15 Replies Latest reply on Jul 17, 2013 3:43 PM by evanr

    TripWire Connector: How to use?

    byrona

      We have set up a TripWire Enterprise server on a Windows system and I would like to see how the TripWire connector in LEM works.  It's not immediately clear to me which logs I should be pointing this at, and whether I should be pointing it at systems running the TripWire agent or at the TripWire Enterprise server.

       

      I would love it if somebody could provide me with these details; also, having that level of information on the connector itself would be really helpful.

       

      Thanks in advance for any help on this!

        • Re: TripWire Connector: How to use?
          nicole pauls

          Hey Byron,

           

          The Tripwire Enterprise connector assumes that you're syslogging the results to a LEM appliance (or syslog server). I believe the way it works is that you set up your Tripwire alerts to fire to syslog as they trigger.

           

          I have a pretty old reference doc (from TW Enterprise v5.1) that says on the Tripwire side to first create a new action to send to syslog (to the LEM appliance/syslog server), then in Rules enable the rules/rule groups you want to fire that action. You can also add actions to tasks similarly.

           

          We can get a KB added once we confirm the process. If it matches the old doc, we can at least document what I've got.

            • Re: TripWire Connector: How to use?
              byrona

              We have set up TripWire Enterprise in a lab environment as a demo and have done the same with LEM for the sake of testing the integration.

               

              As you suggested, I have gone ahead and configured the TripWire Enterprise connector on my LEM appliance, and I also found a place in TripWire Enterprise where I was able to configure it to send syslogs. I assume it sends stuff regarding alerts that it detects, but I haven't got far enough into learning the product to know for sure.

               

              I would love to see any reference doc you have or any write-up you would be willing to do.  Also, if you want me to call TW support and ask them questions about it I would be happy to do that as well.

                • Re: TripWire Connector: How to use?
                  nicole pauls

                  From the original documentation, it looked like a two-step process:

                  1. Set up the syslog action placeholder in "Actions" (sort of like a connector for LEM) - this is where you specify the LEM side, like the port and hostname/IP to send to
                  2. Tell the different rules or rule groups to use that action (in "Rules") when they trigger (the same place you'd do stuff like "revert the change" or "send me an e-mail").
                    1. Apparently there's also a "Tasks" where your scheduled stuff happens where you can have an action triggered as well, and you could glue the syslog there, too.

                   

                  I attached the ancient doc in case it's useful.

                   

                  This should be documented in their TW Enterprise Admin Guide but it's gated behind their support login so I can't check for accuracy.

                • Re: TripWire Connector: How to use?
                  byrona

                  Also, as a side note I thought you might find it interesting that in talking with TripWire, they seem much more interested in selling their TW Enterprise product than their Log Management product.  This seems like a great opportunity for SolarWinds and LEM assuming the integration with the connector works well.

                • Re: TripWire Connector: How to use?
                  evanr

                  I used the guide to set up the actions/rules.  Thank you for that.  Do I then have to set up a rule in LEM to see the logs in the GUI?  I can see the logs from our Tripwire box logging to /var/log/local4 on our LEM box but for some reason I don't see them in the LEM web console. 

                    • Re: TripWire Connector: How to use?
                      byrona

                      You will need to configure a connector in LEM for TripWire.

                      • Re: TripWire Connector: How to use?
                        evanr

                        Blah, never mind.  We had a WAF logging to the same local log.  I tweaked Tripwire to log to local5 on LEM and I'm seeing it correctly now.

                          • Re: TripWire Connector: How to use?
                            byrona

                            Awesome, glad you have it working!

                              • Re: TripWire Connector: How to use?
                                evanr

                                So the Tripwire connector works fine for our monitored node.  This connector is set up to log to local4.  It's firing off a "log to LEM" action when one of our rules is changed/edited, etc.  This side works.  We also would like to audit the changes on the Tripwire box itself, i.e. logins, rule and policy changes, etc.  I can see these in the Tripwire log on the device itself, but when I set up forwarding of TE log messages to LEM and set up the connector on the LEM appliance to log to local5, nothing comes through.  Upon further investigation into LEM's syslog, it seems to be making the connection, then dropping.

                                 

                                1372352224000 SLEM syslog-ng[1088]: Syslog connection accepted; fd='23', client='AF_INET(192.168.1.14:59070)', local='AF_INET(0.0.0.0:514)'

                                1372352254000 SLEM syslog-ng[1088]: Syslog connection closed; fd='22', client='AF_INET(192.168.1.14:59059)', local='AF_INET(0.0.0.0:514)'

                                1372352254000 SLEM syslog-ng[1088]: Syslog connection closed; fd='23', client='AF_INET(192.168.1.14:59070)', local='AF_INET(0.0.0.0:514)'

                                 

                                Any insight? Does it have to be one or the other?

                                  • Re: TripWire Connector: How to use?
                                    evanr

                                    Well, it would seem Tripwire uses TCP 514 instead of UDP.  According to the LEM port guide, it listens on both TCP and UDP for syslog connections, which explains why I can telnet to TCP port 514.  In our case a scan reveals that 514 appears to be in use by the default rlogin/shell service.  Blah.  Hopefully I can get the root password and change that.

                                      • Re: TripWire Connector: How to use?
                                        nicole pauls

                                        TCP/514 on LEM is for syslog, not for rlogin/rsh. That port is commonly used for rlogin/rsh and chances are your scan is only looking up a 'registered ports' list, not detecting what actual service is listening.

                                         

                                        I'll check on whether we've had any issues with TCP syslog, though, and let you know.

                                          • Re: TripWire Connector: How to use?
                                            nicole pauls

                                            Update - we just quickly confirmed on our end that the LEM appliance can receive TCP/syslog on 514.

                                             

                                            If those log lines are from LEM's logs, it is indicating that syslog-ng on our end is receiving the 514 connection, then it's getting closed - perhaps we're not getting any data over it and there's nothing to log? You might try a packet capture - are you seeing data come from TW to LEM on TCP/514 after the established connection?

                                              • Re: TripWire Connector: How to use?
                                                evanr

                                                Right you were about the registered port.  There was a properties file with the info in it.

                                                 

                                                It definitely looks to be talking fine.

                                                 

                                                39  3.325556000  192.168.1.167  192.168.1.14   TCP  66   shell > 55389 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=128
                                                Transmission Control Protocol, Src Port: shell (514), Dst Port: 55389 (55389), Seq: 0, Ack: 1, Len: 0

                                                40  3.325629000  192.168.1.14   192.168.1.167  TCP  54   55389 > shell [ACK] Seq=1 Ack=1 Win=65536 Len=0
                                                Transmission Control Protocol, Src Port: 55389 (55389), Dst Port: shell (514), Seq: 1, Ack: 1, Len: 0

                                                41  3.325910000  192.168.1.14   192.168.1.167  RSH  107  Client -> Server data
                                                Transmission Control Protocol, Src Port: 55389 (55389), Dst Port: shell (514), Seq: 1, Ack: 1, Len: 53

                                                0000   3c 31 33 34 3e 4a 75 6e 20 32 37 20 31 37 3a 33  <134>Jun 27 17:3
                                                0010   36 3a 32 34 20 31 37 32 2e 32 30 2e 30 2e 31 34  6:24 192.168.1.14
                                                0020   20 54 45 3a 20 54 65 73 74 20 43 6f 6e 6e 65 63   TE: Test Connec
                                                0030   74 69 6f 6e 0a                                   tion.

                                                42  3.528329000  192.168.1.167  192.168.1.14   TCP  60   shell > 55389 [ACK] Seq=1 Ack=54 Win=14720 Len=0
                                                Transmission Control Protocol, Src Port: shell (514), Dst Port: 55389 (55389), Seq: 1, Ack: 54, Len: 0

                                                46  4.960854000  192.168.1.14   192.168.1.167  TCP  54   55389 > shell [FIN, ACK] Seq=54 Ack=1 Win=65536 Len=0

                                                 

                                                I guess I'll have to dig through the TW manual to see about a debugging option for the default syslog.

                                                 

                                                Thanks for the help.

                                                  • Re: TripWire Connector: How to use?
                                                    evanr

                                                    In case anyone runs into a similar issue with this: Tripwire's documentation shows that, instead of using syslog, their default facility is user.log.  However, even after adjusting our connector, still no go.  I finally went through the list of facilities, testing, viewing, capturing.  Finally hit the sweet spot.  The Tripwire box, in our case, is using local0 for login/logout, change events, etc.  So after adjusting our LEM connector to local0, all is well now.  No mention of this in our .conf file that I could see.  Even their support had no answers.  Oh well, lesson learned, I suppose.  Long live LEM!
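The facility that the last post found by cycling through connector settings can be read straight off the packet capture posted earlier in the thread: an RFC 3164 message starts with a PRI field, PRI = facility * 8 + severity, so the captured prefix <134> decodes to facility 16 (local0), severity 6 (info). The script below is an added example written for this thread; it is not SolarWinds LEM or Tripwire code. It assumes RFC 3164-style PRI encoding, and the hex dump and log messages it works on are constructed for the example (the dump follows Wireshark's hex-dump layout).

```python
"""Work out which syslog facility a sender really uses by decoding the PRI
field of messages seen on the wire (for example in a packet capture), rather
than trying connector facilities one at a time.

Added example for the thread above; not SolarWinds LEM or Tripwire code.
Assumes RFC 3164-style messages that begin with "<PRI>", where
PRI = facility * 8 + severity. The hex dump and messages are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Facility codes 0-23 as listed in RFC 3164, section 4.1.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message: str) -> Optional[Tuple[int, str, str]]:
    """Return (pri, facility_name, severity_name), or None if the message
    has no valid "<PRI>" prefix."""
    match = PRI_RE.match(message)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return pri, FACILITIES[pri // 8], SEVERITIES[pri % 8]


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from a Wireshark-style hex dump: each line is an
    offset, two or more spaces, the hex bytes, then (optionally) two or more
    spaces and the ASCII column. Offset and ASCII columns are ignored."""
    payload = bytearray()
    for line in dump.strip().splitlines():
        columns = re.split(r"\s{2,}", line.strip())
        if len(columns) < 2:
            continue
        payload.extend(bytes.fromhex(columns[1].replace(" ", "")))
    return bytes(payload)


def count_facilities(messages: Iterable[str]) -> Dict[str, int]:
    """Tally the facility of every decodable message; the result shows which
    facility (or facilities) a connector has to be configured for."""
    counts: Counter = Counter()
    for message in messages:
        decoded = decode_pri(message)
        if decoded is not None:
            counts[decoded[1]] += 1
    return dict(counts)


def connector_matches(message: str, connector_facility: str) -> bool:
    """True if a connector listening on connector_facility would see message."""
    decoded = decode_pri(message)
    return decoded is not None and decoded[1] == connector_facility


# Constructed hex dump of one test message, in the layout Wireshark uses.
SAMPLE_DUMP = """\
0000   3c 31 33 34 3e 4a 75 6e 20 32 37 20 31 37 3a 33   <134>Jun 27 17:3
0010   36 3a 32 34 20 31 39 32 2e 31 36 38 2e 31 2e 31   6:24 192.168.1.1
0020   34 20 54 45 3a 20 54 65 73 74 20 43 6f 6e 6e 65   4 TE: Test Conne
0030   63 74 69 6f 6e 0a                                 ction.
"""

# Constructed messages from senders that use different facilities.
SAMPLE_MESSAGES = [
    hexdump_to_bytes(SAMPLE_DUMP).decode("ascii").rstrip("\n"),
    "<134>Jun 27 17:40:01 192.168.1.14 TE: User admin logged in",
    "<166>Jun 27 17:41:12 192.168.1.20 TE: Rule 'web config' changed",
    "<13>Jun 27 17:42:30 192.168.1.14 TE: agent heartbeat",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(decode_pri(msg), msg[:40])
    print("facilities seen:", count_facilities(SAMPLE_MESSAGES))
    print("local5 connector sees first message:",
          connector_matches(SAMPLE_MESSAGES[0], "local5"))
```

Feed it the hex dump from a capture taken on the LEM side, and `count_facilities` tells you directly which facility the connector must be set to; a message whose facility does not match the connector's setting is exactly the "connection accepted, then closed, nothing logged" symptom seen earlier in the thread.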