InTrust 11.3.2 - Release Notes

If you install InTrust Deployment Manager on a running InTrust server, a restart of the Quest InTrust Server and Quest InTrust Real-Time Monitoring Server services is required. The restart causes some downtime in InTrust operations performed by that server.

If you are installing InTrust on a SQL server and updating SQL Server Native Client through the InTrust setup suite in the process, this causes the locally installed SQL Server service to restart automatically.

To avoid this, update the client to the required version before you set up InTrust.

You may get the following error while trying to install InTrust:

Cannot grant the following privileges: Back up files and directories Log on as a service to <account_name> Your Group Policy settings may be preventing setup from granting the privileges specified.

There must exist a Group Policy that controls the assignment of the specified privilege(s) in your environment. InTrust setup can neither override it nor check if the account inherits the required privilege(s) from a security group the policy applies to. Make sure the policy grants the specified privilege(s) to InTrust service account, either directly or through its membership in a security group, and click the Ignore button in the error dialog to proceed with the installation.

InTrust Monitoring Console and Quest Knowledge Portal cannot be installed into a Virtual Directory with special characters (like !#$%^&()_+|][}{;,-=`~) in the name.

If you receive the following error while upgrading an InTrust Server:

Error Code: 1603 Fatal error during installation.

First of all, check if all of the InTrust Server services have been stopped. Most often, it is Quest InTrust Real-Time Monitoring Server service that takes long to stop and causes the setup to fail with this error. If this is the case, quit the setup, make sure all of the Quest InTrust services have stopped and run the setup again.

If you receive the following error at InTrust setup:

Cannot configure default Audit Database. Error code: 0x80004005. Property value is invalid. Make sure the value is typed correctly. Unspecified error Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done. Property value is invalid. Make sure the value is typed correctly.

Check if you have specified a database with a name that starts with a numeric character (0-9) as either Audit or Alert database. The names of all InTrust Audit and Alert databases must start with an alphabetic character (a-z, A-Z).

When you are running the configdb.sql SQL script on a pre-created InTrust configuration database to provide for not giving InTrust service account the database owner right for it, you may receive warnings like the following:

Cannot add rows to sysdepends for the current stored procedure because it depends on the missing object 'dbo.ITRTProcessingRule_change'.

These warnings may be ignored since they do not indicate of any problems that may affect the future InTrust operation.

When you install InTrust or upgrade it from an earlier version, you may receive the following error message:

Error 1335. The cabinet file '<cab_file_name>' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

One of the recommendations you can find in the Microsoft KB article 314810 must help you resolve this problem. The article describes a similar problem with MS Office installation and the resolutions it provides has proved to work for InTrust installation.

When you install a report pack and the SQL Server hosting its target database does not have SQL Server Agent running, you may receive the following warning, sometimes followed by an error dialog with the same text:

Cannot upload report pack: For Temporary Tables Clean-Up job schedule to be applied, make sure that: 1. Authentication method for database access uses the explicitly specified credentials which are stored in the data source (either SQL Server authentication, or Windows authentication). If Integrated Windows authentication i...

When you click OK in this dialog, another error message may be displayed asking you if you want to continue with the setup. Click No and wait for the setup application to prompt you with the options to Retry, Ignore or Abort the installation. When prompted, select Retry. From this point on, the installation of the report pack is expected to run smoothly.

You may receive the following error messages when you install the Knowledge Pack for Microsoft Audit Collection Services (ACS KP) from the command line:

• Error: 0x80040154. Cannot install ACI packages. Reason: Class not registered.
• Error: 0x80070005. Cannot install ADC predefined objects. Reason: Error while performing the following action: Enumerating collection. Reason: Access is denied.

This is not expected to happen again if you click OK in each error dialog window, let the installation process exit and run the knowledge pack installation command one more time.

You may receive the following misleading error message when installing an additional Knowledge Pack into an existing InTrust organization:

Error: 0x80004005. Cannot configure default Audit Database. Reason: Data source name not found and no default driver specified.

This error is not expected to cause any real problem with a Knowledge Pack installation. If you see it, click OK in the error message and let the installation finish. No troubleshooting is required unless you see more errors during the installation or find the Knowledge Pack not working properly when installation is finished.

