An import job copies audit data from an InTrust repository to an audit database; then InTrust reporting will be able to use this data for reports generation.
Although import jobs are part of the task-based gathering workflow, they work equally well with repository data gathered using real-time collection. The only difference is that real-time collection doesn't commit all of the data immediately, and periodic merge operations are required for the data to become available for import. For details about real-time event collection, see the Collecting Events in Real Time topic.
When you create or modify an import job, you need to select the following:
You can select whether events imported during previous gathering sessions will be imported again during a session that is going to take place. For that:
When you are importing events from the data source of Microsoft Windows Events type, you may need to retain their standard descriptions. For that, select this data source from Configuration | Data Sources, open its properties, click the Microsoft Windows Events tab, and select Store event descriptions to database.
A reporting job adds reporting capabilities to the InTrust workflow by using the Reporting Services feature of Microsoft SQL Server.
Reporting jobs are normally run after import or gathering jobs and prepare reports based on the newly-gathered data.
To generate a report, InTrust connects to the Reporting Web service on the SQL server. The actual report generation process takes place on the reporting server.
To configure the reporting job, specify the following:
To modify the default URLs related to reporting jobs
The reporting server's Web service URL is first specified during InTrust setup. Although setup verifies it, you can select to proceed without a valid URL. If InTrust was installed like that, no default value is suggested in InTrust Manager, and you must supply the URL explicitly, for example, when creating a reporting job with New Job Wizard:
By default, the Web service URL is formed as follows:
http://<SQL_server_name>/reportserver
If you want to connect to a SQL server instance, then the URL may be formed differently. In a default configuration, it is constructed as follows:
http://<SQL_server_name>/reportserver$<SQL_server_instance_name>
|
Notes:
|
Contact your SQL Server administrator for the correct Web service URL.
When you create a reporting job, on the Reporting Server and InTrust Database step of the wizard, you can select the source from which data for reports should be taken:
The following options are available:
|
Caution: For this option to take effect properly, you should check the corresponding report properties (Data Sources property) and verify that the data source is properly associated with the desired InTrust database. |
If you need to report on data that is currently stored in an InTrust repository but not in the database, you should instruct InTrust to import missing data from the repository. For example, when creating a new job, on the Import Missing Data step, select Import objects from the following repository option, and select the source repository.
You can instruct InTrust to cut off unnecessary events during import by configuring filters. For that, on the Reports step of the wizard, select a report from the list and click Filters. During data import, the following two filters can be applied: DateRange and Select Computers (if applicable). Select the filter and edit the filter value.
|
Note: Other filters configured for the report will be applied during report generation. |
The default location for compiled reports is initially specified during InTrust installation. You can specify new defaults or use individual settings for each job.
Reporting Services configuration includes the following timeout settings for reports that take too long to generate:
Option |
Default Value |
Configured Where |
---|---|---|
Report timeout |
1800 seconds |
In the administration page for a Reporting Services site, on the General tab. You can set a custom value or disable the timeout altogether. |
HTTP timeout |
9000 seconds |
In the Web.config file on the report server. This option has no UI representation. For details about changing it, see the procedure below. |
If report generation times out for the reports you configure in your reporting job, consider changing the timeout settings.
To change the HTTP timeout
Like any other job, a reporting job runs under the account it inherits from the task or the account that is set specifically for the job. However, to function properly, reporting requires more security settings than that.
To successfully create a reporting job, use an account that can read report definitions on the reporting server. Otherwise, you will not get the list of reports to select from.
The account you use to run InTrust Manager must have a role that enables read access to report definitions on the reporting server. The “Browser” role, which is a standard role in Reporting Services, has sufficient privileges.
When you create a reporting job using the New Job Wizard, you specify the location of Reporting Services and the database to be used as the Reporting Services data source.
The Credentials button lets you set the credentials that Reporting Services will use to connect to the database. You have the following choices as regards the credentials:
Option |
Meaning and use |
---|---|
Windows authentication (using job account) |
Specifies that the Reporting Services will connect to the specified database using the credentials of the account that the job is running under. This authentication method is always used if you select to Import objects from the repository (that is, use the report-driven data import feature). This option is the best choice if Reporting Services and SQL Server with the specified database are deployed on the same computer. If they are deployed on different computers but you still want to use this option, enable delegation for the computer that runs Reporting Services. For that, take the following steps:
|
Windows authentication |
Lets you explicitly specify the credentials. Use this option if Reporting Services and the database reside on different computers. For secure transfer of these credentials, make sure Reporting Services communicate through the HTTPS protocol. An alternative to this option is to use the first option combined with delegation, as described above. |
SQL Server authentication | Specifies that SQL Server-specific credentials are used. For secure transfer of these credentials, make sure Reporting Services communicate through the HTTPS protocol. |
InTrust reporting uses the audit trails stored in the audit database. Typically, this database keeps information for the last 2–4 weeks (recommended retention period). However, an InTrust administrator may want to create a certain report, for example, on suspicious logons over 3 months. Data for this period is usually kept in the repository and has to be imported into the audit database for analysis and reporting. However, to report on the events you need, you do not necessarily have to create a chain of import and reporting jobs but configure the reporting job to import the necessary data from the specified repository right before report generation. To use this feature, you can do the following:
So, whenever you need to report on events logged 3 months or a year ago, configure your reporting job like this, and all data required to generate the reports will be imported automatically.
