
TRIPWIRE LOG CENTER 7.0
EVALUATION GUIDE

2003-2013 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. All other brand or product names may be trademarks or registered trademarks of their respective companies or organizations.

Tripwire, Inc. One Main Place 101 SW Main St., Suite 1500 Portland, OR 97204 US Toll-free: 1.800.TRIPWIRE main: 1.503.276.7500 fax: 1.503.223.0182
http://www.tripwire.com tripwire@tripwire.com TW1139-02

Contents

About This Guide ... 7
    Overview ... 7
    Document List ... 8
    Document Conventions ... 9
    Contact Information ... 10

Chapter 1. Overview ... 11
    About the TLC Evaluation ... 12
    What is Tripwire Log Center? ... 13
    How does TLC collect, normalize, and correlate log messages? ... 14

Chapter 2. Installation and Configuration ... 16
    Installing Tripwire Log Center ... 17
    Configuring Tripwire Log Center ... 18
        Step 1. Configure your Log Sources ... 18
        Step 2. Configure your TLC Console ... 21
        Step 3. Import the Latest Normalization Rules ... 24
        Step 4. Configure your Asset Groups ... 25
        Step 5. Configure your Collectors ... 30
        Step 6. Push Updates to your Manager ... 32
        Step 7. Create and Configure your Assets ... 32
        Step 8. Confirm Log-Message Collection ... 36
        Step 9. Assign Correlation Rules to the Correlation Engine ... 37
        Step 10. Create an Email Action ... 39
    Working with the TLC Console ... 42
        Step 1. Verify Collector Installation and Review the Audit Logger Directory ... 42
        Step 2. View the Regular Expression defined by a Normalization Rule ... 44
        Step 3. Create a Layout in the Dashboard ... 47

Tripwire Log Center 7.0 Evaluation Guide


Chapter 3. Scenarios ... 51
    Scenario 1. Detecting User Activity ... 52
        Step 1.1 - Detect and Evaluate Unauthorized User Activity ... 52
        Step 1.2 - Investigate a 'Brute Force Attack' ... 57
    Scenario 2. Monitoring and Reporting System Activity ... 61
        Step 2.1 - Analyze Event Data with the Dashboard ... 62
        Step 2.2 - Generate a Report on Event Data ... 66
    Scenario 3. Analyzing System Activity ... 71
        Step 3.1 - Query the Audit Logger for Evidence of System Activity ... 71
        Step 3.2 - Graph and Diagram Event Data ... 73
        Step 3.3 - Identify Recurrent Issues ... 77
        Step 3.4 - Generate a Report on Log-Message Data ... 81
    Scenario 4. Correlating SSH Logon Events ... 83
        Step 4.1 - Create a Correlation List ... 84
        Step 4.2 - Create a Correlation Rule ... 85
        Step 4.3 - Analyze Correlated Events in the Event-Database Viewer ... 90
        Step 4.4 - Generate a Report on User-Logon Activity ... 93

Chapter 4. Summary ... 95
    Evaluation Guide Summary ... 96
    Professional Services ... 97
    Contact Us ... 98

Tripwire Log Center Glossary ... 99
Index ... 111


About This Guide

Overview

The Tripwire Log Center Evaluation Guide presents a collection of step-by-step scenarios to introduce prospective and novice Tripwire Log Center (TLC) users (i.e. security administrators and analysts) to application features and functionality. This guide includes the following chapters:

- Chapter 1: Overview (on page 11) introduces TLC and provides further details about the evaluation process.
- Chapter 2: Installation and Configuration (on page 16) explains how to install and configure Tripwire Log Center Manager, Tripwire Log Center Console, and your Event-Management Database software.
- Chapter 3: Scenarios (on page 51) provides a collection of hypothetical scenarios in which you will work with Tripwire Log Center to achieve specific goals.
- Chapter 4: Summary (on page 95) recaps what you learned in the evaluation process and provides resources for more information about TLC.


Document List

The documentation set for Tripwire Log Center (TLC) includes the following guides.

- The Tripwire Log Center Evaluation Guide presents a collection of step-by-step scenarios to introduce prospective and novice TLC users (i.e. security administrators and analysts) to application features and functionality.
- The Tripwire Log Center Installation Guide provides system administrators with step-by-step instructions for installing or upgrading TLC software, as well as the database software for storage of critical log messages and events.
- The Tripwire Log Center User Guide is a reference manual for security administrators and analysts working with Tripwire Log Center. This guide introduces TLC terms and concepts, explains how to configure TLC, and provides step-by-step instructions and related field descriptions for TLC procedures.

PDF versions of these documents are available on the Tripwire Customer Center:
https://tripwire.secure.force.com/customers/

In addition, the TLC online help provides the content in the PDFs above and may be accessed from the Tripwire Log Center Console:
http://tlcdocumentation.tripwire.com/


Document Conventions

Convention: Bolding
Indicates:
- The labels of buttons, menus, fields, drop-downs, and check boxes.
- Options selected from a drop-down list or menu.
- Keystrokes and menu paths.
- Introductory sentences for procedures.
- The first reference of a term.
Examples:
- In the Monitor dialog, select the Activate check box.
- Press CTRL+DELETE.

Convention: Italics
Indicates cross references to sections and chapters in this book, as well as the titles of other books.
Example: "For more information, see Creating a Node."

Convention: Sans Serif
Indicates:
- URLs and e-mail addresses
- Directory paths and file names
- Command-line entries
Examples:
- www.tripwire.com
- C:\Program Files\

Convention: Brackets
Indicates a set of possible user-entered options; individual options are separated by the pipe (|) character.
Example: [1 | 2 | 3]

Convention: Angle brackets
Indicates placeholders for user-entered values.
Example: <a_variable>


Contact Information

Tripwire US
Web site: http://www.tripwire.com
E-mail: sales@tripwire.com
Phone: 1.800.TRIPWIRE (1.800.874.7947)

Tripwire International
Web site: http://europe.tripwire.com
E-mail: intl@tripwire.com

Tripwire Technical Support
Online support: https://tripwire.secure.force.com/customers/
Support policies: http://www.tripwire.com/customers/support-policy.cfm
US toll-free: 1.866.TWSUPPORT (1.866.897.8776; 6am-6pm PST/PDT)
EMEA toll-free: 00 800-77517751 (9am-9pm CET/CEST)
Australia toll-free: 1800 193 879
Direct phone: 1.503.276.7663

Tripwire Professional Services


Tripwire Professional Services provides a wide range of services, including Tripwire Quickstarts, Turnkey Implementations, Change Auditing, and Process Improvement. For more information, please visit http://www.tripwire.com/services or contact your Tripwire sales representative.

Tripwire Educational Services


Tripwire Educational Services provides hands-on technical training for the installation, configuration, and maintenance of your Tripwire software. All courses are taught by Tripwire Certified Instructors. For more information, please contact your Tripwire sales representative or visit http://www.tripwire.com/services/training/.


Chapter 1. Overview

About the TLC Evaluation

To demonstrate Tripwire Log Center (TLC) features and capabilities, the Tripwire Log Center Evaluation Guide walks novice users through the process of installing, configuring, and using the software. To fully benefit from the evaluation process, you should work through the Evaluation Guide sequentially (i.e., read it from beginning to end). The Evaluation Guide consists of the following parts:

- Chapter 1: Overview (on the previous page). The Overview provides an introduction to basic TLC terms and functionality.
- Installing Tripwire Log Center on page 17 and Configuring Tripwire Log Center on page 18. To begin the evaluation process, you will prepare TLC to normalize, correlate, and analyze log messages collected from Log Sources in your TLC environment.
- Working with the TLC Console on page 42. This part of the evaluation introduces you to a few key components of the TLC user interface, as well as the directory structure in which the Audit Logger stores log messages.
- Chapter 3: Scenarios (on page 51). The evaluation Scenarios illustrate how TLC detects, reports, and analyzes activity in your TLC environment. In a series of Steps, each Scenario explains how TLC may be used to detect, evaluate, and resolve potential issues.
- Chapter 4: Summary (on page 95). To conclude the evaluation, you will review what you learned in the Scenarios. In addition, the Summary provides a few resources for more information about TLC.


What is Tripwire Log Center?

Tripwire Log Center (TLC) is a fully integrated log- and event-management solution from Tripwire, Inc. The TLC software suite consists of the following applications:

- Tripwire Log Center Manager (or TLC Manager) is the core software in your TLC environment. TLC Manager collects and processes log messages from a wide variety of systems and devices.
- Tripwire Log Center Console (or TLC Console) is the software for the TLC graphic user interface (GUI). Through the TLC Console, you can configure TLC and work with collected data.
  Note: TLC Console is also the term for the TLC GUI itself, and a Manager is a system on which TLC Manager software has been installed.
- Installed on a Windows or Linux system, Tripwire VIA Agent is a service that collects log messages from any log-generating application running on the system. When installed on a Windows system, VIA Agent can also collect the system's Windows Event Logs via the Secure Sockets Layer (SSL) protocol.

Tripwire Log Center:

- securely collects log messages from systems (i.e. 'Log Sources') on your network
- identifies events of interest in real time
- securely archives log messages with AES-256 encryption in a flat-file storage structure
- correlates detailed changes with events and event sequences
- responds to events of interest by taking appropriate action
- provides a robust set of analysis tools, including customizable reports, graphs, and network diagrams


How does TLC collect, normalize, and correlate log messages?

A Collector is a TLC module that gathers or receives log messages from Log Sources. A Log Source is any application, system, database, or device from which TLC collects log messages. In the TLC Console, an Asset represents a Log Source from which TLC collects log messages. When a Log Source passes a log message to a Collector, TLC displays the content of the message in the Real-Time Event Viewer. If the log message satisfies criteria defined by your configuration of TLC, the log message is also forwarded to the Output Destinations assigned to the Log Source's Asset. Output Destinations may include the following TLC components:

- The Audit Logger is the log-management tool in which TLC saves log messages with their original format and content.
- The Correlation Engine determines if log messages indicate events of interest.
- Event-Management Databases store log messages that have been 'normalized' by TLC.

If the Asset has the Correlation Engine or an Event-Management Database as an Output Destination, TLC sends the log message to the Normalization Engine. Normalization is the process of standardizing log messages for further use by TLC. To normalize log messages, the Normalization Engine uses the Normalization Rules in your TLC Console. Each Normalization Rule defines a regular expression to parse the name/value pairs in log messages, and each rule can only be used to normalize messages generated by a specific type of Log Source.

- If the Normalization Engine processes a log message for an Asset that has an Event-Management Database as an Output Destination, and the message satisfies the conditions defined by your Normalized-Message Filters, TLC saves the Normalized Message as an Event in the database.
- If the Correlation Engine is assigned as an Output Destination for the Asset, TLC forwards the Normalized Message to the Correlation Engine.

To identify events of interest, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine. A Correlation Rule consists of a logical flow of one or more conditions, which are known as Decisions. If a Normalized Message satisfies a rule's Decisions, TLC initiates the response(s) defined by the rule. Responses (or 'Outputs') may include:

- saving the Normalized Message in an Event-Management Database
- creating a work ticket in the Ticket Center
- running an Action (for example, sending a notification email to your Security Administrator or running a command)

Figure 1 on the next page illustrates the high-level steps involved in the processing of log messages.
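As an added illustration of the flow just described (example code written for this page, not part of the Tripwire guide or product), the following Python sketch models a Normalization Rule as a regular expression bound to one Log Source type, a Correlation Rule as Decisions over the resulting name/value pairs, and the Outputs that fire when the Decisions hold. The rule names, field names, thresholds and sample auth-log lines are all constructed.

```python
"""Toy model of the pipeline described above (an added illustration, not Tripwire
code): a Normalization Rule is a regex tied to one type of Log Source, and a
Correlation Rule is a set of Decisions that triggers Outputs when satisfied."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class NormalizationRule:
    name: str
    log_source_type: str   # a rule only normalizes messages from this type of Log Source
    pattern: re.Pattern

    def normalize(self, asset_type, raw):
        """Return the message's name/value pairs, or None if the rule does not apply."""
        if asset_type != self.log_source_type:
            return None
        match = self.pattern.search(raw)
        if match is None:
            return None
        return {"rule": self.name, "raw": raw, **match.groupdict()}

# Constructed rules for OpenSSH lines as they appear in a Linux auth log.
SSH_FAILED = NormalizationRule(
    "Linux SSH Failed Password", "linux",
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
               r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port (?P<src_port>\d+)"))
SSH_ACCEPTED = NormalizationRule(
    "Linux SSH Accepted", "linux",
    re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
               r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+)"))

def normalize(rules, asset_type, raw):
    """Normalization Engine: try the Asset Group's rules in order; the first match wins."""
    for rule in rules:
        msg = rule.normalize(asset_type, raw)
        if msg is not None:
            return msg
    return None

@dataclass
class CorrelationRule:
    name: str
    decisions: list      # predicates over a Normalized Message; all must hold
    outputs: list        # e.g. "save_event", "create_ticket", "email"
    threshold: int = 1   # fire after this many matching messages ...
    window: int = 0      # ... within this many seconds, grouped by key_field
    key_field: str = "src_ip"

class CorrelationEngine:
    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(list)   # (rule name, key value) -> timestamps

    def process(self, ts, msg):
        """Apply every rule to one Normalized Message; return the Outputs that fire."""
        fired = []
        for rule in self.rules:
            if not all(decision(msg) for decision in rule.decisions):
                continue
            key = (rule.name, msg.get(rule.key_field))
            recent = [t for t in self.history[key] if ts - t <= rule.window] + [ts]
            if len(recent) >= rule.threshold:
                fired.append((rule.name, key[1], list(rule.outputs)))
                recent = []   # a burst fires once, then counting starts over
            self.history[key] = recent
        return fired

BRUTE_FORCE = CorrelationRule(
    "SSH Brute Force", [lambda m: m["rule"] == "Linux SSH Failed Password"],
    ["create_ticket", "email"], threshold=3, window=60)
ROOT_LOGON = CorrelationRule(
    "Root SSH Logon",
    [lambda m: m["rule"] == "Linux SSH Accepted", lambda m: m["user"] == "root"],
    ["save_event", "email"])

SAMPLE_LOG = [  # constructed (epoch seconds, raw message) pairs as a Collector might deliver them
    (1000, "Mar 12 10:16:40 linuxhost sshd[2231]: Failed password for invalid user admin from 10.10.200.9 port 51022 ssh2"),
    (1010, "Mar 12 10:16:50 linuxhost sshd[2233]: Failed password for twadmin from 10.10.200.9 port 51023 ssh2"),
    (1020, "Mar 12 10:17:00 linuxhost CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)"),
    (1025, "Mar 12 10:17:05 linuxhost sshd[2235]: Failed password for twadmin from 10.10.200.9 port 51024 ssh2"),
    (1100, "Mar 12 10:18:20 linuxhost sshd[2244]: Accepted publickey for root from 10.10.200.2 port 40012 ssh2"),
]

def run_pipeline(entries, asset_type="linux"):
    """Normalize and correlate each entry; return (normalized messages, fired outputs)."""
    linux_group_rules = [SSH_FAILED, SSH_ACCEPTED]   # rules assigned to the Linux Asset Group
    correlator = CorrelationEngine([BRUTE_FORCE, ROOT_LOGON])
    normalized, fired = [], []
    for ts, raw in entries:
        msg = normalize(linux_group_rules, asset_type, raw)
        if msg is None:
            continue   # unmatched lines still go to the Audit Logger; not modeled here
        normalized.append(msg)
        fired.extend(correlator.process(ts, msg))
    return normalized, fired

if __name__ == "__main__":
    for event in run_pipeline(SAMPLE_LOG)[1]:
        print(event)
```

Three failed passwords from one source inside the 60-second window fire the brute-force rule once; the cron line matches no rule and never reaches the Correlation Engine.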


Notes

Types of Event-Management Databases include Event Databases, IDS Databases, and Firewall Databases. For this evaluation, you will only work with the default Event Database created by the TLC Manager installer.

To support the Common Event Expression (CEE) Architecture, TLC provides a collection of Tripwire-defined Classification Tags for classification descriptions defined by the CEE Dictionary and Event Taxonomy (CDET). TLC also gives you the ability to create custom Classification Tags. Once TLC has associated log messages with Classification Tags, you can run queries and Reports based on those Classification Tags.

Figure 1. Collection, normalization, and correlation of log messages


Chapter 2. Installation and Configuration

Installing Tripwire Log Center

To begin the evaluation, download the TLC evaluation zip file from the Product Downloads section of the Tripwire Customer Center. This zip file contains PDFs of the TLC Installation Guide and TLC User Guide. (For assistance with the evaluation zip file, contact Tripwire Customer Support.) Once done, install the following software on your host system (see About the Installation Process in the Tripwire Log Center Installation Guide):

1. Your Event-Management Database software (either MySQL Server or Microsoft SQL Server)
2. Tripwire Log Center Manager
3. Tripwire Log Center Console

Caution: Prior to installing each of these software packages, you should first verify that your system conforms with requirements. For further details, see the following topics in the Tripwire Log Center Installation Guide:

- Requirements for your Database Software
- Requirements for Tripwire Log Center Manager
- Requirements for Tripwire Log Center Console

Since you will only install TLC Manager software on a single system, this system will act as your Primary Manager. To manage more complex environments, you can install TLC Manager software on multiple systems. Each additional TLC Manager system is known as a Secondary Manager.

When you install the TLC Manager software on your Primary Manager, be sure to complete the following steps in the TLC Manager Configuration Wizard:

1. In the Log Source Types page, select Generic, Linux, Tripwire, and all Windows Log Source types.
2. In the AutoDiscover Log Sources page, clear the Enable AutoDiscovery check box. If Auto-Discovery were enabled, the installer would create an Asset for each Linux and Windows system in your TLC environment. For the evaluation, you will instead create an Asset for a Windows system and another Asset for a Linux system later in the evaluation process (see Step 7. Create and Configure your Assets on page 32). You will then work with log messages collected from these two Log Sources to complete the evaluation.

Tip: For the evaluation, you also need access to an email server. If you do not have an email server, you may configure an email server on the Linux system configured in Step 1. Configure your Log Sources on the next page. For directions, see your Linux documentation.


Configuring Tripwire Log Center


Step 1. Configure your Log Sources

To set up your TLC environment for this evaluation, you first need to configure a Windows system and a Linux system to send log messages to TLC. These systems will act as the Log Sources from which TLC will collect log messages.

Windows Configuration

To configure the Windows system:

1. Install Tripwire VIA Agent software on the system, as described in the Tripwire Log Center Installation Guide.
2. Configure the Audit Policy settings specified in Table 1 below. For further details, see your Microsoft Windows documentation for information about the Security Policy Editor.

Table 1. Minimum Audit Policy Settings
Audit Policy                  Security Setting
Audit account logon events    Success, Failure
Audit account management      Success, Failure
Audit logon events            Success, Failure

Linux Configuration

Recommended Linux software for this evaluation: CentOS, Debian, Fedora Core, Red Hat Linux, or Ubuntu.

Tips: If you are a novice with Linux, Ubuntu may be the easiest software with which to work. For a complete list of *NIX platforms supported by TLC, see:
www.tripwire.com/it-compliance-products/log-eventmanagement/supported-devices/


To configure the Linux system:

1. Download and install the latest distribution for your Linux software (see supported versions above). During the installation, create a user account named twadmin.
2. Install the latest patches for your Linux software.
3. Install OpenSSH or an equivalent SSH daemon.

Tip: For further instructions on the preceding steps, see your Linux-distribution documentation.

4. Edit the hosts file (/etc/hosts) and add the following lines:
<host_ip><tab><host_name><tab><host_alias>
<tlc_ip><tab><tlc_host_name><tab><tlc_host_alias>

Where:
<tab> is a tab character,
<host_ip> is the IP address of the Linux system,
<host_name> is the name of the Linux system,
<host_alias> is an alias for the Linux system of your choosing,
<tlc_ip> is the IP address of your TLC Manager,
<tlc_host_name> is the name of the TLC Manager host system, and
<tlc_host_alias> is an alias for the TLC Manager of your choosing.

For example:
10.10.200.1    linuxhost.tripwire.com     linuxhost
10.10.200.2    tlcmanager.tripwire.com    tlcmanager

5. Save and close the hosts file.
6. To confirm that Syslog is running on the Linux system, enter the following command at a command line:
ps -ef | grep syslogd

If Syslog appears in the command output, proceed to Step 2. Configure your TLC Console on page 21. Otherwise, complete the steps below.

Tip: If Syslog is running, but you wish to reconfigure Syslog as described below, enter the following command to re-start the Syslog module (the HUP signal makes syslogd re-read its configuration file):
kill -HUP `cat /var/run/syslogd.pid`


To complete configuration of your Syslog module:

1. Open the configuration file (/etc/syslog.conf or /etc/rsyslog.conf).
2. In the configuration file, add the following line, with the selector and the location separated by a tab:
<facility>.<severity><tab><location>

Where:
<facility> is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, local0 through local7.
<severity> is one of the following keywords: debug, info, notice, warn (or warning), err (or error), crit, alert, emerg (or panic).
<location> is a local logging file or a remote machine to which the log messages will be forwarded.

To save all log messages in a local logging file, enter the following value as the <location>:
/<full_path_to_file>

Tip: To prevent synchronization of the logging file after each log event, you can format this entry as follows:
-/<full_path_to_file>
While you may lose some data if the system crashes after a write attempt, the absence of synchronization should improve performance, especially if your programs use logging in a verbose manner.

To forward all log messages to a remote machine, add the following line (the *.* selector matches every facility and severity, and the @ prefix marks a remote destination):
*.* @<tlc_manager>

Where:
<tlc_manager> is the host name or IP address of your TLC Manager.

3. At a command prompt, enter the following command to restart the Syslog module:
/etc/init.d# ./syslogd -m 30
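Before restarting the daemon, the entries written in this procedure can be checked mechanically. The following Python validator is an added example (not part of the Tripwire guide): it parses the <facility>.<severity> <location> form, accepts only the facility and severity keywords listed above together with their alternative spellings, and tells a synced file, an unsynced file and a remote TLC Manager apart. The sample configuration and the tlcmanager host alias are constructed.

```python
"""Checker for the syslog.conf rules described above (an added illustration, not
from the Tripwire guide).  It parses '<facility>.<severity> <location>' lines,
validates the keywords against the lists given in the text, and classifies the
location as a synced file, an unsynced file ('-' prefix) or a remote host ('@')."""

FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "security", "syslog", "user", "uucp", "*"} | {f"local{i}" for i in range(8)}
SEVERITIES = {"debug", "info", "notice", "warn", "err", "crit", "alert", "emerg", "*"}
# Alternative spellings the text lists in parentheses, mapped to the canonical keyword.
SEVERITY_ALIASES = {"warning": "warn", "error": "err", "panic": "emerg"}

def parse_syslog_rule(line):
    """Return a dict describing one rule; raise ValueError for a malformed rule."""
    parts = line.split(None, 1)   # selector and location are separated by a tab (or spaces)
    if len(parts) != 2 or "." not in parts[0]:
        raise ValueError(f"expected '<facility>.<severity> <location>': {line!r}")
    selector, location = parts
    facility, severity = selector.rsplit(".", 1)
    facility = "auth" if facility == "security" else facility   # 'security' is the same as 'auth'
    severity = SEVERITY_ALIASES.get(severity, severity)
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r} in {line!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r} in {line!r}")
    if location.startswith("@"):
        kind, target = "remote", location[1:]          # forwarded to a remote machine
    elif location.startswith("-/"):
        kind, target = "file-unsynced", location[1:]   # local file, no sync after each event
    elif location.startswith("/"):
        kind, target = "file", location                # local file, synced after each event
    else:
        raise ValueError(f"location must be /path, -/path or @host: {location!r}")
    if not target:
        raise ValueError(f"empty location in {line!r}")
    return {"facility": facility, "severity": severity, "kind": kind, "target": target}

def rule_error(line):
    """Return the validation error for one rule as text, or None if it is well-formed."""
    try:
        parse_syslog_rule(line)
        return None
    except ValueError as exc:
        return str(exc)

def parse_syslog_conf(text):
    """Parse a whole configuration, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            rules.append(parse_syslog_rule(stripped))
    return rules

def forwards_everything_to(rules, tlc_manager):
    """True if some rule sends every facility and severity ('*.*') to the TLC Manager."""
    return any(r["kind"] == "remote" and r["target"] == tlc_manager
               and r["facility"] == "*" and r["severity"] == "*" for r in rules)

# Constructed fragment of an /etc/syslog.conf prepared for the evaluation.
SAMPLE_CONF = """\
# authentication messages to a local file, synced after each write
authpriv.*\t/var/log/secure
# mail log without per-message sync ('-' prefix), as the Tip above describes
mail.info\t-/var/log/maillog
# everything to the TLC Manager, using the alias from the hosts file
*.*\t@tlcmanager
"""

if __name__ == "__main__":
    for rule in parse_syslog_conf(SAMPLE_CONF):
        print(rule)
    print("forwards all to tlcmanager:", forwards_everything_to(parse_syslog_conf(SAMPLE_CONF), "tlcmanager"))
```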


Step 2. Configure your TLC Console

The TLC Console is the user interface for Tripwire Log Center. To configure a few usability features for your TLC Console:

1. Log in to TLC.
   a. Select Start > Programs > Tripwire Log Center > Console.
   b. In the Login dialog, click More.
   c. Enter the Username and Password for your TLC administrator account.
      Note: If you forget the password for your Administrator user account, contact Tripwire Technical Support:
      http://www.tripwire.com/customers
   d. In the Hostname/IP field, enter the hostname or IP address of your Primary Manager.
   e. In the Port field, enter the Manager port specified when you installed your TLC Manager software.
   f. Click Login.

The TLC Console opens (see Figure 2 below). Table 2 on the next page describes the most commonly used components in the button bar and side bar.

Figure 2. The TLC Console


Table 2. Primary components of the TLC Console

TLC Component            In this component, you can ...
Administration Manager   ... manage the user accounts, user groups, permissions, and other settings for your TLC environment.
Audit Logger             ... query and review the log messages collected by Tripwire Log Center.
Configuration Manager    ... create and configure a variety of TLC content, including Assets, Managers, Event-Management Databases, Normalization Rules, Correlation Rules, and Classification Tags.
Dashboard                ... work with configurable layouts that present information about your Managers and Event-Management Databases.
Event-Database Viewer    ... query and work with the Events in your Event Databases.
Real-Time Event Viewer   ... monitor the collection of log messages in real time.
Report Center            ... run reports about the Events in your Event-Management Databases.
Task Manager             ... define and save queries of your Event-Management Databases. Each Task can present query results in a table, graph, or report.
Ticket Center            ... create and monitor the work tickets (i.e. Event Tickets) created for Correlated Events in your TLC environment.

2. From the menu bar, select View > Tabbed Forms. With the Tabbed Forms view, TLC opens each selected TLC Console component in a tab in the workspace. If this setting is disabled, each component opens in a separate window.
3. From the menu bar, select Options > Settings.
4. In the Miscellaneous page of the Settings dialog (see Figure 3 on the next page), select Open Dashboard on start-up. With this setting, TLC always opens the Dashboard when you log in. The Dashboard presents information about your TLC Manager and the log messages collected from your Log Sources.


Figure 3. The Miscellaneous group in the Settings dialog

5. In the Table Settings page of the Settings dialog, select the following check boxes. You will work with these features in Step 3.3 - Identify Recurrent Issues on page 77 of Scenario 3. Analyzing System Activity on page 71.
   - Display 'Group by' region provides the ability to group the contents of a table by the values in a specified table row.
   - Show Filter buttons in column headers embeds a Filter button in the header of each column in a table. To sort a table's contents by the values in a column, you simply select the column's Filter button.
6. Click OK to close the Settings dialog.


Step 3. Import the Latest Normalization Rules

For an introduction to Normalization, see How does TLC collect, normalize, and correlate log messages? on page 14. Tripwire maintains and regularly updates a library of pre-defined Normalization Rules.

Tip: This Step requires Internet access. If your evaluation system does not have Internet access, you can download Normalization Rules from the Tripwire Customer Center:
www.tripwire.com/customers

To download and import the latest Normalization Rules for Windows and Linux Log Sources:

1. From the menu bar in the TLC Console, select Options > Import TLC Content > Content.
2. In the Import Content tab, select Download via the Web the latest default file from Tripwire and click Update.
3. In the confirmation dialog, click OK.
4. In the Select and Import Content field, expand the Normalization Rules group and select the check box for each Normalization-Rule Group specified in Table 3 below.
5. Click Import.

In the Import Status field, TLC presents a list of the imported content.

Table 3. Normalization-Rule Groups for this Evaluation
Group                 These rules apply to ...
Linux CentOS          ... CentOS Linux
Linux Debian          ... Debian Linux
Linux Fedora          ... Red Hat Fedora
Linux Red Hat         ... Red Hat Linux
Linux Ubuntu          ... Ubuntu Linux
Windows XP-2003       ... Windows XP and 2003
Windows Vista-2012    ... Windows Vista, 2008, 2012, and 7


Figure 4. The Import Data tab with the Normalization Rule group expanded

Step 4. Configure your Asset Groups

Tripwire recommends that you manage your Assets by assigning them to Asset Groups. When you installed your TLC Manager software, the installer created a number of default Asset Groups, including a group named "Windows." In this Step, you will:

1. create two additional Asset Groups (named "Linux" and "Critical Systems"), and
2. assign the Normalization-Rule Groups specified in Table 4 on the next page to these three (3) Asset Groups.

Later in the configuration process (see Step 7. Create and Configure your Assets on page 32), you will create an Asset for your Windows system and another for your Linux system, and then assign these Assets to the Asset Groups configured in this Step. Once done, if TLC passes an Asset's log message to the Normalization Engine, the Normalization Engine will normalize the message with the Normalization Rules assigned to the Asset Group(s) containing the Asset.


Table 4. Normalization-Rule Groups to be assigned to each Asset Group
Asset Group        Assign ...
Linux              ... the appropriate Normalization-Rule Group for the platform of your Linux Log Source; either: CentOS, Debian, Fedora, Red Hat, or Ubuntu.
Windows            ... the appropriate group for the platform of your Windows Log Source; either: Windows XP-2003 or Windows Vista-2012.
Critical Systems   ... 1. the Normalization-Rule Group assigned to the Linux Asset Group, and 2. the group assigned to the Windows Asset Group.

To configure the default Windows Asset Group:

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Asset Groups.
   In the workspace, TLC presents the Asset Groups created by the TLC Manager installer.
3. Double-click the Windows group in the workspace.
4. In the Asset Group properties dialog, select the Normalization Rules tab.
5. To assign the appropriate Normalization-Rule Group for your Windows Log Source (see Table 4 above):
   a. Click Add.
   b. In the Modify Rules for Group dialog, expand and select the Normalization-Rule Group.
   c. Click Check Selected Rows to select all rules in the group (see Figure 5 on the next page).
   d. Click OK.


Figure 5. The Modify Rules for Group dialog with Normalization Rules selected

6. TLC adds the selected Normalization Rules to the Rules tab (see Figure 6 on the next page). To close the Asset Group properties dialog, click OK.

Tip: When TLC normalizes a log message, the Normalization Engine will run the rules in the order in which they appear in the Rules tab. To modify the order, use the buttons on the right side of the tab.


Figure 6. The Normalization Rules tab in the Asset Group properties dialog

To create the Linux Asset Group:

1. In the Asset Groups page of the Configuration Manager, click Add.
2. In the Asset Group properties dialog:
   a. Enter Linux in the Name field.
   b. In the Description field, enter Linux Systems.
3. To assign the appropriate Normalization-Rule Group for your Linux Log Source (see Table 4 on page 26):
   a. In the Normalization Rules tab, click Add.
   b. In the Modify Rules for Group dialog, expand and select the group.
   c. Click Check Selected Rows to select all rules in the group.
   d. Click OK.
   TLC adds the selected Normalization Rules to the Normalization Rules tab.
4. To save the Linux Asset Group and close the Asset Group properties dialog, click OK.


To create the Critical Systems Asset Group:

1. In the Asset Groups page of the Configuration Manager, click Add.
2. In the Asset Group properties dialog:
   a. Enter Critical Systems in the Name field.
   b. In the Description field, enter Business-critical Systems.
3. To assign the two Normalization-Rule Groups specified in Table 4 on page 26:
   a. In the Normalization Rules tab, click Add.
   b. In the Modify Rules for Group dialog, expand and select the first group.
   c. Click Check Selected Rows to select all rules in the group.
   d. Expand and select the second group, and click Check Selected Rows.
   e. Click OK.
   TLC adds the selected Normalization Rules to the Normalization Rules tab.
4. Click OK to close the Asset Group properties dialog.

The Linux and Critical Systems Asset Groups should now appear in the workspace (see Figure 7 below).

Figure 7. Configuration Manager with default and custom Asset Groups


Step 5. Configure your Collectors


In TLC, a Collector is a module that either actively gathers or passively listens for log messages from your Log Sources. Table 5 below defines each type of Collector and identifies the protocol employed by TLC to collect log messages from the Collector's Log Sources.

Table 5. Types of Collectors

Type: Advanced File
Protocol and Required Ports: SSL: TCP/5670
Description: If Tripwire VIA Agent is installed on a Windows or Linux system, this Collector may be used to gather log messages from any log-generating application running on the host system.

Type: Advanced Windows
Protocol and Required Ports: SSL: TCP/5670
Description: If Tripwire VIA Agent is installed on a Windows system, this Collector may be used to gather the system's Windows Event Logs.

Type: Check Point
Protocol and Required Ports: OPSEC and LEA: TCP/18184; UDP/18184
Description: Listens for log messages from Check Point firewalls.

Type: Cisco IDS
Protocol and Required Ports: SDEE: TCP/443
Description: Gathers log messages from Cisco IDS sensors.

Type: Database
Protocol and Required Ports: MySQL: TCP/3306; MS-SQL: TCP/1433
Description: Gathers log messages from an application that logs to an External Database. For a list of supported applications, see the Tripwire Customer Center: https://secure.tripwire.com/customers/

Type: File
Protocol and Required Ports: SMB: TCP/135-139; TCP/445. SFTP: TCP/22. FTP: TCP/21
Description: Gathers or receives log messages from Log Sources that store messages in an ASCII log file.

Type: Network
Protocol and Required Ports: Syslog: UDP/514; TCP/1468. SNMP: TCP/162; UDP/162
Description: Listens for Syslog and SNMP-based messages from network devices.

Type: Oracle Database
Protocol and Required Ports: TCP/IP: 1521
Description: Gathers log messages from Oracle database audit logs. For a list of supported Oracle versions, see the Tripwire Customer Center: https://secure.tripwire.com/customers/

Type: WinLog
Protocol and Required Ports: WMI: TCP/135, TCP/1024+
Description: Gathers log messages from Windows Event Logs. Note: Synchronous Connectivity requires only TCP/135.

In the properties of your Primary Manager, the TLC Manager installer automatically assigns the appropriate Collector for each type of Log Source selected in the TLC Manager Configuration Wizard. For this evaluation, you selected the check box for each type of Windows and Linux Log Source (see Installing Tripwire Log Center on page 17).


In this step, you will confirm that the Advanced Windows Collector and Network Collector have been assigned to your TLC Manager. In addition, you will enable AutoDiscovery of Windows systems by the Advanced Windows Collector.

To configure your Collectors:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the workspace, double-click your Primary Manager.
4. In the Manager's properties tab, select the Installed Modules tab. Since you selected Windows and Linux Log Sources in the TLC Manager Configuration Wizard, this tab includes the Advanced Windows Collector and the Network Collector (see Figure 8 below).

Figure 8. The Installed Modules tab in the Manager properties tab

5. In the Advanced Windows Collector tab, select the Enable AutoDiscovery check box. With this setting enabled, TLC will AutoDiscover the Windows system on which you installed Tripwire VIA Agent software (see Step 1. Configure your Log Sources on page 18). TLC will then create a new Asset and assign the Advanced Windows Collector to the Asset.
6. Click OK to close the Manager properties tab.


Step 6. Push Updates to your Manager

In the following Steps, you added and modified objects in the Configuration Manager:
- Step 4. Configure your Asset Groups on page 25
- Step 5. Configure your Collectors on page 30

Whenever you make changes in the Configuration Manager, you must 'push updates' to the Managers in your TLC environment; a Manager does not apply Configuration Manager changes until they are pushed.

To push updates to your Primary Manager:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.
4. Click Push Updates to Manager.

Step 7. Create and Configure your Assets


In Step 4. Configure your Asset Groups on page 25, you reviewed the Asset Groups created by the TLC Manager installer, which included a group named Windows. You also created two new Asset Groups, one named Linux and another named Critical Systems. In Step 5. Configure your Collectors on page 30, you configured the Advanced Windows Collector to AutoDiscover your Windows Log Source, and then you pushed these changes to your Primary Manager in Step 6. Push Updates to your Manager above. You are now ready to 1) configure the Asset created by TLC for your AutoDiscovered Windows Log Source, and 2) create and configure a new Asset for your Linux Log Source.

Tip: To ensure the accuracy of timestamps in collected log messages, Tripwire recommends the use of the Network Time Protocol (NTP) on each Log Source host system. Clock skew between Log Sources makes it hard to order related messages from different systems during an investigation.


Configuring your Windows Asset

To configure the Asset for your Windows Log Source, complete the following steps:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Assets. The workspace displays the AutoDiscovered Asset for your Windows Log Source (see Figure 9 below).

Tip: If your Windows Asset does not appear in the workspace, and an operating-system firewall or network firewall is positioned between the Windows system and your TLC Manager, confirm that the required ports are open (see Table 5 on page 30). For further assistance, contact Tripwire Technical Support.

Figure 9. The AutoDiscovered Windows Asset in the workspace

3. Double-click the Asset to open the Asset properties dialog.
4. In the Name field, replace the existing name with My_Windows_Asset.

Note: In the Collector field of the Settings tab, TLC automatically assigned the Advanced Windows Collector to the Asset.

5. In the Asset Groups tab, associate the Asset with the Windows Asset Group and the Critical Systems Asset Group. To associate the Asset with a group:
   a. Click Add.
   b. From the Host Group drop-down, select the group and click Add.
   Figure 10 below shows the Asset Groups tab with the two groups assigned to the Windows Asset.

Figure 10. The Asset Groups tab in the Asset properties dialog

6. In the Output Destinations tab, the Correlation Engine is automatically assigned by default. To assign the Audit Logger as an Output Destination:
   a. Click Add.
   b. From the Output Destination drop-down, select the Audit Logger and click Add.
7. To save the Asset, click OK in the Asset Properties dialog.

Creating and Configuring your Linux Asset

To create and configure an Asset for your Linux Log Source, complete the following steps:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Assets.
3. Click Add Asset.
4. Complete the top of the Asset properties dialog.
   a. In the Name field, enter My_Linux_Asset.
   b. (optional) Enter a description.
   c. Confirm that the Enabled check box is selected.
5. In the Settings tab (see page 32):
   a. Enter the IP Address of the Linux system.
   b. From the Type drop-down, select Linux System.
   c. From the Collector drop-down, select TLC Network Collector.
   d. Click Apply.

Note: The Network Collector attributes messages to this Asset by the IP address entered here, and Syslog over UDP/514 (see Table 5 on page 30) carries no authentication, so any host able to reach the Manager can send messages that appear to come from the Linux system. The TCP listener on TCP/1468 makes blind spoofing of the source address impractical but still does not authenticate the sender.

6. In the Asset Groups tab, associate the Asset with the Linux Asset Group and the Critical Systems Asset Group. To associate the Asset with a group:
   a. Click Add.
   b. From the Host Group drop-down, select the group and click Add.
7. In the Output Destinations tab, assign the Correlation Engine and Audit Logger as Output Destinations for the Asset. To assign an Output Destination:
   a. Click Add.
   b. From the Input Type drop-down, select Syslog.
   c. From the Output Destination drop-down, select the destination and click Add.
8. To save the Asset, click OK in the Asset Properties dialog. The Configuration Manager now contains each of your new Assets (see Figure 11 below).

Figure 11. The Configuration Manager with your Windows Asset and Linux Asset

9. To push updates to your Manager:
   a. In the side bar of the Configuration Manager, select Resources > Managers.
   b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.
   c. Click Push Updates to Manager.

Step 8. Confirm Log-Message Collection

At this point in the configuration process, TLC should be collecting log messages from your Windows Asset and Linux Asset. To confirm that TLC is successfully collecting log messages, complete the following steps for each Asset:
1. In the side bar, select Events > Real-Time Event Viewer.
2. In the IP Address field, enter the IP address of the Asset's Log Source.
3. From the Collector drop-down, select the appropriate Collector for the Asset.
4. Click Start. If TLC displays log messages in the Real-Time Event Viewer (see Figure 12 below), then the Asset has been properly configured.
5. Click Stop and close the Real-Time Event Viewer.

Tip: If the Real-Time Event Viewer does not display log messages, complete the following steps to troubleshoot the issue:
1. If the system is inactive, try logging in and out of the system to generate log messages.
2. If you have an operating-system firewall or network firewall in your TLC environment, verify that the required ports are open (see Table 5 on page 30).
3. Review and verify the properties of the Asset (see Step 7. Create and Configure your Assets on page 32). Most importantly, confirm that the IP Address is correct.
If these steps fail to resolve the issue, contact Tripwire Technical Support: www.tripwire.com/customers


Figure 12. Log messages in the Real-Time Event Viewer

Step 9. Assign Correlation Rules to the Correlation Engine

In Step 7. Create and Configure your Assets on page 32, you assigned the Correlation Engine as an Output Destination for both your Windows Asset and Linux Asset. Consequently, if TLC normalizes a log message for one of these Assets, TLC will forward the Normalized Message to your Manager's Correlation Engine. To identify events of interest, the Correlation Engine applies Correlation Rules to these Normalized Messages. In this Step, you will add pre-defined Correlation-Rule Groups to your Manager's Correlation Engine.

Note: In Scenario 4. Correlating SSH Logon Events on page 83, you will learn how to create a Correlation Rule of your own.

To add the Correlation-Rule Groups to your Manager's Correlation Engine:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Correlation > Engines.
3. In the workspace, double-click the Correlation Engine.
4. In the Correlation Engine tab, click Add.
5. To add the Correlation-Rule Groups:
   a. In the Modify Rules for Correlation Engine dialog, press CTRL and select the following groups: Authentication, Internal Rules, Network Audit, System Audit, User Audit.

   Tip: For optimal performance, Tripwire recommends that you only add Correlation-Rule Groups that apply to your environment.

   b. Click Check Selected Rows to select all rules in the groups (see Figure 13 below), and click OK.

Figure 13. Modify Rules for Correlation Engine dialog with Correlation Rules selected

6. TLC adds the selected Correlation Rules to the Correlation Engine. Click OK to close the Correlation Engine tab.

Tip: When TLC correlates a Normalized Message, the Correlation Engine runs the rules in the order in which they appear in the Correlation Engine tab. To modify the order, use the buttons on the right side of the tab.


Step 10. Create an Email Action

An Action (or Correlation Action) initiates a response to events of interest (i.e. Correlated Events) identified by your Manager's Correlation Engine. Table 6 below defines each type of Action in TLC.

Table 6. Types of Actions

Email
    Sends an email alert to specified recipients.
Notification
    Creates a Notification in the Notifications dialog of the TLC Console. For further details, see Working with Notifications in the Tripwire Log Center User Guide.
Script
    Runs a Windows command.
Syslog
    Sends a Syslog message to a specified Syslog server.

By default, the TLC Manager installer creates a Notification Action with no defined Notifications. In this step, you will create an Email Action to send email alerts to yourself. In Scenario 4. Correlating SSH Logon Events on page 83, you will assign this Action as an Output in a Correlation Rule.

To create the new Email Action:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the workspace, double-click your TLC Manager.
4. In the Email tab of the Manager's properties tab (see Figure 14 below):
   a. In the SMTP Server field, enter the IP address of your email server.
   b. Complete any remaining fields required for authentication by your email server.
   c. Click OK to close the Manager's properties tab.

Figure 14. Email tab in the Manager's properties tab

5. In the side bar of the Configuration Manager, select Correlation > Actions. In the workspace, TLC presents the two Actions created by the installer.
6. Click Add Action.
7. In the Action properties dialog (see Figure 15 below):
   a. Enter Email to me in the Name field.
   b. In the Type Settings tab, click Add Email Address. TLC adds a row to the Type Settings tab.
   c. In the Email Address field, enter the email address for the Action and click OK.

Figure 15. The Action properties dialog

8. To push updates to your Manager:
   a. In the side bar of the Configuration Manager, select Resources > Managers.
   b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.
   c. Click Push Updates to Manager.


Working with the TLC Console

Step 1. Verify Collector Installation and Review the Audit Logger Directory

Now that your Tripwire Log Center (TLC) environment has been configured, let's take a moment to review a few product features before proceeding with the evaluation Scenarios.

The Audit Logger is TLC's log-archive tool, and TLC stores collected log messages in the Audit Logger File Store, a series of compressed flat files. When TLC receives a log message from a Collector, TLC first places the message in an internal cache known as the Audit Logger Cache (or Audit Logger Buffer). When the log messages in the cache exceed specified time or size thresholds, or when you flush the cache, TLC:
1. calculates SHA-256 checksums to verify the integrity of each file created when the cache is flushed to disk,
2. saves each message (in its original format) in the Audit Logger File Store, and
3. indexes the key terms in each message (to support standard search-engine queries).

Note: With a production license of Tripwire Log Center, you would also have the option of encrypting log messages with the AES-256 algorithm.

Due to this design, TLC provides high-speed performance capable of archiving all log messages generated by the Log Sources on your network. Keep in mind that a checksum only detects modification of an archive file while the recorded checksum itself is protected: anyone with write access to the Audit Logger directory can alter a file and its checksum together, so restrict write access to that directory.

To learn more about the Audit Logger File Store, complete the following steps:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the workspace, double-click your Manager.
4. Complete the following steps in the Manager properties tab:
   a. In the Installed Modules tab (see Figure 16 below), verify that the following modules are installed and enabled: Network Collector, Advanced Windows Collector, Schedule Engine, License Service, Correlation Engine, and Audit Logger.

   Note: In the Installed Modules tab, TLC automatically adds the Collectors required for each 'Product Type' (i.e. Log Source) specified in the TLC Manager Configuration Wizard (see Installing Tripwire Log Center on page 17). If you add other types of Log Sources to TLC, you can install the required Collectors in this tab. For more information, see Configuring a Collector in the Tripwire Log Center User Guide and Step 5. Configure your Collectors on page 30.

   b. In the Audit Logger tab, copy the path of the Audit Logger File Store directory (the Base Log Directory). By default, this directory is:
   C:\Program Files\Tripwire\Tripwire Log Center Manager\Audit Logger\

Figure 16. The Installed Modules tab in the Manager's properties

5. In Windows Explorer, navigate to the Base Log Directory and review its contents (see Figure 17 below).
   - In the Audit Logger\0\ sub-directory, TLC creates a sub-folder for each day since you installed TLC Manager. TLC uses the current date to name each sub-folder, and each sub-folder contains one or more zip files with the data in the Audit Logger.
   - The Audit Logger\Index\ sub-directory consists of sub-folders with zip files containing key terms in the Audit Logger File Store.
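To make the flush cycle above concrete, the following Python is an added example and not TLC code: an append-only store that caches messages, writes them unchanged to a compressed file when a count or age threshold is hit, records each file's SHA-256 in a manifest, indexes the key terms, and can later verify the files and search them through the index. The directory layout (a 0/<date>/ folder per day, echoing the File Store), the manifest format, the tokenizer and the sample messages are this example's own constructions, not the Audit Logger's on-disk format.

```python
import gzip
import hashlib
import json
import os
import re
import tempfile
import time
from collections import defaultdict

_TERM = re.compile(r"[A-Za-z0-9_.:-]{3,}")   # crude key-term tokenizer (example's own)


class AuditStore:
    """Cache, flush, checksum, index and search, in the order the text above describes.
    Layout 0/<date>/<seq>.log.gz plus manifest.json are this example's own."""

    def __init__(self, base_dir, max_cached=1000, max_age_s=60.0):
        self.base_dir, self.max_cached, self.max_age_s = base_dir, max_cached, max_age_s
        self.cache, self.cache_started = [], None
        self.manifest = {}               # relative file -> {"sha256": ..., "count": ...}
        self.index = defaultdict(list)   # lower-cased term -> [relative files]
        os.makedirs(base_dir, exist_ok=True)

    def receive(self, message, now=None):
        """Buffer one raw message; flush on the size or age threshold.
        Returns the flushed file name, or None if the message only went to cache."""
        now = time.time() if now is None else now
        if not self.cache:
            self.cache_started = now
        self.cache.append(message)
        if len(self.cache) >= self.max_cached or now - self.cache_started >= self.max_age_s:
            return self.flush(now)
        return None

    def flush(self, now=None):
        """Write the cache verbatim to a compressed file, record its SHA-256 and index
        its terms. The hash is taken from the bytes on disk, so the manifest vouches
        for the file a later reader will actually open."""
        if not self.cache:
            return None
        now = time.time() if now is None else now
        rel = os.path.join("0", time.strftime("%Y-%m-%d", time.gmtime(now)),
                           f"{len(self.manifest):06d}.log.gz")
        path = os.path.join(self.base_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with gzip.open(path, "wb") as f:
            f.write(("\n".join(self.cache) + "\n").encode())
        with open(path, "rb") as f:
            self.manifest[rel] = {"sha256": hashlib.sha256(f.read()).hexdigest(),
                                  "count": len(self.cache)}
        for msg in self.cache:
            for term in {t.lower() for t in _TERM.findall(msg)}:
                if rel not in self.index[term]:
                    self.index[term].append(rel)
        with open(os.path.join(self.base_dir, "manifest.json"), "w") as f:
            json.dump(self.manifest, f)
        self.cache = []
        return rel

    def verify(self):
        """Recompute every archived file's SHA-256 and compare it with the manifest."""
        result = {}
        for rel, meta in self.manifest.items():
            try:
                with open(os.path.join(self.base_dir, rel), "rb") as f:
                    result[rel] = hashlib.sha256(f.read()).hexdigest() == meta["sha256"]
            except FileNotFoundError:
                result[rel] = False
        return result

    def search(self, *terms):
        """Raw messages containing every term; the index picks the files to decompress."""
        terms = [t.lower() for t in terms]
        files = set(self.index.get(terms[0], []))
        for t in terms[1:]:
            files &= set(self.index.get(t, []))
        hits = []
        for rel in sorted(files):
            with gzip.open(os.path.join(self.base_dir, rel), "rt") as f:
                hits += [ln.rstrip("\n") for ln in f if all(t in ln.lower() for t in terms)]
        return hits


# Constructed sample messages, not real TLC output.
SAMPLE = [
    "<13>Jan 10 09:12:01 linux01 sshd[2211]: Failed password for root from 10.0.0.7 port 51012 ssh2",
    "<13>Jan 10 09:12:03 linux01 sshd[2211]: Failed password for root from 10.0.0.7 port 51013 ssh2",
    "<13>Jan 10 09:12:05 linux01 sshd[2213]: Accepted password for root from 10.0.0.7 port 51014 ssh2",
    "MSWinEventLog 4625 Security win01 An account failed to log on. Account Name: TLC_GOOD_USER Source Network Address: 10.0.0.7",
]


def demo():
    """Run the cycle in a temporary directory, then tamper with one archive file
    the way an intruder clearing tracks would, and show that verify() catches it."""
    with tempfile.TemporaryDirectory() as d:
        store = AuditStore(d, max_cached=3)
        flushed = [store.receive(m, now=1000.0 + i) for i, m in enumerate(SAMPLE)]
        store.flush(now=1010.0)
        ok_before, hits = all(store.verify().values()), store.search("failed", "10.0.0.7")
        first = next(iter(store.manifest))
        with gzip.open(os.path.join(d, first), "wt") as f:
            f.write("nothing to see here\n")
        return {"flushed_on_receive": flushed, "files": len(store.manifest), "ok_before": ok_before,
                "hits": len(hits), "ok_after": all(store.verify().values()), "tampered": first}


if __name__ == "__main__":
    print(demo())
```

With max_cached=3 the third message forces the first flush, the fourth waits in the cache until the explicit flush, and the search for "failed" together with "10.0.0.7" reads both files but returns only the three lines that contain both terms. After the first file is rewritten, verify() reports it as bad while the untouched second file still passes.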


Figure 17. The Base Log Directory in Windows Explorer

Step 2. View the Regular Expression defined by a Normalization Rule

TLC normalizes log messages with regular expressions defined by Normalization Rules. You will now review a regular expression defined by one of the Normalization Rules downloaded from the Tripwire Web site during configuration (in Step 3. Import the Latest Normalization Rules on page 24).

To open the properties of a Normalization Rule:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Normalization > Rules.
3. Expand and select a rule group under Rules.
4. In the workspace, double-click a rule.
5. In the Normalization Rule properties dialog, select the Rule Details tab (see Figure 18 below). The Quick Match field specifies a string. If a log message contains the string, TLC runs the regular expression defined in the Rule field; the cheap substring test keeps the more expensive regular-expression match off messages that cannot match. The Description tab contains a value saved in the properties of Events created by the rule. The description may consist of literal strings and variables for Event-field values (e.g. <Dst IP>).

Figure 18. The Rule Details tab in the Normalization Rule properties dialog

6. Tripwire recommends that you do not modify the regular expression defined by a Normalization Rule downloaded from the Tripwire Web site. However, you can create Normalization Rules of your own, or create a copy of a downloaded rule. In such cases, you may edit the rule's regular expression with the Rule Editor. To open the Rule Editor (see Figure 19 below), click Rule Editor. Each rule's regular expression:
   a. parses specified name/value pairs in the content of log messages, and
   b. specifies the columns in which the parsed values will be saved in Event-Management Databases.

When defining a regular expression in the Rule Editor, you can:
- include one or more Aliases in the expression. Each Alias is a custom variable that represents a partial or complete regular expression. At this point in the evaluation, your TLC environment may not contain any Aliases.
- define find-and-replace values in the Replace tab for columns in the content of log messages.
- test the expression by entering the content of a log message in the Input Data tab and clicking Test. TLC then displays the result in the Output field.

Figure 19. The Rule Editor
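The Quick Match, Rule, Alias and Description pieces of a Normalization Rule fit together as shown in this added Python example, which is not TLC code and not one of Tripwire's shipped rules: three constructed rules are compiled with their aliases expanded, each incoming line is checked against a rule's quick-match string before its regular expression is run, the named groups of the expression become the Event columns, and the description's <Column> variables are filled from those columns. The {Alias} placeholder syntax, the rule dictionaries, the column names and the sample log lines are all this example's assumptions. The Windows rule also illustrates why a regular expression must be anchored carefully: a real event 4625 carries two 'Account Name:' fields (Subject and Target), and a lazy .*? picks up whichever comes first.

```python
import re

# Aliases: named partial expressions a rule may reference as {Name}.
# The {Name} syntax is this example's own, not necessarily the Rule Editor's.
ALIASES = {
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "User": r"[A-Za-z0-9_.$\\-]+",
}

# Constructed rules (not Tripwire's shipped Normalization Rules). quick_match is the
# cheap substring pre-filter; the named groups of rule become Event columns;
# description uses <Column> variables as the Rule Details tab does.
RULES = [
    {"name": "Linux SSH Logon Failure", "quick_match": "Failed password",
     "rule": r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<User>{User}) from (?P<Src_IP>{IPv4}) port (?P<Src_Port>\d+)",
     "tags": ["User", "Logon", "Failure"],
     "description": "SSH logon failure for <User> from <Src_IP>"},
    {"name": "Linux SSH Logon Success", "quick_match": "Accepted",
     "rule": r"sshd\[\d+\]: Accepted \w+ for (?P<User>{User}) from (?P<Src_IP>{IPv4}) port (?P<Src_Port>\d+)",
     "tags": ["User", "Logon", "Success"],
     "description": "SSH logon by <User> from <Src_IP>"},
    # Real 4625 messages carry two 'Account Name:' fields (Subject, then Target); this
    # constructed one-line form has only the target, so the lazy .*? is safe here.
    {"name": "Windows Logon Failure", "quick_match": "4625",
     "rule": r"\b4625\b.*?Account Name:\s+(?P<User>{User}).*?Source Network Address:\s+(?P<Src_IP>{IPv4})",
     "tags": ["User", "Logon", "Failure"],
     "description": "Windows logon failure for <User> from <Src_IP>"},
]


def expand_aliases(pattern, aliases=ALIASES):
    """Replace each {Alias} with its regular expression in a single pass, so the
    braces inside an alias such as {1,3} are never re-expanded."""
    return re.sub(r"\{(\w+)\}", lambda m: aliases[m.group(1)], pattern)


def compile_rules(rules=RULES, aliases=ALIASES):
    return [dict(r, compiled=re.compile(expand_aliases(r["rule"], aliases))) for r in rules]


def normalize(message, compiled_rules):
    """Return the Normalized Message for the first matching rule, else None.
    The quick_match test runs first so the regular expression is only tried on
    candidate lines, which is what makes a per-message regex affordable."""
    for rule in compiled_rules:
        if rule["quick_match"] not in message:
            continue
        m = rule["compiled"].search(message)
        if m is None:
            continue
        columns = m.groupdict()
        desc = re.sub(r"<(\w+)>", lambda v: columns.get(v.group(1), v.group(0)), rule["description"])
        return {"rule": rule["name"], "tags": rule["tags"], "description": desc, **columns}
    return None


def try_rule(rule, sample, aliases=ALIASES):
    """What the Rule Editor's Input Data / Test does: run one rule's expression
    against a sample line and return the parsed columns, or None."""
    m = re.compile(expand_aliases(rule["rule"], aliases)).search(sample)
    return None if m is None else m.groupdict()


if __name__ == "__main__":
    rules = compile_rules()
    for line in (  # constructed sample messages
        "<13>Jan 10 09:12:01 linux01 sshd[2211]: Failed password for root from 10.0.0.7 port 51012 ssh2",
        "MSWinEventLog 4625 Security win01 An account failed to log on. Account Name: TLC_GOOD_USER Source Network Address: 10.0.0.7",
        "<13>Jan 10 09:12:09 linux01 CRON[22]: pam_unix(cron:session): session opened for user root",
    ):
        print(normalize(line, rules))
```

Rule order matters in the same way it does in the Correlation Engine tab: the first rule whose quick-match string and expression both hit wins, so a rule with a very generic quick-match string placed early will shadow more specific rules behind it and cost a regular-expression attempt on almost every message.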


Step 3. Create a Layout in the Dashboard

A component of the TLC Console, the Dashboard presents information about a Manager or Event-Management Database in a Layout, a customizable configuration of panels containing fields, tables, and/or graphs.
- A Manager Layout shows information about 1) a selected Manager's system resources and configuration, and 2) the log messages collected by the Manager's Collectors.
- A Database Layout presents data for the Events in a selected Event-Management Database.

The panels in a Layout are known as Layout Panels, and Table 7 below describes each type of Layout Panel.

Table 7. Types of Layout Panels

Configuration Diagram
    (Manager Layouts only) Displays a diagram of the Log Sources, Collectors, Managers, Audit Loggers, Correlation Engines, and Event-Management Databases in your TLC environment.
Map
    (Database Layouts only) Displays the geographic locations of IP addresses involved in Events on a map.
Text
    Presents data in a table.
Time Graph
    Presents a timeline of log messages or Events in a graph.
Top Graph
    (Database Layouts only) Displays the Top N items in a graph or chart.

To add a panel to a Layout, you must first create a Layout-Panel Task in the Task Manager. Table 8 below describes each type of Task in TLC.

Note: In the Task Scheduler, you can define schedules for Copy, Delete, Archive, and Report Tasks.

Table 8. Types of Tasks in the Task Manager

Layout-Panel
    Creates a Layout Panel that may be added to a Layout in the Dashboard.
Administrative
    Performs an administrative operation on specified data in an Event-Management Database. An Archive Task moves the data from one database to another. A Copy Task copies the data from one database to another. A Delete Task removes the data from the database.
Search
    Performs a query of data in an Event-Management Database. A List Task presents the query results in a table. A Graph Task presents the query results in the form of a graph or chart. A Report Task compiles and formats the query results in a Report.

In Scenario 2. Monitoring and Reporting System Activity on page 61, you will: 1) create and run a Report Task, and 2) work with a custom Layout in the Dashboard. To prepare TLC for your work in the Dashboard, you will now create a Layout-Panel Task, and then add the panel to a new Layout.

To complete this Step:
1. In the side bar, select Events > Task Manager.
2. To create the Layout-Panel Task:
   a. In the workspace, enter Medium and High Priority Events in the Name field.
   b. From the 'Task type' drop-down, select Layout Panel.
   c. From the Output drop-down, select Text Panel, and then select Top Priorities from the adjacent Type drop-down.
   d. Click Save. TLC adds the new Layout-Panel Task under the Layout-Panel Tasks group in the Task Manager's side bar.

Figure 20. The new Layout-Panel Task in the Task Manager

3. To create the new Database Layout:
   a. In the side bar, select Events > Dashboard.
   b. From the 'Display data for' drop-down, select Events.
   c. From the Layout drop-down, select New Layout.
   d. Click Add and select Text Panels > Medium and High Priority Events (see Figure 21 below).
   e. Click Save.
   f. In the Save As dialog, enter Priority_Events as the name of the new Layout file and click Save. The new Layout should now be available in the Dashboard's Layout drop-down.

Figure 21. The Layout drop-down with the new Database Layout

4. Close the Dashboard and Task Manager.


Chapter 3. Scenarios

Scenario 1. Detecting User Activity


To begin the evaluation, this Scenario demonstrates how Tripwire Log Center (TLC) can detect and respond to unauthorized user activity in your TLC environment. In Step 1.1 - Detect and Evaluate Unauthorized User Activity below, you will create new user accounts on your Windows Log Source and then employ the Real-Time Event Viewer and Audit Logger to evaluate this activity. In Step 1.2 - Investigate a 'Brute Force Attack' on page 57, you will analyze the log messages generated in response to a simulated 'Brute Force Attack.'

Step 1.1 - Detect and Evaluate Unauthorized User Activity


In this Step, you will:
- create two (2) new user accounts on your Windows Log Source
- monitor the Real-Time Event Viewer for log messages documenting the creation of the user accounts
- create a Custom Command to look up IP addresses on the Network Solutions WHOIS Web site

  Note: A Custom Command is a command that users can run when they select certain fields in a table in the TLC Console.

- simulate a logon failure by attempting to log in to the Windows system with incorrect authentication credentials
- search TLC for the log message generated by the logon failure
- run the Custom Command to display the WHOIS details for an IP address in the log message
- email the log message to your Security Administrator for further analysis

To complete this Step:
1. In the side bar, select Events > Real-Time Event Viewer.
2. In the Real-Time Event Viewer, complete the following steps.
   a. In the Message-content filter field, enter: TLC_*
   b. In the IP Address field, enter the IP address of your Windows Log Source.
   c. From the Collector drop-down, select Advanced Windows Collector.
   d. Select the Wrap Text check box and click Start. TLC begins displaying log messages from the Windows system in real time.


3. On the Windows system:
   a. Create a Windows user account named "TLC_GOOD_USER," and add this account to the Administrators group.
   b. Create a Windows user account named "TLC_BAD_USER."

   Tips: Make a note of the password for each account. For further directions, refer to your Microsoft Windows documentation. These are evaluation accounts, and TLC_GOOD_USER is a local administrator; delete both when the evaluation is complete.

4. Monitor the Real-Time Event Viewer in TLC. You should see the log messages related to the creation of each new user account (see Figure 22 below).

Note: As needed, you can use the Real-Time Event Viewer to verify collection of log messages from any Log Source in your TLC environment.

Figure 22. Real-Time Event Viewer with log messages for new Windows user accounts

5. Click Stop and close the Real-Time Event Viewer.
6. From the menu bar in the TLC Console, select Options > Settings.
7. In the side bar of the Settings dialog, select User Settings > Custom Commands and click Add.


8. Complete the Custom Command dialog (see Figure 23 below).
   a. In the Name field, enter Network Solutions WHOIS Lookup.
   b. Select the Enabled check box.
   c. From the Data Type drop-down, select IP Address.
   d. For the Output drop-down, accept the default value of DOS Command.
   e. In the Command field, enter:
   http://www.networksolutions.com/whois/results.jsp?ip=<ip>
   f. To test the command, click Test.
   g. In the Test dialog, enter 192.168.1.100 and click Test. If the test is successful, TLC will present a Web page with the WHOIS results for the IP address. Because 192.168.1.100 is a private (RFC 1918) address, a public WHOIS service cannot return an owner for it; the test confirms that the <ip> placeholder is substituted and the command runs, not that the lookup is informative for that address.
   h. Click OK to save your work and close the Custom Command dialog.
   i. In the Settings dialog, click OK.

Note: Network Solutions is unaffiliated with Tripwire, Inc. Running the Custom Command sends the selected IP address to that third-party site, which is worth remembering when an investigation is confidential.

Figure 23. Custom Command dialog

9. Attempt to log in to the Windows system with incorrect authentication credentials.


10. To search for log messages related to the failed logon attempt:
   a. In the side bar, select Events > Audit Logger.
   b. Select the Query tab (see Figure 24 below).
   c. From the Output drop-down, select List Events - Processed.
   d. In the Classification Tags field, enter User Logon Failure.
   e. From the two Assets drop-downs, select IP Address and your Windows Asset.
   f. To run the search, click Start. TLC queries the Audit Logger File Store for log messages collected from the Windows system with which the Classification Tags User, Logon, and Failure are associated. TLC then normalizes the log messages with the Normalization Rules assigned to the Windows and Critical Systems Asset Groups, and presents the results in the Query Results - Normalized Messages tab (see Figure 25 below).

Figure 24. The Query tab in the Audit Logger


Figure 25. The Query Results - Normalized Messages tab

11. To run the Custom Command:
   a. In the Processed Logs tab, select and right-click an IP address in a log message for a failed logon attempt (see Figure 26 below).
   b. From the right-click menu, select Run Custom Command on selected IP address > Network Solutions WHOIS Lookup. TLC runs the Custom Command and opens a Web Browser tab containing a page from the Network Solutions Web site. The page presents information about the selected IP address.

   Note: Network Solutions is unaffiliated with Tripwire, Inc.

   c. Close the Web Browser tab.


12. Close the Audit Logger.

Figure 26. The right-click menu in the Query Results - Normalized Messages tab

Step 1.2 - Investigate a 'Brute Force Attack'

In this Step, you will simulate a Brute Force Attack by attempting to log in to the Windows system with an incorrect password for the TLC_GOOD_USER account (created in Step 1.1 - Detect and Evaluate Unauthorized User Activity on page 52), and then changing the account's password. You will then query and review the log messages generated by the Windows system in response to the Brute Force Attack.

Caution: To complete this Step, your Windows system should not have an enabled policy that locks a Windows user account after five (5) or fewer failed login attempts. If such a policy is in force, the fifth attempt locks the account, the later successful logon and password change cannot take place, and the log messages you see will differ from those described below.


To complete this Step:
1. To simulate a "Brute Force Attack" on your Windows system:
   a. Using an incorrect password for the TLC_GOOD_USER account, attempt to log in to the Windows system five (5) times.
   b. Using the correct password, log in to the system with the TLC_GOOD_USER account.
   c. Change the password for the TLC_GOOD_USER account, and make a note of the new password. For further directions, refer to your Microsoft Windows documentation.
2. To search for log messages generated by the failed logon attempts:
   a. In the side bar, select Events > Audit Logger.
   b. In the Audit Logger, select the Query tab.
   c. From the Output drop-down, accept the default option of List Events - Raw. With this option, TLC will query the Audit Logger File Store for log messages in their original, un-normalized state.
   d. In the Classification Tags field, enter User Logon Failure.
   e. From the two Assets drop-downs, select IP Address and your Windows Asset.
   f. From the Date and Time drop-down, select Newer/older than.
   g. In the Time Span drop-downs, enter Newer than 10 Minutes.

   Note: If more than 10 minutes have passed since you simulated the Brute Force Attack, you will need to adjust the Time Filter accordingly.

   h. To run the search, click Start. TLC presents the query results in the Raw Logs tab (see Figure 27 below).


Figure 27. The logon failure messages in the Raw Logs tab

3. To search for the log message generated by the Windows system when you changed the password of the TLC_GOOD_USER account:
   a. In the Audit Logger, select the Query tab.
   b. From the Output drop-down, accept the default option of List Events - Raw.
   c. In the Classification Tags field, enter Password.
   d. From the two Assets drop-downs, select IP Address and your Windows Asset.
   e. In the Time Span drop-downs, enter Newer than 10 Minutes.
   f. To run the search, click Start. TLC presents the query results in the Raw Logs tab (see Figure 28 below). Locate the log message and review the content.
4. Close the Audit Logger.
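The two queries above find the raw evidence by hand. What Step 9's Correlation Engine does with the same events once they are normalized is shown in this added Python example, which is not TLC code and not TLC's rule language: two rules are applied in list order (the order the Correlation Engine tab shows), the first counting User Logon Failure events per user and source inside a ten-minute window and watching for the successful logon that follows, the second escalating a password change that comes shortly after such a success; the Notification Action and the 'Email to me' Action from Step 10 are stood in for by callables that record what they would have sent. The event dictionaries, field names, thresholds and rule logic are this example's own assumptions; Tripwire's shipped Authentication rules are what you added in Step 9, not these.

```python
from collections import defaultdict, deque

WINDOW_S = 600   # ten minutes, the same span as the "Newer than 10 Minutes" query
THRESHOLD = 5    # the five failed logons of the scenario


def brute_force_rule(ev, state):
    """THRESHOLD logon failures for one user from one source inside WINDOW_S is a
    Medium-priority Correlated Event; a successful logon for that pair while the
    failures are still inside the window raises it to High."""
    key = (ev["User"], ev["Src_IP"])
    failures = state["failures"].setdefault(key, deque())
    while failures and ev["time"] - failures[0] > WINDOW_S:
        failures.popleft()                      # forget failures outside the window
    tags = set(ev["tags"])
    if {"Logon", "Failure"} <= tags:
        failures.append(ev["time"])
        if len(failures) == THRESHOLD:          # fire once, not on every further failure
            return {"priority": "Medium", "name": "Possible brute force", "user": ev["User"],
                    "src_ip": ev["Src_IP"], "failures": len(failures), "actions": ["Notification"]}
    elif {"Logon", "Success"} <= tags and len(failures) >= THRESHOLD:
        state["compromised"][ev["User"]] = ev["time"]
        failures.clear()
        return {"priority": "High", "name": "Brute force succeeded", "user": ev["User"],
                "src_ip": ev["Src_IP"], "actions": ["Email to me"]}
    return None


def password_change_rule(ev, state):
    """A password change on an account within WINDOW_S of a successful brute force
    is the attacker locking the real owner out: High priority. This rule relies on
    brute_force_rule having run first, which is why rule order matters."""
    if "Password" in ev["tags"]:
        since = state["compromised"].get(ev["User"])
        if since is not None and ev["time"] - since <= WINDOW_S:
            return {"priority": "High", "name": "Password changed after brute force",
                    "user": ev["User"], "src_ip": ev["Src_IP"], "actions": ["Email to me"]}
    return None


class CorrelationEngine:
    """Applies rules to each Normalized Message in list order and dispatches the
    named Actions of every Correlated Event a rule returns."""

    def __init__(self, rules, actions):
        self.rules, self.actions = rules, actions
        self.state = defaultdict(dict)
        self.correlated = []

    def process(self, ev):
        fired = []
        for rule in self.rules:
            out = rule(ev, self.state)
            if out:
                for name in out.pop("actions", []):
                    self.actions[name](out)
                fired.append(out)
        self.correlated += fired
        return fired


def make_actions(outbox):
    """Stand-ins for the Notification Action and the 'Email to me' Action; a real
    Email Action would hand the text to the SMTP server configured in Step 10."""
    return {
        "Notification": lambda ce: outbox.append(("notification", ce["name"])),
        "Email to me": lambda ce: outbox.append(
            ("email", f"[{ce['priority']}] {ce['name']}: {ce['user']} from {ce['src_ip']}")),
    }


def demo():
    """Replay the sequence of this Step as already-normalized events (constructed,
    not captured): five failures, a success, then a password change."""
    outbox = []
    engine = CorrelationEngine([brute_force_rule, password_change_rule], make_actions(outbox))
    t0 = 1_700_000_000
    base = {"User": "TLC_GOOD_USER", "Src_IP": "10.0.0.7"}
    events = [dict(base, tags=["User", "Logon", "Failure"], time=t0 + 5 * i) for i in range(5)]
    events.append(dict(base, tags=["User", "Logon", "Success"], time=t0 + 40))
    events.append(dict(base, tags=["User", "Password", "Change"], time=t0 + 90))
    for ev in events:
        engine.process(ev)
    return engine.correlated, outbox


if __name__ == "__main__":
    for ce in demo()[0]:
        print(ce)
```

The fifth failure raises the Medium event and a Notification, the success that follows raises the High event and an email, and the password change ninety seconds later raises a second High event. Four failures, or five failures with the success arriving more than ten minutes later, raise nothing, which is the trade-off every threshold-and-window rule makes: a slower attacker stays under it, so the window and threshold should be tuned to the lockout policy and logon volume of the systems you actually monitor.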


Figure 28. The Password Change log message in the Raw Logs tab


Scenario 2. Monitoring and Reporting System Activity


In addition to the storage of log messages in the Audit Logger, Tripwire Log Center (TLC) also saves data in the following databases.
- The System Database retains a record of all user logons and logouts, as well as TLC content, such as Assets and Normalization Rules.
- An Event-Management Database stores Events. Each Event is either:
  a. A Normalized Message (see How does TLC collect, normalize, and correlate log messages? on page 14), or
  b. An event imported from a supported scanner, such as Tripwire IP360 or Tenable Nessus.

Table 9 below describes each type of Event-Management Database. By default, the TLC Manager installer creates a single Event Database called 'Events.' With the Database Viewers in the TLC Console, you can access information about the Events in your Event-Management Databases.

Table 9. Types of Event-Management Databases and Database Viewers

Event Database
    Stores Events from any Log Source and/or any supported scanner.
    Database Viewer: Event-Database Viewer
    Notes: An Event Database can also store firewall Events, as well as Events from an IDS or IPS. For IDS and IPS Events, an Event Database excludes the packet payloads. To store the packet payloads, you should store Events in an IDS Database.
Firewall Database
    Stores Events from firewalls.
    Database Viewer: Firewall-Database Viewer
IDS Database
    Stores Events from IDS and IPS devices.
    Database Viewer: IDS-Database Viewer

In this Scenario, you will work with the Dashboard to review Events with a high Priority. Priorities indicate the relative importance of Events. For an introduction to the Dashboard, see Step 3. Create a Layout in the Dashboard on page 47.


Step 2.1 - Analyze Event Data with the Dashboard


In this Step, you will:

• review the default Events Overview Layout in the Dashboard
  Note: The Events Overview Layout is automatically created by the TLC Manager installer.
• open and review the custom Layout (Priority_Events) created in Step 3. Create a Layout in the Dashboard on page 47
• add another Layout Panel to the custom Layout
• search for Events with a high Priority
• create a Decision for a Correlation Rule
  Note: In Scenario 4. Correlating SSH Logon Events on page 83, you will create a Correlation Rule involving this Decision.

To complete this Step:

1. In the side bar, select Events > Dashboard.
2. To open the Events Overview Layout (see Figure 29 on the next page):
   a. From the 'Display data for' drop-down, select Events.
   b. From the Layout drop-down, select Overview.
   The Layout Panels in this Database Layout present information about the Events in the default Events Database.
   • The top panel presents the total number of Events in the database, along with the number of Normalization Rules used to normalize those Events.
   • The middle panel presents a collection of 'Top 10' panels. Each of these panels displays the most common values for a specific field in the database's Events. For example, the Top 10 Priorities panel shows the total number of Events for each Priority.
   • The bottom panel is a Time Graph Panel. For each of the past 24 hours, this panel shows the total number of Events saved to the database. For each one-hour period, the graph also shows how many Events were saved for each Priority (High, Medium, Low, and Info).


Figure 29. The Events Overview Layout in the Dashboard

3. To access your custom Layout:
   a. From the Layout drop-down, select Priority_Events.
   b. Click Refresh to populate the Layout Panel with data (see Figure 30 below).

Figure 30. The custom Layout in the Dashboard

4. To add another Layout Panel to the Priority_Events Layout (see Figure 31 on the next page):
   a. Click Add and select Time Graph Panels > Last 24 Hours.
   b. Click Refresh.


Figure 31. The custom Layout with the new Layout Panel

5. To search the Events Database for Events with a High Priority:
   a. In one of the Layout's panels, select a High Priority table row or graph segment.
   b. Right-click the High Priority row or segment, and select Search for Events (see Figure 32 on the next page). The Task Manager opens (see Figure 33 on the next page). In the Filter Wizard tab, TLC automatically adds a single search filter for High Priority Events.
   c. Select the filter's Enable check box and click Start. TLC queries the database and presents the High Priority Events in a new tab.
   d. Review the search results and then close the tab.


Figure 32. The Correlation Search right-click option

Figure 33. The Filter Wizard tab in the Task Manager

6. To create a Correlation Rule Decision based on the search filter:
   a. Click Create Correlation Rule Decision in the Filter Wizard tab of the Task Manager (see Figure 33 above).
   b. In the Enter Decision Information dialog, enter High Priority Events in the Name field.
   c. From the Group drop-down, select System Security and click Add.
   d. In the Confirmation dialog, click No.
   TLC creates and saves the Decision. In Scenario 4. Correlating SSH Logon Events on page 83, you will add the Decision to a new Correlation Rule.
7. Close the Task Manager and the Dashboard.


Step 2.2 - Generate a Report on Event Data


In this Step, you will:

1. create a Report Task to define a Report about the Events in the default Events Database
2. run the Report Task and view the results in the Report Center

In the Report's output, you will locate the Events related to the simulated 'Brute Force Attack' conducted in Scenario 1. Detecting User Activity on page 52, and then save the output as a PDF file to share with your co-workers.

To complete this Step:

1. In the side bar, select Events > Task Manager.
2. In the Task Manager, the side bar groups the default and custom Tasks in your TLC environment.
   Note: The Search group contains List Tasks, and the Dashboard Panels group contains Layout-Panel Tasks.
   To create your Report Task, complete the following steps in the workspace.
   a. In the Name field, enter System Activity by Classification.
   b. From the Database drop-down, accept the default value of Events.
   c. From the Output drop-down, select Report.
   d. From the Type drop-down, select Events by Legacy Classification - Detailed.
   e. Click Save.
   In the Task Manager side bar, TLC adds the new Report Task under the Report Tasks > Events group (see Figure 34 on the next page).


Figure 34. New Report in the Task Manager

3. In the Task Manager, you can run a Report Task by opening the Task and clicking Start. However, you can also access and run Report Tasks in the Report Center, as well as a wide variety of pre-defined Reports. To run the new Report Task in the Report Center:
   a. In the side bar, select Events > Report Center.
   b. From the Database drop-down, select Events.
   c. Expand the Standard Reports group and select the System Activity by Classification Report.
   d. From the Time Filter drop-down, select 24 Hours.
   e. Click Run Report.
   TLC presents the report output in the workspace (see Figure 35 on the next page).


Figure 35. The output of the System Activity by Classification Report

4. The report output includes:
   • A collection of graphs illustrating the frequency of Event types and the systems involved in those Events, and
   • A detailed list of the Events.
   In the output, scroll down the list to locate the Events for the simulated 'Brute Force Attack' completed in Scenario 1. Detecting User Activity on page 52 (see Figure 36 on the next page). To generate these Events, TLC used the Correlation Rules assigned to the Correlation Engine in Step 9. Assign Correlation Rules to the Correlation Engine on page 37.


Figure 36. The Events for the simulated 'Brute Force Attack'

5. To add a watermark to the Report output:
   a. Click Watermark.
   b. In the Watermark dialog (see Figure 37 on the next page), enter 'Classified' in the Text field.
   c. From the Size drop-down, select 54.
   d. Adjust the Transparency slider bar to a value of 160, and click OK.
   TLC adds the watermark to the Report output.


Figure 37. Watermark dialog

6. To save the Report output as a PDF file:
   a. Click Export to and select PDF File.
   b. In the PDF Export Options dialog, click OK.
   c. In the Save As dialog, select your Desktop from the Save in drop-down, and then click Save.
   d. In the Export confirmation dialog, click Yes.
   TLC opens the PDF file with the Report output.
7. When you finish reviewing the output in the PDF file, close the file and the Report Center.


Scenario 3. Analyzing System Activity


The Audit Logger and Event-Database Viewer provide a number of tools with which you can analyze your TLC data, including:

• a wide variety of graphs - pie charts, line graphs, and bar graphs
• Event-Relationship Diagrams that depict and replay communications between systems involved in queried Events
• a robust set of customizable Reports

This Scenario guides you through the process of detecting and analyzing SSH-related activity on your Linux Log Source. Along the way, you will use these tools to illustrate this activity and identify events of interest. In addition, you will create an Event Ticket to track related work.

Step 3.1 - Query the Audit Logger for Evidence of System Activity
In this Step, you will:

• start (or restart) the SSH Daemon, log in via SSH, and create a new user account on your Linux Log Source
• search for log messages generated by the Linux system for the SSH Daemon

To complete this Step:

1. On your Linux system:
   a. Restart the SSH Daemon.
   b. Log in to the Linux system via SSH with the twadmin user account (created in Linux Configuration on page 18).
   c. Create a new Linux user account named twuser. For further details, refer to your Linux documentation.
2. To search for the log messages:
   a. In the side bar, select Events > Audit Logger.
   b. In the Audit Logger, select the Query tab.
   c. From the Output drop-down, select List Events - Processed.
   d. In the Terms field, enter SSH*.


   Tips
   • For query-syntax characters that may be entered in the Query field, see Table 10 on the next page.
   • To search for a special character in log messages, enter a regular expression with the character in the Query field and insert a forward slash (/) before the character (i.e. escape the special character with /).
   • To optimize performance, enter the most unique terms first. For example, "jhammond user failed" would be faster than "user failed jhammond."

   e. From the two Assets drop-downs, select Asset Group and the Linux Asset Group.
   f. To run the search, click Start.
   TLC queries the Audit Logger File Store for log messages containing SSH*, and then normalizes the messages with the Normalization Rules assigned to the Linux Asset Group. The Query Results - Normalized Messages tab (see Figure 38 below) presents the results.

Figure 38. The Query Results - Normalized Messages tab


Table 10. Query-syntax characters

  Character   Description                                                 Example
  (space)     An AND operator                                             Write Data
  |           An OR operator                                              Write | Data
  ?           Wildcard for a single character                             Wr?te
  *           Wildcard for zero or more characters at the end of a term   Wri*
  ||          Separates multiple queries                                  Permit 192.168.0.1 || Deny 192.168.0.2
                                                                          An example of a nested query:
                                                                          (Permit | Allow) 192.168.0.1 || (Permit | Allow) 192.168.0.2
  ""          A literal value                                             "Failed Login"
  \           Separates a Location name from an IP address                Miami\192.168.129.1
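The query syntax in Table 10 can be exercised offline with the following Python evaluator. It is an added example and not part of this guide or of Tripwire's software: it implements the space (AND), | (OR), ? and trailing * wildcards, the || query separator, parentheses and quoted literals from the table, and runs them over a handful of constructed log lines. The Location\IP form selects an Asset in TLC rather than matching text, so it is not modeled. The guide does not state operator precedence, so the example assumes that a space (AND) binds tighter than | (OR); parentheses are then needed for (Permit | Allow) 192.168.0.1, exactly as the table shows.

```python
import re
from typing import Callable, List

# Constructed sample log lines (not from the guide), standing in for messages
# stored in the Audit Logger File Store.
SAMPLE_LOGS = [
    "Jan 10 08:01:12 fw01 kernel: Permit TCP 192.168.0.1:44512 -> 10.0.0.5:22",
    "Jan 10 08:01:13 fw01 kernel: Deny TCP 192.168.0.2:51000 -> 10.0.0.5:445",
    "Jan 10 08:02:40 srv01 sshd[2210]: Failed password for invalid user jhammond from 192.168.0.9 port 40022 ssh2",
    "Jan 10 08:02:41 srv01 app: Failed Login for user guest from 192.168.0.9",
    "Jan 10 08:03:00 srv01 app: Write Data committed for user jhammond",
    "Jan 10 08:03:05 srv01 app: Allow 192.168.0.2 to read config",
]

Matcher = Callable[[str], bool]

# Words of a log line: letters, digits, dots, dashes, slashes and '@' stay
# together, so IP addresses and user@host survive, while ':' and brackets split.
_WORD_RE = re.compile(r"[\w.\-/@]+")

def _term_matcher(term: str) -> Matcher:
    """One bare term: '?' matches a single character, a trailing '*' matches the
    rest of the word; the whole term must match a whole word, case-insensitively."""
    body, tail = (term[:-1], ".*") if term.endswith("*") else (term, "")
    pattern = "".join("." if ch == "?" else re.escape(ch) for ch in body) + tail
    word_re = re.compile("^" + pattern + "$", re.IGNORECASE)
    return lambda line: any(word_re.match(w) for w in _WORD_RE.findall(line))

def _phrase_matcher(phrase: str) -> Matcher:
    """A quoted value is matched literally (case-insensitive substring)."""
    lowered = phrase.lower()
    return lambda line: lowered in line.lower()

def _tokenize(query: str) -> List[str]:
    # quoted phrases, parentheses, the OR bar, and bare terms
    return re.findall(r'"[^"]*"|\(|\)|\||[^\s()|"]+', query)

class _Parser:
    """Recursive descent: expr := conj ('|' conj)* ; conj := atom+ ;
    atom := '(' expr ')' | "phrase" | term.  AND (space) binds tighter than OR."""
    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def expr(self) -> Matcher:
        branches = [self.conj()]
        while self.peek() == "|":
            self.take()
            branches.append(self.conj())
        return lambda line: any(b(line) for b in branches)
    def conj(self) -> Matcher:
        parts = []
        while self.peek() not in (None, "|", ")"):
            parts.append(self.atom())
        if not parts:
            raise ValueError("empty query")
        return lambda line: all(p(line) for p in parts)
    def atom(self) -> Matcher:
        tok = self.take()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok.startswith('"'):
            return _phrase_matcher(tok.strip('"'))
        return _term_matcher(tok)

def compile_query(query: str) -> Matcher:
    """'||' separates independent queries; a line matches if any one of them matches."""
    matchers = []
    for sub in query.split("||"):
        parser = _Parser(_tokenize(sub))
        matcher = parser.expr()
        if parser.peek() is not None:
            raise ValueError(f"unexpected token {parser.peek()!r}")
        matchers.append(matcher)
    return lambda line: any(m(line) for m in matchers)

def search(query: str, lines: List[str] = SAMPLE_LOGS) -> List[str]:
    """Return the lines that satisfy the query, in their original order."""
    matcher = compile_query(query)
    return [ln for ln in lines if matcher(ln)]

if __name__ == "__main__":
    for q in ["Write Data", "Write | Data", "Wr?te", "Wri*", '"Failed Login"',
              "Permit 192.168.0.1 || Deny 192.168.0.2",
              "(Permit | Allow) 192.168.0.1 || (Permit | Allow) 192.168.0.2"]:
        print(f"{q!r}: {len(search(q))} hit(s)")
```

Comparing search("Permit | Allow 192.168.0.2") with search("(Permit | Allow) 192.168.0.2") on the sample lines shows why the table's nested example needs its parentheses: without them the Permit line also matches.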

Step 3.2 - Graph and Diagram Event Data


In this Step, you will complete the following steps in the Event-Database Viewer.

• Generate a Graph to show all Events added to the default Events Database over the past 24 hours
• Generate an Event-Relationship Diagram to illustrate the communications between the host systems involved in these Events
• Create an Event Ticket with which your organization can track related work

To complete this Step:

1. In the side bar, select Events > Event-Database Viewer.
2. To generate the Graph:
   a. In the side bar of the Event-Database Viewer, expand Events > Graphs.
   b. Under Graphs, select Last 24 Hours.
   TLC generates and presents the graph in the main pane (see Figure 39 on the next page).


Figure 39. Last 24 Hours Graph in the Event-Database Viewer

3. To generate the Event-Relationship Diagram:
   a. In the Graph, right-click a High Priority section of a bar (in red) and select View related items from the right-click menu.
   b. In the list of queried Events, select at least two (2) Events while holding the CTRL key.
   c. Click Diagram Events.
   TLC presents the Event-Relationship Diagram in the main pane (see Figure 40 on the next page). The diagram shows the communications between the host systems with IP addresses in the Source IP address (Src IP) and Destination IP address (Dst IP) fields of the selected Events. In a production environment, an Event-Relationship Diagram may depict an unlimited number of hosts and communications.
   d. To run a replay of the sequence of communications depicted in the diagram, move your pointer over the Replay Events tab at the bottom of the workspace and click Start. TLC highlights the diagram's arrows in the order in which the communications occurred.
   e. Close the Event Relationship tab.


Figure 40. An Event-Relationship Diagram

4. To create the Event Ticket:
   a. In the side bar of the Event-Database Viewer, expand Events > Events > Destination IPs.
   b. In the Destination IPs group, select the IP address of your Linux Log Source.
   c. Locate and select the Event for the creation of the twuser Linux user account (completed in Step 3.1 - Query the Audit Logger for Evidence of System Activity on page 71). To determine the user account associated with each Event, select the Details tab at the bottom of the workspace (see Figure 41 on the next page).
   d. In the button bar, click Assign selected items to Event Ticket > Create Ticket to open the Ticket tab (see Figure 42 on page 77).


Figure 41. The Details tab

5. To complete and save the Event Ticket:
   a. In the Name field, enter Unauthorized User Account.
   b. From the Priority drop-down, select High.
   c. From the Status drop-down, select New.
   d. From the Assigned Group drop-down, select User Admin.
   e. From the Ticket Group drop-down, select DMZ.
   f. From the Category drop-down, select Suspicious Activity.
   g. In the Description tab, enter:
      Suspect user account created. Requires further investigation.
   h. Click Save & Close.
   Tip: In the TLC Ticket Center, you can create, review, and update Event Tickets. As needed, you can also modify the list of available values for any drop-down.


Figure 42. The completed Ticket tab

Step 3.3 - Identify Recurrent Issues


In this Step, you will:

• search for log messages saved in the Audit Logger over the past 30 days
• sort and group the log messages in the search results
• generate a pie chart to illustrate the five (5) most frequent names of log messages collected by TLC

To complete this Step:

1. In the side bar, select Events > Audit Logger.
2. In the Audit Logger, select the Query tab.


3. To query the Audit Logger for log messages generated within the last 30 days, complete the following steps in the Query tab (see Figure 24 on page 55):
   a. Select List Events - Processed from the Output drop-down.
   b. From the two Assets drop-downs, accept the default values of IP Address and any.
   c. From the Date and Time drop-down, select Newer/Older than.
   d. From the Time Span drop-downs, select Newer than 30 Days.
   e. Click Start.
   TLC queries the Audit Logger File Store and normalizes the log messages generated by the Windows and Linux systems within the past 30 days. TLC then presents the Normalized Messages in the Query Results - Normalized Messages tab (see Figure 43 below).

Figure 43. The Query Results - Normalized Messages tab


4. To sort and group the messages in the Query Results - Normalized Messages tab:
   a. Scroll to the right to locate the User column, and then click the User column header (see Figure 44 below). TLC sorts the Normalized Messages by the user account that performed the action. Click the User column header again to reverse the order.
   b. To group the messages by the TLC Normalization Rules that normalized the messages, click-and-drag the Rule ID column header to the grouping region (see Figure 44 below). TLC groups the Normalized Messages by rule numbers (see Figure 45 on the next page).
   Tip: To view the grouped messages, you may need to scroll to the left.

Figure 44. Grouping region above the Rule ID and User columns


Figure 45. Normalized Messages grouped by Rule ID

5. To generate the graph, complete the Query tab (see Figure 24 on page 55):
   a. From the Output drop-down, select Graph Events - Processed.
   b. From the Template drop-down, select Pie Chart.
   c. From the Events per Query drop-down, select ALL.
   In the Group tab at the bottom of the Query tab:
   a. Click Add.
   b. From the Column drop-down, select category.
   In the Column tab:
   a. Click Add.
   b. From the Column Name drop-down, select category.
   c. Click Add.
   d. From the Column Name drop-down, select Count.
   e. From the Sort Column drop-down, select Count.
   Tip: In the Column tab, you must add at least one column with a text format, and another column with a numeric format. In this case, the category column has a text value, while the Count column contains whole numbers.


6. Click Start. TLC queries the Audit Logger File Store and generates the Graph with the query results (see Figure 46 below).
   Tip: With the buttons along the top of the Query Results - Graph tab, you can modify and work with the graph. You can also customize the graph by right-clicking a pie piece and selecting an option from the right-click menu.

Figure 46. The Query Results - Graph tab

7. To clear the fields in the Query tab, click the Clear Form button.

Step 3.4 - Generate a Report on Log-Message Data


In this Step, you will run an Audit Logger Report to show:

• the number of log messages collected on each day of the prior month
• the most common properties of those log messages
• further details about the log messages generated by each Log Source

To complete this Step:

1. In the side bar, select Events > Audit Logger.
2. In the Audit Logger, select the Query tab.



3. In the Query tab:
   a. From the Output drop-down, select Report.
   b. From the Report drop-down, select Events by Name - Detailed.
   c. Click Start.
   TLC presents the report output in the workspace (see Figure 47 below). With the buttons along the top of the Report tab, you can review, print, re-format, save, and email the Report.

Figure 47. The output of the Audit Logger Report


Scenario 4. Correlating SSH Logon Events


When you configured Tripwire Log Center (TLC), you assigned the Correlation Engine as an Output Destination for your Windows Asset and Linux Asset (Step 7. Create and Configure your Assets on page 32). Consequently, if TLC normalizes a log message from these Log Sources, the Normalization Engine forwards the Normalized Message to the Correlation Engine. To identify events of interest, the Correlation Engine applies Correlation Rules to the Normalized Messages. Each Correlation Rule in TLC is constructed with a flowchart containing the following components:

• An Input specifying the source of Normalized Messages to be correlated by the rule (for example, the Collector that collected the original log message). If the message originated with the specified Input, the Correlation Engine applies the rule's Decisions to the message.
• One or more Decisions. Each Decision defines criteria to evaluate each Normalized Message processed by the rule.
• One or more Outputs. An Output is a response to any Normalized Message that satisfies the criteria specified by the rule's Decisions.

A Correlated Event is an event of interest identified by the Correlation Engine. If a Normalized Message satisfies the Decisions in a Correlation Rule, the Correlation Engine creates a Correlated Event and initiates the response(s) defined by the rule's Output(s). An Output can be any of the following actions:

• Saving the Correlated Event in an Event-Management Database
• Creating an Event Ticket in the Ticket Center
• Running an Action

TLC includes an extensive set of pre-defined Inputs, Decisions, and Outputs. You can also create custom Decisions to suit your organization's needs, as you did in Scenario 2. Monitoring and Reporting System Activity on page 61. In this Scenario, you will create a Correlation Rule and then query the Events Database for Correlated Events created by the new rule.


Step 4.1 - Create a Correlation List


In this Step, you will create a Correlation List to be used in a Decision in the Correlation Rule you will create in Step 4.2 - Create a Correlation Rule on the next page. The list will consist of the following user accounts on your Linux Log Source: root, twadmin, sysadmin, and superuser.

To complete this Step:

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Correlation > Lists.
3. Click Add.
   TLC opens the List tab.
4. In the List tab:
   a. Enter Linux User Accounts in the Name field.
   b. From the 'Field type' drop-down, select User.
5. Add the root, twadmin, sysadmin, and superuser accounts to the Correlation List. To add each account:
   a. Click Add to add a row to the list.
   b. In the row's Value field, enter the user account.
   Figure 48 below shows the Correlation List with all four user accounts.

Figure 48. The Correlation List with the Linux user accounts


6. Click Save to close the List tab.
7. To push updates to your Manager:
   a. In the side bar of the Configuration Manager, select Resources > Managers.
   b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.
   c. Click Push Updates to Manager.

Step 4.2 - Create a Correlation Rule


In this Step, you will create a Correlation Rule consisting of:

• an Input for Events collected by the Manager's Network Collector
• the Decision for High Priority Events created in Scenario 2. Monitoring and Reporting System Activity on page 61
• two (2) Outputs: one for the default Event Database, and another for the Email Action created when you configured TLC (see Step 10. Create an Email Action on page 39)

With this rule, TLC will save an Event in the default Event Database and run the Email Action if the Event has 1) a High Priority, and 2) a field with one of the user accounts specified by the Correlation List created in Step 4.1 - Create a Correlation List on the previous page.

To create the Correlation Rule:

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Correlation > Rules.
   In the workspace, TLC presents a list of all Correlation Rules in your TLC environment.
3. In the side bar of the Configuration Manager, expand the Rules group to see the existing Correlation-Rule Groups in your TLC environment.
4. Click Add.
   TLC opens the Correlation Rule tab.


5. In the Rule Settings tab (see Figure 49 below) at the bottom of the Correlation Rule tab:
   a. Enter SSH Login Detection in the Name field.
   b. From the Group drop-down, select Authentication.
   Note: The Correlation Rule will create a Correlated Event for any failed login attempt. However, if you 1) select one or more fields in the Track Event By region, and 2) enter a value in the Suppress field of the Decision Settings tab (see below), the rule would only create a Correlated Event when the number of failed logins exceeds the value entered in the Suppress field.

Figure 49. The Rule Settings tab

6. Select the Correlation Engine tab and select the Enabled check box for your Manager's Correlation Engine.
7. To add the Network Collector as the rule's Input:
   a. Expand Inputs > Collectors > TLC Network Collector in the side bar.
   b. Drag-and-drop the TLC Network Collector from the TLC Network Collector group to the workspace.
   Tips: The button bar at the top of the workspace contains a number of helpful buttons. For example, the Zoom buttons adjust the magnification of the workspace, and the Save button will save your work.

8. To add the High Priority Events Decision:
   a. Expand Decisions > System Security in the side bar.
   b. Drag-and-drop the High Priority Events Decision from the System Security group to the workspace, and position it directly below the Network Collector Input (see Figure 50 below).

Figure 50. The new rule with an Input and Decision

9. To add a criterion to the Decision, complete the following steps in the Decision Settings tab (see Figure 51 on the next page):
   a. With the Decision selected in the workspace, click Add to add a new table row to the tab.
   b. From the Type drop-down in the new row, select User.
   c. From the Condition drop-down, select =.
   d. From the Value drop-down, select LIST:Linux User Accounts.
   Note: Figure 54 on page 90 shows the Correlation Rule in its final form.


Figure 51. The Decision Settings tab with the new criterion

10. To connect the Input with the Decision, draw a connector between these two building blocks (see Figure 52 below).
    a. In the workspace, select the Input.
    b. Click the mid-point on the bottom border of the Input and drag to the top point of the Decision diamond.

Figure 52. The Input and Decision with a connector

11. To add the default Event Database as an Output:
    a. Expand Outputs > Databases in the side bar.
    b. Drag-and-drop the Events database from the Databases group to the workspace, and position the Output to the lower-left of the High Priority Events Decision.
    c. Draw a connector between the Decision and the Output.
12. To add the Email Action created in Step 10. Create an Email Action on page 39 as an Output:
    a. Expand Outputs > Actions in the side bar.
    b. Drag-and-drop the Email to me Action from the Actions group to the workspace, and position the Output to the lower-right of the High Priority Events Decision.
    c. Draw a connector between the Decision and the Output.


13. To configure the Email Action Output, select the Output in the workspace and complete the following steps in the Action Settings tab:
    a. In the 'Message content' field, delete <evt_name>.
    b. From the 'Content values' drop-down, select User and click Insert. TLC adds <evt_user> to the 'Message content' field.
    c. In the 'Email subject' line, enter:
       Privileged user account added
    d. In the 'Message content' field, enter the following sentence after <evt_user> (see Figure 53 below):
       This privileged user account has been added to the Linux Log Source.
    The 'Message content' will appear as the content of email messages sent by TLC when an Event contains a field with a user account specified by the Correlation List in the Decision.

Figure 53. The Action Settings tab

14. The rule's process flow should now match Figure 54 on the next page. When you are satisfied with your work, click Save and Exit to close the Correlation Rule tab.


Figure 54. The completed Correlation Rule

15. To push updates to your Manager:
    a. In the side bar of the Configuration Manager, select Resources > Managers.
    b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.
    c. Click Push Updates to Manager.
16. Close the Configuration Manager.
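As an added example (not code from this guide or from Tripwire), the following Python script models the pipeline described at the start of this Scenario and the rule built in Steps 4.1 and 4.2: constructed Linux syslog lines of the kind produced in Step 3.1 are normalized with regular expressions standing in for Normalization Rules, then run through an Input -> Decision -> Outputs rule whose Decision checks Priority = High and User = LIST:Linux User Accounts, with one Output saving the Correlated Event and another rendering the e-mail. It also models the Suppress / Track Event By behaviour described in the Note under step 5 of Step 4.2. The log lines, Event names, Priorities, regular expressions and the threshold semantics are assumptions made for the example; the Correlation List members, e-mail subject and message text are the ones entered in Steps 4.1 and 4.2.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Constructed Linux syslog lines (not taken from the guide) standing in for the
# log messages the Network Collector receives from the Linux Log Source.
RAW_LOGS = [
    "Jan 10 09:00:01 linux01 sshd[3011]: Accepted password for twadmin from 192.168.1.20 port 50110 ssh2",
    "Jan 10 09:00:30 linux01 useradd[3025]: new user: name=twuser, UID=1002, GID=1002, home=/home/twuser, shell=/bin/bash",
    "Jan 10 09:01:02 linux01 sshd[3040]: Accepted password for twuser from 192.168.1.20 port 50118 ssh2",
    "Jan 10 09:02:10 linux01 sshd[3052]: Failed password for root from 192.168.1.77 port 41000 ssh2",
    "Jan 10 09:02:12 linux01 sshd[3052]: Failed password for root from 192.168.1.77 port 41000 ssh2",
    "Jan 10 09:02:15 linux01 sshd[3052]: Failed password for root from 192.168.1.77 port 41000 ssh2",
    "Jan 10 09:03:00 linux01 cron[3060]: (root) CMD (run-parts /etc/cron.hourly)",
]

@dataclass
class NormalizedMessage:
    name: str
    priority: str            # High, Medium, Low or Info, as in the Dashboard
    user: Optional[str]
    src_ip: Optional[str]
    collector: str
    raw: str

# Stand-ins for Normalization Rules: a regular expression plus the Event name and
# Priority it assigns.  Names, priorities and patterns are assumptions for this
# example, not Tripwire's shipped rules.
NORMALIZATION_RULES = [
    (re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src_ip>[\d.]+)"),
     "SSH Logon Success", "High"),
    (re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+)"),
     "SSH Logon Failure", "High"),
    (re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"),
     "User Account Added", "High"),
]

def normalize(raw: str, collector: str = "TLC Network Collector") -> Optional[NormalizedMessage]:
    """Apply the first matching rule; a line no rule matches stays raw-only (no Event)."""
    for pattern, name, priority in NORMALIZATION_RULES:
        m = pattern.search(raw)
        if m:
            g = m.groupdict()
            return NormalizedMessage(name, priority, g.get("user"), g.get("src_ip"), collector, raw)
    return None

@dataclass
class CorrelationRule:
    """Input -> Decision -> Outputs, mirroring the flowchart drawn in the Configuration Manager."""
    name: str
    input_collector: str
    decision: Callable[[NormalizedMessage], bool]
    outputs: List[Callable[[NormalizedMessage], None]]
    # Suppress threshold counted per value of the tracked field (Track Event By):
    # with suppress=N the rule fires only once more than N matching messages have
    # been seen for that value.  Assumed semantics, modeled on the Note in Step 4.2.
    suppress: int = 0
    track_by: str = "user"
    _seen: Counter = field(default_factory=Counter, repr=False)

    def process(self, msg: NormalizedMessage) -> bool:
        if msg.collector != self.input_collector or not self.decision(msg):
            return False
        if self.suppress:
            key = getattr(msg, self.track_by)
            self._seen[key] += 1
            if self._seen[key] <= self.suppress:
                return False
        for output in self.outputs:
            output(msg)
        return True

# The Correlation List from Step 4.1 and the e-mail text entered in Step 4.2.
LINUX_USER_ACCOUNTS: Set[str] = {"root", "twadmin", "sysadmin", "superuser"}
EMAIL_SUBJECT = "Privileged user account added"
EMAIL_CONTENT = "<evt_user> This privileged user account has been added to the Linux Log Source."

def high_priority_user_decision(users: Set[str]) -> Callable[[NormalizedMessage], bool]:
    """The 'High Priority Events' Decision plus the criterion User = <list or single value>."""
    return lambda m: m.priority == "High" and m.user in users

def correlate(raws: List[str], users: Set[str], suppress: int = 0
              ) -> Tuple[List[NormalizedMessage], List[Tuple[str, str]]]:
    """Normalize each raw line and run the SSH Login Detection rule over the result.
    Returns (Correlated Events saved to the Events database, rendered e-mails)."""
    events_db: List[NormalizedMessage] = []
    emails: List[Tuple[str, str]] = []
    rule = CorrelationRule(
        name="SSH Login Detection",
        input_collector="TLC Network Collector",
        decision=high_priority_user_decision(users),
        outputs=[events_db.append,
                 lambda m: emails.append((EMAIL_SUBJECT, EMAIL_CONTENT.replace("<evt_user>", m.user)))],
        suppress=suppress)
    for raw in raws:
        msg = normalize(raw)
        if msg is not None:
            rule.process(msg)
    return events_db, emails

if __name__ == "__main__":
    events, emails = correlate(RAW_LOGS, LINUX_USER_ACCOUNTS)           # rule as built in Step 4.2
    for e in events:
        print(f"{e.priority:5} {e.name:20} user={e.user} src={e.src_ip}")
    print(emails[0])
    events, _ = correlate(RAW_LOGS, {"twadmin"})                        # rule as adjusted in Step 4.3
    print([e.user for e in events])
    events, _ = correlate(RAW_LOGS, LINUX_USER_ACCOUNTS, suppress=2)    # fire only on the 3rd hit per user
    print([(e.user, e.name) for e in events])
```

Run as written, the first pass raises four Correlated Events (the twadmin logon and the three root failures) and four e-mails, the twuser logon and account creation are ignored because twuser is not on the list, the second pass reproduces the Step 4.3 adjustment, and the third shows how a Suppress value of 2 tracked by User turns the same rule into a failed-logon threshold that fires only on the third root failure.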

Step 4.3 - Analyze Correlated Events in the Event-Database Viewer


In this Step, you will:

• log in to your Linux Log Source via SSH to prompt the creation of a Correlated Event with the Correlation Rule added in Step 4.2 - Create a Correlation Rule on page 85
• review the properties of the Correlated Event in the Event-Database Viewer
• adjust the Correlation Rule so it only creates Correlated Events when the twadmin user account logs in to the Linux Log Source
• log in to your Linux Log Source with the twadmin user account, and then log in with the twuser account
• open the Real-Time Event Viewer to verify that TLC collected a log message for the logon by the twadmin user account, but not the twuser account


To complete this Step:

1. Log in to your Linux Log Source via SSH with the twadmin user account to create the Correlated Event.
2. To query the Events Database for the Correlated Event:
   a. In the side bar, select Events > Event-Database Viewer to open the Event-Database Viewer.
   b. In the side bar of the Event-Database Viewer, select Events > Events > Priorities. TLC presents a pie chart showing the number of Events in the database for each Priority.
   c. Right-click the pie piece for High Priorities, and select View related items (see Figure 55 below). TLC presents a list of all Events with a High Priority in the database.

Figure 55. 'View related items' command for High Priorities


3. To adjust the Correlation Rule:
   a. In the side bar, select Resources > Configuration Manager.
   b. In the side bar of the Configuration Manager, select Correlation > Rules > Authentication.
   c. In the workspace, double-click SSH Login Detection.
   d. In the Correlation Rule tab, select the High Priority Events Decision.
   e. In the Decision Settings tab (see Figure 56 below), change the Value of the User line from the Correlation List to "twadmin."
   f. Click Save and Exit to close the Correlation Rule tab.

Figure 56. Decision Settings tab

4. To push updates to your Manager:
   a. In the side bar of the Configuration Manager, select Resources > Managers.
   b. In the main pane, select the Manager's table row by clicking the arrow to the left of the row.
   c. Click Push Updates to Manager.
5. In the side bar, select Events > Real-Time Event Viewer.
6. In the Real-Time Event Viewer, complete the following steps.
   a. In the IP-address filter field, enter the IP address of your Linux Log Source.
   b. From the Collector drop-down, select TLC Network Collector.
   c. Select the Wrap text check box and click Start.
   TLC begins displaying log messages from your Linux Log Source in real time.


7. On the Linux Log Source:
   a. Log in and out with the twadmin user account.
   b. Log in and out with the twuser account.
8. Monitor the Real-Time Event Viewer in TLC. You should see log messages for the logon events by the twadmin user account (see Figure 57 below).
   Note: As needed, you can use the Real-Time Event Viewer to verify collection of log messages from any Log Source in your TLC environment.

Figure 57. Real-Time Event Viewer with log messages for twadmin logon event

9. Click Stop and close the Real-Time Event Viewer.

Step 4.4 - Generate a Report on User-Logon Activity


To complete this Scenario, you will open the Report Center and run a Report to analyze the logon events for each user account on your Linux Log Source.

To complete this Step:

1. In the side bar, select Events > Report Center.
2. In the side bar of the Report Center:
   a. From the Database drop-down, select Events.
   b. Select Standard Reports > Events by User.
   c. From the 'Time filter' drop-down, select 30 Days.
   d. Click Run Report.


TLC presents the report output in the workspace (see Figure 58 below). The output includes:

• A pie chart showing the most common hosts on which events occurred over the previous 30 days,
• A pie chart showing the user accounts most frequently involved in those events, and
• All logon events grouped by user account.

Figure 58. Output of the Events by User Report


Chapter 4. Summary

Evaluation Guide Summary


In this evaluation, you learned how Tripwire Log Center (TLC) handles:
- Installation and configuration. To begin the evaluation, you successfully installed and configured TLC. In addition, you learned how to customize and work with your TLC Console.
- Log management. In the Real-Time Event Viewer, you monitored the collection of log messages from your Log Sources in real time. With the Audit Logger, you queried log messages saved in your Audit Logger File Store, and generated informative graphs and reports.
- Event management. From the Tripwire Web site, you downloaded and imported predefined Normalization Rules with which TLC normalizes log messages. In the Configuration Manager, you created an Email Action and Correlation List. With these 'building blocks,' you then designed a new Correlation Rule to define criteria that determine if Normalized Messages are saved as Events in the default Event Database. You also queried, graphed, and analyzed your Event data with the Event-Database Viewer.
- Data analysis. In addition to analyzing data in the Audit Logger and Event-Database Viewer, you created a Layout in the Dashboard and ran a Report in the Report Center.

This concludes the TLC evaluation. For more information about TLC, visit the Tripwire Customer Center:
www.tripwire.com/customers


Professional Services
From initial planning through post-deployment operation of your Tripwire Log Center (TLC) implementation, Tripwire Professional Services can assist you every step of the way. Our team can help you devise the perfect plan to achieve your goals with TLC. We can then continue to assist you with extensive deployment and post-deployment services. The Professional Services team offers the following services:
- Deployment Services enable you to swiftly put TLC to work. From pre-deployment planning to customization, we assure that TLC is up and running as quickly and effectively as possible.
- Post-Deployment Services have been designed with your specific needs in mind. With Post-Deployment Services, our team of experts can make our solutions work harder for you and deliver greater value in many different ways.

Professional Services ensure that you benefit fully from your investment in TLC. Our team of experts will work directly with your organization to address challenges in any of the following areas:
- Audit and compliance preparedness
- Change and configuration management
- Security enforcement
- Best practices and process improvement

For more information, visit the Tripwire Professional Services Web site:
www.tripwire.com/services


Contact Us
We look forward to showing you more ways in which Tripwire Log Center can assist you. For further information, please contact us at:
E-mail: sales@tripwire.com
Phone: 1-800-TRIPWIRE (1-800-874-7947)


Tripwire Log Center Glossary


Action: A TLC object that initiates a response to Correlated Events created by Correlation Rules.

Administration Manager: In this page, you can manage the user accounts, user groups, permissions, and Global Settings for your TLC environment.

Administrative Task: A type of Task that performs an administrative operation on specified data in an Event-Management Database. Types of Administrative Tasks include Archive, Copy, and Delete Tasks.

Advanced File Collector: A type of Collector that collects log messages from log-generating applications running on a VIA Agent host system via the Secure Sockets Layer (SSL) protocol.

Advanced Windows Collector: A type of Collector that collects log messages from Windows Event Logs on VIA Agent systems via the Secure Sockets Layer (SSL) protocol.

Agent: See Tripwire VIA Agent.

Alias: A custom variable that represents a partial or complete regular expression.

Archive Task: A type of Administrative Task that moves specified data from one Event-Management Database to another.

Asset: An object in TLC that represents a Log Source from which TLC collects log messages directly.


Audit Logger: The TLC Console component in which you can work with the log messages collected by TLC.

Audit Logger File Store: Consists of a series of compressed flat files containing the log messages collected by the Manager from Log Sources, and an index of terms contained in the log messages.

Auto-Discovery: An automated process by which TLC creates an Asset for an unknown Log Source that generated a log message collected by TLC.

Check Point Collector: A type of Collector that listens for log messages from a Check Point Manager.

Cisco IDS Collector: A type of Collector that gathers log messages from Cisco IDS sensors.

Classification: The process of categorizing log messages with Classification Tags.

Classification Tag: Defines a string to classify similar log messages archived in the Audit Logger File Store.

Classification Tag Set: A group of Tripwire-defined or user-defined Classification Tags.

Clean-Up Utility: A component of the Normalization Engine that standardizes the format of each name-value pair in log messages.

Collection: The gathering or receipt of log messages from Log Sources.


Collector: A TLC module that gathers or receives log messages from Log Sources.

Configuration Diagram Layout Panel: A type of Layout Panel that displays a diagram of the Log Sources, Collectors, Managers, Audit Loggers, Correlation Engines, and Event-Management Databases in your TLC environment.

Configuration Manager: In the Configuration Manager, you can create and configure TLC Resources (Assets, Asset Groups, Managers, Locations, Event-Management Databases), normalization objects (Normalization Rules, Aliases, and Normalized-Message Filters), and correlation objects (Correlation Engines, Rules, Lists, and Actions).

Copy Task: A type of Administrative Task that copies specified data from one Event-Management Database to another.

Correlated Event: An event of interest identified by the Correlation Engine.

Correlation: The examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients.

Correlation Engine: The component of your Primary Manager responsible for identifying events of interest. To correlate events, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine.

Correlation List: A list of values that may be used to define a condition in a Decision.


Correlation Rule: Constructed with a flowchart consisting of an Input, Decision(s), and Output(s), a Correlation Rule correlates log messages to identify events of interest.

Custom Command: A command that users can run when they select a field or a row in a table in the TLC Console.

Dashboard: A TLC Console component that presents information about a Manager or Event-Management Database in a Layout.

Database Collector: A type of Collector that gathers log messages from an application that logs to an External Database.

Database Layout: A type of Layout that presents information about the Events in a selected Event-Management Database.

Database Viewer: A TLC Console component in which you can review information about Events in Event-Management Databases. Types of Database Viewers include the Event-Database Viewer, IDS-Database Viewer, and Firewall-Database Viewer.

Decision: A component of a Correlation Rule, a Decision defines a condition that determines if the rule continues correlating a log message.

Delete Task: A type of Administrative Task that removes specified data from an Event-Management Database.

Dynamic Correlation List: A Correlation List consisting of items that are automatically updated by TLC when related data is changed on another system; for example, user logins on an Active Directory server.


Email Action: A type of Action that sends an email notification to specified recipients.

Event: 1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a. Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message' collected from a Log Source.

Event Database: A type of Event-Management Database that stores Events from any Log Source and/or scanner.

Event Management: To normalize and correlate log messages to identify events of interest, TLC uses the Normalization Rules and Correlation Rules in the Configuration Manager. As appropriate, you may configure your Correlation Rules to save log messages as Events in Event-Management Databases. In the TLC Console, you can then review and query these Events in the appropriate Database Viewer.

Event Ticket: A work ticket for an Event in an Event-Management Database.

Event-Database Viewer: A type of Database Viewer in which you can query and work with the data in your Event Databases.

Event-Management Database: An optional component of your TLC environment, an Event-Management Database stores Events. Types of Event-Management Databases include Event Databases, IDS Databases, and Firewall Databases.

Event-Relationship Diagram: A TLC-generated diagram depicting the series of communications between systems involved in two or more Events.

File Collector: A type of Collector that gathers log messages from Log Sources that store messages in an ASCII log file.


Firewall Database: A type of Event-Management Database that stores Events from firewalls.

Firewall-Database Viewer: A type of Database Viewer in which you can query and work with the data in your Firewall Databases.

Forwarding Destination: A third-party, log-archive tool to which log messages are forwarded by the Log-Message Forwarding feature.

Graph Task: A type of Search Task that queries an Event-Management Database and presents the results in a graph.

Host: 1. A Log Source or a system involved in an Event. 2. A system on which TLC Manager, TLC Console, or Event-Management Database software is installed.

IDS Database: A type of Event-Management Database that stores Events from IDS and IPS devices.

IDS-Database Viewer: A type of Database Viewer in which you can query and work with the data in your IDS Databases.

Internet Tools: A TLC Console component in which you can run queries with conventional utilities to gather information about Hosts (e.g. NSLookup, Ping, Traceroute, and Whois).

IP Tag: A TLC object that applies highlighting to specified IP addresses when the addresses are displayed in a list in the TLC Console.


Layout: 1. A customizable configuration of panels containing fields, tables, and/or graphs. 2. The configuration and formatting of a table or Event-Relationship Diagram.

Layout Panel: A component of a Layout. Types of Layout Panels include Configuration Diagram, Map, Text, Time Graph, and Top Graph.

Layout-Panel Task: A type of Task that creates a Layout Panel that may be added to a Manager Layout or Database Layout.

List Task: A type of Search Task that queries an Event-Management Database and presents the results in a table.

Location: A custom category used to classify Assets by geography.

Log Management: TLC saves collected log messages in the Audit Logger File Store. In the TLC Console's Audit Logger, you can review and query the log messages in the file store.

log message: A data record generated by a Log Source and collected by TLC.

Log Source: Any log-generating application, operating-system service, database instance, or device from which TLC collects log messages.

Log-Message Forwarding: A TLC feature used to forward copies of log messages to one or more third-party, log-archive tools (known as Forwarding Destinations).


Manager Layout: A type of Layout that presents information about 1) a selected Manager's system resources and configuration, and 2) the log messages collected by the Manager's Collectors.

Map Layout Panel: A type of Layout Panel that displays the geographic locations of IP addresses on a map.

Network Collector: A type of Collector that listens for Syslog and SNMP-based log messages from network devices.

Normalization: The process of standardizing log messages for use by TLC. Standardized messages are known as Normalized Messages.

Normalization Engine: The component of your Primary Manager responsible for normalizing log messages.

Normalization Rule: Defines a regular expression that can be used to normalize log messages generated by a specific type of Log Source.

Normalized Message: A log message that has been normalized by TLC.

Normalized-Message Filter: A TLC object that defines a condition(s) to prevent TLC from forwarding some log messages to a specified Event-Management Database(s) or Correlation Engine(s).

Notification Action: A type of Action that creates a Notification in the Notifications dialog of the TLC Console.

Oracle Database Collector: A type of Collector that gathers log messages from Oracle database audit logs.


Output Destination: Assigned to an Asset, an Output Destination is either the Audit Logger, an Event-Management Database, or a Correlation Engine that correlates Normalized Messages.

Parsing Utility: A component of the Normalization Engine that parses each name-value pair in log messages.

Primary Manager: Each TLC environment has a single Primary Manager that controls: 1. The archiving of log messages in the Audit Logger File Store and Events in Event-Management Databases, 2. The configuration settings for your TLC environment, and 3. User access and license management for TLC.

Real-Time Event Viewer: A TLC Console component that displays log messages as they are collected by TLC.

Report Task: A type of Search Task that queries an Event-Management Database and compiles the results in a PDF report file.

scanner: A device that monitors systems in your TLC environment (for example, a vulnerability scanner).

Scanner Event: An Event created when you import data from a scanner to an Event Database.

Scheduled Task: Created in the Task Scheduler, a Scheduled Task defines a schedule for TLC to run: 1. A Copy Task, Delete Task, Archive Task, or Report Task. 2. A Saved Query that generates an Audit Logger Report.

Script Action: A type of Action that runs a Windows command.


Search Task: A type of Task that performs a query of data in an Event-Management Database. Types of Search Tasks include List, Graph, and Report Tasks.

Secondary Manager: Your TLC environment may also include one or more Secondary Managers that may be configured to either: 1. Archive log messages (as with a Primary Manager), or 2. Forward log messages to another Manager.

Syslog Action: A type of Action that sends a Syslog message to a specified Syslog server.

System Database: Installed on your Primary Manager, the System Database stores a record of all user logins and logouts, as well as all TLC objects defined in the TLC Console; for example, Assets, Normalization Rules, and Event Tickets.

Task: Created and configured in the Task Manager, a Task queries Events, Hosts, or Scanner Events in an Event-Management Database to perform an operation. Types of Tasks include Layout-Panel, Administrative, and Search Tasks.

Text Layout Panel: A type of Layout Panel that presents data in a table.

Ticket Center: The TLC Console component that is a complete ticketing and incident-handling system.

Time Graph Layout Panel: A type of Layout Panel that presents a timeline of log messages or Events in a graph.


TLC Console: 1. Tripwire Log Center Console is the software for the TLC graphic user interface (GUI), or 2. The Tripwire Log Center GUI. Through the TLC Console, you can configure TLC, oversee your TLC environment, and manage log and event data.

TLC Console host: A system on which TLC Console software has been installed.

TLC environment: Consists of all TLC software, Managers, Log Sources, Assets, Collectors, and data in your TLC installation.

TLC Manager: Tripwire Log Center Manager is the core software in your TLC environment. TLC Manager collects and processes log messages from a wide variety of systems and devices.

TLC Manager Interface: The graphic user interface (GUI) for TLC Manager.

Top Graph Layout Panel: A type of Layout Panel that displays the Top N items in a graph or chart.

Tripwire VIA Agent: A service that may be installed on a Windows or Linux system to collect log messages from any log-generating application running on the system. When installed on a Windows system, VIA Agent can also collect the system's Windows Event Logs via the Secure Sockets Layer (SSL) protocol.

Tripwire VIA Agent Bridge: A component of TLC Manager through which VIA Agents deliver log messages to TLC.

User Account: A TLC object that provides a user with a collection of User Permissions to work with TLC.


User Group: A collection of User Accounts.

User Permission: A system authorization that enables a user to view, create, or otherwise modify data in TLC.

vulnerability: A potential security weakness identified by a vulnerability scanner. In an Event Database, you can import or collect vulnerabilities detected by a scanner.

Vulnerability Event: An event imported from a vulnerability scanner.

WinLog Collector: A type of Collector that collects log messages from Windows Event Logs via the Windows Management Instrumentation (WMI) protocol.


Index

A
Actions
  creating an Email Action 39
  types 39
Administration Manager
  in TLC Console 22
Administrative Tasks
  defined 48
Advanced File Collectors
  defined 30
Advanced Windows Collector
  configuring 30
Advanced Windows Collectors
  defined 30
analyzing
  event data with the Dashboard 62
  system activity 71
  system activity with Event-Database Viewer 73
Archive Tasks
  defined 48
Asset Groups
  assigning Normalization Rules to 25
  configuring 25
Assets
  creating 32
  defined 14
assigning
  Correlation Rules to the Correlation Engine 37
  Normalization Rules to your Asset Groups 25

Audit Logger
  cache 42
  defined 14
  File Store 42
  generating a Report 81
  Graph 81
  in TLC Console 22
  output of Report 82
  query-syntax characters 73
  Query Results - Normalized Messages tab 56, 72, 78
  Query tab 55
  Raw Logs tab 59
  reviewing the Audit Logger directory 42
  search and graph data 77
  searching for log messages 71
Audit Logger File Store
  defined 42

B
button bar
  buttons 22
buttons
  in button bar 22
  in side bar 22

C
Check Point Collector
  defined 30
Cisco IDS Collector
  defined 30


collection
  about 14
  confirming log-message collection 36
  diagram 15
Collectors
  configuring the Advanced Windows Collector 30
  configuring the Network Collector 30
  defined 14, 30
  types 30
  verifying installation 42
Configuration Diagram Layout Panels
  defined 47
Configuration Manager
  in TLC Console 22
configuring
  Asset Groups 25
  Collectors 30
  Log Sources 18
  Tripwire Log Center 18
  Windows Asset 33
  your TLC Console 21
Copy Tasks
  defined 48
Correlated Events
  analyzing 90
  defined 83
correlating
  SSH login events 83
correlation
  about 14
  diagram 15
Correlation Engine
  assigning Correlation Rules to 37
  defined 14, 37
Correlation Lists
  creating 84

Correlation Rules
  assigning to Correlation Engine 37
  completed logic flow 90
  creating 85
creating
  a Correlation List 84
  a Correlation Rule 85
  Actions 39
  Assets 32
  Layouts 47
  Linux Asset 34
Custom Commands
  defined 52
  dialog 54

D
Dashboard
  about 47
  analyzing event data with 62
  creating Layouts 47
  defined 47
  in TLC Console 22
  with Events Overview Layout 63
Database Collector
  defined 30
Database Layouts
  defined 47
Database Viewers
  defined 61
databases
  see Event-Management Databases 61
Delete Tasks
  defined 48
detecting
  a 'Brute Force Attack' 57
  unauthorized user activity 52
  user activity 52

E
Email Actions
  creating 39
  defined 39
Evaluation Guide
  about 12
  summary 96
Event-Database Viewer
  analyze system activity with 73
  analyzing Correlated Events in 90
  defined 61
  Graph 74
  in TLC Console 22
  with Event-Relationship Diagram 75
Event-Management Databases
  defined 14, 61
  installing database software 17
  types 61
Event-Relationship Diagrams
  in Event-Database Viewer 75
Event Databases
  defined 61
Event Framework
  see Event-Database Viewer 61
Event Tickets
  Details tab 76
  Ticket tab 77
Events
  analyzing Correlated Events in the Event-Database Viewer 90
  defined 14, 61
  for simulated 'Brute Force Attack' in Report output 69
  generating a Report for 66

F
File Collector
  defined 30
Firewall-Database Viewer
  defined 61
Firewall Databases
  defined 61

G
generating
  a Report 66
  a User Login Report 93
Graph Tasks
  defined 48
Graphs
  in Audit Logger 77, 81
  in Event-Database Viewer 74

I
IDS-Database Viewer
  defined 61
IDS Databases
  defined 61
importing
  the latest Normalization Rules 24
installing
  Event-Management Database software 17
  TLC 17
  VIA Agent on a Windows system 18

L
Layout-Panel Tasks
  defined 48


Layout Panels
  in a Layout 64
  types 47
Layouts
  about 47
  creating 47
  Events Overview Layout in the Dashboard 63
  types 47
  with Layout Panels 64
Linux Asset
  creating and configuring 34
List Tasks
  defined 48
log messages
  confirming collection of 36
  diagram of collection, normalization, and correlation 15
  displayed in Real-Time Event Viewer 53
  in Audit Logger Query Results - Normalized Messages tab 72
  in Audit Logger Raw Logs tab 59
  login event in Real-Time Event Viewer 93
  searching in Audit Logger 71
Log Sources
  configuring 18
  defined 14

M
Manager Layouts
  defined 47
Managers
  about Primary and Secondary Managers 17
  pushing updates 32
Map Layout Panels
  defined 47
monitoring
  system activity 61

N
Network Collector
  configuring 30
  defined 30
normalization
  about 14
  defined 14
  diagram 15
Normalization Engine
  defined 14
Normalization Rules
  assigning to Asset Groups 25
  defined 14
  importing 24
  Rule Editor 46
  viewing regular expression defined by 44
Normalized-Message Filters
  defined 14
Normalized Messages
  in Audit Logger Query Results - Normalized Messages tab 56, 78
Notification Actions
  defined 39

O
Oracle Database Collectors
  defined 30

P
Priorities
  defined 61
push updates
  and Managers 32


Q
queries
  syntax characters in Audit Logger 73

R
Real-Time Event Viewer
  defined 14
  in TLC Console 22
  with displayed log messages 53
  with log message for login event 93
regular expressions
  and Normalization Rules 44
Report Center
  in TLC Console 22
Report Tasks
  defined 48
reporting
  system activity 61
Reports
  generating a Report in the Audit Logger 81
  generating a Report on Event data 66
  generating a User Login Report 93
  new Report in Task Manager 67
  output of a Report in the Report Center 94
  output of an Audit Logger Report 82
  output of System Activity by Classification Report 68
  output with Events for simulated 'Brute Force Attack' 69
  Watermark dialog 70
responding to
  unauthorized user activity 52

S
Scenarios
  analyzing system activity 71
  correlating SSH login events 83
  detecting user activity 52
  monitoring and reporting system activity 61
Script Actions
  defined 39
Search Tasks
  defined 48
searching
  Audit Logger 77
  for log messages in the Audit Logger 71
side bar
  buttons 22
SSH login events
  correlating 83
summary of Evaluation Guide 96
syntax characters for Audit Logger queries 73
Syslog Actions
  defined 39
system activity
  analyze with Event-Database Viewer 73
  analyzing 71
  monitoring and reporting 61
System Database
  about 61

T
Task Manager
  in TLC Console 22
  with auto-created search filter 65
  with new Report 67


Tasks
  types 48
Text Layout Panels
  defined 47
Ticket Center
  in TLC Console 22
Time Graph Layout Panels
  defined 47
TLC
  about 13
  about collection, normalization, and correlation 14
  about the evaluation 12
  components 22
  configuring 18
  defined 13
  diagram of log-message collection, normalization, and correlation 15
  installing 17
TLC Console
  configuring 21
  defined 13
  diagram of components 21
  working with 42
TLC Manager
  defined 13
Top Graph Layout Panels
  defined 47
Tripwire Log Center
  see TLC 13
Tripwire Log Center Console
  see TLC Console 13
Tripwire Log Center Evaluation Guide
  chapters in 7
Tripwire Log Center Manager
  see TLC Manager 13
Tripwire VIA Agent
  see VIA Agent 13

U
user activity
  detecting 52

V
VIA Agent
  defined 13
  installing on Windows system 18

W
Windows Asset
  configuring 33
WinLog Collector
  defined 30
working with the TLC Console 42