When you use the default InTrust setup, the installation program does not prompt you for the Communication Port number. If you use the extended InTrust setup to complement a default deployment, you are prompted for the Communication Port value but the setting you make is not applied to the InTrust installation. In this installation scenario, edit this registry value to change the Communication port number after InTrust is installed, if needed:

[HKEY_LOCAL_MACHINE]\SOFTWARE\Aelita\ADC\RpcServer\Endpoints\1

or

[HKEY_LOCAL_MACHINE]\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer\Endpoints\1 STRING: Endpoint="8340"

It is not recommended to create InTrust configuration database with "." symbol in its name (for example: InTrust_10.6_ConfigDB), though it will be created, such database is unusable and you will receive the error like:

Invalid database name supplied.

Sometimes uninstalling an InTrust component can cause miscellaneous problems for another InTrust component on the same computer. If this happens, open the Programs and Features facility in the Control Panel and perform a Repair operation for the component that is not working properly.

If you have performed an upgrade from version 11.3.1 or earlier without deleting the "Redhat Linux Syslog" data source (as recommended in the Upgrade Guide), then you will still have the old version of this data source after the upgrade. To update the data source in this situation, take the following steps:

1. In InTrust Manager, make a backup copy of the "Redhat Linux Syslog" data source.
2. Delete the original data source.
3. Apply your changes by clicking the Commit button.
4. Close InTrust Manager.
5. Locate the Linux Knowledge Pack setup package LINUX_KP.*.*.*.*.msi in the InTrust\Server folder in your InTrust distribution and launch it and select Repair mode.

After the installation, the up-to-date version of the data source will be available.

In the course of an upgrade, you may get the following error messages during repository indexing and searching:

Unknown field <field_name> referenced in log knowledge base as source of value.

This is caused by differences in log knowledge base definitions between the old and new InTrust versions. The problem should go away as soon as all InTrust components have been upgraded—not just InTrust Server, but also Repository Viewer and others.

When you upgrade an existing installation of InTrust under an account that doesn't have DBO access rights to the InTrust configuration database, you may receive the following error message:

Cannot uninstall CI packages. Error code: 0x80004005. Cannot parse ADCClassInventory query. Error of opening file.

Click OK and continue. This error does not affect the results of the upgrade.

At an upgrade of an InTrust Server in a multiserver InTrust organization, you may receive a misleading error message:

You are about to remove an InTrust server from an InTrust organization. Any jobs configured to run on this server must be manually transferred to another live server in the same organization.

It is safe to ignore this error. Click OK and continue upgrading.

When you create a repository, specifying a local path for it is not prevented, even though InTrust does not support locally-hosted repositories.

Don't delete the Default configuration objects (Default databases, repositories, operators, etc.) even if you never use them in InTrust sites, policies etc. Other predefined objects may have references to the Default objects by default, which may result in hard-to-find errors if referenced objects no longer exist in your InTrust configuration database. Note that the deleted predefined configuration objects are not recreated at InTrust upgrades or reinstallations, some of them causing errors at the setup phase if missing from the configuration database.

The recommended practice is to keep default configuration objects as templates for the custom ones you create for the routine use.

If notification is configured so that email is sent to an operator that represents a group and sending fails for one of the group members (for example, due to an invalid email address), then it also fails for all other members of the group.

This issue does not occur if all selected operators represent individual users; in this case, sending failure for an operator does not affect other operators.

The following error message logged to the session results of an InTrust task may indicate of a frequent changes in the system time on the InTrust Server computer:

Error: 0x80040e2f Cannot initialize the required component. Cannot initialize session. Sessions Error- The statement has been terminated. Sql State: 01000 Native Error Code: 3621 Violation of PRIMARY KEY constraint 'PK_ITGSessionsInfo'. Cannot insert duplicate key in object 'dbo.ITGSessionInfo'. Sql State: 23000 Native Error Code: 2627 , !! IDispatch error #3119

This may be happening because of some problems with hardware or operating system, frequent time synchronizations with multiple hosts on the network or some other reason.

If you see a notification job failing consistently with the following error:

Object Name: (InTrust Server) Data Source: Notification Description: Cannot notify the 'Default Notification Operator' operator using the 'mail' notification type. An error has occurred during sending the mail. Error text: An established connection was aborted by the software in your host machine. Function 'recv' failed.

Verify that the SMTP server handling notification messages from InTrust does not require sender authentication.

