InTrust 11.6 - Release Notes

You may face a known issue while performing an installation/upgrade over an existing version of Intrust, as below: 

Error: System.Web.Services.Protocols.SoapException:The value of parameter 'Data Sources' is not valid.

Workaround:

Proceed by clicking ‘Ok’ on the system prompt during the upgrade.

During Upgrade, the IT monitoring console throws fatal error

Workaround:

1. Open IIS (Internet Information services)
2. Expand Server > Sites > Default website > IT Monitoring
3. Left Click on IT Monitoring and click on remove

OR

While Installing InTrust, assign new Virtual directory to InTrust Monitoring Console.

Prerequisites are not checked correctly by the installers of InTrust Knowledge Packs for the following systems:

• VMware
• Recovery Manager for Active Directory
• Active Roles

If you try to install one of these Knowledge Packs on a computer that is not an InTrust server, setup does not prevent this as it should. When the installation fails, you get the following cryptic error message:

"Data source name not found and no default driver specified"

Some administrative PowerShell activity such as Remote Desktop Web Services installation could be considered as suspicious and, as a result, can trigger some actions defined by suspicious activity rules.

Workaround: Quest recommends adding the accounts that will run such installations as trusted users (in the Whitelist parameter of the suspicious activity rule). To add a user account to the whitelist, navigate to InTrust Manager | Real-Time Monitoring | Rules | Advanced Threat Protection | Windows/AD Suspicious Activity | PowerShell | Suspicious PowerShell activity, open rule properties and change the user whitelist parameter on the Matching tab. Provide the account data in the following format: <domain name>\<user name>.

If you are installing InTrust on a SQL server and updating SQL Server Native Client through the InTrust setup suite in the process, this causes the locally installed SQL Server service to restart automatically.

To avoid this, update the client to the required version before you set up InTrust.

You may get the following error while trying to install InTrust:

Cannot grant the following privileges: Back up files and directories Log on as a service to <account_name> Your Group Policy settings may be preventing setup from granting the privileges specified.

There must exist a Group Policy that controls the assignment of the specified privilege(s) in your environment. InTrust setup can neither override it nor check if the account inherits the required privilege(s) from a security group the policy applies to. Make sure the policy grants the specified privilege(s) to InTrust service account, either directly or through its membership in a security group, and click the Ignore button in the error dialog to proceed with the installation.

Support for ITMonitoring Console in Microsoft Edge

WorkAround

1. Open Edge, click on three dot icons on the top right corner.
2. Click on Settings tab.
3. Select the Default Browser present in left panel.
4. Click on the dropdown in "Allow sites to be reloaded in Internet Explorer mode (IE mode" and select "Allow".
5. Click on the Add button which is appeared after completing 4th step.
6. Copy the URL you want to run and paste it into the box present below "Enter a URL:" and click ADD.
7. Click on Restart.

InTrust Monitoring Console and Quest Knowledge Portal cannot be installed into a Virtual Directory with special characters (like !#$%^&()_+|][}{;,-=`~) in the name.

If you receive the following error while upgrading an InTrust Server:

Error Code: 1603 Fatal error during installation.

Error 0x000006BE occurred. Exiting.

First of all, check if all of the InTrust Server services have been stopped. Most often, it is Quest InTrust Real-Time Monitoring Server service that takes long to stop and causes the setup to fail with this error. If this is the case, quit the setup, make sure all of the Quest InTrust services have stopped and run the setup again.

If you receive the following error at InTrust setup:

Cannot configure default Audit Database. Error code: 0x80004005. Property value is invalid. Make sure the value is typed correctly. Unspecified error Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done. Property value is invalid. Make sure the value is typed correctly.

Check if you have specified a database with a name that starts with a numeric character (0-9) as either Audit or Alert database. The names of all InTrust Audit and Alert databases must start with an alphabetic character (a-z, A-Z).

When you are running the configdb.sql SQL script on a pre-created InTrust configuration database to provide for not giving InTrust service account the database owner right for it, you may receive warnings like the following:

Cannot add rows to sysdepends for the current stored procedure because it depends on the missing object 'dbo.ITRTProcessingRule_change'.

These warnings may be ignored since they do not indicate of any problems that may affect the future InTrust operation.

When you install InTrust or upgrade it from an earlier version, you may receive the following error message:

Error 1335. The cabinet file <cab_file_name> required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

If this happens, try making a local copy of your InTrust distribution on the computer where you are performing the installation and starting setup from there.

When you install a report pack and the SQL Server hosting its target database does not have SQL Server Agent running, you may receive the following warning, sometimes followed by an error dialog with the same text:

Cannot upload report pack: For Temporary Tables Clean-Up job schedule to be applied, make sure that: 1. Authentication method for database access uses the explicitly specified credentials which are stored in the data source (either SQL Server authentication, or Windows authentication). If Integrated Windows authentication i...

