Event Tracing for Windows (ETW) is a system diagnostics and performance measurement infrastructure. For details about the technology, see Event Tracing.
Windows event traces can usefully complement event log based auditing and give much deeper insight into the circumstances of a security incident.
However, unlike event logs, traces are not suitable for continuous capture and storage. Tracing does not work well as an "always-on" auditing facility because of the overwhelming volume of loosely structured data it generates. It is best used when a particular incident has occurred or is suspected: tracing is turned on specifically to gather as much relevant information as possible about the circumstances, and then turned off again.
To make ETW part of the InTrust auditing workflow, install the ETW Add-on preview for InTrust. The add-on brings the Event Tracing for Windows data source type that represents event traces and enables InTrust to treat them as logs. It also adds a predefined data source of this type, called "Microsoft ETW Log".
The Event Tracing for Windows data source type installed by the add-on works as a collection of data providers, each of which captures a particular category of event traces. The following are some of the activities for which providers are available:
It's up to you how many data sources of the Event Tracing for Windows type you create and how you organize the providers in them.
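The incident-scoped workflow described above (turn a narrowly chosen provider on, capture for a bounded period, turn it off, then review the result) can be tried with the tools that ship in Windows before the trace is handed to InTrust. The following PowerShell script is an added example and is not InTrust, Quest or add-on code. The session name, output path, duration, size cap and the choice of the built-in Microsoft-Windows-Kernel-Process provider are assumptions for illustration; the keyword mask 0x10 is assumed to select that provider's process events and should be confirmed with logman query providers. Run it from an elevated prompt.

```powershell
# Added example, not part of the InTrust ETW Add-on. Requires an elevated prompt.
$session  = 'IR-Process-Trace'                  # assumed session name
$etl      = 'C:\Temp\ir-process-trace.etl'      # assumed output path
$provider = 'Microsoft-Windows-Kernel-Process'  # built-in provider: process, thread, image events
$keywords = '0x10'                              # assumed: process-event keyword of this provider
$level    = '5'                                 # verbose
$minutes  = 5                                   # bounded capture window
$maxMB    = 256                                 # hard cap on the ETL file, so a forgotten session cannot fill the disk

# Confirm the provider and its keywords before tracing (check, not capture)
logman query providers $provider

# Start a trace session directly (-ets) that writes to the ETL file, limited to the chosen keywords and level
logman start $session -p $provider $keywords $level -o $etl -max $maxMB -ets | Out-Null

try {
    # Capture only for the agreed window
    Start-Sleep -Seconds ($minutes * 60)
}
finally {
    # Always stop the session, even if the script is interrupted: tracing is not meant to stay on
    logman stop $session -ets | Out-Null
}

# Review what was captured; -Oldest is required when reading an .etl file
Get-WinEvent -Path $etl -Oldest |
    Select-Object -First 20 TimeCreated, Id, ProviderName, Message
```

The try/finally and the -max cap are the two safeguards a practitioner wants around an on-demand trace: the session is guaranteed to be stopped, and the file cannot grow without bound while it runs. The resulting .etl file is the kind of trace the add-on's Event Tracing for Windows data source is meant to ingest.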
Install the add-on on any InTrust 11.4.1 server in your organization, with or without Update 1 installed. Take the following steps on that server:
1. From the InTrust_11.4.1_Update_20200703.zip archive, unpack the QuestInTrust1141Update20200703.exe file.
2. Close the following applications if any of them are running: InTrust Manager, InTrust Deployment Manager, Repository Viewer.
3. Run the QuestInTrust1141Update20200703.exe file and complete the setup.
While the ETW Add-on is in Technical Preview, support is provided through the InTrust Community Forum. Post any questions, issues, comments or product improvement suggestions there: https://www.quest.com/community/quest/intrust/
The ETW Add-on release package and documentation are attached.