I wanted to update this in case someone comes along and is having issues with this install. Here are the details of how I did the install to get it working, and potential pitfalls. Again, this is for a distributed installation with a single instance of Tripwire Enterprise, but should be similar for others. I will not go into much detail where the Tripwire document does a pretty good job of detailing it. The document can be found in the zip file that you download from Tripwire with the addon and is a pdf file.
First, you will need to make a Tripwire Enterprise user as indicated, but what it doesn't give is detail on creating a specific role for that user and changing the TE server properties to allow that user to log in via the SOAP API to TE. So, what you'll want to do first is in TE, go to Settings and Roles and create a new role (name it whatever you want) and give that role the privileges defined in the pdf. Then, create your user and assign it the role you just created. Make sure to add your user into your AD if you are using AD as your login method, or the new user won't be able to log in at all. Additionally, you will need to log in to your TE console server(s) and locate the server.properties file located in /$TEinstalldir$/TE/Server/data/config and change the following entry from true to false: tw.securityAuditLog.enabled. This is true by default and only allows the built-in admin account for TE to access the SOAP API, so this MUST be changed to use a different account. Of course, restart your TE server service after making this change.
Once this is all done, you can install the addon on the search head (it has to be on the search head, not the deployment server), and input the configs for your TE console. One hang-up I had was in step 3 of the document for the distributed install, which says "Fill in the Setup screen config parameters as if you were configuring the settings from your heavy forwarder". Not sure what they mean by that, but the only thing you configure related to the heavy forwarder is to check the box for "Monitor data on forwarders". The rest of the settings like IP etc. still need to be your TE console server.
The next steps are pretty good in the document, except one hiccup I had, which possibly came from not getting all the permissions transferred right from the search head to my other boxes. The best way I found to do this was to tar the entire directory, i.e.
tar -czvf filename.tar.gz /TA-tripwire_enterprise_FWD, which creates a tar file that you can then move to the other server and then untar it using tar -xpzvf filename.tar.gz (the p switch tells it to keep all permissions). Of course, make sure you have the file in the right place to untar it etc. This kept the permissions intact. There are probably other methods as well, but this is what I found worked well and was easy. The TA dir. goes to the heavy forwarder and any other search heads. The SA only goes to indexers.
Once you get all the rest of the steps (pretty straightforward) complete, you should be able to go to the /opt/teexports dir (for Splunk on Linux; Windows is different) and see new folders being created for FIM, SCM etc. There will also be csv files that get created, but make sure to watch them for size. If they are just created but the size stays at 0, something's wrong.
To check for any issues, you can check the log file at $SPLUNKHOME/var/log/splunk/tripwire.log. The standard place for Linux would be /opt/splunk/var/log/splunk/tripwire.log, unless your splunkhome was intentionally placed somewhere else. A couple of errors I got in this log were: "ERROR: Exception in tripwire.py" along with "The username or password is incorrect". This occurred because I hadn't created my user in AD yet, so it couldn't log in to TE at all. Another error was "ERROR: Exception in tripwire.py" along with "Only the built-in administrator can access the SOAP API while in Common Criteria mode". This was due to not switching the server.properties setting to false instead of true, which was blocking my new user from accessing the TE API.
I hope this helps anyone looking at this.
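As an added example, not code from the original post or from Tripwire or Splunk, the POSIX shell script below automates the checks the post walks through: confirming tw.securityAuditLog.enabled is false in server.properties, packaging the TA directory so permissions survive the copy, flagging 0-byte csv exports under /opt/teexports, and classifying the two tripwire.log errors the post describes. Function names (audit_log_disabled, package_ta, find_empty_exports, classify_log_errors, make_sample) are my own; it assumes the error text appears on the same log line as "ERROR: Exception in tripwire.py" (the post only says it appears "along with" it), and the directory tree and log lines built by make_sample are constructed for an offline dry run, not real Tripwire output.

```sh
#!/bin/sh
# Added example, not from the original post or from Tripwire/Splunk.
# Post-install checks for the Tripwire Enterprise add-on described above:
#   1. server.properties on the TE console has tw.securityAuditLog.enabled=false
#   2. the TA directory is packaged so permissions survive the copy (tar -p on extract)
#   3. the export directory (/opt/teexports on Linux) has no 0-byte csv exports
#   4. tripwire.log exceptions are classified into the two causes the post describes
# Assumption: the error message follows "ERROR: Exception in tripwire.py" on the same line.

# 1. Return 0 when the SOAP-access setting is explicitly false, 1 otherwise (true or missing).
audit_log_disabled() {
    grep -E '^[[:space:]]*tw\.securityAuditLog\.enabled[[:space:]]*=[[:space:]]*false[[:space:]]*$' \
        "$1" >/dev/null 2>&1
}

# 2. Package a TA directory into a gzip tarball; extract on the target with
#    "tar -xpzf" so mode bits are kept, as the post recommends.
package_ta() {
    src="$1"; out="$2"
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
}

# 3. Print csv exports that exist but are still empty (one per line, sorted);
#    exit status 1 when any are found, 0 when every export has content.
find_empty_exports() {
    find "$1" -type f -name '*.csv' -size 0 2>/dev/null | sort
    n=$(find "$1" -type f -name '*.csv' -size 0 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# 4. Print one tag per tripwire.py exception: AUTH (bad credentials / user not in AD),
#    CC_MODE (Common Criteria lockout, i.e. the server.properties flag), OTHER.
classify_log_errors() {
    grep 'ERROR: Exception in tripwire.py' "$1" 2>/dev/null | while IFS= read -r line; do
        case "$line" in
            *"username or password is incorrect"*)                       echo AUTH ;;
            *"Only the built-in administrator can access the SOAP API"*) echo CC_MODE ;;
            *)                                                           echo OTHER ;;
        esac
    done
}

# Constructed sample tree (not real Tripwire output) so the checks can run offline.
# Prints the temp directory it created.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/teexports/FIM" "$base/teexports/SCM" "$base/config" \
             "$base/TA-tripwire_enterprise_FWD/bin"
    printf 'id,node,change\n1,web01,modified\n' > "$base/teexports/FIM/fim_1.csv"
    : > "$base/teexports/SCM/scm_1.csv"   # 0-byte file: the symptom the post warns about
    printf 'tw.securityAuditLog.enabled=true\n' > "$base/config/server.properties"
    printf '#!/bin/sh\n' > "$base/TA-tripwire_enterprise_FWD/bin/tripwire.py"
    chmod 750 "$base/TA-tripwire_enterprise_FWD/bin/tripwire.py"
    cat > "$base/tripwire.log" <<'EOF'
2019-01-01 10:00:01 INFO starting collection
2019-01-01 10:00:02 ERROR: Exception in tripwire.py The username or password is incorrect
2019-01-01 10:05:02 ERROR: Exception in tripwire.py Only the built-in administrator can access the SOAP API while in Common Criteria mode
EOF
    echo "$base"
}

# Dry run against the constructed data:  sh te_checks.sh --demo
if [ "${1:-}" = "--demo" ]; then
    base=$(make_sample)
    audit_log_disabled "$base/config/server.properties" \
        && echo "server.properties: OK" \
        || echo "server.properties: tw.securityAuditLog.enabled must be false (then restart TE)"
    package_ta "$base/TA-tripwire_enterprise_FWD" "$base/ta.tar.gz" && echo "packaged: $base/ta.tar.gz"
    echo "empty exports:"; find_empty_exports "$base/teexports" || true
    echo "log errors:";    classify_log_errors "$base/tripwire.log"
fi
```

Against a live install you would call the same functions with the real paths (the server.properties check runs on the TE console, the export and log checks on the Splunk host holding the TA); a CC_MODE tag means the user exists but the property is still true, while AUTH means the credentials or the AD account are the problem.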