Results that are older than or outside the specified time frame may be returned. Other filter criteria appear to work as expected.
If the InTrust agent is terminated unexpectedly, it will attempt to find its last gathered event position in the log (otherwise, the beginning of the log).
Depending on the events collected into a single rep file, InTrust will derive that all events in the rep file match the time filter, even when some events may be outside the specified time frame. This is a defect in the search algorithm/optimization used for returning events.
This result is more likely to occur on an event log that is low volume and covers a wide time span (the Application log, for example).
WORKAROUND
None.
STATUS
Issue will be resolved in InTrust 11.3.