When you click OK in this dialog, another error message may be displayed asking you if you want to continue with the setup. Click No and wait for the setup application to prompt you with the options to Retry, Ignore or Abort the installation. When prompted, select Retry. From this point on, the installation of the report pack is expected to run smoothly.

You may receive one of the following error messages when you install the Knowledge Pack for Microsoft Audit Collection Services (ACS KP) from the command line:

• Error: 0x80040154. Cannot install ACI packages. Reason: Class not registered.
• Error: 0x80070005. Cannot install ADC predefined objects. Reason: Error while performing the following action: Enumerating collection. Reason: Access is denied.

This is not expected to happen again if you click OK in each error dialog window, let the installation process exit and run the knowledge pack installation command one more time.

[Trend view] Ensure "Exclude" works in trend view.

You may receive the following misleading error message when installing an additional Knowledge Pack into an existing InTrust organization:

Error: 0x80004005. Cannot configure default Audit Database. Reason: Data source name not found and no default driver specified.

This error is not expected to cause any real problem with a Knowledge Pack installation. If you see it, click OK in the error message and let the installation finish. No troubleshooting is required unless you see more errors during the installation or find the Knowledge Pack not working properly when installation is finished.

When you use the default InTrust setup, the installation program does not prompt you for the Communication Port number. If you use the extended InTrust setup to complement a default deployment, you are prompted for the Communication Port value but the setting you make is not applied to the InTrust installation. In this installation scenario, edit this registry value to change the Communication port number after InTrust is installed, if needed:

[HKEY_LOCAL_MACHINE]\SOFTWARE\Aelita\ADC\RpcServer\Endpoints\1

or

[HKEY_LOCAL_MACHINE]\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer\Endpoints\1 STRING: Endpoint="8340"

It is not recommended to create InTrust configuration database with "." symbol in its name (for example: InTrust_10.6_ConfigDB), though it will be created, such database is unusable and you will receive the error like:

Invalid database name supplied.

Sometimes uninstalling an InTrust component can cause miscellaneous problems for another InTrust component on the same computer. If this happens, open the Programs and Features facility in the Control Panel and perform a Repair operation for the component that is not working properly.

If you have customized the default alerting profile in Monitoring Console, then upgrading InTrust deletes the profile.

In some rare situations, if InTrust fails to apply a real-time monitoring policy, this creates an invalid configuration, and other real-time monitoring policies cannot be applied anymore. As a result, real-time monitoring and real-time collection stop working, but there are no error messages to indicate it.

This can occur in InTrust organizations where some servers have been upgraded and some haven't, and an upgraded server makes configuration changes that are not recognized by the older servers. If it happens, try the following steps:

1. Note down the settings of all real-time monitoring policies, then delete the policies and commit the change.
2. Note down the settings of all real-time collections in InTrust Deployment Manager and delete the collections.
3. Recreate the real-time monitoring policies with the settings from before.
4. Recreate the collections in InTrust Deployment Manager with the settings from before.

If you have performed an upgrade from version 11.3.1 or earlier without deleting the "Redhat Linux Syslog" data source (as recommended in the Upgrade Guide), then you will still have the old version of this data source after the upgrade. To update the data source in this situation, take the following steps:

1. In InTrust Manager, make a backup copy of the "Redhat Linux Syslog" data source.
2. Delete the original data source.
3. Apply your changes by clicking the Commit button.
4. Close InTrust Manager.
5. Locate the Linux Knowledge Pack setup package LINUX_KP.*.*.*.*.msi in the InTrust\Server folder in your InTrust distribution and launch it and select Repair mode.

After the installation, the up-to-date version of the data source will be available.

If any job in an InTrust task completes with a status other than success, then notification task jobs in the same task may send messages where the job list contains items with invalid job type designations. These are broken duplicates of valid items in the same list, and you can safely ignore them.

This problem was fixed in InTrust 11.4 and doesn't occur in fresh installs of version 11.4 and later. However, upgrades from prior versions don't correct this, because the InTrust upgrade policy is not to overwrite any existing configuration objects.

In the course of an upgrade, you may get the following error messages during repository indexing and searching:

Unknown field <field_name> referenced in log knowledge base as source of value.

This is caused by differences in log knowledge base definitions between the old and new InTrust versions. The problem should go away as soon as all InTrust components have been upgraded—not just InTrust Server, but also Repository Viewer and others.

When you upgrade an existing installation of InTrust under an account that doesn't have DBO access rights to the InTrust configuration database, you may receive the following error message:

Cannot uninstall CI packages. Error code: 0x80004005. Cannot parse ADCClassInventory query. Error of opening file.

