지금 지원 담당자와 채팅
지원 담당자와 채팅

InTrust 11.5.1 - Auditing Guide

Windows Scheduled Task Job

A Windows scheduled task job binds Windows scheduled tasks and InTrust gathering workflow. This job requires that you specify a pre-configured scheduled task and provide the path to it. InTrust overrides the existing schedule settings for the task.

Configuration options for this job include synchronous operation. If this option is selected, InTrust will only consider the job completed once the scheduled task finishes. Otherwise, InTrust launches the scheduled task and regards the job as completed.

NOTE: InTrust Manager will be able to find the task only if the task meets both of the following requirements:

  • The task is set up with the Windows Server 2003, Windows XP, Windows 2000 compatibility option enabled (in the Configure for drop-down list in the scheduled task properties). This is available only if you use the Create Task action, not the Create Basic Task action.
  • The task is located in the Task Scheduler Library, and not in its subfolder.

If the task you need is of the Basic Task type, recreate it using the Create Task action.

Application Job

An application job can launch an application, execute a command or a script, and so on. While creating an application job, the wizard requests the path to an executable file (*.exe, *.com, or any other type of file the operating system can execute). You can also set parameters for the application. The progress of the job depends on the file it opens.

Alert Database Cleanup Job

An alert database cleanup job clears obsolete alerts from an alert database. This job relates to the InTrust real-time monitoring process. Alert databases are used by the InTrust real-time monitoring service to store real-time alerts.

When configuring this job, you need to specify the following:

  • The server where to run the job
  • The alert database to be cleared
  • A filter for the alerts to be cleared, based on such parameters as alert severity, age and status

Creating Your Gathering Workflow

InTrust provides three ways to create a contiguous workflow for gathering audit data and reporting on it, as follows:

  • Quick Start Wizard
  • Configuration Wizard
  • Manual configuration of InTrust objects

These three methods serve the same purpose, that is, to define workflow settings for InTrust to act on. However, these methods are progressively more complex and more flexible.

Using the Quick Start Wizard

The interactive Quick Start Wizard is the easiest gathering workflow configuration tool. It is mainly useful for quickly getting acquainted with InTrust's auditing and reporting functionality.

For the sake of simplicity, the Quick Start Wizard provides only the following subset of InTrust's features:

  • Gathers audit data from the Microsoft Windows Security, System and Application event log
  • Gathers with agents
  • Due to rudimentary security configuration, requires that the audit database and the SQL Server Reporting Services are located on the same SQL server
  • Uses the default data stores
  • Shows only 16 most common reports from the Windows Report Pack
  • Shows events only for the last 24 hours in reports.

Note: Links to sub-reports do not work in reports produced by the Quick Start Wizard.

The Quick Start Wizard takes you through five steps that introduce basic InTrust concepts and show what is required for successful auditing and reporting.

Using the Configuration Wizard

The Configuration Wizard can be successfully used to perform typical everyday auditing, reporting and real-time monitoring activity. This wizard suits most such needs. You can also use the Configuration Wizard to rough out a basic workflow that you can manually tweak later.

To create a simple workflow with the Configuration Wizard, select Getting Started | Configuration Wizard node and proceed with the steps in the right pane.

This wizard has five documented steps, as follows:

  1. Creating a site
  2. Creating a policy
  3. Creating a task and a gathering job in it
  4. Creating a reporting job in the task
  5. Setting up real-time monitoring of the site

The wizard shows where to look in the treeview for the objects you create. If you need to reconfigure these objects, do this by editing their properties.

Note: The Configuration Wizard configures auditing and real-time monitoring only for the Microsoft Windows environment. To audit and monitor Unix-like systems, create the necessary InTrust objects manually.

Manual Workflow Configuration

For full functionality and control, access the properties of specific elements that participate in workflow: jobs, tasks, policies and sites.

InTrust provides several predefined tasks, such as Windows and AD Security Daily collection and reporting, SQL Server logs daily collection, and so on. These are some of the most common tasks with typical settings.

To activate a predefined task

  1. In InTrust Manager, expand Workflow | Tasks.
  2. Right-click the necessary task and select Properties to open the properties dialog box.
  3. Select Schedule enabled. If this option is unavailable, click Modify to provide a schedule and then enable it.
  4. Right-click the root node and commit the changes.

