This example describes how you can transfer data from an InTrust audit database to an InTrust repository. InTrust does not provide a job type that does this. However, you may want to move data from a database to a repository in some situations.
The following information is not gathered in this example:
To transfer data from an InTrust audit database to an InTrust repository
```sql
-- One row per Security event, with the event's first 50 insertion strings
-- pivoted into columns S1..S50 and its description joined in.
select
    e.ID, e.SessionID, e.VersionMajor, e.VersionMinor,
    e.Computer, e.UserName, e.UserDomain, e.EventType, e.Source, e.EventID, e.Category, e.GMT, e.LocalTime,
    s.S1, s.S2, s.S3, s.S4, s.S5, s.S6, s.S7, s.S8, s.S9, s.S10,
    s.S11, s.S12, s.S13, s.S14, s.S15, s.S16, s.S17, s.S18, s.S19, s.S20,
    s.S21, s.S22, s.S23, s.S24, s.S25, s.S26, s.S27, s.S28, s.S29, s.S30,
    s.S31, s.S32, s.S33, s.S34, s.S35, s.S36, s.S37, s.S38, s.S39, s.S40,
    s.S41, s.S42, s.S43, s.S44, s.S45, s.S46, s.S47, s.S48, s.S49, s.S50,
    isnull(d.Description, '') Description
from
    Events e
    inner join
    (
        -- Pivot: EventsStrings holds one row per (event, StringIndex); collapse
        -- the first 50 of them into one row with columns S1..S50.
        select
            e.ID,
            e.SessionID,
            max(case s.StringIndex when 1 then s.StringValue else null end) S1,
            max(case s.StringIndex when 2 then s.StringValue else null end) S2,
            max(case s.StringIndex when 3 then s.StringValue else null end) S3,
            max(case s.StringIndex when 4 then s.StringValue else null end) S4,
            max(case s.StringIndex when 5 then s.StringValue else null end) S5,
            max(case s.StringIndex when 6 then s.StringValue else null end) S6,
            max(case s.StringIndex when 7 then s.StringValue else null end) S7,
            max(case s.StringIndex when 8 then s.StringValue else null end) S8,
            max(case s.StringIndex when 9 then s.StringValue else null end) S9,
            max(case s.StringIndex when 10 then s.StringValue else null end) S10,
            max(case s.StringIndex when 11 then s.StringValue else null end) S11,
            max(case s.StringIndex when 12 then s.StringValue else null end) S12,
            max(case s.StringIndex when 13 then s.StringValue else null end) S13,
            max(case s.StringIndex when 14 then s.StringValue else null end) S14,
            max(case s.StringIndex when 15 then s.StringValue else null end) S15,
            max(case s.StringIndex when 16 then s.StringValue else null end) S16,
            max(case s.StringIndex when 17 then s.StringValue else null end) S17,
            max(case s.StringIndex when 18 then s.StringValue else null end) S18,
            max(case s.StringIndex when 19 then s.StringValue else null end) S19,
            max(case s.StringIndex when 20 then s.StringValue else null end) S20,
            max(case s.StringIndex when 21 then s.StringValue else null end) S21,
            max(case s.StringIndex when 22 then s.StringValue else null end) S22,
            max(case s.StringIndex when 23 then s.StringValue else null end) S23,
            max(case s.StringIndex when 24 then s.StringValue else null end) S24,
            max(case s.StringIndex when 25 then s.StringValue else null end) S25,
            max(case s.StringIndex when 26 then s.StringValue else null end) S26,
            max(case s.StringIndex when 27 then s.StringValue else null end) S27,
            max(case s.StringIndex when 28 then s.StringValue else null end) S28,
            max(case s.StringIndex when 29 then s.StringValue else null end) S29,
            max(case s.StringIndex when 30 then s.StringValue else null end) S30,
            max(case s.StringIndex when 31 then s.StringValue else null end) S31,
            max(case s.StringIndex when 32 then s.StringValue else null end) S32,
            max(case s.StringIndex when 33 then s.StringValue else null end) S33,
            max(case s.StringIndex when 34 then s.StringValue else null end) S34,
            max(case s.StringIndex when 35 then s.StringValue else null end) S35,
            max(case s.StringIndex when 36 then s.StringValue else null end) S36,
            max(case s.StringIndex when 37 then s.StringValue else null end) S37,
            max(case s.StringIndex when 38 then s.StringValue else null end) S38,
            max(case s.StringIndex when 39 then s.StringValue else null end) S39,
            max(case s.StringIndex when 40 then s.StringValue else null end) S40,
            max(case s.StringIndex when 41 then s.StringValue else null end) S41,
            max(case s.StringIndex when 42 then s.StringValue else null end) S42,
            max(case s.StringIndex when 43 then s.StringValue else null end) S43,
            max(case s.StringIndex when 44 then s.StringValue else null end) S44,
            max(case s.StringIndex when 45 then s.StringValue else null end) S45,
            max(case s.StringIndex when 46 then s.StringValue else null end) S46,
            max(case s.StringIndex when 47 then s.StringValue else null end) S47,
            max(case s.StringIndex when 48 then s.StringValue else null end) S48,
            max(case s.StringIndex when 49 then s.StringValue else null end) S49,
            max(case s.StringIndex when 50 then s.StringValue else null end) S50
        from
            Events e
            left join EventsStrings s on s.SessionID = e.SessionID and s.EventID = e.ID and s.StringIndex <= 50
        group by
            e.ID,
            e.SessionID
    ) s
    on s.SessionID = e.SessionID and s.ID = e.ID
    left join EventsDescriptions d on d.SessionID = e.SessionID and d.EventID = e.ID
-- %LAST_GATHERED_EVENT% is an InTrust placeholder that is substituted at gathering
-- time, so each run picks up only events newer than the previous run.
where EVENTLOG = 'Security' and GMT >= %LAST_GATHERED_EVENT%
order by GMT
```
The External Events data source type is not represented by any predefined data sources. It is different from other data source types in that it generates event records with fields that you define and hands them over to the InTrust agent to process.
Data sources of this type are represented by a command-line utility on the agent side and an InTrust data source object on the InTrust server side.
This command-line utility submits special events to the InTrust agent running on the same computer. The agent stores the events in its backup cache. From there, the events can be captured by the gathering or real-time monitoring engine.
To create an External Events data source
For details about External Events data source settings, see the Configuring Data Sources topic in the InTrust Auditing Guide.
InTrust provides an additional option to create a custom data source using the Script Event Provider.
This functionality lets you create a script that runs at a preset frequency. When the conditions specified in the script are met, the script generates events and passes them to the InTrust agent. The agent stores the events in its backup cache; from there, they can be captured by the gathering or real-time monitoring engine.
In the script, you specify what information the generated events contain, how that information is ordered within each event, and what conditions must hold for an event to be generated.
To create a custom data source with Script Event Provider
Letter | Date or Time Component | Examples |
---|---|---|
G | Era designator | AD |
y | Year | 1996; 96 |
M | Month in year | July; Jul; 07 |
w | Week in year | 27 |
W | Week in month | 2 |
D | Day in year | 189 |
d | Day in month | 10 |
F | Day of week in month | 2 |
E | Day in week | Tuesday; Tue |
a | A.M./P.M. marker | PM |
H | Hour in day (0-23) | 0 |
k | Hour in day (1-24) | 24 |
K | Hour in A.M./P.M. (0-11) | 0 |
h | Hour in A.M./P.M. (1-12) | 12 |
m | Minute in hour | 30 |
s | Second in minute | 55 |
S | Millisecond | 978 |
Z | RFC 822 time zone | -0800 |
t | Second in POSIX time | 1095379198 |
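The following formatter is an added example, not InTrust's own code, that applies the letter-to-component mapping from the table above so the differences between the look-alike letters (H/k/K/h, D/d/F, w/W) can be checked on a concrete timestamp. The page does not say how letter runs, names or week numbering are resolved, so these conventions are assumptions: numeric fields are zero-padded to the length of the letter run, `M` and `E` switch to abbreviated names at three letters and full names at four or more, `w` is the ISO week number, `W` counts Monday-first weeks within the month, and text between single quotes is copied literally. The sample timestamp is constructed for the demonstration.

```python
"""Format a timestamp using the pattern letters from the table.

Added example, not InTrust's implementation. Assumed conventions (not on
the page): run length = zero-padding width; 'M'/'E' give names at runs
of 3+ letters; 'w' is the ISO week; 'W' uses Monday-first weeks; text in
single quotes is literal and '' is a literal quote.
"""
import calendar
from datetime import datetime, timedelta, timezone

# Numeric components; each returns an int that is padded to the run length.
NUMERIC = {
    "y": lambda dt: dt.year,
    "M": lambda dt: dt.month,
    "w": lambda dt: dt.isocalendar()[1],                        # assumed: ISO week
    "W": lambda dt: (dt.day - 1 + dt.replace(day=1).weekday()) // 7 + 1,  # assumed: Monday-first
    "D": lambda dt: dt.timetuple().tm_yday,
    "d": lambda dt: dt.day,
    "F": lambda dt: (dt.day - 1) // 7 + 1,                      # 2 = second <weekday> of the month
    "H": lambda dt: dt.hour,                                    # 0-23
    "k": lambda dt: dt.hour or 24,                              # 1-24: midnight is 24
    "K": lambda dt: dt.hour % 12,                               # 0-11
    "h": lambda dt: dt.hour % 12 or 12,                         # 1-12: midnight and noon are 12
    "m": lambda dt: dt.minute,
    "s": lambda dt: dt.second,
    "S": lambda dt: dt.microsecond // 1000,
    "t": lambda dt: int(dt.timestamp()),                        # seconds since the POSIX epoch
}


def _field(letter: str, run: int, dt: datetime) -> str:
    """Render one run of identical pattern letters."""
    if letter == "G":
        return "AD"                 # datetime only covers years 1..9999, all in the AD era
    if letter == "a":
        return "PM" if dt.hour >= 12 else "AM"
    if letter == "Z":
        return dt.strftime("%z")    # RFC 822 offset, e.g. -0800
    if letter == "E":
        name = calendar.day_name[dt.weekday()]
        return name if run >= 4 else name[:3]
    if letter == "M" and run >= 3:
        name = calendar.month_name[dt.month]
        return name if run >= 4 else name[:3]
    if letter == "y" and run == 2:
        return f"{dt.year % 100:02d}"
    if letter in NUMERIC:
        return f"{NUMERIC[letter](dt):0{run}d}"
    raise ValueError(f"unknown pattern letter {letter!r}")


def format_pattern(dt: datetime, pattern: str) -> str:
    """Expand `pattern` for the timezone-aware datetime `dt`."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so 'Z' and 't' are unambiguous")
    out, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "'":
            if i + 1 < n and pattern[i + 1] == "'":     # '' outside quotes is a literal quote
                out.append("'")
                i += 2
                continue
            j = pattern.find("'", i + 1)                # copy quoted text verbatim
            if j == -1:
                raise ValueError("unterminated quote in pattern")
            out.append(pattern[i + 1:j])
            i = j + 1
        elif ch.isalpha():
            j = i
            while j < n and pattern[j] == ch:           # measure the run of this letter
                j += 1
            out.append(_field(ch, j - i, dt))
            i = j
        else:
            out.append(ch)                              # separators pass through
            i += 1
    return "".join(out)


# Constructed sample: 1996-07-10 12:30:55.978 at UTC-8 (a Wednesday), plus a midnight variant.
SAMPLE = datetime(1996, 7, 10, 12, 30, 55, 978000, tzinfo=timezone(timedelta(hours=-8)))
MIDNIGHT = SAMPLE.replace(hour=0, minute=5, second=0, microsecond=0)


def demo() -> dict:
    """Render the sample with patterns that exercise each group of letters."""
    return {
        "iso": format_pattern(SAMPLE, "yyyy-MM-dd HH:mm:ss.SSS Z"),
        "names": format_pattern(SAMPLE, "EEEE, MMMM d, yyyy 'at' h:mm a"),
        "weeks": format_pattern(SAMPLE, "w W D F"),
        "hours": format_pattern(SAMPLE, "H k K h yy MMM EEE"),
        "midnight": format_pattern(MIDNIGHT, "H k K h a"),
        "posix": format_pattern(SAMPLE, "t"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>9}: {value}")
```

The `hours` and `midnight` entries are the ones worth studying: at noon `H`, `k` and `h` all read 12 while `K` reads 0, and at midnight `H` reads 0, `k` reads 24, `K` reads 0 and `h` reads 12. Mixing these up in a custom data source's time format silently shifts every event by twelve hours in the repository.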