When a collection is selected, the right pane shows a table with information about the collection members. The table supports multi-level grouping of collection computers, so that you can organize the computers in tree-like views using any criteria. For example, you can group computers by status, then by domain, then by type.
To use multi-level grouping, drag table column names from the computer list to the area above the list. The computer list changes accordingly.
|
Note: The difference between the “Not Installed” and “Failed” computer statuses is as follows:
|
To hide the computers you are not interested in, you can use view filtering. To configure a view filter, use the controls underneath the table column names: click the operator icon to select the operator, and specify the value to filter by.
The same grouping and view filtering techniques are available in the views with search folder results.
You can save information about the currently selected collection to a CSV file for comparison, bookkeeping or analysis. For that, click Export list to CSV in the toolbar above the collection view. Alternatively, right-click a collection in the left pane and select Export List to CSV. Note that the exported information is not necessarily the same as in the collection view; the specifics are as follows:
The data fields in CSV are made independent of the collection view by design. This way the data layout stays the same and is easier to handle with the tools you use for working with CSV.
If you need to troubleshoot your collections or examine your real-time gathering workflow in the greatest possible detail, you can use the RealTimeCollectionStatus.ps1 script, which outputs raw information about your collections to a CSV file. For details, see Tracking Real-Time Event Collection State.
You can add, delete and edit repositories at any time. To work with repositories, go to the Storage view of InTrust Deployment Manager.
In this view, the left-hand pane lists the available repositories, and the right-hand pane shows the properties of the selected repository.
To create and delete repositories, use the New and Delete buttons. To edit the properties of a repository, select it and click the Edit link for the group of settings you want.
|
IMPORTANT: The defining property of a repository is the path to the network share that contains the collected data. When you specify the path, use a UNC name. This makes the repository available to client applications in the network, such as Repository Viewer and IT Security Search. It will also make it easier to integrate the repository into an extended InTrust deployment if you decide to perform it. |
You can also create a repository when you create a new collection or edit an existing collection (see Managing Collections), on the Data Sources and Repository step of the wizard.
Repositories should not be located on the InTrust server. Admittedly, the default repository is automatically created on the server, but this is only a fallback choice. For day-to-day real-time event collection purposes, create repositories in network shares on separate computers to which client applications, such as Repository Viewer and IT Security Search, have fast network connections.
You can configure a repository to keep only recent data and automatically discard data that is too old. For that, edit the Daily Cleanup settings in the repository properties in the Storage view. Specify how old data can get before it is considered too old and at what time daily cleanup should start.
To gather a third-party Windows event log that is available in the Applications and Services Logs subtree in Windows Event Viewer, you need to create a data source for it. This is done in the wizard used for creating and editing collections, on the Data Sources and Repository step.
Proceed to that step, and then do the following:
|
Note: If you don't know the name, look it up in Event Viewer, as follows:
|
One of the available Windows log types is Forwarded Events. If subscription-based logging of these events is enabled, InTrust can collect them just like other events. It is possible to configure the gathering using the procedure above; the exact log name in step 3 is ForwardedEvents in this case.
However, due to the limitations of this forwarding technology, data in the forwarded events is mostly meaningless. You can gather it to a repository, but you cannot search in it or build reports on it. Therefore, collecting this data is not recommended. Instead, use InTrust to gather the original events from the sender computers.
The metrics and suggestions in this section are based on tests performed by quality control.
InTrust agents send events to InTrust servers in batches. By default, the event submission rates are as follows:
There are two primary limits to consider when estimating if an InTrust server can cope with its load. On the one hand, an InTrust server can gather from no more than 10,000 computers (servers or workstations) at a time. On the other hand, an InTrust server should not receive more than 60,000 events per second in a steady stream. The rate of events from a computer depends very much on the number of data sources that are processed on that computer.
For example, a collection of about 3000 computers with 5 data sources each, 4 events per second per data source, produces a combined stream of 60,000 events per second. This is a load that a 16-core InTrust server with SSD storage and 16GB of memory should handle without problems.
Tips on avoiding excessive workload on a server:
|
Caution: When adding an InTrust server to your existing organization, you should run InTrust setup under an account that can manage the InTrust configuration. The account used for installing the first InTrust server automatically has these privileges. To add InTrust organization administrators, in InTrust Deployment Manager click Manage | Configure Access. Of course, to add organization administrators, you must be an organization administrator yourself. |
© ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center