Real-time monitoring policies differ fundamentally from gathering policies (explained in Understanding Policies): they maintain the dependencies between rules and sites, and they handle notification.
When you create a monitoring policy, you bind rules to sites and define the recipients of notification messages. By default, real-time monitoring policies are disabled; you must enable them manually.
To create a real-time monitoring policy
You can change monitoring policy settings using the policy's properties. The following is an overview of the settings that you can specify when creating a real-time monitoring policy or in the properties of an existing one.
The scope of the policy is defined by the sites that it is associated with, and it can be refined by applying an object filter to site members. In the properties of a policy, the sites are specified on the Sites tab and the filter on the Filter tab.
You can specify the set of rules for a policy by selecting individual rules or entire rule groups. In the properties of a policy, this is done on the Rules tab.
Whenever a rule is matched, it generates notification messages of the types specified for that rule. The policy specifies who receives them: as long as the corresponding notification type is enabled for a rule, a message from that rule is sent to the recipients specified by the policy. For details, see Configuring Notification Groups and Recipients.
The following notification types are supported:
| Notification type | Details |
|---|---|
| E-mail | In the properties of a real-time monitoring policy, this is configured on the E-mail tab. You can specify regular recipients, notification groups and dynamic operators. |
| Event Log | In the properties of a real-time monitoring policy, this is configured on the Event Log tab. You can specify only Event Log Recipient, which implements logging of rule match events. Using other recipients has no effect for this notification type. For details about Event Log Recipient, see Configuring Notification Groups and Recipients. Note that even though Event Log Recipient is not really a message addressee, you still need to enable it so that rules with the Event Log notification type can log their match events. |
If you need to set up fine-grained access to the resulting alerts in Monitoring Console, you can do it on the Alert Security tab in the properties of a policy. Specify Active Directory accounts and define alert permissions for them. These permissions determine whether Monitoring Console lets those accounts view and resolve the alerts generated by the rules in the policy.
InTrust Real-Time Monitoring Console is a Web-based application that you can use to view and manage InTrust real-time alerts (stored in an InTrust alert database).
Caution: If you are using Monitoring Console installed on Microsoft IIS 6.0 or 7.0, make sure ASP extensions are allowed. Refer to the documentation of your version of IIS for details about allowing extensions.
Monitoring Console administrators control user access to the alerts by configuring profiles.
A profile defines which InTrust server provides the alert records a user can work with, and specifies other user preferences for Monitoring Console operation (such as language and display style). A user selects a profile and works with associated alert views. An alert view is a collection of settings that define alert choice and presentation.
Alert records are available to users only if their accounts have sufficient privileges to view the alerts or change their state (for example, from New to Acknowledged, or from Acknowledged to Resolved).
By default, InTrust organization administrators (explained in the InTrust Organization Administrators topic) have all privileges for working with all alerts (Read and Change Alert State). If you cannot view the alerts you need, check the Alert Security settings of the policy.
To provide users with these rights, Alert Security settings should be configured in InTrust Manager in the following way:
Monitoring Console offers profiles that allow authorized users or groups to work with the alerts they need. During InTrust suite setup, a default profile for Monitoring Console users is created automatically.
However, if Monitoring Console installation was not a part of InTrust suite setup (that is, Monitoring Console's own setup was used), no default profile is created, and you have to create it manually from the Monitoring Console Administration page.
Caution: To create or edit a profile, your user account must be granted the Administrator role of the COM+ System Application on the computer where Monitoring Console runs. To check whether you have this role, open the Component Services MMC snap-in on the computer with Monitoring Console and view the Computers | My Computer | COM+ Applications | System Application | Roles | Administrator | Users node.
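The same check can be scripted. The following is an added example, not code from the InTrust documentation or product: it reads the COM+ catalog through the COMAdmin.COMAdminCatalog COM object, lists the members of the Administrator role of the System Application, and compares them with the current user's account and token groups (membership is often granted through a group such as BUILTIN\Administrators rather than the user account itself). Run it on the computer where Monitoring Console is installed, from an elevated PowerShell session, because reading the COM+ catalog requires administrative rights. The function names are this example's own.

```powershell
# Added example, not part of InTrust. Checks whether the current user holds the
# Administrator role of the COM+ "System Application" on this machine.

function Get-ComPlusRoleMembers {
    param(
        [string]$ApplicationName = 'System Application',
        [string]$RoleName        = 'Administrator'
    )
    $catalog = New-Object -ComObject 'COMAdmin.COMAdminCatalog'
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()

    $app = $null
    foreach ($a in $apps) { if ($a.Name -eq $ApplicationName) { $app = $a } }
    if (-not $app) { throw "COM+ application '$ApplicationName' not found" }

    # Related collections are reached through the parent collection and the item key.
    $roles = $apps.GetCollection('Roles', $app.Key)
    $roles.Populate()
    $role = $null
    foreach ($r in $roles) { if ($r.Name -eq $RoleName) { $role = $r } }
    if (-not $role) { throw "Role '$RoleName' not found in '$ApplicationName'" }

    $members = $roles.GetCollection('UsersInRole', $role.Key)
    $members.Populate()
    foreach ($m in $members) { $m.Value('User') }   # DOMAIN\name strings, e.g. BUILTIN\Administrators
}

function Test-CurrentUserInComPlusRole {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()

    # The user's own account plus every group in the logon token, as DOMAIN\name.
    $principals = @($identity.Name)
    foreach ($sid in $identity.Groups) {
        try { $principals += $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
    }

    $members = @(Get-ComPlusRoleMembers)
    $hits = @($principals | Where-Object { $members -contains $_ })   # -contains is case-insensitive

    [pscustomobject]@{
        User        = $identity.Name
        RoleMembers = $members
        Granted     = ($hits.Count -gt 0)
        GrantedVia  = $hits
    }
}

Test-CurrentUserInComPlusRole | Format-List
```

If Granted is False, add the account (or, preferably, a dedicated group) to the role in Component Services rather than running Monitoring Console administration under a broader account.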
When configuring a profile, you are prompted for the Run As account. This account will be used to connect to the InTrust server responsible for alert generation. To ensure a proper connection and correct flow of the monitoring process, this account requires sufficient privileges. The minimal requirements are:
Caution: The Run As account of the default profile is listed as an InTrust organization administrator and therefore has all required privileges. New profiles whose Run As account is listed as an InTrust organization administrator can also be created.
To create a profile
Notes:
You can also modify the settings of an existing profile by selecting it from the list and opening the corresponding tabs.
For more details on working with the profiles, see the help topic for the Monitoring Console Administration page.
After a new profile is configured, you can customize alert views for this profile in Monitoring Console. Monitoring Console can be opened from the Start menu.
To create a view
For an existing view, you can configure filters based on alert state and generation time in addition to the settings specified in the wizard.
Within a view, you can examine alert statistics, analyze the alerts in detail, or search for the alerts.
For more details, see the Monitoring Console help.
The easiest way to configure real-time monitoring is to use the predefined objects (sites, rules and policies); making copies of them is recommended.
To learn how to watch for the activity you are interested in, consider the following scenarios:
You can use them directly, adapt them to your own environment, or build your own real-time monitoring configurations on them.
In this scenario, let’s assume you intend to monitor user account creation performed by unauthorized personnel, meaning:
To achieve this, you must configure the following:
All of the required elements are predefined in InTrust, so all you need to do is make copies of these objects and associate them with one another as follows:
Caution: Populate your predefined sites with the objects you need, and confirm that the objects the sites span reside in the right domain. (You can enumerate site objects by clicking Refresh on the site's Enumeration pane.)
You can modify such settings as alerting, response actions, rule activity time, or others at any time as necessary.
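To make the decision behind this scenario concrete, here is an added example that is not InTrust rule code and does not reproduce the predefined rule: it shows the logic such a rule has to apply, namely keep only Windows Security event 4720 (A user account was created) and raise an alert when the subject that performed the creation is not on an allow-list of authorized personnel. The domain name, the allow-list, the function names and the sample records are constructed for the example.

```powershell
# Added example, not InTrust code. Detection logic for "user account created by
# unauthorized personnel", run over constructed sample records.

$DomainName         = 'CORP'                                           # assumption
$AuthorizedCreators = @('CORP\svc-provisioning', 'CORP\iam-admin')     # assumption

# Constructed records standing in for Security-log events (field names follow
# the EventData fields of event 4720).
$SampleEvents = @(
    [pscustomobject]@{ Id = 4720; TimeCreated = '2024-03-01T09:12:00Z'; SubjectDomainName = 'CORP';      SubjectUserName = 'svc-provisioning'; TargetDomainName = 'CORP';      TargetUserName = 'jdoe' }
    [pscustomobject]@{ Id = 4720; TimeCreated = '2024-03-01T09:40:00Z'; SubjectDomainName = 'CORP';      SubjectUserName = 'bsmith';           TargetDomainName = 'CORP';      TargetUserName = 'svc-backup2' }
    [pscustomobject]@{ Id = 4720; TimeCreated = '2024-03-01T10:05:00Z'; SubjectDomainName = 'FILESRV01'; SubjectUserName = 'Administrator';    TargetDomainName = 'FILESRV01'; TargetUserName = 'temp' }
    [pscustomobject]@{ Id = 4624; TimeCreated = '2024-03-01T10:06:00Z'; SubjectDomainName = 'CORP';      SubjectUserName = 'bsmith';           TargetDomainName = '';          TargetUserName = '' }
)

function Find-UnauthorizedAccountCreation {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string[]]$Authorized,
        [string]$Domain = $DomainName
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4720) { continue }                          # rule scope: account creation only
        $creator = '{0}\{1}' -f $e.SubjectDomainName, $e.SubjectUserName
        if ($Authorized -contains $creator) { continue }          # -contains is case-insensitive
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Creator    = $creator
            NewAccount = '{0}\{1}' -f $e.TargetDomainName, $e.TargetUserName
            # A local account (target domain is a computer, not the AD domain)
            # bypasses domain provisioning controls and deserves a closer look.
            LocalAccount = ($e.TargetDomainName -ne $Domain)
        }
    }
}

# Converts live Security-log events into the same shape as the sample records,
# reading the named EventData fields from the event XML.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $o = [ordered]@{ Id = $Event.Id; TimeCreated = $Event.TimeCreated }
        foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

# Expected: two alerts (bsmith creating svc-backup2; FILESRV01\Administrator
# creating the local account temp); the provisioning account and the 4624
# logon event are ignored.
Find-UnauthorizedAccountCreation -Events $SampleEvents -Authorized $AuthorizedCreators | Format-Table
```

On a live system, feed real events through the converter instead of the sample records, for example `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } | ConvertFrom-SecurityEvent`, and pipe the result into the same function. Whatever produces the alert, the InTrust policy still decides who is notified (E-mail or Event Log recipients) and who may view and resolve it (Alert Security).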
To create your own InTrust object (site, rule, policy and so on), copy the corresponding InTrust predefined object and edit this object according to your specific needs. InTrust treats all sites, rules and policies the same whether they are predefined or user-defined.