Monitor TripWire
Overview
Tripwire Metric Plugin parses reports generated by Tripwire Intrusion Detection System.
Prerequisites
Tripwire plugin supported only for ubuntu and centos distributions. For other platforms, reach out to support@snappyflow.io
Tripwire plugin requires Tripwire package to be installed
For installation of Tripwire package
Configuration Settings
Refer to sfAgent section for steps to install and configure sfagent. Tripwire plugin configurations can be automatically generated by sfagent or added manually. To manually add the configuration, update config.yaml under /opt/sfagent directory
metrics:
metrics:
plugins:
- name: tripwire
enabled: true
interval: 300
config:
report_path: /var/lib/tripwire/report
If Tripwire reports need to be triggered automatically once in the day, you can add a cron job for it. To add a Cronjob,
crontab -e
add,
0 0 * * * tripwire --check
Once you save the file, a cron job gets scheduled automatically.
if you want to run the Cronjob at a specific time everyday at say 11:30 AM, use following command
30 11 * * * tripwire --check
To trigger a Tripwire report at any point in time, use the following command
tripwire --check
Documents
It consists of three document types
tripwireReportSummary: contains information about report creation date, user who created, policy used , command used for triggering reporttripwireRuleSummary: contains information related to list of rules added for monitoring and its severity, count of added, removed and modified filestripwireObjectSummary: contains detailed information about list of added, removed and modified files per rules
Use the built-in TripWire dashboard for data visualization.
Tripwire summary pane
Tripwire object details pane
Viewing data and dashboards
Data collected by plugins can be viewed in SnappyFlow’s browse data section under metrics section
plugin: TripWire
documentType: tripwireReportSummary, tripwireRuleSummary, tripwireObjectSummary
Dashboard template: TripWire
For help with plugins, please reach out to support@snappyflow.io.