|
Note: When you specify a value for time period when configuring filters for a job that uses report-driven data import, time will be always treated as Local time (even if Use GMT time option was selected in the reporting job properties). |
If you need to run such a reporting job periodically, you can schedule the task that contains this job. If you need to run it once, disable the job once the task session is complete. Importing and reporting operation details are written to the corresponding tasks' session logs and can be examined under the Workflow | Sessions node in InTrust Manager.
The following accounts are used during the reporting job that has data import enabled:
Access credentials and the authentication method for database access during import and reporting are specified on the Reporting tab of the job properties, where you should click Credentials to open the Credentials Settings dialog box.
Requirements for each account are listed in the table below. Some of these accounts may coincide depending on the authentication method you select, so refer to the next section to assign sufficient access rights to proper accounts.
Account | Requirements |
Notes |
---|---|---|
Reporting job account |
|
|
Import job account |
|
If a specific account for repository access is specified in repository properties, then the import job account can be assigned local administrative rights on the computer where the repository is located (instead of Read permission). |
Database connection account |
|
After you click Credentials on the Reporting tab of the job properties, three authentication options are available to you:
If you are using report-driven data import in your reporting job, the available authentication methods will depend on the database you select to get data from:
If you select Windows authentication (using job account), then the job will use a single account for all operations. That means the database and repository will be accessed using the account that the reporting job runs under.
|
Caution: In case SQL Server and Knowledge Portal are installed separately from InTrust Server, take the steps described below to make Integrated Windows Authentication work properly. |
To make Integrated Windows authentication work properly
If you select Windows authentication, then you should specify credentials explicitly. They will be used to access the repository and the database.
If you select SQL Server authentication, credentials must be also specified explicitly in the Credentials Settings dialog box. This account will be used to connect to the audit database.
A notification job sends net send or email messages to selected recipients, notifying them of the results of the task.
Before configuring a notification job that uses email notification, make sure the selected InTrust server is associated with an SMTP server. Open the job processing server’s properties dialog box, click the Notification Parameters tab, and specify the SMTP server.
To configure a notification job, select the following:
Messages are based on notification templates. Use notification templates to make InTrust notification messages informative by including data gathered from the network. Such messages are a faster means of notification than reports.
To create a notification template
To insert data in the message subject or body, you should use variable names delimited by two “%” signs. These variable names are substituted with values retrieved from a database. The rest of the message text that you specify is left unchanged.
The text between the delimiting “%” signs must match the name of a column in the record set returned by the SQL server when a database is queried. For example:
The event from %Source% occurred at %Time%.
would be resolved like this in the message:
The event from IISLog occurred at 13:51:00.
|
Note: To be able to send net send messages, make sure that the Messenger service is running on the InTrust server and the target recipient's computer. By default, this service is disabled. |
During template configuration, you can provide the following two SQL queries:
Type these queries after specifying the subject and body of the template.
The two queries described are executed separately, and do not analyze the results of one another. However, notification depends greatly on what queries are specified. The following four situations are possible:
What is specified |
What happens |
---|---|
Both queries | Notification takes place if the condition provided with the evaluation query is true. Data for the notification message is retrieved from the record set returned by the notification query. |
Neither query | Notification takes place unconditionally. The notification message cannot contain any data from any database. Such a message is a fixed body of text. |
Only the evaluation query |
Notification takes place if the condition provided with the evaluation query is true. The notification message is a fixed body of text and cannot contain any data from any database. |
Only the notification query | Notification takes place unconditionally. Data for the notification message is retrieved from the record set returned by the notification query. |
There are two kinds of cleanup job that involve clearing audit data:
When configuring any of them, you need to select:
If necessary, you can also provide a date and time range filter for obsolete audit data.
You can schedule a cleanup job in a separate task rather than perform it each time you gather audit data. For example, a job that clears data older than a month should be scheduled to run monthly.
Note that though the gathered data is cleared, information about the gathering session is still kept. The next time a gathering job is started, InTrust collects data that has been written to audit trails since the last gathering session.
The repository may contain too long directory or file names. Make sure that your operating system supports long file names. Otherwise, use the special utilities to work with these names or delete a repository from disk. To delete a repository, use the ITRepositoryRemover.exe command-line utility, as described in the Removing Repositories topic.
© ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center