I need an example of how to set triggers in InTrust when someone accesses, modifies, copies or deletes a file using ITFA (InTrust Plug-in for File Access).
Below is an example of how to create a real-time rule. Steps 21 through 31 show how to add a filter so that the rule matches only .xls and .pdf files.
1. Open Intrust Manager.
2. Create a new rule group in Real-Time Rules (expand Real-Time Monitoring | right click on Rules and create a new group).
3. Right click on the new Rule group, and create a new rule.
4. Go through the New Rule Wizard. Pick "File Access: Quest File Access Audit log" as the Data Source.
5. In the Rule Template, select Single Event.
6. In the Event filter Filter Template, select File Access Audit: Quest File Access Audit log: custom filter.
7. In the Event filter Rule Template, select the parameters that you want to search for. (Note: event insertion strings are listed in Appendices B and C of the ITFA User's Guide.) For example, to catch accesses, modifications, copies or deletions of specified files or folders, I can filter on Event ID. You may need to customize this to what you want to look for. In my example, I'm just interested in occurrences of certain event IDs.
8. Finish creating the new Rule.
9. Right click the new rule and click Properties.
10. Check "Enabled" in the General tab.
11. Click the "Matching" tab, and select the "Event filter" and click "Edit".
12. Highlight "Event ID" and click Edit.
13. Select the event IDs from Appendix B in the ITFA User's Guide. In this example, choose 769, 1025, 1281, 1537, 1793, 2049, 770, 1026, 1282, 1538, 1794, 2050. Here we have 12 events listed.
14. Set the notification by clicking the Notifications tab and selecting Email or net send.
15. Click OK.
16. Create a new Real-Time policy by expanding "Real-Time Monitoring" | right click on "Policies" and create a new Policy.
17. Go through the wizard: add the site and the new rule you just created, check "Notify selected operators if a rule is triggered" and add the operators. Check Activate Policy and click Finish.
(Note: If you don't have an operator already created, create one in Configuration | Personnel | Operators.)
18. Make sure you click the blue check (commit) button.
19. Check the log file to see whether the agent on the ITFA agent machine was reinstalled. If so, the changes have taken effect. You should see a message like the following after the change has been made and committed.
20. Test by creating and deleting a file in the audited folder. Give it a little bit of time, then check the InTrust log file, which should show a "Real-time Monitoring" event under the "Operation" column.
21. Make sure the above works. Then right click on the rule and click on Properties as done in step 9.
22. Click "Matching" tab.
23. Click "Edit" Button.
24. Check "IS#7" then click "Edit" button.
25. Click "Add".
26. Add the following:
27. Click "OK".
28. Repeat steps 25-27 for each file extension (e.g. *pdf).
29. Click "OK" and "OK" to finish.
30. Click the blue check commit button.
31. Test by creating a file with a .xls extension in the audited folder (e.g. C:\DEMO).
The meanings of event id 769, 1025, 1281, 1537, 1793, 2049, 770, 1026, 1282, 1538, 1794 and 2050 are listed below and also described in Appendix B of the ITFA User manual.
"Appendix B: File Access Log Events
The following types of events are written to the File Access log.

EVENT ID   MEANING
1          InTrust Plug-in for File Access Service started
2          InTrust Plug-in for File Access Service stopped
3          InTrust Plug-in for File Access Service error
4          InTrust Plug-in for File Access Service configuration changed
257        User failed to access object remotely
769        User read file content remotely
1025       User wrote to file remotely
1281       User created object remotely
1537       User deleted object remotely
1793       User moved object remotely
2049       User renamed object remotely
2305       User changed the owner of object remotely
273        User changed object permissions remotely
258        User failed to access object locally
770        User read file locally
1026       User wrote to file locally
1282       User created object locally
1538       User deleted object locally
1794       User moved object locally
2050       User renamed object locally
2306       User changed the owner of object locally
274        User changed object permissions locally"
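As an added example (not part of the original answer and not InTrust's own code), here is the matching logic of the rule above modelled in Python and run over constructed File Access records, so the effect of the event-ID set and the IS#7 extension patterns can be checked before the rule is committed. It assumes that IS#7 carries the object path and approximates the InTrust wildcard filter with fnmatch.

```python
import fnmatch

# Event IDs from Appendix B that the rule matches (remote IDs and their local twins).
RULE_EVENT_IDS = {769, 1025, 1281, 1537, 1793, 2049,
                  770, 1026, 1282, 1538, 1794, 2050}

# Meaning of each remote ID per Appendix B; the local twin of each is remote ID + 1.
ACTIONS = {769: "read", 1025: "wrote to", 1281: "created", 1537: "deleted",
           1793: "moved", 2049: "renamed"}

# IS#7 patterns as added in steps 25-28 (assumption: IS#7 carries the object path).
IS7_PATTERNS = ["*.xls", "*pdf"]


def classify(event_id):
    """Return (action, locality) for an ID the rule matches, else None."""
    if event_id not in RULE_EVENT_IDS:
        return None
    base = event_id if event_id % 2 else event_id - 1
    return ACTIONS[base], ("remotely" if event_id % 2 else "locally")


def rule_matches(event_id, is7, patterns=IS7_PATTERNS):
    """Mirror the rule: event ID in the set AND IS#7 matches one pattern."""
    if classify(event_id) is None:
        return False
    # fnmatch approximates the InTrust wildcard filter; compare case-insensitively.
    return any(fnmatch.fnmatch(is7.lower(), p.lower()) for p in patterns)


def alerts(records, patterns=IS7_PATTERNS):
    """Return one notification line per matching (event_id, user, is7) record."""
    out = []
    for event_id, user, is7 in records:
        if rule_matches(event_id, is7, patterns):
            action, where = classify(event_id)
            out.append(f"Event {event_id}: {user} {action} {is7} {where}")
    return out


# Constructed sample records (event ID, user, IS#7 path); not real log data.
SAMPLE = [
    (1537, "DEMO\\alice", r"C:\DEMO\budget.xls"),  # remote delete of .xls: alert
    (770, "DEMO\\bob", r"C:\DEMO\notes.txt"),       # local read of .txt: no alert
    (1282, "DEMO\\carol", r"C:\DEMO\report.PDF"),  # local create of .pdf: alert
    (258, "DEMO\\dave", r"C:\DEMO\budget.xls"),    # failed access, not in rule: no alert
]

if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE)))
```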