Click OK and continue. This error does not affect the results of the upgrade.

At an upgrade of an InTrust Server in a multiserver InTrust organization, you may receive a misleading error message:

You are about to remove an InTrust server from an InTrust organization. Any jobs configured to run on this server must be manually transferred to another live server in the same organization.

It is safe to ignore this error. Click OK and continue upgrading.

In a 2022 server machine, creating real time policy crashes the IM

Workaround

Step 1: Run System File Checker (sfc) scan

1. Type cmd in the search box, and then right click Command prompt select Run as Administrator.
   C:\Windows\System32> sfc /scannow

1. Check the link to check for system file corruption.
   C:\Windows\System32>dism /online /cleanup-image /checkhealth
   
   C:\Windows\System32>dism /online /cleanup-image /scanhealth
   
   C:\Windows\System32>dism /online /cleanup-image /restorehealth

Step 2: Reinstall the DLL

1. Type cmd in the search box, and then right click Command prompt select Run as Administrator.
2. Type this in command prompt:
   regsvr32.exe /u ntdll.dll and press Enter key (this will uninstall the file)
   regsvr32.exe ntdll.dll and press Enter key (this will reinstall the file).
   
3. Cleanup temp directory
4. Restart the Machine Again run the below command and see any corrupted files
   C:\Windows\System32> sfc /scannow
   
   C:\Windows\System32>gpupdate
5. Restart Quest services.

Note: Wait for 10-15 minutes, select InTrust Manager Run as Administrator.

Workaround 2

1. Create a Real time Monitoring policy without selecting operators event log message recipients in the Notification window.
2. Click on the Policy created in step 1 and click on Properties.
3. Click on Event Log.
4. Select ‘Notifying the following operators’.
5. Click on Add. InTrust Manager crashes.
6. Now try creating Real time Policy and select event log message recipients and add the operator.

If you get a lot of events with event ID 13650 in the InTrust Server log, this may mean that an attacker is trying to scan the open ports on the InTrust server. Consider blacklisting the IP addresses that occur in such series of events.

The event description contains the phrase "The system cannot find the file specified", which in this case is misleading and should be interpreted as the system being unable to connect to a socket.

In some data sources, particularly in the newer ones, named event fields are not associated with the original event fields as you might expect. Improvement of event definitions is an ongoing process, and relevant mapping may be added for the events you need in future InTrust versions. To stay abreast of the event field mapping changes, check the Changes to Event Fields topic.

When you open SQL scripts from the InTrust distribution (for example, configdb.sql) in SQL Server Management Studio, you get an "Inconsistent Line Endings" message. This message can be safely ignored.

You may get the following warning during gathering from VMware ESXi and vCenter servers:

Cannot find the specified position in the event log.

If this happens, consider gathering more frequently. This warning means events that came after the last gathered event were lost.

Some Windows Security log events with identical event IDs have variants with different layouts, where specific fields are added or reordered. The differences exist both among Windows versions and within the same Windows version.

InTrust provides event field aliases for indexing and convenient searching, and this functionality relies on field ordering. InTrust has not always accommodated the event layout differences, and searching by affected fields may give you incorrect results.

At this time, InTrust potentially has this issue with the following event IDs:

• In Windows Server 2016:
  4616, 4624, 4654, 4656, 4661, 4663, 4688, 4728, 4732, 4746, 4751, 4756, 4761, 4785, 5125, 5140, 5451, 5452, 5632, 6272, 6273, 6274, 6275, 6416
• In Windows Server 2019 and Windows 10:
  4616, 4624, 4654, 4656, 4661, 4663, 4688, 4728, 4732, 4746, 4751, 4756, 4761, 4785, 5125, 5140, 5451, 5452, 5632, 6272, 6273, 6274, 6275, 6416, 5058, 5059, 5376, 5377

The InTrust agent does not require Microsoft .NET Framework for most of its functionality and can be installed on a computer without .NET. However, some agent features, such as PowerShell script-based response actions, will not work on those computers.

Event forwarding configuration and repository indexing configuration are mistakenly coupled during failover activity. If either a forwarding server or an indexing server fails, then the failover rule will switch both the forwarding server and the indexing server, even if one of the servers is OK.

An InTrust server performs self-auditing correctly only if UAC is enabled on that server. Otherwise, some InTrust activity may not be audited.

When you create a repository, specifying a local path for it is not prevented, even though InTrust does not support locally-hosted repositories.

Don't delete the Default configuration objects (Default databases, repositories, operators, etc.) even if you never use them in InTrust sites, policies etc. Other predefined objects may have references to the Default objects by default, which may result in hard-to-find errors if referenced objects no longer exist in your InTrust configuration database. Note that the deleted predefined configuration objects are not recreated at InTrust upgrades or reinstallations, some of them causing errors at the setup phase if missing from the configuration database.