The examples below explain how you can organize gathering workflow to obtain a report (or reports) on the network segment you are interested in.

Prerequisites

A typical workflow requires the following:

  • At least one InTrust site from where the audit data will be processed
  • At least one InTrust server responsible for data processing
  • At least one policy
  • That an SMTP server is associated with the InTrust server or servers if you need to perform email notification
  • A notification group with at least one recipient in it, or several such groups
  • At least one notification template

Example 1: A Simple Workflow

The simplest scenario, which can be replicated using the Configuration Wizard, includes the following:

  1. Gathering audit data from a site into a repository and audit database (gathering job)
  2. Generating a report containing the data (reporting job)
  3. Notify a recipient or recipients when the task is completed (notification job)

To implement this scenario, you will need:

  1. A scheduled task that includes the required jobs.
  2. A gathering job that uses a site spanning your network section. Configure the job to store gathered data in a repository and an audit database.
  3. A reporting job that will use the gathered data to prepare the necessary report in the necessary format. If you need a notification as soon as the reports are ready, use the Notify by email option in the job.

This kind of workflow is easy to create but not always acceptable due to the following reasons:

  • A large and/or distributed network or network section makes data processing too slow for such workflow organization.
  • If there is a slow link within an InTrust site, the traffic rate is a consideration. It is not efficient to transfer large amounts of data uncompressed (meaning, gather directly to the database over a slow link), because this would be error-prone and would result in a congested network.

To boost efficiency, gather data from multiple sites that have fast reliable links within them. The following is an example of workflow management.

Example 2: A More Efficient Workflow with Two Reports

Assume that you have an InTrust organization with at least two InTrust sites in it. A separate server processes each of these two sites.

Now, the objectives are as follows:

  1. Gather audit data from the two sites
  2. Generate reports based on the result of the gathering
  3. Notify a recipient or recipients of task completion

A possible way to split this course of action into several stages is as follows:

  1. Simultaneously gather data from both sites, and put each site’s data into a separate repository and a separate audit database.
  2. Draw up two reports.
  3. Send a notification message to a recipient or recipients.
  4. Consolidate data from two repositories for archival and backup.

Follow these instructions to organize workflow based on the described model:

  1. Create a task that will include the jobs required to achieve the goals.
  2. To gather the audit data from two sites, configure two gathering jobs to run simultaneously. Specify a separate repository and a separate audit database as data stores for each job.
  3. Create a reporting job that will use the gathered data to generate the necessary report or reports. Configure this job to have the first gathering job created earlier as its predecessor job.
  4. Create another reporting job. Configure the job to have the second gathering job as its predecessor job.
    When configuring each of the gathering and reporting jobs, select the corresponding InTrust servers (assigned to the sites from which the gathering jobs collect audit data).
  5. 5 Create a notification job to inform a recipient or recipients that the task is completed. Configure the job to have both reporting jobs as its predecessor jobs. Using a notification task instead of built-in reporting job notification means that the recipients will get the message after both reporting jobs have completed.
  6. 6 Create a consolidation job that runs simultaneously with the notification job. Configure the job to consolidate the repository used by the second gathering job into the one used by the first gathering job.

 

Example 3: Consolidating and Importing to Create a Single Report

Another way to split the operation into stages in this case is as follows:

  • Simultaneously gather audit data from both sites and put it in separate repositories
  • Consolidate repository data into one repository
  • Import the result to an audit database
  • Prepare a report based on the gathered data
  • Send a notification message to the recipient or recipients

Follow these instructions to organize workflow based on the model:

  1. Create a task which will include the jobs required to achieve the goals.
  2. Configure two gathering jobs to run simultaneously. Specify a separate repository for each job.
  3. Create a consolidation job that copies the data from one of the used repositories to the other. Configure this job to have both of the jobs created earlier as its predecessor jobs. This will ensure that the schedule job is not started until the gathering is finished.
  4. Create an import job that imports the gathered audit data from the consolidated repository to an audit database.
  5. Create a reporting job that will use the gathered data to generate the necessary report or reports. Enable job completion notification if necessary.
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택