If you are using Windows 2012 running on an ESXi 5.0, 5.1, or 5.5 host, DO NOT USE e1000e default network adapter. This may lead data corruption may occur when copying data over the network and therefore cause problems with repository indexing. You may see the following errors in the log:

Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Unspecified error, error code 0x8adc1005' Indexing of recent items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Field stream is invalid, error code 0x80004005' Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: ADC Error: ADC Error: One or more segments of incoming index data (\\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{7F}, \\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{AE}) could not be merged with the repository index, error code 0x8adc1005' The indexing queue of recent events in repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" exceeded the size limit. Please check the InTrust Server event log for errors, and consider collecting less audit data to this repository and adding more indexing servers.

For more information see the following article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2058692

When the InTrust server is switched during a failover operation, you get the following error in InTrust Deployment Manager and in the InTrust Server event log:

Some required components for working with the data source could not be installed

This message is about the user session tracking component of the InTrust agents. The agents may temporarily stop reporting user session events.

Filtering of site objects by registry value works only with the 32-bit registry view on 64-bit systems.

Automatic cleanup is not implemented for the %ALLUSERSPROFILE%\Application Data\Quest Software and %ALLUSERSPROFILE%\Application Data\Quest folders. If these folders grow too large, you can safely clear their contents manually.

The lists of available InTrust Servers in an organization may differ depending on whether or not InTrust Manager is installed on the same computer as InTrust Server. The RPC Locator service should be enabled on the InTrust Manager computer where InTrust Server is not installed for correct results.

A specific InTrust Server may be also not visible as available for connection with InTrust Manager if it fails to publish itself in Active Directory (AD). This may happen if the Quest InTrust Server service does not have sufficient rights (see the System Requirements document for details) to create a Service Connection Point (SCP) in AD. Check events logs, starting with the InTrust log, on the InTrust Manager and InTrust Server machines for events looking related to possible problem with the RPC Locator service and creating an SCP in AD, respectively.

Besides, if you know that a specific InTrust Server is available, you can connect to it by specifying it manually, whether or not it is on the list.

You may receive the following error:

Internet Explorer Script Error: 'm_idBaloon.style' is null or not an object

when you have the Quick Start node selected in the left pane and click the right pane. You must be clicking there too early. Wait for the content of the right pane to be fully loaded before you click it.

Quick Start will fail to generate reports you specify if InTrust is configured to use SRS running on a computer different than SQL Server machine hosting the InTrust database(s) you are trying to report on, and Windows authentication is used to connect to Reporting Services.

The following error message will be received:

Login failed for NT AUTHORITY\Anonymous Logon.

If InTrust Servers in an Organization are concurrently running too many tasks, you may receive the following error in results of some sessions:

"Components Manager: Failed to find Storage Accessors. Error=0x80004005: Timeout expired. Unspecified error."

This happens because each task accesses InTrust Configuration database, and some of them fail to do that because of query timeout expiration. If you cannot reduce the number of task that run concurrently, consider increasing the value of the timeout setting on the SQL Server level using the sp_configure stored procedure.

If an agent consistently fails to start on a Windows machine, and you find the following error in the local Application event log:

InTrust agent stopped unexpectedly. Error occurred: An attempt was made to access a socket in a way forbidden by its access permissions. (Win32 error: 10013). or the following error from the agent process is written to syslog on the Unix machine hosting an InTrust agent: InTrust agent stopped unexpectedly. Address already in use (CRuntime error: 98).

Сheck if any other active process (application, service, daemon) is configured to listen on the port you are going to use as the InTrust agent communication port on this machine (TCP port 900 by default). If you find some, reconfigure either the agent or the other application/service/daemon to use a different port. To change the communication port setting for InTrust agent, edit the agent.ini file located in the agent folder.

When agents are used to gather audit data, the following error may occur:

Agent has not yet established connection to the InTrust Server (0x8adc2c09).

This situation may occur due to network problems, or when InTrust services have just been restarted, and agents have not communicated to the InTrust Server yet.

An attempt to manually register an agent on an InTrust server may fail with the following error message:

'Cannot register agent on the InTrust server <...> No connection could be made because the target server actively refused it. <Win32 Error 10061>.'

Check if the Quest InTrust Agent service is running and not stopped on the InTrust server. If the service is stopped, start it and try registering the agent again.

Also note that this error is possible if port 900 is closed by a firewall between the agent and the server.

Using the same repository for real-time event collection and task-based workflow is discouraged.