The recommended practice is to keep default configuration objects as templates for the custom ones you create for the routine use.

If notification is configured so that email is sent to an operator that represents a group and sending fails for one of the group members (for example, due to an invalid email address), then it also fails for all other members of the group.

This issue does not occur if all selected operators represent individual users; in this case, sending failure for an operator does not affect other operators.

The following error message logged to the session results of an InTrust task may indicate of a frequent changes in the system time on the InTrust Server computer:

Error: 0x80040e2f Cannot initialize the required component. Cannot initialize session. Sessions Error- The statement has been terminated. Sql State: 01000 Native Error Code: 3621 Violation of PRIMARY KEY constraint 'PK_ITGSessionsInfo'. Cannot insert duplicate key in object 'dbo.ITGSessionInfo'. Sql State: 23000 Native Error Code: 2627 , !! IDispatch error #3119

This may be happening because of some problems with hardware or operating system, frequent time synchronizations with multiple hosts on the network or some other reason.

If you see a notification job failing consistently with the following error:

Object Name: (InTrust Server) Data Source: Notification Description: Cannot notify the 'Default Notification Operator' operator using the 'mail' notification type. An error has occurred during sending the mail. Error text: An established connection was aborted by the software in your host machine. Function 'recv' failed.

Verify that the SMTP server handling notification messages from InTrust does not require sender authentication.

If you are using Windows 2012 running on an ESXi 5.0, 5.1, or 5.5 host, DO NOT USE e1000e default network adapter. This may lead data corruption may occur when copying data over the network and therefore cause problems with repository indexing. You may see the following errors in the log:

Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Unspecified error, error code 0x8adc1005' Indexing of recent items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Field stream is invalid, error code 0x80004005' Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: ADC Error: ADC Error: One or more segments of incoming index data (\\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{7F}, \\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{AE}) could not be merged with the repository index, error code 0x8adc1005' The indexing queue of recent events in repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" exceeded the size limit. Please check the InTrust Server event log for errors, and consider collecting less audit data to this repository and adding more indexing servers.

For more information see the article "Possible data corruption after a Windows 2012 virtual machine network transfer (2058692)": http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2058692

When the InTrust server is switched during a failover operation, you get the following error in InTrust Deployment Manager and in the InTrust Server event log:

Some required components for working with the data source could not be installed

This message is about the user session tracking component of the InTrust agents. The agents may temporarily stop reporting user session events.

Filtering of site objects by registry value works only with the 32-bit registry view on 64-bit systems.

Automatic cleanup is not implemented for the %ALLUSERSPROFILE%\Application Data\Quest Software and %ALLUSERSPROFILE%\Application Data\Quest folders. If these folders grow too large, you can safely clear their contents manually.

In InTrust versions prior to 11.4.1 Update 1, it was a known issue that multiple repository cleanup schedules could be created for the same repository if multiple instances of InTrust Deployment Manager were editing the repository at once.

This was resolved in InTrust 11.4.1 Update 1, but it can still happen if an old instance of InTrust Deployment Manager is editing a repository simultaneously with an up-to-date instance. If you experience this issue, simply set the cleanup schedule again in an up-to-date instance.

If event forwarding is enabled for a repository managed by InTrust Server 11.4.1 or later, then earlier versions of InTrust Deployment Manager show meaningless collection-wide errors for collections that use the repository. These errors can be safely ignored; they are actually incorrectly interpreted data from the forwarding engine's performance counters.

If any indexing errors occur for a repository, they are displayed in the error details dialog box for that repository until the repository-managing InTrust server clears them. However, if the server is removed from the organization before it can clear them, they stay indefinitely.

Before you decommission an InTrust server, make sure you switch all indexing activity to another server that you plan to keep using.

Caution: When a previous-version InTrust Deployment Manager works with a repository managed by a current-version InTrust server, you should never modify the configuration of such a repository. Doing so may invalidate the repository configuration. The version of InTrust Deployment Manager must match or exceed the version of InTrust Server if you want to edit configuration.

In the Computers not in a collection search folder, the type of some non-Windows computers (such as VMware ESXi servers) is erroneously shown as "Workstation".

In InTrust Deployment Manager, if you add objects to a collection through an LDAP query, you may get an object named "<data />" or "<data></data>". This happens if the returned object doesn't have the attribute that you specified in the LDAP query. To work around the issue, try using an attribute that your expected object is guaranteed to have.

Event forwarding fails for repositories whose names are longer than 127 characters.

When you set up forwarding in InTrust Deployment Manager, sometimes the port text box may not recognize a valid value and may give you an incorrect prompt that the port cannot be empty. If this happens, just delete the value an retype it.

