To ensure the integrity of event data from the specified data source, you can create agent-side log backup. This will help you to protect data from losses that may occur due to accidental or malicious log cleanup on the target machine. Log backup can be created for the most frequently used data sources (for example, Windows Event logs).
Agent-side log backup uses a compression method similar to that used in InTrust repositories. On average, the contents of the event cache are compressed to 1/15th their original size.
Agent-side cache is always used to process data from monitoring-only data sources. For the data sources used in both gathering and monitoring processes, you can select whether to create agent-side log backup.
Agent-side log backup is unavailable for gathering-only data sources, for example, MS ISA Server logs and MS Proxy Server logs.
|
TIP: By default, the agent-side log backup feature is disabled but it is recommended to enable this option. This mismatch between the default and recommended setting value arises due to specificity of the InTrust task execution. |
To configure agent-side log backup
|
Caution: After you enable agent-side log backup, the log will be cleared the next time it is gathered. Subsequent gathering sessions do not clear the log. |
|
Important: Agent-side log backup will be created only if both of the following are true:
|
To set the log backup retention period
Each type of InTrust job has a number of settings, both general and job type-specific. They general settings are available on the General tab of the job’s properties, and specify the following:
So, to make your job available for execution, you must supply the job name and enable the job.
On the Deadline tab of the job’s properties, you can provide an optional deadline value for a job. The deadline is the period of time that will pass before the job is started.
The countdown starts in the following situations:
When the specified time runs out, this setting launches the next job or jobs without terminating the job in progress.
A deadline can be specified for any job in the task, unless it is the job that starts the task or one of such task-starting jobs running simultaneously.
|
Note: Turning on the deadline and specifying zero values for days, hours and minutes is the same as turning the deadline off. |
See the following topics for details about the specific job types:
A gathering job collects audit data to a repository and/or audit database.
To configure a gathering job
|
Caution: Do not configure gathering jobs to collect events to repositories that are used for real-time gathering in InTrust Deployment Manager. |
Gathering to a database always starts with events that follow the last gathered event. Thus, if you have gathered data for a certain period of time using a certain filter, then you cannot gather data for the same period of time using a different filter.
When gathering to a repository, you always store events as specified by the filters you use. Duplicate events are also stored.
Events from the data sources of Microsoft Windows Events type (such as Windows Application log) have standard descriptions. If you are gathering these events to a repository, event descriptions are collected automatically. If you are gathering events to an audit database and you need to store these descriptions, take the following steps:
Data can be gathered with or without agents. To decide whether or not to use agents, consider the following:
To automatically install agents to all site computers in bulk, from site's shortcut menu, select Install Agents. Note that this is possible only in the Windows environment, on computers that are on the same side of a firewall.
For detailed description of manual agent installation, see Installing Agents Manually.
You can automate the installation of agents using Group Policy settings. InTrust is shipped with a Windows Installer file containing the agent package.
To automatically install agents on specific computers using Group Policy
To prohibit automatic agent installation on site computers
To gather audit data with agents
You can enable agent-server authentication using SRP and agent-side data encryption using 3DES.
To enable agent-server authentication and agent-side data encryption
A consolidation job copies audit data from one repository to another.
When you create or modify a consolidation job, you need to select the following:
You can consolidate audit data from a repository that is located on an InTrust server behind a firewall. To do it, first find out the local repository path on the InTrust server behind the firewall and the password of the InTrust organization behind the firewall. Then take the following steps:
|
Caution: The path you specify is not verified. The repository object you created on step 1 is just a representation of the source repository. The actual repository will be found as long as the path is correct. |
Now, you can configure job dependencies in the task and use the task as necessary.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center