One of the possible consequences of using it for both methods is that after you start real-time collection from a computer for the first time, no data from that computer will be available to InTrust import and consolidation jobs for the first 24 hours, even though the data will be available in Repository Viewer.

There are other implications as well. Specialize your repositories by type of auditing method.

If you have multiple collections performing real-time event gathering of the same log from the same computer, then you will have duplicate events in the repository and in reports created by Repository Viewer.

If changing IndexManager Server or path to an index of the indexed repository, gathering into this repository may fail with an error like:

Failed to insert event to repository. ADC Error: The repository at "\\?\C:\Repository\" has multiple indexes, which is an unsupported configuration. The extra indexes could not be cleared automatically.

If you receive the following error message in the task session results:

The session terminated unexpectedly.

while the individual job sessions under this task are marked as successful, check if the system time is synchronized between the InTrust Server and the SQL Server that hosts the InTrust configuration database.

If you experience a degrade in the Alert Database performance, try increasing values of the two InTrust configuration parameters that control the buffer and queue sizes for the connection InTrust makes to the Alert Database. Running the following SQL query on the InTrust configuration database will increase both sizes from the default value of 800KB (819200 bytes) to 10MB (10485760 bytes):

UPDATE ADCOrganizationParameter SET [Value] = '10485760' WHERE (Name = 'ITRT_CommMaxSizePerConnection') OR (Name = 'ITRT_CommQueueSize')

You may receive the following error at an attempt to import an exported user settings in InTrust Monitoring Console:

Cannot import user.

Enhanced error information.

Number: 0x80004005

Description: 007~ASP 0104~Operation not Allowed~

This is most likely to be caused by the settings of MS IIS hosting InTrust Monitoring Console. For more information see Microsoft KB article 327659.

Repository Viewer opens a repository under the same account that you are using to run it, no matter what access credentials are specified in the properties of that repository.

One workaround is to use the runas command to explicitly make Repository Viewer use the account that is allowed access to the repository. For example, if mycorp\intrust_admin is such a user account, then start Repository Viewer as follows:

runas /netonly /user:mycorp\intrust_admin new_RV.exe

As a result, Repository Viewer runs under your current account, but uses the mycorp\intrust_admin account for network operations.

Repository Viewer doesn't start on a computer where the original .NET 4.0 is installed but updates for it are not.

The Delete and Backspace keys don't work as expected in filter boxes using the "Last" keyword.

Custom values cannot be specified in the Environment and Type data fields. Сustom-made events written through the InTrust API may have any value in this field, but they cannot be matched by those fields in Repository Viewer.

If you search for events where a specific insertion string or resolved insertion string has a particular value or is blank, then the results can include events where there is no such string at all.

Searches by the "Whom" field are slow.

Searches by "Any field" are slow.

Searches by some resolved insertion strings don't work.

Don't add too many reports to one reporting job. Doing so may make the whole Tasks node not responding to your attempts to browse it, with the following error message displayed:

Enumerating collection failed. Reason: Not enough storage is available to complete this operation.

If you are absolutely sure you need hundreds of reports to be processed with one reporting job, consider installing additional memory on the SQL Server computer that hosts InTrust configuration database.

If you modify a model of a report that is already included in some reporting jobs, for example, add or remove a filter, reporting job(s) configured to compile this report will fail with the following error:

Object reference not set to an instance of an object.

After you modify a report model, you will have to remove it from any reporting jobs that use it and add them to those jobs again.

A report with query based parameters or filters cannot be added to a reporting job if a data source specified for this report is configured with invalid settings. An attempt to add such a report to a job fails with the following error:

Cannot create a connection to data source 'MainDataSource'.

If you receive this error, edit the properties of the related data source to make sure it lets the report access a valid InTrust Audit database.

The unclear error message:

Report "<report_name>" failed to process: An error has occurred during report processing. An error has occurred during report processing. An error has occurred during report processing. Query execution failed for data set 'MainDataSet'.

is logged to the session results for each report in a reporting job that is configured to use a Data Storage that is not accessible when the job starts.

If InTrust reporting is configured to access MS SQL Reporting Services over an HTTPS connection, and the InTrust Server computer does not have a certificate installed for the specified MS SRS server, an attempt to access Reporting Services results in the following error:

Error 0x00004659: Internal error occurred. Reason: 0x80131509: The underlying connection was closed: Could not establish trust relationship with remote server.