When you forward events with long insertion string values (such as encrypted PowerShell logs) using the UDP transport, forwarding may stop for the repository with those events, and you may get error messages like the following in InTrust Deployment Manager:

A message sent on a datagram socket was larger than the internal message buffer.

This problem doesn't occur if you use TCP to forward such events.

If the adcrpcs service is restarted on an InTrust server that forwards events, it may resend duplicates of recent messages.

During rule response action creation in InTrust Manager, unnecessary white space is added by the field picker control. This causes response actions to behave incorrectly, because the specified strings don't match anything due to the white space.

The lists of available InTrust Servers in an organization may differ depending on whether or not InTrust Manager is installed on the same computer as InTrust Server. The RPC Locator service should be enabled on the InTrust Manager computer where InTrust Server is not installed for correct results.

A specific InTrust Server may be also not visible as available for connection with InTrust Manager if it fails to publish itself in Active Directory (AD). This may happen if the Quest InTrust Server service does not have sufficient rights (see the System Requirements document for details) to create a Service Connection Point (SCP) in AD. Check events logs, starting with the InTrust log, on the InTrust Manager and InTrust Server machines for events looking related to possible problem with the RPC Locator service and creating an SCP in AD, respectively.

Besides, if you know that a specific InTrust Server is available, you can connect to it by specifying it manually, whether or not it is on the list.

You may receive the following error:

Internet Explorer Script Error: 'm_idBaloon.style' is null or not an object

when you have the Quick Start node selected in the left pane and click the right pane. You must be clicking there too early. Wait for the content of the right pane to be fully loaded before you click it.

Quick Start will fail to generate reports you specify if InTrust is configured to use SRS running on a computer different than SQL Server machine hosting the InTrust database(s) you are trying to report on, and Windows authentication is used to connect to Reporting Services.

The following error message will be received:

Login failed for NT AUTHORITY\Anonymous Logon.

If InTrust Servers in an Organization are concurrently running too many tasks, you may receive the following error in results of some sessions:

"Components Manager: Failed to find Storage Accessors. Error=0x80004005: Timeout expired. Unspecified error."

This happens because each task accesses InTrust Configuration database, and some of them fail to do that because of query timeout expiration. If you cannot reduce the number of task that run concurrently, consider increasing the value of the timeout setting on the SQL Server level using the sp_configure stored procedure.

The agent.ini file, which contains the configuration of the InTrust agent, uses the UTF-8 encoding on Windows. Editing this file manually on Windows is strongly discouraged, because it is easy to change the encoding and make the agent configuration invalid.

If an agent consistently fails to start on a Windows machine, and you find the following error in the local Application event log:

InTrust agent stopped unexpectedly. Error occurred: An attempt was made to access a socket in a way forbidden by its access permissions. (Win32 error: 10013). or the following error from the agent process is written to syslog on the Unix machine hosting an InTrust agent: InTrust agent stopped unexpectedly. Address already in use (CRuntime error: 98).

Сheck if any other active process (application, service, daemon) is configured to listen on the port you are going to use as the InTrust agent communication port on this machine (TCP port 900 by default). If you find some, reconfigure either the agent or the other application/service/daemon to use a different port. To change the communication port setting for InTrust agent, edit the agent.ini file located in the agent folder.

When agents are used to gather audit data, the following error may occur:

Agent has not yet established connection to the InTrust Server (0x8adc2c09).

This situation may occur due to network problems, or when InTrust services have just been restarted, and agents have not communicated to the InTrust Server yet.

An attempt to manually register an agent on an InTrust server may fail with the following error message:

'Cannot register agent on the InTrust server <...> No connection could be made because the target server actively refused it. <Win32 Error 10061>.'

Check if the Quest InTrust Agent service is running and not stopped on the InTrust server. If the service is stopped, start it and try registering the agent again.

Also note that this error is possible if port 900 is closed by a firewall between the agent and the server.

If a repository becomes unavailable during real-time collection, the InTrust server that manages this repository may put duplicate events in the other repositories that it manages. This happens because the server re-submits everything that was in the event queue at the moment the repository became unavailable.

Using the same repository for real-time event collection and task-based workflow is discouraged.

One of the possible consequences of using it for both methods is that after you start real-time collection from a computer for the first time, no data from that computer will be available to InTrust import and consolidation jobs for the first 24 hours, even though the data will be available in Repository Viewer.

There are other implications as well. Specialize your repositories by type of auditing method.

If you have multiple collections performing real-time event gathering of the same log from the same computer, then you will have duplicate events in the repository and in reports created by Repository Viewer.

In the properties of the "VMware ESX and ESXi events" and "VMware vCenter events" data sources, the Clear log after gathering option has no effect.

