Chatee ahora con Soporte
Chat con el soporte

InTrust 11.4.1 - Preparing for Gathering Audit Collection Services Data

Access to Operations Manager Server

An account under which site computers (Operations Manager servers) will be accessed is either specified explicitly in the site’s settings (Advanced tab), or inherited from the site, job, task, or InTrust server, as described in this section. To access Operations Manager servers, this account requires the following:

  • Access this computer from the network right must be granted.
  • Deny access to this computer from network right must be disabled.
  • Read access to the HKEY_LOCAL_MACHINE\Services\AdtServer\Parameters and HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI registry entries of the computer hosting the Operations Manager server.
  • Read access to the EventSchema.xml (path to this location is stored in the EventSchema registry value at HKEY_LOCAL_MACHINE\Services\AdtServer\Parameters).

All available accounts are listed below in order of usage priority (inheritance order). If an account with higher priority is not specified in the corresponding entity’s properties, then the account with lower priority that follows will be used:

Usage Priority Account

Where the Account Is Set

1 Account intended for connection to Operations Manager server

On the Accounts tab of the data source-related site properties (site’s Advanced Settings | data source properties | Accounts)

2 Account used for site objects access

On the Accounts tab of the site properties (if the site is processed without agents)

3 Account specified for site-processing job

In the job properties

4 Account specified for the task containing site-processing job

In the task properties

5 Account used for InTrust Server operation (if gathering without agents) or for agent operation (if gathering with agents) During the setup. The account for the currently-running agent can be changed in the Quest InTrust Agent service properties.

Access to the ACS Database

The ACS database will be accessed using the account from those listed below (also listed in descending priority order).

Usage Priority Account

Where the Account Is Set

1 Account intended for ACS database connection On the Accounts tab of the data source-related site properties (site’s Advanced Settings | data source properties | Accounts)
2 Account used for connection to Operations Manager server On the Accounts tab of the data source-related properties (site’s Advanced Settings | data source properties | Accounts)
3 Account used for site objects access

On the Accounts tab of the site properties (if the site is processed without agents)

4 Account specified for site-processing job

In the job properties

5 Account specified for the task containing site-processing job

In the task properties

6 Account used for InTrust Server operation (if gathering without agents) or for agent operation (if gathering with agents)

During the setup. The account for the currently-running agent can be changed in the Quest InTrust Agent service properties.

 

Gathering with and without Agents

Usually audit trails are collected using agents. You can install an InTrust agent to a dedicated computer (recommended) or to the Operations Manager server. In some cases you may need to gather event data without agents. Each option is described below.

To use an agent on a dedicated computer

  1. In InTrust Manager, open the All OpsManager ACS Servers in the domain site properties.
  2. Open the Advanced Settings tab, select the Microsoft OpsManager ACS events, and click Add.
  3. Select Microsoft OpsManager ACS events from the list, and click Edit.
  4. In the dialog displayed, open the Agent tab.
  5. Select the Use the specified InTrust agent option, and enter the agent location.
  6. Click OK to save the settings and close the dialog.
  7. In the site properties, open the General tab and clear the Prohibit automatic agent deployment on site computers check box (to allow for agent installation).
  8. In the gathering job properties, open the Gathering tab, and select the Use agents to execute this job on target computers check box.
  9. Commit the changes.

Caution: For data to be collected using an InTrust agent on a dedicated computer, the Operations Manager console must be installed on that computer. Make sure that the console is the same version as the Operations Manager console running on your Operations Manager server.

When the gathering job starts, InTrust agents will be automatically deployed on the specified computers.

To use an agent on the Operations Manager server

  1. In InTrust Manager, select the gathering job that will collect ACS data.
  2. On the Gathering tab of the job properties, select the Use agents to execute this job on target computers check box.
  3. Select the All OpsManager ACS Servers in the domain site, open the Advanced Settings tab, select the Microsoft OpsManager ACS events, and click Add.
  4. Select Microsoft OpsManager ACS events from the list, and click Edit.
  5. In the dialog displayed, open the Agent tab, and select Use the agent installed on the OpsManager server option.
  6. From site’s shortcut menu, select Install Agents (to install agents on Operations Manager servers right away)
  7. To prevent superfluous agent installation, open the site properties, go to the General tab and select the Prohibit automatic agent deployment on site computers check box.

To gather data without agents

  1. In the site properties, select the Prohibit automatic agent deployment on site computers check box.
  2. In the gathering job properties, on the Gathering tab, clear the Use agents to execute this job on target computers check box.

Caution: If you plan to collect data without using InTrust agents, then the Operations Manager console must be installed on the computer hosting the InTrust Server. Make sure that the console is the same version as the Operations Manager console running on your Operations Manager server.

Running Reports

To enrich native reporting with reports on consolidated data collected by InTrust, a special Report Pack for the Operations Manager console (named Quest InTrust for ACS Reports) is provided with the Quest solution. It offers ten predefined reports on various aspects of network security, including user and computer management, file and object access, and user and administrator activity, along with a special report that helps you discover the InTrust for ACS management pack deployment status.

This Report Pack should be deployed on the Microsoft SQL Server Reporting Services (SSRS) that is used to run the Operations Manager console.

To install the Report Pack

  1. Run the Report Pack setup (launch IT_ACS4SCOM.*.*.*.msi from the Add-ins\ACS Add-ins folder in your InTrust distribution).
  2. Specify your name and organization.
  3. Specify the URL of the Report Server (web service) where Operations Manager console runs, for example:
    http://My_SQL_Srv/ReportServer
    -or-
    https://My_SQL_Srv/ReportServer
  4. On the Configure Data Sources step, make sure the data source is associated with InTrust Audit database where events from ACS are stored. (If you want to re-configure the data source later, you can use SSRS Report Manager.)
  5. Complete the wizard.

Note: Some reports may create temporary tables in the data source. To clean them up, a special job is created and scheduled during Report Pack setup. For the Temporary Tables Cleanup job schedule to be applied, make sure the SQL Server Agent is running. If not, start the Agent, and then use data source’s properties in SSRS Report Manager to schedule the cleanup.

After the setup is complete, you can open the Operations Manager console and go to the Reporting tab. Select the Quest InTrust for ACS Reports node in the tree to see the newly installed reports. To generate a report, select it and click Open from the shortcut menu, or use the toolbar button.

Documentos relacionados