To install a required certificate, you can use Internet Explorer to open the URL of MS SRS specified in the properties of the Reports node in InTrust Manager as 'MS SQL Reporting Services path'. When prompted for certificate installation, accept it. When the certificate is installed, you will be able to perform any operations with reports and reporting jobs in InTrust Manager.

A reporting job may fail with the following error:

The job was finished, but no entry was created for it in the task session because of an error.

If this happens, check whether the account under which the job starts has the Read access permission to the Windows folder on the InTrust Server computer.

If a reporting job fails with the following error:

The remote server returned an error: (500) Internal Server Error.

check the reports in the job for incorrect filter settings. This error may be logged to the session results, for example, when some report has a filter that requires a non-empty value specified, and that filter is disabled.

You may receive the following confusing error:

"Query execution failed for data set 'MainDataSet'."

during an attempt to open a subreport of a report generated by a reporting job. If this happens, check if the subreport uses a different data source than the main report included into the job, and if that data source is configured with valid settings (server, database, access credentials).

A reporting job configured to import required data from a repository may sometimes fail with the following error logged to the session results (RDDI Import node):

Description: Cannot initialize the required component. Cannot create one of the InTrust components.Cannot open repository. The system cannot find the path specified.

or

Description: Cannot import data from the repository.Cannot enumerate the repository objects.

If this happens, check if there is a database or some other object under Data Stores node in the configuration with a name identical to that of the source repository for the job. Rename one of the objects to make names of all objects under the Data Stores node unique.

You cannot specify a name of a text file listing parameter values in the input field on a report parameter tab in the reporting job configured to import required data from a repository. If you do so, the reporting job will fail with the error message looking like:

Internal error: Cannot initialize required component.ADC Error0x8add2102: Failed to initialize DataFilters.

If a reporting job configured to import required data from a repository fails with the following error:

Preparing for data import has finished with errors.

check that a semicolon (";") is the last character of a connection string specified in the data source of every report included into the job.

When you configure a report to use filter values from a file, on a 64-bit Microsoft SQL Server 2008 the report will fail with an error message stating:

OLE DB provider 'Microsoft.Jet.OLEDB.4.0' cannot be used for distributed queries because the provider is configured to run in single-threaded apartment mode.

Follow these steps to work around this problem:

1. Download the report from your Microsoft SQL Reporting Services Server as an .RDL file, edit this file to replace the 'Microsoft.Jet.OLEDB.4.0' text with 'Microsoft.ACE.OLEDB.12.0' and upload the updated file back to the SSRS.
2. Execute the following batch on your 64-bit Microsoft SQL Server:
   USE [master]
   GO EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'AllowInProcess', 1
   GO
   EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'DynamicParameters', 1

When a repository cleanup job starts under an account that has insufficient rights for deleting data from the target repository, the job fails with an error message that does not mention the reason for the failure:

Cannot clean up obsolete data from one or more data stores. Cannot remove one or more files.

You may receive the following misleading error message in Repository Viewer when you open an indexed repository through an InTrust Server:

Could not open repository. Error details: Repository is not ready for index-based search. Select a different repository.

In InTrust Manager, go to /Configuration/Data Stores/Repositories, open the Properties dialog for the affected repository and verify that the path to it is specified in the InTrust configuration as a UNC and not as a local path that is valid for only one InTrust Server machine in the organization.

Indexing a repository located on a local disk of an InTrust Server computer that manages indexing of this repository may fail with the following error message in the InTrust Server log (Event ID 14128 in the InTrust event log):

Indexing of repository "<repository_name>" failed. Details: Indexing on agent localhost failed, reason 'ADC Error: ADC Error0x80004005: Cannot create temp directory Unspecified error (Win32 error: 0x80004005), error code 0x80004005 '.

This happens if a specific account is specified in the properties of an InTrust Server local repository to be used for access to it, and this account does not have sufficient access rights to the %TEMP% folder of the Quest InTrust Server service account. Consider either changing the account used to access the repository or giving it rights to write to and read from that folder.

You may get the following non-informative error message in the InTrust Server log:

Indexing of repository "<repository_name>" failed. Details: Indexing on agent <agent_name> failed, reason 'ADC Error 0x80070643'.

It usually means that an agent has failed to install IndexingTool.exe on its local machine (for example, because system requirements were not met or user privileges were insufficient).