Suppose you have a gathering job that collects custom text logs to either a repository or an audit database, but not both at once. If you change the job settings so that it collects both to a repository and to an audit database, then you may experience the following issues during the next gathering session after this change:

• You may get duplicate events, or some events may be lost, even though you will not get any error or warning messages.
• The gathering can be slow and take hours or even days if there are a lot of matching files to collect from.

These problems don't occur if the specified repository and audit database are new and haven't been used.

When you gather IIS logs, you may get the following error message in the Sessions view:

The specified log doesn't exist.

In cases where the necessary logs clearly exist, this misleading message is shown if the IIS 6 Metabase Compatibility role service is not installed on the IIS server. Install the service to fix the problem.

When you monitor IIS servers, you may get an error like the following in the InTrust Server log:

Cannot install package IISRT.

This cryptic error may mean that the IIS 6 Metabase Compatibility role service is not installed on the IIS server. Install the service to fix the problem.

If changing IndexManager Server or path to an index of the indexed repository, gathering into this repository may fail with an error like:

Failed to insert event to repository. ADC Error: The repository at "\\?\C:\Repository\" has multiple indexes, which is an unsupported configuration. The extra indexes could not be cleared automatically.

Some successful InTrust activities, such as event forwarding and running jobs, can cause error messages if the system time is not synchronized between the InTrust Server and the SQL Server that hosts the InTrust configuration database.

This is the case in the following situations:

• Task sessions in InTrust Manager show an error message like this: "The session terminated unexpectedly", while the job sessions in the tasks are marked as successful
• An irrelevant collection-wide error message about repository file processing is shown InTrust Deployment Manager; this is really related to event forwarding

You should keep the system time synchronized between the two servers.

Alert suppression has the expected effect, but doesn't affect the logging of rule matches. Rule match events are always written to the InTrust Server log, whether alerts were raised or suppressed.

If you run Event Viewer and view the InTrust Server log before there are any events with event ID 17408 in the log, and such events arrive later, then the Task Category field will show "(1)" for the events. The value of Task Category should be "Rule match".

It may take the InTrust Real-Time Monitoring Server service a long time to stop if the Alert Database is overloaded with alerts and slow to respond.

If you experience a degrade in the Alert Database performance, try increasing values of the two InTrust configuration parameters that control the buffer and queue sizes for the connection InTrust makes to the Alert Database. Running the following SQL query on the InTrust configuration database will increase both sizes from the default value of 800KB (819200 bytes) to 10MB (10485760 bytes):

UPDATE ADCOrganizationParameter SET [Value] = '10485760' WHERE (Name = 'ITRT_CommMaxSizePerConnection') OR (Name = 'ITRT_CommQueueSize')

You may receive the following error at an attempt to import an exported user settings in InTrust Monitoring Console:

Cannot import user.

Enhanced error information.

Number: 0x80004005

Description: 007~ASP 0104~Operation not Allowed~

This is most likely to be caused by the settings of MS IIS hosting InTrust Monitoring Console. A solution that works for this issue is proposed in the Microsoft article HTTP Error 404.13 - CONTENT_LENGTH_TOO_LARGE when you visit a web site that is hosted on a server that is running IIS 7.0.

A Repository Viewer search that is locked for editing can still be modified in some non-straightforward ways.

If you create a search and it becomes selected as a forwarding filter during the same Repository Viewer session, that search does not become locked for editing in that same session. The next time you open Repository Viewer, the search is locked as it should be.

If a search is used as an event forwarding filter, the tooltip for that search lists the repositories that use it for filtering. The tooltip is all one line, and it may not fit on the screen if the list is long.

In PDF reports created by Repository Viewer, international characters (for example, Japanese, Chinese or Korean) are rendered incorrectly if the Arial Unicode MS font is not installed on the report-making InTrust server. As a workaround, set a valid international font for reports, as described in Quest Support knowledge base article 318235.

When Repository Viewer shows the details for a parsed Syslog event that has named insertion strings whose names start with an underscore (for example, _Address), such strings are always hidden. You can see the values of such fields only in the description, which contains the entire original message.

Repository Viewer opens a repository under the same account that you are using to run it, no matter what access credentials are specified in the properties of that repository.

One workaround is to use the runas command to explicitly make Repository Viewer use the account that is allowed access to the repository. For example, if mycorp\intrust_admin is such a user account, then start Repository Viewer as follows:

runas /netonly /user:mycorp\intrust_admin new_RV.exe

As a result, Repository Viewer runs under your current account, but uses the mycorp\intrust_admin account for network operations.

Repository Viewer doesn't start on a computer where the original .NET 4.0 is installed but updates for it are not.

The Delete and Backspace keys don't work as expected in filter boxes using the "Last" keyword.

