This information applies to InTrust starting with version 11.4.1 Update 1. The update introduced the Event Log notification type and the Event Log Recipient object. They were added as a way to represent InTrust rule matches by Windows events, written to the InTrust event log as event ID 17408.

In the default configuration, the Event Log notification type is not specified in any rules and has to be selected manually for each individual rule. To avoid this tedious work, you can use the NotifyThroughEventLog.exe utility. It adds Event Log as a notification option to all existing rules and makes it active.

Download the NotifyThroughEventLog.exe utility to any InTrust server in your organization and run it in the command prompt. It doesn't matter which InTrust server you choose. The utility will ask for confirmation before it makes the configuration changes. If you want detailed information about the progress of the operation, supply the -v or --verbose parameter on the command line.

Mind the Real-Time Monitoring Policies

For the logging to work, don’t forget to enable Event Log Recipient in the properties of the policies that apply your rules to sites.

For details, see:

·         Configuring Notification Groups and Recipients (http://support.quest.com/technical-documents/intrust/11.4.1/deployment-guide/intrust-configuration/configuring-notification-groups-and-recipients)

·         Understanding Real-Time Monitoring Policies  (http://support.quest.com/technical-documents/intrust/11.4.1/real-time-monitoring-guide/understanding-real-time-monitoring-policies)

Download

Download NotifyThroughEventLog.exe from attachments section

Known Issue

IN-11726

If you run the NotifyThroughEventLog.exe utility on a computer that is not an InTrust server, you get a Windows Visual C++ Runtime error instead of a message that InTrust Server is required.