If you open a repository in Repository Viewer installed on an InTrust Server computer where the port number for InTrust Manager connection has been changed from the default value (8340), and you select the option to open a Production repository on Local computer, you will receive the following error message:

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

To avoid this, change your choice on the Select InTrust Server wizard step from Local computer to This InTrust server, and select the name of the local computer from the list.

You may receive confusing error messages when you try to open a repository as an indexed one, but the indexing of this repository has not started yet.

If you see repository indexing on an agent failing with the following non-informative error:

ADC Error: , error code 0x8adc1006

check if the agent account specified in the Properties of the InTrust site differs from the account specified in the Properties of the repository for indexing. If the accounts are different, it is likely that the repository indexing account does not have access to the Local Settings subfolder in the profile of the agent account on the agent machine. Consider changing this setup to have an agent service account specified either in the site Properties OR in the repository indexing settings, or giving the indexing account Read and Modify access permissions to the profile of the agent account.

You may see repository indexing on an agent failing with the following error:

A required privilege is not held by the client

This is likely to mean that you have one and the same account explicitly specified as the agent account in the Properties of the InTrust site and the account specified for indexing in the Properties of the repository. If this is the case, verify that the account has the following user rights on the agent machine:

• Replace a process level token
• Log on as service
• Log on as batch job
• Adjust memory quotas for a process

Repository indexing on a remote machine may fail to start with the following error message registered in the Application event log:

Event ID: 14128

Type: Error

Source: Indexing Launcher

Operation: Indexing

Computer:

Description: Indexing of repository "Default InTrust Audit Repository" failed. Details: Indexing on agent localhost failed, reason 'ADC Error0x80070643'.

This is likely to happen if the %TEMP% folder for the local system on the agent machine is missing. The automatic installation of Quest InTrust Indexing Tool (IndexingTool.msi) is being run under the local system account and fails with this error if it cannot access the temporary folder (normally %SYSTEMROOT%\Temp). Make sure the folder exists and the installation process can access it.

If you see the following error message in the Application event log:

Event ID: 14128

Type: Error

Source: Indexing Launcher

Operation: Indexing

Computer:

Description: Indexing of repository "Default InTrust Audit Repository" failed on agent <computername>. Reason: 'ADC error: ADC Error0x80070006: The handle is invalid. The handle is invalid. (Win32 error: 6), error code 0x80070006..

this may be a result of the computer hosting the repository being too busy and slow to respond at the time of indexing. Try reducing the load on the repository machine or re-indexing the repository later.

Repository Viewer may fail to display events from a repository with the following error message that may be confusing:

The process cannot access the file because it is being use by another process.

This error is likely to mean one of the following:

• The idle repository you are trying to view is opened with another instance of Repository Viewer.
• You try to view an idle repository that is currently being indexed.
• You select the Open Idle Repository option in Repository Viewer to open a repository that should be accessed through an InTrust Server.

When you are gathering BSM log events from a Solaris host that does not have access to a DNS server and has an entry for itself in the hosts file only by a FQDN and not by its short name, gathering fails with the following error:

'ADC Error: Failed to collect from network object. (Internal error: Failed to enumerate event logs. (host/servername not known (CRuntime error: 8)))'.

Edit the hosts file on the Solaris host to include an entry for the short name of that host.

The following reports from the InTrust for Solaris report pack work only for events collected from Solaris 8 and 9:

• Forensic Analysis / Solaris Syslog Events
• Normal User Activity / Logins / Failed logins
• Normal User Activity / Logins / Successful logins
• Normal User Activity / Privileged User Logins / Failed logins of privileged users
• Normal User Activity / Privileged User Logins / Successful logins of privileged users

In the DB-based log provider query, data fields of type(s) TEXT or/and NTEXT must be either come last in the SELECT statement or be explicitly converted to the NVARCHAR data type. Otherwise the following error will be received at gathering:

[Microsoft][ODBC SQL Server Driver]Invalid Descriptor Index.

If you run the Evt2Repository.exe tool on a Windows 2008 machine to import events from an event log saved to an .evt file on a pre-Windows 2008 computer, the tool fails with an error message saying the event log file is corrupted. To work around this problem, you can do one of the following:

1. Process the file with Evt2Repository.exe on a computer running Windows Server 2003 or earlier.
2. Open the .evt file with Windows 2008 Event Viewer and save it in the .evtx format. Then run Evt2Repository.exe again to import events from the saved .evtx file.