Custom values cannot be specified in the Environment and Type data fields. Сustom-made events written through the InTrust API may have any value in this field, but they cannot be matched by those fields in Repository Viewer.

If you search for events where a specific insertion string or resolved insertion string has a particular value or is blank, then the results can include events where there is no such string at all.

Searches by the "Whom" field are slow.

Searches by "Any field" are slow.

Searches by some resolved insertion strings don't work.

Don't add too many reports to one reporting job. Doing so may make the whole Tasks node not responding to your attempts to browse it, with the following error message displayed:

Enumerating collection failed. Reason: Not enough storage is available to complete this operation.

If you are absolutely sure you need hundreds of reports to be processed with one reporting job, consider installing additional memory on the SQL Server computer that hosts InTrust configuration database.

If you modify a model of a report that is already included in some reporting jobs, for example, add or remove a filter, reporting job(s) configured to compile this report will fail with the following error:

Object reference not set to an instance of an object.

After you modify a report model, you will have to remove it from any reporting jobs that use it and add them to those jobs again.

A report with query based parameters or filters cannot be added to a reporting job if a data source specified for this report is configured with invalid settings. An attempt to add such a report to a job fails with the following error:

Cannot create a connection to data source 'MainDataSource'.

If you receive this error, edit the properties of the related data source to make sure it lets the report access a valid InTrust Audit database.

The unclear error message:

Report "<report_name>" failed to process: An error has occurred during report processing. An error has occurred during report processing. An error has occurred during report processing. Query execution failed for data set 'MainDataSet'.

is logged to the session results for each report in a reporting job that is configured to use a Data Storage that is not accessible when the job starts.

If InTrust reporting is configured to access MS SQL Reporting Services over an HTTPS connection, and the InTrust Server computer does not have a certificate installed for the specified MS SRS server, an attempt to access Reporting Services results in the following error:

Error 0x00004659: Internal error occurred. Reason: 0x80131509: The underlying connection was closed: Could not establish trust relationship with remote server.

To install a required certificate, you can use Internet Explorer to open the URL of MS SRS specified in the properties of the Reports node in InTrust Manager as 'MS SQL Reporting Services path'. When prompted for certificate installation, accept it. When the certificate is installed, you will be able to perform any operations with reports and reporting jobs in InTrust Manager.

A reporting job may fail with the following error:

The job was finished, but no entry was created for it in the task session because of an error.

If this happens, check whether the account under which the job starts has the Read access permission to the Windows folder on the InTrust Server computer.

If a reporting job fails with the following error:

The remote server returned an error: (500) Internal Server Error.

check the reports in the job for incorrect filter settings. This error may be logged to the session results, for example, when some report has a filter that requires a non-empty value specified, and that filter is disabled.

You may receive the following confusing error:

"Query execution failed for data set 'MainDataSet'."

during an attempt to open a subreport of a report generated by a reporting job. If this happens, check if the subreport uses a different data source than the main report included into the job, and if that data source is configured with valid settings (server, database, access credentials).

A reporting job configured to import required data from a repository may sometimes fail with the following error logged to the session results (RDDI Import node):

Description: Cannot initialize the required component. Cannot create one of the InTrust components.Cannot open repository. The system cannot find the path specified.

or

Description: Cannot import data from the repository.Cannot enumerate the repository objects.

If this happens, check if there is a database or some other object under Data Stores node in the configuration with a name identical to that of the source repository for the job. Rename one of the objects to make names of all objects under the Data Stores node unique.

You cannot specify a name of a text file listing parameter values in the input field on a report parameter tab in the reporting job configured to import required data from a repository. If you do so, the reporting job will fail with the error message looking like:

Internal error: Cannot initialize required component.ADC Error0x8add2102: Failed to initialize DataFilters.

If a reporting job configured to import required data from a repository fails with the following error:

Preparing for data import has finished with errors.

check that a semicolon (";") is the last character of a connection string specified in the data source of every report included into the job.

When a repository cleanup job starts under an account that has insufficient rights for deleting data from the target repository, the job fails with an error message that does not mention the reason for the failure:

Cannot clean up obsolete data from one or more data stores. Cannot remove one or more files.

You may receive the following misleading error message in Repository Viewer when you open an indexed repository through an InTrust Server:

Could not open repository. Error details: Repository is not ready for index-based search. Select a different repository.

In InTrust Manager, go to /Configuration/Data Stores/Repositories, open the Properties dialog for the affected repository and verify that the path to it is specified in the InTrust configuration as a UNC and not as a local path that is valid for only one InTrust Server machine in the organization.

