Dashboard | ... work with configurable layouts that present information about your Managers and Event-Management Databases.
Event-Database Viewer | ... query and work with the Events in your Event Databases.
Real-Time Event Viewer | ... monitor the collection of log messages in real time.
Report Center | ... run reports about the Events in your Event-Management Databases.
Task Manager | ... define and save queries of your Event-Management Databases. Each Task can present query results in a table, graph, or report.
Ticket Center | ... create and monitor the work tickets (i.e. Event Tickets) created for Correlated Events in your TLC environment.

Table 2. Primary components of the TLC Console

2. From the menu bar, select View > Tabbed Forms.

   With the Tabbed Forms view, TLC opens each selected TLC Console component in a tab in the workspace. If this setting is disabled, each component opens in a separate window.

3. From the menu bar, select Options > Settings.
4. In the Miscellaneous page of the Settings dialog (see Figure 3 on the next page), select Open Dashboard on start-up. With this setting, TLC always opens the Dashboard when you log in. The Dashboard presents information about your TLC Manager and the log messages collected from your Log Sources.


Figure 3. The Miscellaneous group in the Settings dialog

5. In the Table Settings page of the Settings dialog, select the following check boxes. You will work with these features in Step 3.3 - Identify Recurrent Issues on page 77 of Scenario 3. Analyzing System Activity on page 71.

   • Display 'Group by' region provides the ability to group the contents of a table by the values in a specified table row.
   • Show Filter buttons in column headers embeds a Filter button in the header of each column in a table. To sort a table's contents by the values in a column, you simply select the column's Filter button.

6. Click OK to close the Settings dialog.


Step 3. Import the Latest Normalization Rules

For an introduction to Normalization, see How does TLC collect, normalize, and correlate log messages? on page 14.

Tripwire maintains and regularly updates a library of pre-defined Normalization Rules.

Tip: This Step requires Internet access. If your evaluation system does not have Internet access, you can download Normalization Rules from the Tripwire Customer Center: www.tripwire.com/customers

To download and import the latest Normalization Rules for Windows and Linux Log Sources:

1. From the menu bar in the TLC Console, select Options > Import TLC Content > Content.
2. In the Import Content tab, select Download via the Web the latest default file from Tripwire and click Update.
3. In the confirmation dialog, click OK.
4. In the Select and Import Content field, expand the Normalization Rules group and select the check box for each Normalization-Rule Group specified in Table 3 below.
5. Click Import.

   In the Import Status field, TLC presents a list of the imported content.

Group | These rules apply to ...
Linux CentOS | ... CentOS Linux
Linux Debian | ... Debian Linux
Linux Fedora | ... Red Hat Fedora
Linux Red Hat | ... Red Hat Linux
Linux Ubuntu | ... Ubuntu Linux
Windows XP-2003 | ... Windows XP and 2003
Windows Vista-2012 | ... Windows Vista, 2008, 2012, and 7

Table 3. Normalization-Rule Groups for this Evaluation


Figure 4. The Import Data tab with the Normalization Rule group expanded

Step 4. Configure your Asset Groups

Tripwire recommends that you manage your Assets by assigning them to Asset Groups. When you installed your TLC Manager software, the installer created a number of default Asset Groups, including a group named "Windows." In this Step, you will:

1. create two additional Asset Groups (named "Linux" and "Critical Systems"), and
2. assign the Normalization-Rule Groups specified in Table 4 on the next page to these three (3) Asset Groups.

Later in the configuration process (see Step 7. Create and Configure your Assets on page 32), you will create an Asset for your Windows system and another for your Linux system, and then assign these Assets to the Asset Groups configured in this Step. Once done, if TLC passes an Asset's log message to the Normalization Engine, the Normalization Engine will normalize the message with the Normalization Rules assigned to the Asset Group(s) containing the Asset.


Asset Group | Assign ...
Linux | ... the appropriate Normalization-Rule Group for the platform of your Linux Log Source; either: CentOS, Debian, Fedora, Red Hat, or Ubuntu
Windows | ... the appropriate group for the platform of your Windows Log Source; either: Windows XP-2003 or Windows Vista-2012
Critical Systems | 1. The Normalization-Rule Group assigned to the Linux Asset Group, and 2. The group assigned to the Windows Asset Group.

Table 4. Normalization-Rule Groups to be assigned to each Asset Group

To configure the default Windows Asset Group:

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Asset Groups.

   In the workspace, TLC presents the Asset Groups created by the TLC Manager installer.

3. Double-click the Windows group in the workspace.
4. In the Asset Group properties dialog, select the Normalization Rules tab.
5. To assign the appropriate Normalization-Rule Group for your Windows Log Source (see Table 4 above):
   a. Click Add.
   b. In the Modify Rules for Group dialog, expand and select the Normalization-Rule Group.
   c. Click Check Selected Rows to select all rules in the group (see Figure 5 on the next page).
   d. Click OK.


Figure 5. The Modify Rules for Group dialog with Normalization Rules selected

6. TLC adds the selected Normalization Rules to the Rules tab (see Figure 6 on the next page). To close the Asset Group properties dialog, click OK.

   Tip: When TLC normalizes a log message, the Normalization Engine will run the rules in the order in which they appear in the Rules tab. To modify the order, use the buttons on the right side of the tab.


Figure 6. The Normalization Rules tab in the Asset Group properties dialog

To create the Linux Asset Group:

1. In the Asset Groups page of the Configuration Manager, click Add.
2. In the Asset Group properties dialog:
   a. Enter Linux in the Name field.
   b. In the Description field, enter Linux Systems.
3. To assign the appropriate Normalization-Rule Group for your Linux Log Source (see Table 4 on page 26):
   a. In the Normalization Rules tab, click Add.
   b. In the Modify Rules for Group dialog, expand and select the group.
   c. Click Check Selected Rows to select all rules in the group.
   d. Click OK.

   TLC adds the selected Normalization Rules to the Normalization Rules tab.

4. To save the Linux Asset Group and close the Asset Group properties dialog, click OK.


To create the Critical Systems Asset Group:

1. In the Asset Groups page of the Configuration Manager, click Add.
2. In the Asset Group properties dialog:
   a. Enter Critical Systems in the Name field.
   b. In the Description field, enter Business-critical Systems.
3. To assign the two Normalization-Rule Groups specified in Table 4 on page 26:
   a. In the Normalization Rules tab, click Add.
   b. In the Modify Rules for Group dialog, expand and select the first group.
   c. Click Check Selected Rows to select all rules in the group.
   d. Expand and select the second group, and click Check Selected Rows.
   e. Click OK.

   TLC adds the selected Normalization Rules to the Normalization Rules tab.

4. Click OK to close the Asset Group properties dialog.

   The Linux and Critical Systems Asset Groups should now appear in the workspace (see Figure 7 below).

Figure 7. Configuration Manager with default and custom Asset Groups


Step 5. Configure your Collectors

In TLC, a Collector is a module that either actively gathers or passively listens for log messages from your Log Sources. Table 5 below defines each type of Collector and identifies the protocol employed by TLC to collect log messages from the Collector's Log Sources.

Type | Protocol and Required Ports | Description
Advanced File | SSL: TCP/5670 | If Tripwire VIA Agent is installed on a Windows or Linux system, this Collector may be used to gather log messages from any log-generating application running on the host system.
Advanced Windows | SSL: TCP/5670 | If Tripwire VIA Agent is installed on a Windows system, this Collector may be used to gather the system's Windows Event Logs.
Check Point | OPSEC and LEA: TCP/18184; UDP/18184 | Listens for log messages from Check Point firewalls.
Cisco IDS | SDEE: TCP/443 | Gathers log messages from Cisco IDS sensors.
Database | MySQL: TCP/3306; MS-SQL: TCP/1433 | Gathers log messages from an application that logs to an External Database. For a list of supported applications, see the Tripwire Customer Center: https://secure.tripwire.com/customers/
File | SMB: TCP/135-139, TCP/445; SFTP: TCP/22; FTP: TCP/21 | Gathers or receives log messages from Log Sources that store messages in an ASCII log file.
Network | Syslog: UDP/514, TCP/1468; SNMP: TCP/162, UDP/162 | Listens for Syslog and SNMP-based messages from network devices.
Oracle Database | TCP/IP: 1521 | Gathers log messages from Oracle database audit logs. For a list of supported Oracle versions, see the Tripwire Customer Center: https://secure.tripwire.com/customers/
WinLog | WMI: TCP/135, TCP/1024+ (Note: Synchronous Connectivity requires only TCP/135.) | Gathers log messages from Windows Event Logs.

Table 5. Types of Collectors

In the properties of your Primary Manager, the TLC Manager installer automatically assigns the appropriate Collector for each type of Log Source selected in the TLC Manager Configuration Wizard. For this evaluation, you selected the check box for each type of Windows and Linux Log Source (see Installing Tripwire Log Center on page 17).


In this step, you will confirm that the Advanced Windows Collector and Network Collector have been assigned to your TLC Manager. In addition, you will enable AutoDiscovery of Windows systems by the Advanced Windows Collector.

To configure your Collectors:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Resources > Managers.

3. In the workspace, double-click your Primary Manager.

4. In the Manager's properties tab, select the Installed Modules tab.

Since you selected Windows and Linux Log Sources in the TLC Manager Configuration Wizard, this tab includes the Advanced Windows Collector and the Network Collector (see Figure 8 below).

Figure 8. The Installed Modules tab in the Manager properties tab

5. In the Advanced Windows Collector tab, select the Enable AutoDiscovery check box.

With this setting enabled, TLC will AutoDiscover the Windows system on which you installed Tripwire VIA Agent software (see Step 1. Configure your Log Sources on page 18). TLC will then create a new Asset and assign the Advanced Windows Collector to the Asset.

6. Click OK to close the Manager properties tab.


Step 6. Push Updates to your Manager

In the following Steps, you added and modified objects in the Configuration Manager:

• Step 4. Configure your Asset Groups on page 25

• Step 5. Configure your Collectors on page 30

Whenever you make changes in the Configuration Manager, you must 'push updates' to the Managers in your TLC environment.

To push updates to your Primary Manager:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Resources > Managers.

3. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.

4. Click Push Updates to Manager.

Step 7. Create and Configure your Assets

In Step 4. Configure your Asset Groups on page 25, you reviewed the Asset Groups created by the TLC Manager installer, which included a group named Windows. You also created two new Asset Groups: one named Linux and another named Critical Systems.

In Step 5. Configure your Collectors on page 30, you configured the Advanced Windows Collector to AutoDiscover your Windows Log Source, and then you pushed these changes to your Primary Manager in Step 6. Push Updates to your Manager above. You are now ready to 1) configure the Asset created by TLC for your AutoDiscovered Windows Log Source, and 2) create and configure a new Asset for your Linux Log Source.

Tip: To ensure the accuracy of timestamps in collected log messages, Tripwire recommends the use of the Network Time Protocol (NTP) on each Log Source host system.


Configuring your Windows Asset

To configure the Asset for your Windows Log Source, complete the following steps:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Resources > Assets.

The workspace displays the AutoDiscovered Asset for your Windows Log Source (see Figure 9 below).

Tip: If your Windows Asset does not appear in the workspace, and an operating-system firewall or network firewall is positioned between the Windows system and your TLC Manager, confirm that the required ports are open. For further assistance, contact Tripwire Technical Support.

Figure 9. The AutoDiscovered Windows Asset in the workspace

3. Double-click the Asset to open the Asset properties dialog.

4. In the Name field, replace the existing name with My_Windows_Asset.

Note: In the Collector field of the Settings tab, TLC automatically assigned the Advanced Windows Collector to the Asset.

5. In the Asset Groups tab, associate the Asset with the Windows Asset Group and the Critical Systems Asset Group.

To associate the Asset with a group:

a. Click Add.

b. From the Host Group drop-down, select the group and click Add.

Figure 10 on the next page shows the Asset Groups tab with the two groups assigned to the Windows Asset.


Figure 10. The Asset Groups tab in the Asset properties dialog 

6. In the Output Destinations tab, the Correlation Engine is automatically assigned by default. To assign the Audit Logger as an Output Destination:

a. Click Add.

b. From the Output Destination drop-down, select the Audit Logger and click Add.

7. To save the Asset, click OK in the Asset Properties dialog.

Creating and Configuring your Linux Asset

To create and configure an Asset for your Linux Log Source, complete the following steps:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Resources > Assets.

3. Click Add Asset.


4. Complete the top of the Asset properties dialog.

a. In the Name field, enter My_Linux_Asset.

b. (optional) Enter a description.

c. Confirm that the Enabled check box is selected.

5. In the Settings tab (see on page 32):

a. Enter the IP Address of the Linux system.

b. From the Type drop-down, select Linux System.

c. From the Collector drop-down, select TLC Network Collector.

d. Click Apply.

6. In the Asset Groups tab, associate the Asset with the Linux Asset Group and the Critical Systems Asset Group.

To associate the Asset with a group:

a. Click Add.

b. From the Host Group drop-down, select the group and click Add.

7. In the Output Destinations tab, assign the Correlation Engine and Audit Logger as Output Destinations for the Asset.

To assign an Output Destination:

a. Click Add.

b. From the Input Type drop-down, select Syslog.

c. From the Output Destination drop-down, select the destination and click Add.

8. To save the Asset, click OK in the Asset Properties dialog.

The Configuration Manager now contains each of your new Assets (see Figure 11 below).

Figure 11. The Configuration Manager with your Windows Asset and Linux Asset


9. To push updates to your Manager:

a. In the side bar of the Configuration Manager, select Resources > Managers.

b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.

c. Click Push Updates to Manager.

Step 8. Confirm Log-Message Collection

At this point in the configuration process, TLC should be collecting log messages from your Windows Asset and Linux Asset.

To confirm that TLC is successfully collecting log messages, complete the following steps for each Asset:

1. In the side bar, select Events > Real-Time Event Viewer.

2. In the IP Address field, enter the IP address of the Asset's Log Source.

3. From the Collector drop-down, select the appropriate Collector for the Asset.

4. Click Start.

If TLC displays log messages in the Real-Time Event Viewer (see Figure 12 on the next page), then the Asset has been properly configured.

5. Click Stop and close the Real-Time Event Viewer.

Tip: If the Real-Time Event Viewer does not display log messages, complete the following steps to troubleshoot the issue:

1. If the system is inactive, try logging in and out of the system to generate log messages.

2. If you have an operating-system firewall or network firewall in your TLC environment, verify that the required ports are open.

3. Review and verify the properties of the Asset (see Step 7. Create and Configure your Assets on page 32). Most importantly, confirm that the IP Address is correct.

If these steps fail to resolve the issue, contact Tripwire Technical Support: www.tripwire.com/customers
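The port list in Table 5 (Step 5) and the "verify that the required ports are open" check in the Tip above can be turned into a quick reachability test. The following Python script is an added example for this guide, not Tripwire code: it carries the Table 5 ports as data, probes the TCP ones with a plain connect, and reports the UDP ones as skipped, because a UDP connect cannot confirm that a listener exists. The host you pass is assumed to be the side that accepts the connection for that Collector (for the Network Collector's Syslog and SNMP ports, the TLC Manager); 127.0.0.1 and 192.0.2.10 below are placeholders.

```python
"""Reachability check for the Collector ports in Table 5 (added example, not Tripwire code)."""
import socket
from typing import Callable, Dict, List, Tuple

# Transcribed from Table 5: Collector -> [(protocol, port), ...].
# TCP/1024+ for WinLog is a dynamic range, so only the fixed WMI port is listed.
COLLECTOR_PORTS: Dict[str, List[Tuple[str, int]]] = {
    "Advanced File": [("tcp", 5670)],
    "Advanced Windows": [("tcp", 5670)],
    "Check Point": [("tcp", 18184), ("udp", 18184)],
    "Cisco IDS": [("tcp", 443)],
    "Database": [("tcp", 3306), ("tcp", 1433)],
    "File": [("tcp", p) for p in range(135, 140)] + [("tcp", 445), ("tcp", 22), ("tcp", 21)],
    "Network": [("udp", 514), ("tcp", 1468), ("tcp", 162), ("udp", 162)],
    "Oracle Database": [("tcp", 1521)],
    "WinLog": [("tcp", 135)],
}


def required_ports(collectors: List[str]) -> List[Tuple[str, int]]:
    """De-duplicated (protocol, port) list for the named Collectors, in table order."""
    needed: List[Tuple[str, int]] = []
    for name in collectors:
        if name not in COLLECTOR_PORTS:
            raise KeyError(f"unknown Collector type: {name}")
        for entry in COLLECTOR_PORTS[name]:
            if entry not in needed:
                needed.append(entry)
    return needed


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_collectors(host: str, collectors: List[str],
                     probe: Callable[[str, int], bool] = check_tcp) -> Dict[str, str]:
    """Probe each required port on host. Result values: 'open', 'closed' or 'skipped' (UDP)."""
    results: Dict[str, str] = {}
    for proto, port in required_ports(collectors):
        key = f"{proto}/{port}"
        if proto == "udp":
            results[key] = "skipped"  # a UDP connect() never confirms that a listener exists
        else:
            results[key] = "open" if probe(host, port) else "closed"
    return results


if __name__ == "__main__":
    # Offline demonstration: a throw-away listener on localhost shows an 'open' result;
    # the Collector ports on localhost (nothing listening there) show 'closed'.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    print("throw-away listener open:", check_tcp("127.0.0.1", listener.getsockname()[1]))
    listener.close()
    # Replace 127.0.0.1 with the address of the side that accepts the connection,
    # e.g. the TLC Manager (placeholder 192.0.2.10) for the Network Collector's ports.
    for key, state in check_collectors("127.0.0.1", ["Advanced Windows", "Network"]).items():
        print(f"{key}: {state}")
```

Run it from the host that initiates the connection (for the Advanced Windows Collector, the system running Tripwire VIA Agent), so that the result reflects the firewall path the real log traffic takes.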


Figure 12. Log messages in the Real-Time Event Viewer

Step 9. Assign Correlation Rules to the Correlation Engine

In Step 7. Create and Configure your Assets on page 32, you assigned the Correlation Engine as an Output Destination for both your Windows Asset and Linux Asset. Consequently, if TLC normalizes a log message for one of these Assets, TLC will forward the Normalized Message to your Manager's Correlation Engine. To identify events of interest, the Correlation Engine applies Correlation Rules to these Normalized Messages.

In this Step, you will add pre-defined Correlation-Rule Groups to your Manager's Correlation Engine.

Note: In Scenario 4. Correlating SSH Logon Events on page 83, you will learn how to create a Correlation Rule of your own.

To add the Correlation-Rule Groups to your Manager's Correlation Engine:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Correlation > Engines.

3. In the workspace, double-click the Correlation Engine.

4. In the Correlation Engine tab, click Add.


5. To add the Correlation-Rule Groups:

a. In the Modify Rules for Correlation Engine dialog, press CTRL and select the following groups:

• Authentication

• Internal Rules

• Network Audit

• System Audit

• User Audit

Tip: For optimal performance, Tripwire recommends that you only add Correlation-Rule Groups that apply to your environment.

b. Click Check Selected Rows to select all rules in the groups (see Figure 13 below), and click OK.

Figure 13. Modify Rules for Correlation Engine dialog with Correlation Rules selected

TLC adds the selected Correlation Rules to the Correlation Engine.

6. Click OK to close the Correlation Engine tab.

Tip: When TLC correlates a Normalized Message, the Correlation Engine will run the rules in the order in which they appear in the Correlation Engine tab. To modify the order, use the buttons on the right side of the tab.


Step 10. Create an Email Action

An Action (or Correlation Action) initiates a response to events of interest (i.e. Correlated Events) identified by your Manager's Correlation Engine. Table 6 below defines each type of Action in TLC.

Email: Sends an email alert to specified recipients.

Notification: Creates a Notification in the Notifications dialog of the TLC Console. For further details, see Working with Notifications in the Tripwire Log Center User Guide.

Script: Runs a Windows command.

Syslog: Sends a Syslog message to a specified Syslog server.

Table 6. Types of Actions

By default, the TLC Manager installer creates a Notification Action with no defined Notifications. In this step, you will create an Email Action to send email alerts to yourself. In Scenario 4. Correlating SSH Logon Events on page 83, you will assign this Action as an Output in a Correlation Rule.

To create the new Email Action:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Resources > Managers.

3. In the workspace, double-click your TLC Manager.

4. In the Email tab of the Manager's properties tab (see Figure 14 on the next page):

a. In the SMTP Server field, enter the IP address of your email server.

b. Complete any remaining fields required for authentication by your email server.

c. Click OK to close the Manager's properties tab.


Figure 14. Email tab in the Manager's properties tab

5. In the side bar of the Configuration Manager, select Correlation > Actions.

In the workspace, TLC presents the two Actions created by the installer.

6. Click Add Action.

7. In the Action properties dialog (see Figure 15 on the next page):

a. Enter Email to me in the Name field.

b. In the Type Settings tab, click Add Email Address.

TLC adds a row to the Type Settings tab.

c. In the Email Address field, enter the email address for the Action and click OK.


Figure 15. The Action properties dialog

8. To push updates to your Manager:

a. In the side bar of the Configuration Manager, select Resources > Managers.

b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.

c. Click Push Updates to Manager.


Working with the TLC Console

Step 1. Verify Collector Installation and Review the Audit Logger Directory

Now that your Tripwire Log Center (TLC) environment has been configured, let's take a moment to review a few product features before proceeding with the evaluation Scenarios.

The Audit Logger is TLC's log-archive tool, and TLC stores collected log messages in the Audit Logger File Store, a series of compressed flat files.

When TLC receives a log message from a Collector, TLC first places the message in an internal cache known as the Audit Logger Cache (or Audit Logger Buffer). When the log messages in the cache exceed specified time or size thresholds, or when you flush the cache, TLC:

1. calculates SHA-256 checksums to verify the integrity of each file created when the cache is flushed to disk,

2. saves each message (in its original format) in the Audit Logger File Store, and

3. indexes the key terms in each message (to support standard search-engine queries).

Note: With a production license of Tripwire Log Center, you would also have the option of encrypting log messages with the AES-256 algorithm.

Due to this unique design, TLC provides high-speed performance capable of archiving all log messages generated by the Log Sources on your network.

To learn more about the Audit Logger File Store, complete the following steps:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Resources > Managers.

3. In the workspace, double-click your Manager.


4. Complete the following steps in the Manager properties tab:

a. In the Installed Modules tab (see Figure 16 below), verify that the following modules are installed and enabled: Network Collector, Advanced Windows Collector, Schedule Engine, License Service, Correlation Engine, and Audit Logger.

Note: In the Installed Modules tab, TLC automatically adds the Collectors required for each 'Product Type' (i.e. Log Source) specified in the TLC Manager Configuration Wizard (see Installing Tripwire Log Center on page 17). If you add other types of Log Sources to TLC, you can install the required Collectors in this tab. For more information, see Configuring a Collector in the Tripwire Log Center User Guide and Step 5. Configure your Collectors on page 30.

b. In the Audit Logger tab, copy the path of the Audit Logger File Store directory. By default, this directory is:

C:\Program Files\Tripwire\Tripwire Log Center Manager\Audit Logger\

Figure 16. The Installed Modules tab in the Manager's properties

5. In Windows Explorer, navigate to the Base Log Directory and review its contents (see Figure 17 on the next page).

• In the Audit Logger\0\ sub-directory, TLC creates a sub-folder for each day since you installed TLC Manager. TLC uses the current date to name each sub-folder, and each sub-folder contains one or more zip files with the data in the Audit Logger.

• The Audit Logger\Index\ sub-directory consists of sub-folders with zip files containing key terms in the Audit Logger File Store.
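To see what the SHA-256 step in the cache flush buys you, the following Python example (added here, not Tripwire code) builds a throw-away store in the 0\<date>\ layout described above, records the SHA-256 of each zip at flush time, then overwrites one archive and drops in an unlisted one before verifying the store. The manifest.json file that holds the checksums, the sequential zip names and the sample messages are this example's own assumptions; the guide does not document where TLC keeps its checksums or how it names the archives.

```python
"""Integrity check for an Audit Logger style file store (added example, not Tripwire code)."""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import date
from typing import Dict, List

MANIFEST = "manifest.json"  # hypothetical: where this example records the checksums


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _manifest_path(base_dir: str) -> str:
    return os.path.join(base_dir, MANIFEST)


def _load_manifest(base_dir: str) -> Dict[str, str]:
    if not os.path.exists(_manifest_path(base_dir)):
        return {}
    with open(_manifest_path(base_dir), encoding="utf-8") as fh:
        return json.load(fh)


def flush_cache(base_dir: str, day: date, messages: List[str]) -> str:
    """Write the cached raw messages to 0/<YYYY-MM-DD>/<seq>.zip and record the zip's SHA-256.

    Returns the store-relative key (e.g. '0/2013-06-01/0001.zip') used in the manifest."""
    day_dir = os.path.join(base_dir, "0", day.isoformat())
    os.makedirs(day_dir, exist_ok=True)
    seq = sum(1 for n in os.listdir(day_dir) if n.endswith(".zip")) + 1
    key = f"0/{day.isoformat()}/{seq:04d}.zip"
    full = os.path.join(base_dir, *key.split("/"))
    with zipfile.ZipFile(full, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("messages.log", "\n".join(messages) + "\n")  # messages kept in original format
    manifest = _load_manifest(base_dir)
    manifest[key] = sha256_file(full)  # checksum taken at flush time, before anything else touches the file
    with open(_manifest_path(base_dir), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return key


def verify_store(base_dir: str) -> Dict[str, str]:
    """Recompute every archive's SHA-256 and compare it with the manifest.

    Per-file status: 'ok', 'modified' (digest differs), 'missing' (listed but not on disk),
    'unlisted' (zip on disk that was never checksummed)."""
    manifest = _load_manifest(base_dir)
    status: Dict[str, str] = {}
    for key, expected in manifest.items():
        full = os.path.join(base_dir, *key.split("/"))
        if not os.path.exists(full):
            status[key] = "missing"
        else:
            status[key] = "ok" if sha256_file(full) == expected else "modified"
    for root, _dirs, files in os.walk(os.path.join(base_dir, "0")):
        for name in files:
            key = os.path.relpath(os.path.join(root, name), base_dir).replace(os.sep, "/")
            if name.endswith(".zip") and key not in manifest:
                status[key] = "unlisted"
    return status


def demo() -> Dict[str, str]:
    """Build a throw-away store from constructed messages, tamper with it, and verify it."""
    base = tempfile.mkdtemp(prefix="audit_logger_")
    day = date(2013, 6, 1)  # constructed date for the day sub-folder
    flush_cache(base, day, ["Jun  1 09:00:01 linuxhost sshd[101]: Accepted password for TLC_GOOD_USER from 192.168.1.50 port 51300 ssh2"])
    second = flush_cache(base, day, ["Jun  1 09:05:07 linuxhost sshd[102]: Failed password for TLC_BAD_USER from 192.168.1.100 port 51234 ssh2"])
    # Simulate tampering or corruption: overwrite the second archive after it was checksummed.
    with zipfile.ZipFile(os.path.join(base, *second.split("/")), "w") as zf:
        zf.writestr("messages.log", "")
    # Simulate a stray archive that never went through flush_cache.
    with zipfile.ZipFile(os.path.join(base, "0", day.isoformat(), "stray.zip"), "w") as zf:
        zf.writestr("messages.log", "not checksummed\n")
    return verify_store(base)


if __name__ == "__main__":
    for key, state in sorted(demo().items()):
        print(f"{state:9s} {key}")
```

The point of checking at flush time and re-checking later is that a digest recorded before the archive is exposed to anything else detects both silent disk corruption and deliberate edits to the archived messages; an archive that is on disk but absent from the checksum record is just as suspicious as one whose digest has changed.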


Figure 17. The Base Log Directory in Windows Explorer

Step 2. View the Regular Expression defined by a Normalization Rule

TLC normalizes log messages with regular expressions defined by Normalization Rules. You will now review a regular expression defined by one of the Normalization Rules downloaded from the Tripwire Web site during configuration (in Step 3. Import the Latest Normalization Rules on page 24).

To open the properties of a Normalization Rule:

1. In the side bar, select Resources > Configuration.

2. In the side bar of the Configuration Manager, select Normalization > Rules.

3. Expand and select a rule group under Rules.

4. In the workspace, double-click a rule.

5. In the Normalization Rule properties dialog, select the Rule Details tab (see Figure 18 on the next page).

The Quick Match field specifies a string. If a log message contains the string, TLC runs the regular expression defined in the Rule field.

The Description tab contains a value saved in the properties of Events created by the rule. The description may consist of literal strings and variables for Event-field values (e.g. <Dst IP>).


Figure 18. The Rule Details tab in the Normalization Rule properties dialog

6. Tripwire recommends that you do not modify the regular expression defined by a Normalization Rule downloaded from the Tripwire Web site. However, you can create Normalization Rules of your own, or create a copy of a downloaded rule. In such cases, you may edit the rule's regular expression with the Rule Editor.

To open the Rule Creator (see Figure 19 on the next page), click Rule Editor.

Each rule's regular expression:

a. parses specified name/value pairs in the content of log messages, and

b. specifies the columns in which the parsed values will be saved in Event-Management Databases.


When defining a regular expression in the Rule Editor, you can:

• include one or more Aliases in the expression. Each Alias is a custom variable that represents a partial or complete regular expression. At this point in the evaluation, your TLC environment may not contain any Aliases.

• define find-and-replace values in the Replace tab for columns in the content of log messages.

• test the expression by entering the content of a log message in the Input Data tab and clicking Test. TLC then displays the result in the Output field.
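The pieces described in this Step (the Quick Match gate, the Rule regex whose captures become Event columns, Aliases, Replace values and Description variables such as <Dst IP>) can be modelled in a few lines. The following Python example is added for this guide and is not Tripwire's normalization code: the two rules, the IPV4 and USER Aliases, the Replace mapping and the three sample syslog lines are constructed for the example, and named regex groups stand in for Event columns (an underscore in a group name becomes a space, so Src_IP is the Src IP column). Rules are tried in list order and the first one whose Quick Match and regex both hit wins.

```python
"""Quick Match + regex normalization in the style of a TLC Normalization Rule (added example, not Tripwire code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Aliases: reusable regex fragments referenced inside a rule as <NAME> (constructed for this example).
ALIASES: Dict[str, str] = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USER": r"[A-Za-z0-9_.\-]+",
}


@dataclass
class NormalizationRule:
    name: str
    quick_match: str                 # cheap substring gate; the regex runs only if this is present
    rule: str                        # regex; each named group becomes an Event column ('_' -> ' ')
    description: str                 # template with <Column> variables, e.g. <Src IP>
    replace: Dict[str, Dict[str, str]] = field(default_factory=dict)  # Replace tab: column -> {find: replace}
    tags: Tuple[str, ...] = ()       # Classification Tags attached to Events from this rule

    def compiled(self) -> "re.Pattern[str]":
        """Expand <ALIAS> references (upper-case names) into their fragments and compile."""
        pattern = self.rule
        for alias, fragment in ALIASES.items():
            pattern = pattern.replace(f"<{alias}>", f"(?:{fragment})")
        return re.compile(pattern)

    def normalize(self, message: str) -> Optional[Dict[str, object]]:
        """Return the Event columns for message, or None if the rule does not apply."""
        if self.quick_match not in message:
            return None
        match = self.compiled().search(message)
        if match is None:
            return None
        columns = {name.replace("_", " "): value
                   for name, value in match.groupdict().items() if value is not None}
        for column, mapping in self.replace.items():       # find-and-replace on parsed values
            if column in columns:
                columns[column] = mapping.get(columns[column], columns[column])
        event: Dict[str, object] = {"Rule": self.name, "Tags": set(self.tags), **columns}
        event["Description"] = re.sub(r"<([^<>]+)>",
                                      lambda m: str(columns.get(m.group(1), m.group(0))),
                                      self.description)
        return event


# Two constructed rules for OpenSSH-style syslog lines.
RULES: List[NormalizationRule] = [
    NormalizationRule(
        name="SSH logon failure",
        quick_match="Failed password",
        rule=r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<User><USER>) "
             r"from (?P<Src_IP><IPV4>) port \d+ (?P<Protocol>\w+)",
        description="<User> failed to log on from <Src IP> over <Protocol>",
        replace={"Protocol": {"ssh2": "SSH"}},
        tags=("User", "Logon", "Failure"),
    ),
    NormalizationRule(
        name="SSH logon success",
        quick_match="Accepted",
        rule=r"sshd\[\d+\]: Accepted \w+ for (?P<User><USER>) from (?P<Src_IP><IPV4>) port \d+ (?P<Protocol>\w+)",
        description="<User> logged on from <Src IP> over <Protocol>",
        replace={"Protocol": {"ssh2": "SSH"}},
        tags=("User", "Logon", "Success"),
    ),
]


def normalize_message(rules: List[NormalizationRule], message: str) -> Optional[Dict[str, object]]:
    """First rule whose Quick Match and regex both hit wins; None means the message stays raw."""
    for rule in rules:
        event = rule.normalize(message)
        if event is not None:
            return event
    return None


# Constructed sample messages (the equivalent of the Input Data tab).
SAMPLE_MESSAGES = [
    "Jun  1 09:05:07 linuxhost sshd[102]: Failed password for invalid user TLC_BAD_USER from 192.168.1.100 port 51234 ssh2",
    "Jun  1 09:06:00 linuxhost sshd[103]: Accepted password for TLC_GOOD_USER from 192.168.1.50 port 51300 ssh2",
    "Jun  1 09:06:30 linuxhost CRON[104]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(normalize_message(RULES, line))
```

The Quick Match string is what keeps this cheap at volume: the regex is only compiled and run for messages that contain the substring, and a message that passes the Quick Match but fails the regex (the last assertion in the test) still stays raw rather than producing a half-filled Event.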

Figure 19. The Rule Editor


Step 3. Create a Layout in the Dashboard

A component of the TLC Console, the Dashboard presents information about a Manager or Event-Management Database in a Layout, a customizable configuration of panels containing fields, tables, and/or graphs.

• A Manager Layout shows information about 1) a selected Manager's system resources and configuration, and 2) the log messages collected by the Manager's Collectors.

• A Database Layout presents data for the Events in a selected Event-Management Database.

The panels in a Layout are known as Layout Panels, and Table 7 below describes each type of Layout Panel.

Configuration Diagram: (Manager Layouts only) Displays a diagram of the Log Sources, Collectors, Managers, Audit Loggers, Correlation Engines, and Event-Management Databases in your TLC environment.

Map: (Database Layouts only) Displays the geographic locations of IP addresses involved in Events on a map.

Text: Presents data in a table.

Time Graph: Presents a timeline of log messages or Events in a graph.

Top Graph: (Database Layouts only) Displays the Top N items in a graph or chart.

Table 7. Types of Layout Panels

To add a panel to a Layout, you must first create a Layout-Panel Task in the Task Manager. Table 8 on the next page describes each type of Task in TLC.

Note: In the Task Scheduler, you can define schedules for Copy, Delete, Archive, and Report Tasks.


Layout-Panel: Creates a Layout Panel that may be added to a Layout in the Dashboard.

Administrative: Performs an administrative operation on specified data in an Event-Management Database.
  An Archive Task moves the data from one database to another.
  A Copy Task copies the data from one database to another.
  A Delete Task removes the data from the database.

Search: Performs a query of data in an Event-Management Database.
  A List Task presents the query results in a table.
  A Graph Task presents the query results in the form of a graph or chart.
  A Report Task compiles and formats the query results in a Report. In Scenario 2. Monitoring and Reporting System Activity on page 61, you will create and run a Report Task.

Table 8. Types of Tasks in the Task Manager

In Scenario 2. Monitoring and Reporting System Activity on page 61, you will:

1. create and run a Report Task, and

2. work with a custom Layout in the Dashboard.

To prepare TLC for your work in the Dashboard, you will now create a Layout-Panel Task, and then add the panel to the new Layout.

To complete this Step:

1. In the side bar, select Events > Task Manager.

2. To create the Layout-Panel Task:

a. In the workspace, enter Medium and High Priority Events in the Name field.

b. From the 'Task type' drop-down, select Layout Panel.

c. From the Output drop-down, select Text Panel, and then select Top Priorities from the adjacent Type drop-down.

d. Click Save.

TLC adds the new Layout-Panel Task to the Layout-Panel Tasks group in the Task Manager's side bar.


Figure 20. The new Layout-Panel Task in the Task Manager

3. To create the new Database Layout:

a. In the side bar, select Events > Dashboard.

b. From the 'Display data for' drop-down, select Events.

c. From the Layout drop-down, select New Layout.

d. Click Add and select Text Panels > Medium and High Priority Events (see Figure 21 on the next page).

e. Click Save.

f. In the Save As dialog, enter Priority_Events as the name of the new Layout file and click Save.

The new Layout should now be available in the Dashboard's Layout drop-down.


Figure 21. The Layout drop-down with the new Database Layout

4. Close the Dashboard and Task Manager.


Chapter 3. Scenarios


Scenario 1. Detecting User Activity

To begin the evaluation, this Scenario demonstrates how Tripwire Log Center (TLC) can detect and respond to unauthorized user activity in your TLC environment. In Step 1.1 - Detect and Evaluate Unauthorized User Activity below, you will create new user accounts on your Windows Log Source and then employ the Real-Time Event Viewer and Audit Logger to evaluate this activity. In Step 1.2 - Investigate a 'Brute Force Attack' on page 57, you will analyze the log messages generated in response to a simulated 'Brute Force Attack.'

Step 1.1 - Detect and Evaluate Unauthorized User Activity

In this Step, you will:

• create two (2) new user accounts on your Windows Log Source

• monitor the Real-Time Event Viewer for log messages documenting the creation of the user accounts

• create a Custom Command to look up IP addresses on the Network Solutions WHOIS Web site

Note: A Custom Command is a command that users can run when they select certain fields in a table in the TLC Console.

• simulate a logon failure by attempting to log in to the Windows system with incorrect authentication credentials

• search TLC for the log message generated by the logon failure

• run the Custom Command to display the WHOIS details for an IP address in the log message

• email the log message to your Security Administrator for further analysis

To complete this Step:

1. In the side bar, select Events > Real-Time Event Viewer.

2. In the Real-Time Event Viewer, complete the following steps.

a. In the Message-content filter field, enter:

TLC_*

b. In the IP Address field, enter the IP address of your Windows Log Source.

c. From the Collector drop-down, select Advanced Windows Collector.

d. Select the Wrap Text check box and click Start.

TLC begins displaying log messages from the Windows system in real time.


3. On the Windows system:

a. Create a Windows user account named "TLC_GOOD_USER," and add this account to the Administrators group.

b. Create a Windows user account named "TLC_BAD_USER."

Tips: Make a note of the password for each account. For further directions, refer to your Microsoft Windows documentation.

4. Monitor the Real-Time Event Viewer in TLC. You should see the log messages related to the creation of each new user account (see Figure 22 below).

Note: As needed, you can use the Real-Time Event Viewer to verify collection of log messages from any Log Source in your TLC environment.

Figure 22. Real-Time Event Viewer with log messages for new Windows user accounts

5. Click Stop and close the Real-Time Event Viewer.

6. From the menu bar in the TLC Console, select Options > Settings.

7. In the side bar of the Settings dialog, select User Settings > Custom Commands and click Add.


8. Complete the Custom Command dialog (see Figure 23 below).

a. In the Name field, enter Network Solutions WHOIS Lookup.

b. Select the Enabled check box.

c. From the Data Type drop-down, select IP Address.

d. For the Output drop-down, accept the default value of DOS Command.

e. In the Command field, enter: 

http://www.networksolutions.com/whois/results.jsp?ip=<ip>

f. To test the command, click Test.

g. In the Test dialog, enter 192.168.1.100 and click Test.

If the test is successful, TLC will present a Web page with the WHOIS results for the IP address.

h. Click OK to save your work and close the Custom Command dialog.

i. In the Settings dialog, click OK.

Note Network Solutions is unaffiliated with Tripwire, Inc.

Figure 23. Custom Command dialog

9. Attempt to log in to the Windows system with incorrect authentication credentials.


10. To search for log messages related to the failed logon attempt: 

a. In the side bar, select Events > Audit Logger.

b. Select the Query tab (see Figure 24 below).

c. From the Output drop-down, select List Events - Processed.

d. In the Classification Tags field, enter User Logon Failure.

e. From the two Assets drop-downs, select IP Address and your Windows Asset.

f. To run the search, click Start.

TLC queries the Audit Logger File Store for log messages collected from the Windows system with which the Classification Tags User, Logon, and Failure are associated. TLC then normalizes the log messages with the Normalization Rules assigned to the Windows and Critical Systems Asset Groups, and presents the results in the Query Results - Normalized Messages tab (see Figure 25 on the next page).

Figure 24. The Query tab in the Audit Logger


Figure 25. The Query Results - Normalized Messages tab 

11. To run the Custom Command:

a. In the Processed Logs tab, select and right-click an IP address in a log message for a failed logon attempt (see Figure 26 on the next page).

b. From the right-click menu, select Run Custom Command on selected IP address > Network Solutions WHOIS Lookup.

TLC runs the Custom Command and opens a Web Browser tab containing a page from the Network Solutions Web site. The page presents information about the selected IP address.

Note: Network Solutions is unaffiliated with Tripwire, Inc.

c. Close the Web Browser tab.


12. Close the Audit Logger.

Figure 26. The right-click menu in the Query Results - Normalized Messages tab 

Step 1.2 - Investigate a 'Brute Force Attack'

In this Step, you will simulate a 'Brute Force Attack' by attempting to log in to the Windows system with an incorrect password for the TLC_GOOD_USER account (created in Step 1.1 - Detect and Evaluate Unauthorized User Activity on page 52), and then changing the account's password. You will then query and review the log messages generated by the Windows system in response to the Brute Force Attack.

Caution: To complete this Step, your Windows system should not have an enabled policy that locks a Windows user account after five (5) or fewer failed login attempts.


To complete this Step:

1. To simulate a "Brute Force Attack" on your Windows system:

a. Using an incorrect password for the TLC_GOOD_USER account, attempt to log in to the Windows system five (5) times.

b. Using the correct password, log in to the system with the TLC_GOOD_USER account.

c. Change the password for the TLC_GOOD_USER account, and make a note of the new password.

For further directions, refer to your Microsoft Windows documentation.

2. To search for log messages generated by the failed logon attempts:

a. In the side bar, select Events > Audit Logger.

b. In the Audit Logger, select the Query tab.

c. From the Output drop-down, accept the default option of List Events - Raw. With this option, TLC will query the Audit Logger File Store for log messages in their original, un-normalized state.

d. In the Classification Tags field, enter User Logon Failure.

e. From the two Assets drop-downs, select IP Address and your Windows Asset.

f. From the Date and Time drop-down, select Newer/older than.

g. In the Time Span drop-downs, enter Newer than 10 Minutes.

Note: If more than 10 minutes have passed since you simulated the Brute Force Attack, you will need to adjust the Time Filter accordingly.

h. To run the search, click Start.

TLC presents the query results in the Raw Logs tab (see Figure 27 on the next page).


Figure 27. The logon failure messages in the Raw Logs tab

3. To search for the log message generated by the Windows system when you changed the password of the TLC_GOOD_USER account:

a. In the Audit Logger, select the Query tab.

b. From the Output drop-down, accept the default option of List Events - Raw.

c. In the Classification Tags field, enter Password.

d. From the two Assets drop-downs, select IP Address and your Windows Asset.

e. In the Time Span drop-downs, enter Newer than 10 Minutes.

f. To run the search, click Start.

TLC presents the query results in the Raw Logs tab (see Figure 28 on the next page). Locate the log message and review the content.

4. Close the Audit Logger.


Figure 28. The Password Change log message in the Raw Logs tab
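The sequence queried in this Step (a burst of logon failures, then a successful logon, then a password change for the same account) is the pattern an analyst wants flagged automatically rather than read off a results tab by hand. The following Python is an added example, not part of the original guide and not TLC code: it runs that detection over constructed log lines. The event IDs are the real Windows Security event IDs (4625 failed logon, 4624 successful logon, 4723 password change, 4724 password reset); the one-line record format, host name, addresses and timestamps are constructed for the example, and the five-failures-in-ten-minutes threshold mirrors the Caution and the Time Span used above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs (these are the real IDs): 4625 failed logon,
# 4624 successful logon, 4723 password change by the user, 4724 password reset.
LOGON_FAILURE, LOGON_SUCCESS = 4625, 4624
PASSWORD_CHANGE, PASSWORD_RESET = 4723, 4724

# Constructed record format for this example; it is not the TLC or Windows format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"EventID=(?P<id>\d+) User=(?P<user>\S+) SrcIP=(?P<src>\S+)")

def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": m["host"], "id": int(m["id"]),
            "user": m["user"], "src": m["src"]}

def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (kind, user, src_ip, failure_count) findings in time order.

    'brute_force' fires when the threshold-th failed logon for a user falls
    inside the sliding window; a successful logon or a password change for
    that user within the window after the flag escalates the finding."""
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    flagged = {}                  # user -> time the brute force was flagged
    findings = []
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        active = user in flagged and ts - flagged[user] <= window
        if ev["id"] == LOGON_FAILURE:
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:        # discard failures older than the window
                q.popleft()
            if len(q) >= threshold and not active:
                flagged[user] = ts
                findings.append(("brute_force", user, ev["src"], len(q)))
        elif ev["id"] == LOGON_SUCCESS and active:
            findings.append(("logon_after_brute_force", user, ev["src"], len(recent[user])))
        elif ev["id"] in (PASSWORD_CHANGE, PASSWORD_RESET) and active:
            findings.append(("password_changed_after_brute_force", user, ev["src"], len(recent[user])))
    return findings

# Constructed sample: five bad passwords for TLC_GOOD_USER, then the real
# password, then a password change, plus two unrelated failures for another user.
SAMPLE_LINES = [
    "2013-05-14 10:00:01 WIN-SRV01 EventID=4625 User=TLC_GOOD_USER SrcIP=10.0.0.7",
    "2013-05-14 10:00:09 WIN-SRV01 EventID=4625 User=TLC_GOOD_USER SrcIP=10.0.0.7",
    "2013-05-14 10:00:15 WIN-SRV01 EventID=4625 User=JSMITH SrcIP=10.0.0.9",
    "2013-05-14 10:00:18 WIN-SRV01 EventID=4625 User=TLC_GOOD_USER SrcIP=10.0.0.7",
    "2013-05-14 10:00:27 WIN-SRV01 EventID=4625 User=TLC_GOOD_USER SrcIP=10.0.0.7",
    "2013-05-14 10:00:36 WIN-SRV01 EventID=4625 User=TLC_GOOD_USER SrcIP=10.0.0.7",
    "2013-05-14 10:00:50 WIN-SRV01 EventID=4625 User=JSMITH SrcIP=10.0.0.9",
    "2013-05-14 10:01:05 WIN-SRV01 EventID=4624 User=TLC_GOOD_USER SrcIP=10.0.0.7",
    "2013-05-14 10:01:12 WIN-SRV01 EventID=4624 User=JSMITH SrcIP=10.0.0.9",
    "2013-05-14 10:02:30 WIN-SRV01 EventID=4723 User=TLC_GOOD_USER SrcIP=10.0.0.7",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(*finding)
```

The sliding window is what keeps this from being a plain count: JSMITH's two failures never reach the threshold, and a sixth failure an hour later would start a fresh count rather than extend the old one. The escalation after a successful logon is the part worth tuning in a real deployment, because a legitimate user who mistypes a password five times and then gets in looks identical until you add context such as the source address.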


Scenario 2. Monitoring and Reporting System Activity

In addition to the storage of log messages in the Audit Logger, Tripwire Log Center (TLC) also saves data in the following databases.

• The System Database retains a record of all user logons and logouts, as well as TLC content, such as Assets and Normalization Rules.

• An Event-Management Database stores Events. Each Event is either:

a. A Normalized Message (see How does TLC collect, normalize, and correlate log messages? on page 14), or

b. An event imported from a supported scanner, such as Tripwire IP360 or Tenable Nessus.

Table 9 below describes each type of Event-Management Database. By default, the TLC Manager installer creates a single Event Database called 'Events.' With the Database Viewers in the TLC Console, you can access information about the Events in your Event-Management Databases.

Type                 Stores Events from ...                         Database Viewer
Event Database       any Log Source and/or any supported scanner    Event-Database Viewer
Firewall Database    firewalls                                      Firewall-Database Viewer
IDS Database         IDS and IPS devices                            IDS-Database Viewer

Notes: An Event Database can also store firewall Events, as well as Events from an IDS or IPS. For IDS and IPS Events, an Event Database excludes the packet payloads. To store the packet payloads, you should store Events in an IDS Database.

Table 9. Types of Event-Management Databases and Database Viewers

In this Scenario, you will work with the Dashboard to review Events with a high Priority. Priorities indicate the relative importance of Events. For an introduction to the Dashboard, see Step 3. Create a Layout in the Dashboard on page 47.


Step 2.1 - Analyze Event Data with the Dashboard

In this Step, you will:

• review the default Events Overview Layout in the Dashboard

Note The Events Overview Layout is automatically created by the TLC Manager installer.

• open and review the custom Layout (Priority_Events) created in Step 3. Create a Layout in the Dashboard on page 47

• add another Layout Panel to the custom Layout

• search for Events with a high Priority

• create a Decision for a Correlation Rule

Note In Scenario 4. Correlating SSH Logon Events on page 83, you will create a Correlation Rule involving this Decision.

To complete this Step:

1. In the side bar, select Events > Dashboard.

2. To open the Events Overview Layout (see Figure 29 on the next page):

a. From the 'Display data for' drop-down, select Events.

b. From the Layout drop-down, select Overview.

The Layout Panels in this Database Layout present information about the Events in the default Events Database.

• The top panel presents the total number of Events in the database, along with the number of Normalization Rules used to normalize those Events.

• The middle panel presents a collection of 'Top 10' panels. Each of these panels displays the most common values for a specific field in the database's Events. For example, the Top 10 Priorities panel shows the total number of Events for each Priority.

• The bottom panel is a Time Graph Panel. For each of the past 24 hours, this panel shows the total number of Events saved to the database. For each one-hour period, the graph also shows how many Events were saved for each Priority (High, Medium, Low, and Info).


Figure 29. The Events Overview Layout in the Dashboard

3. To access your custom Layout:

a. From the Layout drop-down, select Priority_Events.

b. Click Refresh to populate the Layout Panel with data (see Figure 30 below).

Figure 30. The custom Layout in the Dashboard

4. To add another Layout Panel to the Priority_Events Layout (see Figure 31 on the next page):

a. Click Add and select Time Graph Panels > Last 24 Hours.

b. Click Refresh.


Figure 31. The custom Layout with the new Layout Panel

5. To search the Events Database for Events with a High Priority:

a. In one of the Layout's panels, select a High Priority table row or graph segment.

b. Right-click the High Priority row or segment, and select Search for Events (see Figure 32 on the next page).

The Task Manager opens (see Figure 33 on the next page). In the Filter Wizard tab, TLC automatically adds a single search filter for High Priority Events.

c. Select the filter's Enable check box and click Start.

TLC queries the database and presents the High Priority Events in a new tab.

d. Review the search results and then close the tab.


Figure 32. The Correlation Search right-click option

Figure 33. The Filter Wizard tab in the Task Manager

6. To create a Correlation Rule Decision based on the search filter:

a. Click Create Correlation Rule Decision in the Filter Wizard tab of the Task Manager (see Figure 33 above).

b. In the Enter Decision Information dialog, enter High Priority Events in the Name field.

c. From the Group drop-down, select System Security and click Add.

d. In the Confirmation dialog, click No.

TLC creates and saves the Decision. In Scenario 4. Correlating SSH Logon Events on page 83, you will add the Decision to a new Correlation Rule.

7. Close the Task Manager and the Dashboard.


Step 2.2 - Generate a Report on Event Data

In this Step, you will:

1. create a Report Task to define a Report about the Events in the default Events Database

2. run the Report Task and view the results in the Report Center

In the Report's output, you will locate the Events related to the simulated 'Brute Force Attack' conducted in Scenario 1. Detecting User Activity on page 52, and then save the output as a PDF file to share with your co-workers.

To complete this Step:

1. In the side bar, select Events > Task Manager.

2. In the Task Manager, the side bar groups the default and custom Tasks in your TLC environment.

Note The Search group contains List Tasks, and the Dashboard Panels group contains Layout-Panel Tasks.

To create your Report Task, complete the following steps in the workspace.

a. In the Name field, enter System Activity by Classification.

b. From the Database drop-down, accept the default value of Events.

c. From the Output drop-down, select Report.

d. From the Type drop-down, select Events by Legacy Classification - Detailed.

e. Click Save.

In the Task Manager side bar, TLC adds the new Report Task under the Report Tasks > Events group (see Figure 34 on the next page).


Figure 34. New Report in the Task Manager

3. In the Task Manager, you can run a Report Task by opening the Task and clicking Start. However, you can also access and run Report Tasks in the Report Center, as well as a wide variety of pre-defined Reports.

To run the new Report Task in the Report Center:

a. In the side bar, select Events > Report Center.

b. From the Database drop-down, select Events.

c. Expand the Standard Reports group and select the System Activity by Classification Report.

d. From the Time Filter drop-down, select 24 Hours.

e. Click Run Report.

TLC presents the report output in the workspace (see Figure 35 on the next page).


Figure 35. The output of the System Activity by Classification Report

4. The report output includes:

• A collection of graphs illustrating the frequency of Event types and the systems involved in those Events, and

• A detailed list of the Events.

In the output, scroll down the list to locate the Events for the simulated 'Brute Force Attack' completed in Scenario 1. Detecting User Activity on page 52 (see Figure 36 on the next page). To generate these Events, TLC used the Correlation Rules assigned to the Correlation Engine in Step 9. Assign Correlation Rules to the Correlation Engine on page 37.


Figure 36. The Events for the simulated 'Brute Force Attack'

5. To add a watermark to the Report output:

a. Click Watermark.

b. In the Watermark dialog (see Figure 37 on the next page), enter 'Classified' in the Text field.

c. From the Size drop-down, select 54.

d. Adjust the Transparency slider bar to a value of 160, and click OK.

TLC adds the watermark to the Report output.


Figure 37. Watermark dialog

6. To save the Report output as a PDF file:

a. Click Export to and select PDF File.

b. In the PDF Export Options dialog, click OK.

c. In the Save As dialog, select your Desktop from the Save in drop-down, and then click Save.

d. In the Export confirmation dialog, click Yes.

TLC opens the PDF file with the Report output.

Note The exported PDF contains the account names and IP addresses shown in the Report, and the watermark added in step 5 is a visual label only, not an access control. Share the file with the same care you would apply to the log data it summarizes.

7. When you finish reviewing the output in the PDF file, close the file and the Report Center.


Scenario 3. Analyzing System Activity

The Audit Logger and Event-Database Viewer provide a number of tools with which you can analyze your TLC data, including:

• a wide variety of graphs - pie charts, line graphs, and bar graphs

• Event-Relationship Diagrams that depict and replay communications between systems involved in queried Events

• a robust set of customizable Reports

This Scenario guides you through the process of detecting and analyzing SSH-related activity on your Linux Log Source. Along the way, you will use these tools to illustrate this activity and identify events of interest. In addition, you will create an Event Ticket to track related work.

Step 3.1 - Query the Audit Logger for Evidence of System Activity

In this Step, you will:

• restart the SSH Daemon, log in via SSH, and create a new user account on your Linux Log Source

• search for log messages generated by the Linux system for the SSH Daemon

To complete this Step:

1. On your Linux system:

a. Restart the SSH Daemon.

b. Log in to the Linux system via SSH with the twadmin user account (created in Linux Configuration on page 18).

c. Create a new Linux user account named twuser.

For further details, refer to your Linux documentation.

2. To search for the log messages:

a. In the side bar, select Events > Audit Logger.

b. In the Audit Logger, select the Query tab.

c. From the Output drop-down, select List Events - Processed.

d. In the Terms field, enter SSH*.


Tips For query-syntax characters that may be entered in the Terms field, see Table 10 on the next page.

To search for a special character in log messages, enter a regular expression with the character in the Terms field and insert a forward slash (/) before the character (that is, escape the special character with /).

To optimize performance, enter the most selective (least common) terms first. For example, "jhammond user failed" would be faster than "user failed jhammond."

e. From the two Assets drop-downs, select Asset Group and the Linux Asset Group.

f. To run the search, click Start.

TLC queries the Audit Logger File Store for log messages containing SSH*, and then normalizes the messages with the Normalization Rules assigned to the Linux Asset Group. The Query Results - Normalized Messages tab (see Figure 38 below) presents the results.

Figure 38. The Query Results - Normalized Messages tab 


Character   Description                                          Example
space       An AND operator                                      Write Data
|           An OR operator                                       Write | Data
?           Wildcard for a single character                      Wr?te
*           Wildcard for zero or more characters at the end      Wri*
            of a term
||          Separates multiple queries                           Permit 192.168.0.1 || Deny 192.168.0.2
                                                                 An example of a nested query:
                                                                 (Permit | Allow) 192.168.0.1 || (Permit | Allow) 192.168.0.2
" "         A literal value                                      "Failed Login"
\           Separates a Location name from an IP address         Miami\192.168.129.1

Table 10. Query-syntax characters
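Table 10 lists the operators but not how they combine, and a query that silently matches nothing (or everything) wastes a run against the File Store. The following Python is an added example, not TLC code and not from the guide: it parses a query written with the characters in Table 10 and evaluates it against constructed log messages, so a query can be checked offline before it is entered in the Terms field. Assumptions beyond the table: the implicit AND (a space) binds tighter than '|', '||' returns the union of the queries it separates, terms match whole words case-insensitively, and '?' and '*' match word characters. The '\' Location separator belongs to the Assets filter rather than to the message text, so it is not handled here.

```python
import re

# Token kinds from Table 10: '||' separates queries, '|' is OR, parentheses
# group, "..." is a literal, anything else is a bare term; whitespace is AND.
_TOKEN_RE = re.compile(r'\s*(\|\||\||\(|\)|"[^"]*"|[^\s()|"]+)')

def tokenize(query):
    query, tokens, pos = query.strip(), [], 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError(f"bad query near {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def term_pattern(token):
    """Compile one term: '?' matches one character, a trailing '*' matches the
    rest of the word, a quoted token is literal. Whole-word, case-insensitive
    matching is an assumption of this example."""
    if token.startswith('"'):
        body = re.escape(token[1:-1])
    else:
        tail = ""
        if token.endswith("*"):
            token, tail = token[:-1], r"\w*"
        body = "".join(r"\w" if c == "?" else re.escape(c) for c in token) + tail
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)

class _Parser:
    """queries := query ('||' query)*; query := conj ('|' conj)*;
    conj := atom atom ...; atom := '(' query ')' | term"""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def queries(self):
        alts = [self.query()]
        while self.peek() == "||":
            self.i += 1
            alts.append(self.query())
        return alts[0] if len(alts) == 1 else ("OR", alts)

    def query(self):
        alts = [self.conj()]
        while self.peek() == "|":
            self.i += 1
            alts.append(self.conj())
        return alts[0] if len(alts) == 1 else ("OR", alts)

    def conj(self):
        items = []
        while self.peek() not in (None, "|", "||", ")"):
            items.append(self.atom())
        if not items:
            raise ValueError("empty expression")
        return items[0] if len(items) == 1 else ("AND", items)

    def atom(self):
        tok = self.toks[self.i]
        self.i += 1
        if tok != "(":
            return ("TERM", term_pattern(tok))
        node = self.query()
        if self.peek() != ")":
            raise ValueError("missing ')'")
        self.i += 1
        return node

def compile_query(query):
    parser = _Parser(tokenize(query))
    node = parser.queries()
    if parser.peek() is not None:
        raise ValueError(f"unexpected {parser.peek()!r}")
    return node

def matches(node, message):
    kind, payload = node
    if kind == "TERM":
        return payload.search(message) is not None
    if kind == "AND":
        return all(matches(n, message) for n in payload)
    return any(matches(n, message) for n in payload)

def search(query, messages):
    """Return the messages that satisfy the query, in their original order."""
    node = compile_query(query)
    return [m for m in messages if matches(node, m)]

# Constructed raw log messages; not the output of any real system.
SAMPLE_MESSAGES = [
    "sshd[2231]: Accepted password for twadmin from 10.0.0.5 port 50122 ssh2",
    "sshd[2240]: Failed password for invalid user guest from 10.0.0.9 port 50130 ssh2",
    "fw01: Permit tcp 192.168.0.1 -> 10.0.0.20:22",
    "fw01: Deny tcp 192.168.0.2 -> 10.0.0.20:23",
    "fw01: Allow udp 192.168.0.2 -> 10.0.0.20:53",
    "audit: user jhammond Write Data to /srv/share/report.pdf",
    "audit: user jhammond Wrote nothing; Data untouched",
]
```

Call search("SSH*", SAMPLE_MESSAGES) to see the two sshd lines from Step 3.1 come back, and search('"Failed Login"', SAMPLE_MESSAGES) to see that the quoted literal does not match "Failed password". The whole-word boundary is deliberate: without it, 192.168.0.1 would also match 192.168.0.10, which is exactly the kind of false positive that sends an analyst to the wrong host.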

Step 3.2 - Graph and Diagram Event Data

In this Step, you will complete the following steps in the Event-Database Viewer.

• Generate a Graph to show all Events added to the default Events Database over the past 24 hours

• Generate an Event-Relationship Diagram to illustrate the communications between the host systems involved in these Events

• Create an Event Ticket with which your organization can track related work

To complete this Step:

1. In the side bar, select Events > Event-Database Viewer.

2. To generate the Graph:

a. In the side bar of the Event-Database Viewer, expand Events > Graphs.

b. Under Graphs, select Last 24 Hours.

TLC generates and presents the graph in the main pane (see Figure 39 on the next page).


Figure 39. Last 24 Hours Graph in the Event-Database Viewer

3. To generate the Event-Relationship Diagram:

a. In the Graph, right-click a High Priority section of a bar (in red) and select View related items from the right-click menu.

b. In the list of queried Events, select at least two (2) Events while holding the CTRL key.

c. Click Diagram Events.

TLC presents the Event-Relationship Diagram in the main pane (see Figure 40 on the next page). The diagram shows the communications between the host systems with IP addresses in the Source IP address (Src IP) and Destination IP address (Dst IP) fields of the selected Events. In a production environment, an Event-Relationship Diagram may depict an unlimited number of hosts and communications.

d. To run a replay of the sequence of communications depicted in the diagram, move your pointer over the Replay Events tab at the bottom of the workspace and click Start. TLC highlights the diagram's arrows in the order in which the communications occurred.

e. Close the Event Relationship tab.


Figure 40. An Event-Relationship Diagram 

4. To create the Event Ticket:

a. In the side bar of the Event-Database Viewer, expand Events > Events > Destination IPs.

b. In the Destination IPs group, select the IP address of your Linux Log Source.

c. Locate and select the Event for the creation of the twuser Linux user account (completed in Step 3.1 - Query the Audit Logger for Evidence of System Activity on page 71). To determine the user account associated with each Event, select the Details tab at the bottom of the workspace (see Figure 41 on the next page).

d. In the button bar, click Assign selected items to Event Ticket > Create Ticket to open the Ticket tab (see Figure 42 on page 77).


Figure 41. The Details tab

5. To complete and save the Event Ticket:

a. In the Name field, enter Unauthorized User Account.

b. From the Priority drop-down, select High.

c. From the Status drop-down, select New.

d. From the Assigned Group drop-down, select User Admin.

e. From the Ticket Group drop-down, select DMZ.

f. From the Category drop-down, select Suspicious Activity.

g. In the Description tab, enter:

Suspect user account created. Requires further investigation.

h. Click Save & Close.

Tip In the TLC Ticket Center, you can create, review, and update Event Tickets. As needed, you can also modify the list of available values for any drop-down.


Figure 42. The completed Ticket tab  

Step 3.3 - Identify Recurrent Issues

In this Step, you will:

• search for log messages saved in the Audit Logger over the past 30 days

• sort and group the log messages in the search results

• generate a pie chart to illustrate the most frequent categories of log messages collected by TLC

To complete this Step:

1. In the side bar, select Events > Audit Logger.

2. In the Audit Logger, select the Query tab.


3. To query the Audit Logger for log messages generated within the last 30 days, complete the following steps in the Query tab (see Figure 24 on page 55):

a. Select List Events - Processed from the Output drop-down.

b. From the two Assets drop-downs, accept the default values of IP Address and any.

c. From the Date and Time drop-down, select Newer/Older than.

d. From the Time Span drop-downs, select Newer than 30 Days.

e. Click Start.

TLC queries the Audit Logger File Store and normalizes the log messages generated by the Windows and Linux systems within the past 30 days. TLC then presents the Normalized Messages in the Query Results - Normalized Messages tab (see Figure 43 below).

Figure 43. The Query Results - Normalized Messages tab


4. To sort and group the messages in the Query Results - Normalized Messages tab:

a. Scroll to the right to locate the User column, and then click the User column header (see Figure 44 below). TLC sorts the Normalized Messages by the user account that performed the action. Click the User column header again to reverse the order.

b. To group the messages by the TLC Normalization Rules that normalized the messages, click-and-drag the Rule ID column header to the grouping region (see Figure 44 below).

TLC groups the Normalized Messages by rule numbers (see Figure 45 on the next page).

Tip To view the grouped messages, you may need to scroll to the left.

Figure 44. Grouping region above the Rule ID and User columns


Figure 45. Normalized Messages grouped by Rule ID

5. To generate the graph, complete the Query tab (see Figure 24 on page 55):

a. From the Output drop-down, select Graph Events - Processed.

b. From the Template drop-down, select Pie Chart.

c. From the Events per Query drop-down, select ALL.

d. In the Group tab at the bottom of the Query tab, click Add, and then select category from the Column drop-down.

e. In the Column tab, click Add, and then select category from the Column Name drop-down.

f. In the Column tab, click Add again, and then select Count from the Column Name drop-down.

g. From the Sort Column drop-down, select Count.

Tip In the Column tab, you must add at least one column with a text format, and another column with a numeric format. In this case, the category column has a text value, while the Count column contains whole numbers.


6. Click Start.

TLC queries the Audit Logger File Store and generates the Graph with the query results (see Figure 46 below).

Tip With the buttons along the top of the Query Results - Graph tab, you can modify and work with the graph. You can also customize the graph by right-clicking a pie piece and selecting an option from the right-click menu.

Figure 46. The Query Results - Graph tab

7. To clear the fields in the Query tab, click the Clear Form button.

Step 3.4 - Generate a Report on Log-Message Data

In this Step, you will run an Audit Logger Report to show:

• the number of log messages collected on each day of the prior month

• the most common properties of those log messages

• further details about the log messages generated by each Log Source

To complete this Step:

1. In the side bar, select Events > Audit Logger.

2. In the Audit Logger, select the Query tab.


3. In the Query tab:

a. From the Output drop-down, select Report.

b. From the Report drop-down, select Events by Name - Detailed.

c. Click Start.

TLC presents the report output in the workspace (see Figure 47 below). With the buttons along the top of the Report tab, you can review, print, re-format, save, and e-mail the Report.

Figure 47. The output of the Audit Logger Report


Scenario 4. Correlating SSH Logon Events

When you configured Tripwire Log Center (TLC), you assigned the Correlation Engine as an Output Destination for your Windows Asset and Linux Asset (Step 7. Create and Configure your Assets on page 32). Consequently, if TLC normalizes a log message from these Log Sources, the Normalization Engine forwards the Normalized Message to the Correlation Engine. To identify events of interest, the Correlation Engine applies Correlation Rules to the Normalized Messages.

Each Correlation Rule in TLC is constructed with a flowchart containing the following components:

• An Input specifying the source of Normalized Messages to be correlated by the rule (for example, the Collector that collected the original log message). If the message originated with the specified Input, the Correlation Engine applies the rule's Decisions to the message.

• One or more Decisions. Each Decision defines criteria to evaluate each Normalized Message processed by the rule.

• One or more Outputs. An Output is a response to any Normalized Message that satisfies the criteria specified by the rule's Decisions.

A Correlated Event is an event of interest identified by the Correlation Engine. If a Normalized Message satisfies the Decisions in a Correlation Rule, the Correlation Engine creates a Correlated Event and initiates the response(s) defined by the rule's Output(s). An Output can be any of the following actions:

• Saving the Correlated Event in an Event-Management Database

• Creating an Event Ticket in the Ticket Center

• Running an Action

TLC includes an extensive set of pre-defined Inputs, Decisions, and Outputs. You can also create custom Decisions to suit your organization's needs, as you did in Scenario 2. Monitoring and Reporting System Activity on page 61.

In this Scenario, you will create a Correlation Rule and then query the Events Database for Correlated Events created by the new rule.


Step 4.1 - Create a Correlation List

In this Step, you will create a Correlation List to be used in a Decision in the Correlation Rule you will create in Step 4.2 - Create a Correlation Rule on the next page. The list will consist of the following user accounts on your Linux Log Source: root, twadmin, sysadmin, and superuser.

To complete this Step:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Correlation > Lists.

3. Click Add.

TLC opens the List tab.

4. In the List tab:

a. Enter Linux User Accounts in the Name field.

b. From the 'Field type' drop-down, select User.

5. Add the root, twadmin, sysadmin, and superuser accounts to the Correlation List. To add each account:

a. Click Add to add a row to the list.

b. In the row's Value field, enter the user account.

Figure 48 below shows the Correlation List with all four user accounts.

Figure 48. The Correlation List with the Linux user accounts


6. Click Save to close the List tab.

7. To push updates to your Manager:

a. In the side bar of the Configuration Manager, select Resources > Managers.

b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.

c. Click Push Updates to Manager.

Step 4.2 - Create a Correlation Rule

In this Step, you will create a Correlation Rule consisting of:

• an Input for Events collected by the Manager's Network Collector

• the Decision for High Priority Events created in Scenario 2. Monitoring and Reporting System Activity on page 61

• two (2) Outputs; one for the default Event Database, and another for the Email Action created when you configured TLC (see Step 10. Create an Email Action on page 39)

With this rule, TLC will save an Event in the default Event Database and run the Email Action if the Event has 1) a High Priority, and 2) a field with one of the user accounts specified by the Correlation List created in Step 4.1 - Create a Correlation List on the previous page.

To create the Correlation Rule:

1. In the side bar, select Resources > Configuration Manager.

2. In the side bar of the Configuration Manager, select Correlation > Rules.

In the workspace, TLC presents a list of all Correlation Rules in your TLC environment.

3. In the side bar of the Configuration Manager, expand the Rules group to see the existing Correlation-Rule Groups in your TLC environment.

4. Click Add.

TLC opens the Correlation Rule tab.


5. In the Rule Settings tab (see Figure 49 below) at the bottom of the Correlation Rule tab:

a. Enter SSH Login Detection in the Name field.

b. From the Group drop-down, select Authentication.

Note As configured in this Step, the Correlation Rule creates a Correlated Event for every Normalized Message that satisfies its Decision. If you instead 1) select one or more fields in the Track Event By region, and 2) enter a value in the Suppress field of the Decision Settings tab (see below), the rule only creates a Correlated Event when the number of matching messages with the same values in the tracked fields exceeds the value entered in the Suppress field. That is how you would turn this rule into a threshold rule, for example one that fires only after a given number of failed logins from the same source address.

Figure 49. The Rule Settings tab

6. Select the Correlation Engine tab and select the Enabled check box for your Manager's Correlation Engine.

7. To add the Network Collector as the rule's Input:

a. Expand Inputs > Collectors > TLC Network Collector in the side bar.

b. Drag-and-drop the TLC Network Collector from the TLC Network Collector group to the workspace.

Tips The button bar at the top of the workspace contains a number of helpful buttons. For example, the Zoom buttons adjust the magnification of the workspace, and the Save button will save your work.


8. To add the High Priority Events Decision:

a. Expand Decisions > System Security in the side bar.

b. Drag-and-drop the High Priority Events Decision from the System Security group to the workspace, and position it directly below the Network Collector Input (see Figure 50 below).

Figure 50. The new rule with an Input and Decision

9. To add a criterion to the Decision, complete the following steps in the Decision Settings tab (see Figure 51 on the next page):

a. With the Decision selected in the workspace, click Add to add a new table row to the tab.

b. From the Type drop-down in the new row, select User.

c. From the Condition drop-down, select =.

d. From the Value drop-down, select LIST: Linux User Accounts.

Note Figure 54 on page 90 shows the Correlation Rule in its final form.


Figure 51. The Decision Settings tab with the new criterion

10. To connect the Input with the Decision, draw a connector between these two building blocks (see Figure 52 below).

a. In the workspace, select the Input.

b. Click the mid-point on the bottom border of the Input and drag to the top point of the Decision diamond.

Figure 52. The Input and Decision with a connector

11. To add the default Event Database as an Output:

a. Expand Outputs > Databases in the side bar.

b. Drag-and-drop the Events database from the Databases group to the workspace, and position the Output to the lower-left of the High Priority Events Decision.

c. Draw a connector between the Decision and the Output.

12. To add the Email Action created in Step 10. Create an Email Action on page 39 as an Output:

a. Expand Outputs > Actions in the side bar.

b. Drag-and-drop the Email to me Action from the Actions group to the workspace, and position the Output to the lower-right of the High Priority Events Decision.

c. Draw a connector between the Decision and the Output.


13. To configure the Email Action Output, select the Output in the workspace and complete the following steps in the Action Settings tab:

a. In the 'Message content' field, delete <evt_name>.

b. From the 'Content values' drop-down, select User and click Insert.

TLC adds <evt_user> to the 'Message content' field.

c. In the 'Email subject' line, enter:

Privileged user account added

d. In the 'Message content' field, enter the following sentence after <evt_user> (see Figure 53 below):

This privileged user account has been added to the Linux Log Source.

The 'Message content' will appear as the content of email messages sent by TLC when an Event contains a field with a user account specified by the Correlation List in the Decision.

Figure 53. The Action Settings tab

14. The rule's process flow should now match Figure 54 on the next page. When you are satisfied with your work, click Save and Exit to close the Correlation Rule tab.


Figure 54. The completed Correlation Rule

15. To push updates to your Manager:

a. In the side bar of the Configuration Manager, select Resources > Managers.

b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.

c. Click Push Updates to Manager.

16. Close the Configuration Manager.
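The flowchart assembled in steps 5 through 14 (one Input, one Decision carrying the User = LIST criterion, two Outputs) together with the Track Event By and Suppress behaviour described in the Note under step 5 can be read as a small program, which makes it easier to reason about what the rule will and will not fire on before pushing it to the Manager. The following Python is an added example, not TLC code and not from the guide: it models that Correlation Rule and runs it over constructed Normalized Messages. The NormalizedMessage fields, the collector names used as the Input, and the sample addresses are assumptions for the example; the rule name, group, Correlation List, email subject and '<evt_user>' message content are the values entered in Steps 4.1 and 4.2. Calling build_rule() with user_values={"twadmin"} reproduces the adjustment made later in Step 4.3, and the track_by/suppress arguments reproduce the threshold behaviour from the Note.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed Normalized Messages, not TLC output. Field names follow the
# columns the guide shows (User, Priority, Src IP, Dst IP); the collector
# name is an assumption standing in for the rule's Input.
@dataclass(frozen=True)
class NormalizedMessage:
    collector: str
    name: str
    priority: str
    user: str
    src_ip: str
    dst_ip: str

# The Correlation List from Step 4.1.
LINUX_USER_ACCOUNTS = frozenset({"root", "twadmin", "sysadmin", "superuser"})

@dataclass
class Decision:
    """Criteria from the Decision Settings tab: Priority = High, User = LIST."""
    name: str
    priority: str
    user_values: frozenset

    def evaluate(self, msg):
        return msg.priority == self.priority and msg.user in self.user_values

class EventDatabase:
    """Output: save the Correlated Event in an Event-Management Database."""
    def __init__(self):
        self.events = []

    def __call__(self, event):
        self.events.append(event)

class EmailAction:
    """Output: an Email Action whose subject and content use <evt_field> placeholders."""
    def __init__(self, subject, content):
        self.subject, self.content, self.sent = subject, content, []

    def __call__(self, event):
        def render(text):
            return re.sub(r"<evt_(\w+)>", lambda m: str(event.get(m.group(1), m.group(0))), text)
        self.sent.append({"subject": render(self.subject), "body": render(self.content)})

@dataclass
class CorrelationRule:
    name: str
    input_collector: str
    decision: Decision
    outputs: list
    track_by: tuple = ()   # 'Track Event By' fields, for example ("user", "src_ip")
    suppress: int = 0      # with track_by set, fire only after this many matches per key
    _seen: dict = field(default_factory=lambda: defaultdict(int))

    def process(self, msg):
        if msg.collector != self.input_collector:   # Input: message not from this source
            return None
        if not self.decision.evaluate(msg):         # Decision criteria not satisfied
            return None
        if self.track_by:                           # Suppress: count matches per tracked key
            key = tuple(getattr(msg, f) for f in self.track_by)
            self._seen[key] += 1
            if self._seen[key] <= self.suppress:
                return None
        event = {"rule": self.name, "name": msg.name, "priority": msg.priority,
                 "user": msg.user, "src_ip": msg.src_ip, "dst_ip": msg.dst_ip}
        for output in self.outputs:                 # every connected Output runs
            output(event)
        return event

def build_rule(user_values=LINUX_USER_ACCOUNTS, track_by=(), suppress=0):
    """Assemble the SSH Login Detection rule as drawn in Figure 54."""
    db = EventDatabase()
    mail = EmailAction("Privileged user account added",
                       "<evt_user> This privileged user account has been added to the Linux Log Source.")
    decision = Decision("High Priority Events", "High", frozenset(user_values))
    rule = CorrelationRule("SSH Login Detection", "TLC Network Collector",
                           decision, [db, mail], tuple(track_by), suppress)
    return rule, db, mail

def correlate(rule, messages):
    """Feed messages through the rule and return the Correlated Events it creates."""
    return [event for event in map(rule.process, messages) if event is not None]

# Constructed sample: SSH logons to the Linux Log Source (10.0.0.20), as the
# Normalization Engine might hand them to the Correlation Engine.
SAMPLE = [
    NormalizedMessage("TLC Network Collector", "SSH Login Success", "High", "twadmin", "10.0.0.5", "10.0.0.20"),
    NormalizedMessage("TLC Network Collector", "SSH Login Success", "High", "twuser", "10.0.0.5", "10.0.0.20"),
    NormalizedMessage("TLC Network Collector", "SSH Login Success", "Low", "root", "10.0.0.5", "10.0.0.20"),
    NormalizedMessage("Windows Agent Collector", "SSH Login Success", "High", "root", "10.0.0.5", "10.0.0.20"),
    NormalizedMessage("TLC Network Collector", "SSH Login Success", "High", "root", "10.0.0.5", "10.0.0.20"),
]

if __name__ == "__main__":
    rule, db, mail = build_rule()
    for event, email in zip(correlate(rule, SAMPLE), mail.sent):
        print(event["user"], "|", email["subject"], "|", email["body"])
```

Of the five sample messages only the twadmin and root logons from the Network Collector produce Correlated Events: twuser is not in the list, the Low Priority root logon fails the Decision, and the root logon arriving through a different collector never reaches the Decision because the Input does not match. Note that the rule emails on every match; in production the Suppress threshold (or a Track Event By key on the source address) is what keeps a single noisy host from generating one message per logon.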

Step 4.3 - Analyze Correlated Events in the Event-Database Viewer

In this Step, you will:

• log in to your Linux Log Source via SSH to prompt the creation of a Correlated Event with the Correlation Rule added in Step 4.2 - Create a Correlation Rule on page 85

• review the properties of the Correlated Event in the Event-Database Viewer

• adjust the Correlation Rule so it only creates Correlated Events when the twadmin user account logs in to the Linux Log Source

• log in to your Linux Log Source with the twadmin user account, and then log in with the twuser account

• open the Real-Time Event Viewer to verify that the rule created a Correlated Event for the logon by the twadmin user account, but not for the logon by the twuser account

Tripwire Log Center 7.0 Evaluation Guide 90 Chapter 3. Scenarios

Page 91: Tlc Evaluation Guide

To complete this Step:

1. Log in to your Linux Log Source via SSH with the twadmin user account to create the Correlated Event.

2. To query the Events Database for the Correlated Event:

a. In the side bar, select Events > Event-Database Viewer to open the Event-Database Viewer.

b. In the side bar of the Event-Database Viewer, select Events > Events > Priorities. TLC presents a pie chart showing the number of Events in the database for each Priority.

c. Right-click the pie piece for High Priorities, and select View related items (see Figure 55 below). TLC presents a list of all Events with a High Priority in the database.

Figure 55. 'View related items' command for High Priorities

3. To adjust the Correlation Rule:

a. In the side bar, select Resources > Configuration Manager.

b. In the side bar of the Configuration Manager, select Correlation > Rules > Authentication.

c. In the workspace, double-click SSH Login Detection.

d. In the Correlation Rule tab, select the High Priority Events Decision.

e. In the Decision Settings tab (see Figure 56 below), change the Value of the User line from the Correlation List to "twadmin."

f. Click Save and Exit to close the Correlation Rule tab.

Figure 56. Decision Settings tab

4. To push updates to your Manager:

a. In the side bar of the Configuration Manager, select Resources > Managers.

b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.

c. Click Push Updates to Manager.

5. In the side bar, select Events > Real-Time Event Viewer.

6. In the Real-Time Event Viewer, complete the following steps.

a. In the IP-address filter field, enter the IP address of your Linux Log Source.

b. From the Collector drop-down, select TLC Network Collector.

c. Select the Wrap text check box and click Start. TLC begins displaying log messages from your Linux Log Source in real time.

7. On the Linux Log Source:

a. Log in and out with the twadmin user account.

b. Log in and out with the twuser account.

8. Monitor the Real-Time Event Viewer in TLC. You should see log messages for the logon events by the twadmin user account (see Figure 57 below).

Note: As needed, you can use the Real-Time Event Viewer to verify collection of log messages from any Log Source in your TLC environment.

Figure 57. Real-Time Event Viewer with log messages for twadmin logon event

9. Click Stop and close the Real-Time Event Viewer.
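Steps 4.2 and 4.3 build the same three-stage pipeline that the Glossary describes: a Normalization Rule (a regular expression) turns a log message into name-value fields, a Correlation Rule runs the Normalized Message through an Input, Decision(s), and Output(s), and an Email Action fills in placeholders such as <evt_user> in its 'Message content'. The Python script below is an added example written for this guide; it is not Tripwire code and does not reflect TLC's internal implementation. It takes from the guide only the rule name 'SSH Login Detection', the Decision name 'High Priority Events', the <evt_user>/<evt_name> placeholders, and the email subject and text. The sshd log format, the first Decision ('Is SSH Login'), the field names evt_method/evt_src_ip/evt_src_port, the sample log lines, and the membership of the Correlation List are all assumptions made for illustration. It shows the Step 4.2 behaviour (Decision value is a Correlation List) and the Step 4.3 behaviour (Decision value is the single account twadmin) side by side, so you can see why the twuser logon never produces an email in either case.

```python
"""Added example (not Tripwire's code): a toy model of the pipeline exercised in
Steps 4.2 and 4.3 -- a Normalization Rule turns an sshd log line into
name-value fields, a Correlation Rule (Input -> Decisions -> Output) tests
them, and an Email Action renders its 'Message content' template.  The log
format, the 'Is SSH Login' Decision, the extra field names and the
Correlation List contents are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Union

# Constructed sample lines standing in for the Linux Log Source's sshd output.
SAMPLE_LOGS = [
    "Nov 29 10:01:02 linux01 sshd[2231]: Accepted password for twadmin from 192.0.2.10 port 50122 ssh2",
    "Nov 29 10:02:15 linux01 sshd[2240]: Accepted publickey for twuser from 192.0.2.11 port 50130 ssh2",
    "Nov 29 10:03:44 linux01 sshd[2251]: Accepted password for oracle from 192.0.2.12 port 50140 ssh2",
    "Nov 29 10:04:10 linux01 sshd[2260]: Failed password for root from 198.51.100.7 port 40111 ssh2",
]

# A Normalization Rule is a regular expression; the named groups become the
# normalized fields.  Assumed here, modelled on OpenSSH's "Accepted ..." line.
SSH_LOGIN_RULE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<evt_method>\w+) for (?P<evt_user>\S+) "
    r"from (?P<evt_src_ip>[\d.]+) port (?P<evt_src_port>\d+)"
)


def normalize(raw: str) -> Optional[Dict[str, str]]:
    """Return the Normalized Message, or None when the rule does not match."""
    m = SSH_LOGIN_RULE.search(raw)
    if m is None:
        return None
    fields = m.groupdict()
    fields["evt_name"] = "SSH Login"  # event name assigned by the rule
    fields["evt_raw"] = raw
    return fields


@dataclass
class Decision:
    """A Decision node: the rule continues only while each test passes."""
    name: str
    test: Callable[[Dict[str, str]], bool]


@dataclass
class EmailAction:
    """Email Action Output whose 'Message content' carries <evt_field> placeholders."""
    subject: str
    message_content: str

    def render(self, event: Dict[str, str]) -> Dict[str, str]:
        # Replace each <name> with the event's field; leave unknown placeholders visible.
        body = re.sub(r"<(\w+)>", lambda m: event.get(m.group(1), m.group(0)), self.message_content)
        return {"subject": self.subject, "body": body}


@dataclass
class CorrelationRule:
    name: str
    decisions: List[Decision]
    output: EmailAction

    def evaluate(self, event: Dict[str, str]) -> Optional[Dict[str, str]]:
        for d in self.decisions:
            if not d.test(event):
                return None  # flow stops at the first failing Decision
        return self.output.render(event)


# Constructed Correlation List of privileged accounts (Step 4.1 is not shown here).
PRIVILEGED_ACCOUNTS: Set[str] = {"twadmin", "oracle"}


def build_rule(user_value: Union[str, Set[str]]) -> CorrelationRule:
    """'SSH Login Detection' with the User line set either to a Correlation List
    (Step 4.2) or to the single value "twadmin" (Step 4.3)."""
    if isinstance(user_value, str):
        user_test = lambda e: e.get("evt_user") == user_value
    else:
        user_test = lambda e: e.get("evt_user") in user_value
    return CorrelationRule(
        name="SSH Login Detection",
        decisions=[
            Decision("Is SSH Login", lambda e: e.get("evt_name") == "SSH Login"),
            Decision("High Priority Events", user_test),
        ],
        output=EmailAction(
            subject="Privileged user account added",
            message_content="<evt_user> This privileged user account has been added to the Linux Log Source.",
        ),
    )


def run(rule: CorrelationRule, raw_lines: List[str]) -> List[Dict[str, str]]:
    """Normalize each line and collect the emails the rule's Output would send."""
    emails = []
    for raw in raw_lines:
        event = normalize(raw)
        if event is None:  # not an accepted SSH login: nothing to correlate
            continue
        mail = rule.evaluate(event)
        if mail is not None:
            emails.append(mail)
    return emails


if __name__ == "__main__":
    for label, value in (("Correlation List", PRIVILEGED_ACCOUNTS), ("twadmin only", "twadmin")):
        print(f"--- Decision value: {label}")
        for mail in run(build_rule(value), SAMPLE_LOGS):
            print(mail["subject"], "|", mail["body"])
```

With the Correlation List, two emails are produced (twadmin and oracle); after narrowing the Decision to "twadmin", only one is. The failed root logon never reaches the rule at all because the Normalization Rule does not match it, which is the same reason a mis-typed or missing Normalization Rule shows up in TLC as silence rather than as an error.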

Step 4.4 - Generate a Report on User-Logon Activity

To complete this Scenario, you will open the Report Center and run a Report to analyze the logon events for each user account on your Linux Log Source.

To complete this Step:

1. In the side bar, select Events > Report Center.

2. In the side bar of the Report Center:

a. From the Database drop-down, select Events.

b. Select Standard Reports > Events by User.

c. From the 'Time filter' drop-down, select 30 Days.

d. Click Run Report.

TLC presents the report output in the workspace (see Figure 58 below). The output includes:

• A pie chart showing the most common hosts on which events occurred over the previous 30 days,

• A pie chart showing the user accounts most frequently involved in those events, and

• All logon events grouped by user account.

Figure 58. Output of the Events by User Report
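The three parts of the Events by User output are one aggregation over the Event Database: keep the Events inside the time filter, count them by host and by user for the two pie charts, and group the remainder by user account. The script below is an added example, not Tripwire code, and does not use TLC's schema or Report Center internals; the field names (time, host, user, name), the sample Events, and the report time are constructed for illustration.

```python
"""Added example (not Tripwire's code): the aggregation behind an 'Events by
User' report as described in Step 4.4.  Events are filtered to a trailing
time window, then summarized as the top hosts, the top user accounts, and the
logon events grouped by user.  Field names and sample Events are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed Events, as they might be stored in an Event Database after
# Scenario 4.  Timestamps are ISO 8601 strings; the last one is older than 30 days.
EVENTS: List[Dict[str, str]] = [
    {"time": "2015-11-29T10:01:02", "host": "linux01", "user": "twadmin", "name": "SSH Login"},
    {"time": "2015-11-29T10:02:15", "host": "linux01", "user": "twuser", "name": "SSH Login"},
    {"time": "2015-11-28T09:15:00", "host": "linux01", "user": "twadmin", "name": "SSH Login"},
    {"time": "2015-11-27T22:40:11", "host": "win01", "user": "twadmin", "name": "Windows Logon"},
    {"time": "2015-10-01T08:00:00", "host": "linux01", "user": "oracle", "name": "SSH Login"},
]

# Constructed "now" for the report so the 30-day window is reproducible.
REPORT_TIME = datetime(2015, 11, 29, 12, 0, 0)


def events_by_user(events: List[Dict[str, str]], now: datetime, days: int = 30) -> Dict:
    """Return the report's three parts: top hosts, top users, and events grouped by user."""
    cutoff = now - timedelta(days=days)
    window = [e for e in events if datetime.fromisoformat(e["time"]) >= cutoff]
    host_counts = Counter(e["host"] for e in window)
    user_counts = Counter(e["user"] for e in window)
    grouped: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for e in sorted(window, key=lambda e: e["time"]):  # chronological within each user
        grouped[e["user"]].append(e)
    return {
        "top_hosts": host_counts.most_common(),
        "top_users": user_counts.most_common(),
        "by_user": dict(grouped),
    }


def pie_shares(counts: List[Tuple[str, int]]) -> List[Tuple[str, float]]:
    """Convert (label, count) pairs into (label, percent) pairs for a pie chart."""
    total = sum(c for _, c in counts)
    if total == 0:
        return []
    return [(label, round(100.0 * c / total, 1)) for label, c in counts]


def run_report() -> Dict:
    """Run the report over the constructed Events at the constructed report time."""
    return events_by_user(EVENTS, REPORT_TIME)


if __name__ == "__main__":
    report = run_report()
    print("Hosts:", pie_shares(report["top_hosts"]))
    print("Users:", pie_shares(report["top_users"]))
    for user, evts in report["by_user"].items():
        print(user, [e["time"] for e in evts])
```

Note that the oracle logon from October drops out of every part of the report, which is what the 30-day time filter in step 2c does; a report that unexpectedly shows no events for an account is more often a window problem than a collection problem.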


Chapter 4. Summary

Evaluation Guide Summary

In this evaluation, you learned how Tripwire Log Center (TLC) handles:

• Installation and configuration. To begin the evaluation, you successfully installed and configured TLC. In addition, you learned how to customize and work with your TLC Console.

• Log management. In the Real-Time Event Viewer, you monitored the collection of log messages from your Log Sources in real time. With the Audit Logger, you queried log messages saved in your Audit Logger File Store, and generated informative graphs and reports.

• Event management. From the Tripwire Web site, you downloaded and imported pre-defined Normalization Rules with which TLC normalizes log messages. In the Configuration Manager, you created an Email Action and Correlation List. With these 'building blocks,' you then designed a new Correlation Rule to define criteria that determine if Normalized Messages are saved as Events in the default Event Database. You also queried, graphed, and analyzed your Event data with the Event-Database Viewer.

• Data analysis. In addition to analyzing data in the Audit Logger and Event-Database Viewer, you created a Layout in the Dashboard and ran a Report in the Report Center.

This concludes the TLC evaluation. For more information about TLC, visit the Tripwire Customer Center: www.tripwire.com/customers

Professional Services

From initial planning through post-deployment operation of your Tripwire Log Center (TLC) implementation, Tripwire Professional Services can assist you every step of the way. Our team can help you devise the perfect plan to achieve your goals with TLC. We can then continue to assist you with extensive deployment and post-deployment services.

The Professional Services team offers the following services:

• Deployment Services enable you to swiftly put TLC to work. From pre-deployment planning to customization, we assure that TLC is up and running as quickly and effectively as possible.

• Post-Deployment Services have been designed with your specific needs in mind. With Post-Deployment Services, our team of experts can make our solutions work harder for you and deliver greater value in many different ways.

• Professional Services ensure that you benefit fully from your investment in TLC. Our team of experts will work directly with your organization to address challenges in any of the following areas:

- Audit and compliance preparedness
- Change and configuration management
- Security enforcement
- Best practices and process improvement

For more information, visit the Tripwire Professional Services Web site: www.tripwire.com/services

Contact Us

We look forward to showing you more ways in which Tripwire Log Center can assist you. For further information, please contact us at:

E-mail: [email protected]
Phone: 1-800-TRIPWIRE (1-800-874-7947)

Tripwire Log Center Glossary

Action
A TLC object that initiates a response to Correlated Events created by Correlation Rules.

Administration Manager
In this page, you can manage the user accounts, user groups, permissions, and Global Settings for your TLC environment.

Administrative Task
A type of Task that performs an administrative operation on specified data in an Event-Management Database. Types of Administrative Tasks include Archive, Copy, and Delete Tasks.

Advanced File Collector
A type of Collector that collects log messages from log-generating applications running on a VIA Agent host system via the Secure Sockets Layer (SSL) protocol.

Advanced Windows Collector
A type of Collector that collects log messages from Windows Event Logs on VIA Agent systems via the Secure Sockets Layer (SSL) protocol.

Agent
See Tripwire VIA Agent.

Alias
A custom variable that represents a partial or complete regular expression.

Archive Task
A type of Administrative Task that moves specified data from one Event-Management Database to another.

Asset
An object in TLC that represents a Log Source from which TLC collects log messages directly.

Audit Logger
The TLC Console component in which you can work with the log messages collected by TLC.

Audit Logger File Store
Consists of a series of compressed flat files containing the log messages collected by the Manager from Log Sources, and an index of terms contained in the log messages.

Auto-Discovery
An automated process by which TLC creates an Asset for an unknown Log Source that generated a log message collected by TLC.

Check Point Collector
A type of Collector that listens for log messages from a Check Point Manager.

Cisco IDS Collector
A type of Collector that gathers log messages from Cisco IDS sensors.

Classification
The process of categorizing log messages with Classification Tags.

Classification Tag
Defines a string to classify similar log messages archived in the Audit Logger File Store.

Classification Tag Set
A group of Tripwire-defined or user-defined Classification Tags.

Clean-Up Utility
A component of the Normalization Engine that standardizes the format of each name-value pair in log messages.

Collection
The gathering or receipt of log messages from Log Sources.

Collector
A TLC module that gathers or receives log messages from Log Sources.

Configuration Diagram Layout Panel
A type of Layout Panel that displays a diagram of the Log Sources, Collectors, Managers, Audit Loggers, Correlation Engines, and Event-Management Databases in your TLC environment.

Configuration Manager
In the Configuration Manager, you can create and configure TLC Resources (Assets, Asset Groups, Managers, Locations, Event-Management Databases), normalization objects (Normalization Rules, Aliases, and Normalized-Message Filters), and correlation objects (Correlation Engines, Rules, Lists, and Actions).

Copy Task
A type of Administrative Task that copies specified data from one Event-Management Database to another.

Correlated Event
An event of interest identified by the Correlation Engine.

Correlation
The examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients.

Correlation Engine
The component of your Primary Manager responsible for identifying events of interest. To correlate events, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine.

Correlation List
A list of values that may be used to define a condition in a Decision.

Correlation Rule
Constructed with a flowchart consisting of an Input, Decision(s), and Output(s), a Correlation Rule correlates log messages to identify events of interest.

Custom Command
A command that users can run when they select a field or a row in a table in the TLC Console.

Dashboard
A TLC Console component that presents information about a Manager or Event-Management Database in a Layout.

Database Collector
A type of Collector that gathers log messages from an application that logs to an External Database.

Database Layout
A type of Layout that presents information about the Events in a selected Event-Management Database.

Database Viewer
A TLC Console component in which you can review information about Events in Event-Management Databases. Types of Database Viewers include the Event-Database Viewer, IDS-Database Viewer, and Firewall-Database Viewer.

Decision
A component of a Correlation Rule, a Decision defines a condition that determines if the rule continues correlating a log message.

Delete Task
A type of Administrative Task that removes specified data from an Event-Management Database.

Dynamic Correlation List
A Correlation List consisting of items that are automatically updated by TLC when related data is changed on another system; for example, user logins on an Active Directory server.

Email Action
A type of Action that sends an email notification to specified recipients.

Event
1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a. Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message' collected from a Log Source.

Event Database
A type of Event-Management Database that stores Events from any Log Source and/or scanner.

Event Management
To normalize and correlate log messages to identify events of interest, TLC uses the Normalization Rules and Correlation Rules in the Configuration Manager. As appropriate, you may configure your Correlation Rules to save log messages as Events in Event-Management Databases. In the TLC Console, you can then review and query these Events in the appropriate Database Viewer.

Event Ticket
A work ticket for an Event in an Event-Management Database.

Event-Database Viewer
A type of Database Viewer in which you can query and work with the data in your Event Databases.

Event-Management Database
An optional component of your TLC environment, an Event-Management Database stores Events. Types of Event-Management Databases include Event Databases, IDS Databases, and Firewall Databases.

Event-Relationship Diagram
A TLC-generated diagram depicting the series of communications between systems involved in two or more Events.

File Collector
A type of Collector that gathers log messages from Log Sources that store messages in an ASCII log file.

Firewall Database
A type of Event-Management Database that stores Events from firewalls.

Firewall-Database Viewer
A type of Database Viewer in which you can query and work with the data in your Firewall Databases.

Forwarding Destination
A third-party, log-archive tool to which log messages are forwarded by the Log-Message Forwarding feature.

Graph Task
A type of Search Task that queries an Event-Management Database and presents the results in a graph.

Host
1. A Log Source or a system involved in an Event. 2. A system on which TLC Manager, TLC Console, or Event-Management Database software is installed.

IDS Database
A type of Event-Management Database that stores Events from IDS and IPS devices.

IDS-Database Viewer
A type of Database Viewer in which you can query and work with the data in your IDS Databases.

Internet Tools
A TLC Console component in which you can run queries with conventional utilities to gather information about Hosts (e.g. NSLookup, Ping, Traceroute, and Whois).

IP Tag
A TLC object that applies highlighting to specified IP addresses when the addresses are displayed in a list in the TLC Console.

Layout
1. A customizable configuration of panels containing fields, tables, and/or graphs. 2. The configuration and formatting of a table or Event-Relationship Diagram.

Layout Panel
A component of a Layout. Types of Layout Panels include Configuration Diagram, Map, Text, Time Graph, and Top Graph.

Layout-Panel Task
A type of Task that creates a Layout Panel that may be added to a Manager Layout or Database Layout.

List Task
A type of Search Task that queries an Event-Management Database and presents the results in a table.

Location
A custom category used to classify Assets by geography.

Log Management
TLC saves collected log messages in the Audit Logger File Store. In the TLC Console's Audit Logger, you can review and query the log messages in the file store.

log message
A data record generated by a Log Source and collected by TLC.

Log Source
Any log-generating application, operating-system service, database instance, or device from which TLC collects log messages.

Log-Message Forwarding
A TLC feature used to forward copies of log messages to one or more third-party, log-archive tools (known as Forwarding Destinations).

Manager Layout
A type of Layout that presents information about 1) a selected Manager's system resources and configuration, and 2) the log messages collected by the Manager's Collectors.

Map Layout Panel
A type of Layout Panel that displays the geographic locations of IP addresses on a map.

Network Collector
A type of Collector that listens for Syslog and SNMP-based log messages from network devices.

Normalization
The process of standardizing log messages for use by TLC. Standardized messages are known as Normalized Messages.

Normalization Engine
The component of your Primary Manager responsible for normalizing log messages.

Normalization Rule
Defines a regular expression that can be used to normalize log messages generated by a specific type of Log Source.

Normalized Message
A log message that has been normalized by TLC.

Normalized-Message Filter
A TLC object that defines a condition(s) to prevent TLC from forwarding some log messages to a specified Event-Management Database(s) or Correlation Engine(s).

Notification Action
A type of Action that creates a Notification in the Notifications dialog of the TLC Console.

Oracle Database Collector
A type of Collector that gathers log messages from Oracle database audit logs.

Output Destination
Assigned to an Asset, an Output Destination is either the Audit Logger, an Event-Management Database, or a Correlation Engine that correlates Normalized Messages.

Parsing Utility
A component of the Normalization Engine that parses each name-value pair in log messages.

Primary Manager
Each TLC environment has a single Primary Manager that controls: 1. The archiving of log messages in the Audit Logger File Store and Events in Event-Management Databases, 2. The configuration settings for your TLC environment, and 3. User access and license management for TLC.

Real-Time Event Viewer
A TLC Console component that displays log messages as they are collected by TLC.

Report Task
A type of Search Task that queries an Event-Management Database and compiles the results in a PDF report file.

scanner
A device that monitors systems in your TLC environment (for example, a vulnerability scanner).

Scanner Event
An Event created when you import data from a scanner to an Event Database.

Scheduled Task
Created in the Task Scheduler, a Scheduled Task defines a schedule for TLC to run: 1. A Copy Task, Delete Task, Archive Task, or Report Task. 2. A Saved Query that generates an Audit Logger Report.

Script Action
A type of Action that runs a Windows command.

Search Task
A type of Task that performs a query of data in an Event-Management Database. Types of Search Tasks include List, Graph, and Report Tasks.

Secondary Manager
Your TLC environment may also include one or more Secondary Managers that may be configured to either: 1. Archive log messages (as with a Primary Manager), or 2. Forward log messages to another Manager.

Syslog Action
A type of Action that sends a Syslog message to a specified Syslog server.

System Database
Installed on your Primary Manager, the System Database stores a record of all user logins and logouts, as well as all TLC objects defined in the TLC Console; for example, Assets, Normalization Rules, and Event Tickets.

Task
Created and configured in the Task Manager, a Task queries Events, Hosts, or Scanner Events in an Event-Management Database to perform an operation. Types of Tasks include Layout-Panel, Administrative, and Search Tasks.

Text Layout Panel
A type of Layout Panel that presents data in a table.

Ticket Center
The TLC Console component that is a complete ticketing and incident-handling system.

Time Graph Layout Panel
A type of Layout Panel that presents a timeline of log messages or Events in a graph.

TLC Console
1. Tripwire Log Center Console is the software for the TLC graphic user interface (GUI), or 2. The Tripwire Log Center GUI. Through the TLC Console, you can configure TLC, oversee your TLC environment, and manage log and event data.

TLC Console host
A system on which TLC Console software has been installed.

TLC environment
Consists of all TLC software, Managers, Log Sources, Assets, Collectors, and data in your TLC installation.

TLC Manager
Tripwire Log Center Manager is the core software in your TLC environment. TLC Manager collects and processes log messages from a wide variety of systems and devices.

TLC Manager Interface
The graphic user interface (GUI) for TLC Manager.

Top Graph Layout Panel
A type of Layout Panel that displays the Top N items in a graph or chart.

Tripwire VIA Agent
A service that may be installed on a Windows or Linux system to collect log messages from any log-generating application running on the system. When installed on a Windows system, VIA Agent can also collect the system's Windows Event Logs via the Secure Sockets Layer (SSL) protocol.

Tripwire VIA Agent Bridge
A component of TLC Manager through which VIA Agents deliver log messages to TLC.

User Account
A TLC object that provides a user with a collection of User Permissions to work with TLC.

User Group
A collection of User Accounts.

User Permission
A system authorization that enables a user to view, create, or otherwise modify data in TLC.

vulnerability
A potential security weakness identified by a vulnerability scanner. In an Event Database, you can import or collect vulnerabilities detected by a scanner.

Vulnerability Event
An event imported from a vulnerability scanner.

WinLog Collector
A type of Collector that collects log messages from Windows Event Logs via the Windows Management Instrumentation (WMI) protocol.

Index

A

Actions: creating an Email Action 39; types 39
Administration Manager: in TLC Console 22
Administrative Tasks: defined 48
Advanced File Collectors: defined 30
Advanced Windows Collector: configuring 30
Advanced Windows Collectors: defined 30
analyzing: event data with the Dashboard 62; system activity 71; system activity with Event-Database Viewer 73
Archive Tasks: defined 48
Asset Groups: assigning Normalization Rules to 25; configuring 25
Assets: creating 32; defined 14
assigning: Correlation Rules to the Correlation Engine 37; Normalization Rules to your Asset Groups 25
Audit Logger: cache 42; defined 14; File Store 42; generating a Report 81; Graph 81; in TLC Console 22; output of Report 82; query-syntax characters 73; Query Results - Normalized Messages tab 56, 72, 78; Query tab 55; Raw Logs tab 59; reviewing the Audit Logger directory 42; search and graph data 77; searching for log messages 71
Audit Logger File Store: defined 42

B

button bar: buttons 22
buttons: in button bar 22; in side bar 22

C

Check Point Collector: defined 30
Cisco IDS Collector: defined 30

collection: about 14; confirming log-message collection 36; diagram 15
Collectors: configuring the Advanced Windows Collector 30; configuring the Network Collector 30; defined 14, 30; types 30; verifying installation 42
Configuration Diagram Layout Panels: defined 47
Configuration Manager: in TLC Console 22
configuring: Asset Groups 25; Collectors 30; Log Sources 18; Tripwire Log Center 18; Windows Asset 33; your TLC Console 21
Copy Tasks: defined 48
Correlated Events: analyzing 90; defined 83
correlating: SSH login events 83
correlation: about 14; diagram 15
Correlation Engine: assigning Correlation Rules to 37; defined 14, 37
Correlation Lists: creating 84
Correlation Rules: assigning to Correlation Engine 37; completed logic flow 90; creating 85
creating: a Correlation List 84; a Correlation Rule 85; Actions 39; Assets 32; Layouts 47; Linux Asset 34
Custom Commands: defined 52; dialog 54

D

Dashboard: about 47; analyzing event data with 62; creating Layouts 47; defined 47; in TLC Console 22; with Events Overview Layout 63
Database Collector: defined 30
Database Layouts: defined 47
Database Viewers: defined 61
databases: see Event-Management Databases 61
Delete Tasks: defined 48
detecting: a 'Brute Force Attack' 57; unauthorized user activity 52; user activity 52

E

Email Actions: creating 39; defined 39
Evaluation Guide: about 12; summary 96
Event-Database Viewer: analyze system activity with 73; analyzing Correlated Events in 90; defined 61; Graph 74; in TLC Console 22; with Event-Relationship Diagram 75
Event-Management Databases: defined 14, 61; installing database software 17; types 61
Event-Relationship Diagrams: in Event-Database Viewer 75
Event Databases: defined 61
Event Framework: see Event-Database Viewer 61
Event Tickets: Details tab 76; Ticket tab 77
Events: analyzing Correlated Events in the Event-Database Viewer 90; defined 14, 61; for simulated 'Brute Force Attack' in Report output 69; generating a Report for 66

F

File Collector: defined 30
Firewall-Database Viewer: defined 61
Firewall Databases: defined 61

G

generating: a Report 66; a User Login Report 93
Graph Tasks: defined 48
Graphs: in Audit Logger 77, 81; in Event-Database Viewer 74

I

IDS-Database Viewer: defined 61
IDS Databases: defined 61
importing: the latest Normalization Rules 24
installing: Event-Management Database software 17; TLC 17; VIA Agent on a Windows system 18

L

Layout-Panel Tasks: defined 48

Layout Panels: in a Layout 64; types 47
Layouts: about 47; creating 47; Events Overview Layout in the Dashboard 63; types 47; with Layout Panels 64
Linux Asset: creating and configuring 34
List Tasks: defined 48
log messages: confirming collection of 36; diagram of collection, normalization, and correlation 15; displayed in Real-Time Event Viewer 53; in Audit Logger Query Results - Normalized Messages tab 72; in Audit Logger Raw Logs tab 59; login event in Real-Time Event Viewer 93; searching in Audit Logger 71
Log Sources: configuring 18; defined 14

M

Manager Layouts: defined 47
Managers: about Primary and Secondary Managers 17; pushing updates 32
Map Layout Panels: defined 47
monitoring: system activity 61

N

Network Collector: configuring 30; defined 30
normalization: about 14; defined 14; diagram 15
Normalization Engine: defined 14
Normalization Rules: assigning to Asset Groups 25; defined 14; importing 24; Rule Editor 46; viewing regular expression defined by 44
Normalized-Message Filters: defined 14
Normalized Messages: in Audit Logger 'Query Results - Normalized Messages' tab 56; in Audit Logger Query Results - Normalized Messages tab 78
Notification Actions: defined 39

O

Oracle Database Collectors: defined 30

P

Priorities: defined 61
push updates: and Managers 32

Q

queries: syntax characters in Audit Logger 73

R

Real-Time Event Viewer: defined 14; in TLC Console 22; with displayed log messages 53; with log message for login event 93
regular expressions: and Normalization Rules 44
Report Center: in TLC Console 22
Report Tasks: defined 48
reporting: system activity 61
Reports: generating a Report in the Audit Logger 81; generating a Report on Event data 66; generating a User Login Report 93; new Report in Task Manager 67; output of a Report in the Report Center 94; output of an Audit Logger Report 82; output of System Activity by Classification Report 68; output with Events for simulated 'Brute Force Attack' 69; Watermark dialog 70
responding: to unauthorized user activity 52

S

Scenarios: analyzing system activity 71; correlating SSH login events 83; detecting user activity 52; monitoring and reporting system activity 61
Script Actions: defined 39
Search Tasks: defined 48
searching: Audit Logger 77; for log messages in the Audit Logger 71
side bar: buttons 22
SSH login events: correlating 83
summary: of Evaluation Guide 96
syntax: characters for Audit Logger queries 73
Syslog Actions: defined 39
system activity: analyze with Event-Database Viewer 73; analyzing 71; monitoring and reporting 61
System Database: about 61

T

Task Manager: in TLC Console 22; with auto-created search filter 65; with new Report 67

Tasks: types 48
Text Layout Panels: defined 47
Ticket Center: in TLC Console 22
Time Graph Layout Panels: defined 47
TLC: about 13; about collection, normalization, and correlation 14; about the evaluation 12; components 22; configuring 18; defined 13; diagram of log-message collection, normalization, and correlation 15; installing 17
TLC Console: configuring 21; defined 13; diagram of components 21; working with 42
TLC Manager: defined 13
Top Graph Layout Panels: defined 47
Tripwire Log Center: see TLC 13
Tripwire Log Center Console: see TLC Console 13
Tripwire Log Center Evaluation Guide: chapters in 7
Tripwire Log Center Manager: see TLC Manager 13
Tripwire VIA Agent: see VIA Agent 13

U

user activity: detecting 52

V

VIA Agent: defined 13; installing on Windows system 18

W

Windows Asset: configuring 33
WinLog Collector: defined 30