
API - IP360 Vulnerability Scanner


Tripwire IP360 is a popular risk management system used by numerous organizations to scan their networks for security problems. The System Monitor Agent can import Tripwire IP360 scan reports and convert them into LogRhythm logs. This document explains how to configure the collection of IP360 vulnerability data via the LogRhythm System Monitor Agent.

LogRhythm supports collection from the IP360 API up to and including 7.5.1.

Prerequisites

The HTTPS collection mechanism used by the Agent will reference an IP360 Tripwire configuration file (typically ip360.ini) and retain the last report read from IP360 with state tracking. The following information is required for this process to function properly and should be gathered prior to configuring collection:

  • The LogRhythm System Monitor Agent used to collect IP360 scan report data.
  • The name of the Tripwire log source configuration file (default: ip360.ini).

Configure the ip360.ini File

The IP360 interface is configured using an .ini file in the config folder of the Agent (typically C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ip360.ini). The following settings are available in that file:

| Setting | Default Value | Description |
| --- | --- | --- |
| IP360Hosts | CHANGE_THIS | Host name or IP address of the IP360 scanner. |
| IP360XMLRPCPort | 0 | Alternate port if IP360 is configured to run on a non-standard port. |
| UserName | CHANGE_THIS | User name for IP360 server. |
| Password | CHANGE_THIS | The IP360 password. The password must be encrypted using the lrcrypt command line utility. Usage: lrcrypt [-e passwordtoencrypt] [path\inifile]. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. |
| Monday...Sunday | Monday=true, Tuesday=false, Wednesday=false, Thursday=false, Friday=false, Saturday=false, Sunday=false | Flags for each day of the week control the download schedule. |
| Time | 01:00 | The local time of the day to query the API. Both 12-hour and 24-hour time formats are recognized (for example, 01:00 or 11:00 PM). The reports can only be pulled once per day. |
| StartupDelayInSeconds | 30 | If the API needs to be queried when the System Monitor is started, it will wait this long (in seconds) before running. |
| Timeout | 300 | The timeout (in seconds) to use when requesting data from the IP360 server. The valid range for this value is 0-300 (0=infinite). |
| ErrorReportRetryTimeSpan | 60 | The amount of time (in minutes) after which the Agent will retry to fetch data. |
| ErrorReportRetryCount | 3 | The number of collection retries during log collection. |
| Version | V7 | The version of IP360 scanner (for example, V7 for 7.x versions). |
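
The following pre-deployment check for ip360.ini is an added example, not LogRhythm code: it flags settings left at CHANGE_THIS, a port or Timeout outside its range, an unparseable Time, and a schedule with no day enabled. It assumes a flat key=value layout and that omitted keys take the defaults from the table; the function names, the host ip360.example.internal and the account svc_ip360 are hypothetical.

```python
from datetime import datetime

# Defaults copied from the settings table; applying them to omitted keys is an assumption.
DEFAULTS = {"IP360Hosts": "CHANGE_THIS", "IP360XMLRPCPort": "0", "UserName": "CHANGE_THIS",
            "Password": "CHANGE_THIS", "Monday": "true", "Time": "01:00", "Timeout": "300"}
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

def parse_ini(text):
    """Overlay key=value lines on DEFAULTS; blank, comment and [section] lines are skipped."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in ";#[" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def valid_time(value):
    """True for a 24-hour (01:00) or 12-hour (11:00 PM) value, the two forms the table allows."""
    for fmt in ("%H:%M", "%I:%M %p"):
        try:
            return bool(datetime.strptime(value, fmt))
        except ValueError:
            pass
    return False

def in_range(value, low, high):
    return value.isascii() and value.isdigit() and low <= int(value) <= high

def lint(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"{k} is empty or still CHANGE_THIS" for k in ("IP360Hosts", "UserName", "Password")
                if settings[k] in ("", "CHANGE_THIS")]
    for key, high in (("IP360XMLRPCPort", 65535), ("Timeout", 300)):
        if not in_range(settings[key], 0, high):
            findings.append(f"{key} is outside 0-{high}")
    if in_range(settings["Timeout"], 0, 0):
        findings.append("Timeout is 0 (infinite wait)")
    if not valid_time(settings["Time"]):
        findings.append("Time is not a 12-hour or 24-hour time")
    if not any(settings.get(day, "false").lower() == "true" for day in DAYS):
        findings.append("no day flag is true")
    return findings

# Constructed sample files, not taken from a real deployment.
UNEDITED = "IP360Hosts=CHANGE_THIS\nUserName=svc_ip360\nPassword=CHANGE_THIS\nMonday=false\nTime=25:00\nTimeout=900\n"
EDITED = "IP360Hosts=ip360.example.internal\nUserName=svc_ip360\nPassword=<lrcrypt output>\nTime=11:00 PM\nTimeout=120\n"

if __name__ == "__main__":
    print(lint(parse_ini(UNEDITED)), lint(parse_ini(EDITED)) or "ok")
```

The check cannot tell whether the Password value was actually produced by lrcrypt, so confirm that separately before enabling the log source.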

After the IP360 instance is configured, the Agent can pull the oldest IP360 reports that are available to the user specified in the configuration file. Based on the Agent state information, the Agent pulls all reports available to that user. The settings in the configuration file determine how often the reports are pulled (up to once per day).

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. The IP360 configuration file must be located on the host with the Agent that will be performing the collection. A configuration file is located in the LogRhythm System Monitor's config directory.

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is API - IP360 Vulnerability Scanner. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the Flat File Settings tab, enter the following:
    • File Path. <path to log file, including the file name and extension>

      For multiple users, you can create multiple configuration files and multiple IP360 log sources.