Indexing a repository located on a local disk of an InTrust Server computer that manages indexing of this repository may fail with the following error message in the InTrust Server log (Event ID 14128 in the InTrust event log):

Indexing of repository "<repository_name>" failed. Details: Indexing on agent localhost failed, reason 'ADC Error: ADC Error0x80004005: Cannot create temp directory Unspecified error (Win32 error: 0x80004005), error code 0x80004005 '.

This happens if a specific account is specified in the properties of an InTrust Server local repository to be used for access to it, and this account does not have sufficient access rights to the %TEMP% folder of the Quest InTrust Server service account. Consider either changing the account used to access the repository or giving it rights to write to and read from that folder.

You may get the following non-informative error message in the InTrust Server log:

Indexing of repository "<repository_name>" failed. Details: Indexing on agent <agent_name> failed, reason 'ADC Error 0x80070643'.

It usually means that an agent has failed to install IndexingTool.exe on its local machine (for example, because system requirements were not met or user privileges were insufficient).

If you open a repository in Repository Viewer installed on an InTrust Server computer where the port number for InTrust Manager connection has been changed from the default value (8340), and you select the option to open a Production repository on Local computer, you will receive the following error message:

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

To avoid this, change your choice on the Select InTrust Server wizard step from Local computer to This InTrust server, and select the name of the local computer from the list.

You may receive confusing error messages when you try to open a repository as an indexed one, but the indexing of this repository has not started yet.

If you see repository indexing on an agent failing with the following non-informative error:

ADC Error: , error code 0x8adc1006

check if the agent account specified in the Properties of the InTrust site differs from the account specified in the Properties of the repository for indexing. If the accounts are different, it is likely that the repository indexing account does not have access to the Local Settings subfolder in the profile of the agent account on the agent machine. Consider changing this setup to have an agent service account specified either in the site Properties OR in the repository indexing settings, or giving the indexing account Read and Modify access permissions to the profile of the agent account.

You may see repository indexing on an agent failing with the following error:

A required privilege is not held by the client

This is likely to mean that you have one and the same account explicitly specified as the agent account in the Properties of the InTrust site and the account specified for indexing in the Properties of the repository. If this is the case, verify that the account has the following user rights on the agent machine:

• Replace a process level token
• Log on as service
• Log on as batch job
• Adjust memory quotas for a process

Repository indexing on a remote machine may fail to start with the following error message registered in the Application event log:

Event ID: 14128

Type: Error

Source: Indexing Launcher

Operation: Indexing

Computer:

Description: Indexing of repository "Default InTrust Audit Repository" failed. Details: Indexing on agent localhost failed, reason 'ADC Error0x80070643'.

This is likely to happen if the %TEMP% folder for the local system on the agent machine is missing. The automatic installation of Quest InTrust Indexing Tool (IndexingTool.msi) is being run under the local system account and fails with this error if it cannot access the temporary folder (normally %SYSTEMROOT%\Temp). Make sure the folder exists and the installation process can access it.

If you see the following error message in the Application event log:

Event ID: 14128

Type: Error

Source: Indexing Launcher

Operation: Indexing

Computer:

Description: Indexing of repository "Default InTrust Audit Repository" failed on agent <computername>. Reason: 'ADC error: ADC Error0x80070006: The handle is invalid. The handle is invalid. (Win32 error: 6), error code 0x80070006..

this may be a result of the computer hosting the repository being too busy and slow to respond at the time of indexing. Try reducing the load on the repository machine or re-indexing the repository later.

Repository Viewer may fail to display events from a repository with the following error message that may be confusing:

The process cannot access the file because it is being use by another process.

This error is likely to mean one of the following:

• The idle repository you are trying to view is opened with another instance of Repository Viewer.
• You try to view an idle repository that is currently being indexed.
• You select the Open Idle Repository option in Repository Viewer to open a repository that should be accessed through an InTrust Server.

When you create a custom text log data source, you can supply a regular expression with a number of groups defined. If you reference a field index that is out of range of those groups, you get the following script error: "val has no properties".

Instead of an error, this should be a warning.

In the DB-based log provider query, data fields of type(s) TEXT or/and NTEXT must be either come last in the SELECT statement or be explicitly converted to the NVARCHAR data type. Otherwise the following error will be received at gathering:

[Microsoft][ODBC SQL Server Driver]Invalid Descriptor Index.

If you run the Evt2Repository.exe tool on a Windows 2008 machine to import events from an event log saved to an .evt file on a pre-Windows 2008 computer, the tool fails with an error message saying the event log file is corrupted. To work around this problem, you can do one of the following:

1. Process the file with Evt2Repository.exe on a computer running Windows Server 2003 or earlier.
2. Open the .evt file with Windows 2008 Event Viewer and save it in the .evtx format. Then run Evt2Repository.exe again to import events from the saved .evtx file.