
InTrust 11.4.2 - Deployment Guide


InTrust Sites

InTrust provides for collection, correlation, archival, and reporting on the heterogeneous audit data from your enterprise-wide network, as well as for real-time alerting and notification.

The two main processes in InTrust are audit data gathering and real-time monitoring for critical events. You can set them up using InTrust Manager—an MMC snap-in intended for InTrust configuration.

Both gathering and monitoring are performed on InTrust sites. An InTrust site is a representation of several computers and the settings associated with them. Sites logically group those computers for which the auditing and monitoring requirements are similar. So, by using sites you map out your environment for InTrust—this is the first step you make when configuring gathering or monitoring workflow.

InTrust provides several predefined sites but you need to populate these sites manually. Depending on the InTrust Knowledge Pack you have installed, your configuration can include different predefined sites, for example:

  • InTrust for Windows Knowledge Pack offers the “All Windows Servers in the domain” site.
  • InTrust for IIS Knowledge Pack brings in the “All IIS Servers” site, and so on.

In addition, you can create your own sites by following the steps described in the Creating Sites topic.

Every time you create a new InTrust object or make any other change to the InTrust configuration, you must apply these changes. To do so, right-click the InTrust Manager root node and select Commit from the shortcut menu, or click Commit on the toolbar.

In InTrust Manager, sites are shown grouped by environment (such as Microsoft Windows Network and UNIX Network) under Configuration | Sites.

To process logs on site computers, InTrust agents can be used.

Creating Sites

To create a site

  1. In InTrust Manager, double-click Configuration | Sites.
  2. Right-click the appropriate environment (for example, Microsoft Windows Network) and select New Site.
  3. Follow the instructions of the New Site Wizard.

The wizard prompts you for the method to use for enumerating site objects and the InTrust server that will process the site.

You can perform domain enumeration for the site, either by using the Computer Browser service, or by getting the computer list from a domain controller.

  • For InTrust gathering, site objects will be enumerated each time a gathering session starts.
  • For InTrust real-time monitoring, you can schedule enumeration using site properties.

Note: By default, the Computer Browser service is disabled on Windows Server 2008 and later computers, so it is recommended that you use the alternative enumeration method (that is, get the computer list from a domain controller).

  4. Next, populate the site with objects. Specify computers by doing any of the following:
    • Selecting the whole network
    • Specifying or selecting particular computers
    • Specifying or selecting domains that contain the computers you are interested in
    • Specifying an IP address range
    • Selecting organizational units
    • Selecting or specifying an Active Directory site
    • Adding all domain controllers in the domain or Active Directory site
    • Supplying a list of computers in a file
    • Specifying a script that enumerates the computers (for details, see the Site Enumeration Scripts topic)

A computer list file uses the plain text format. Each name must be a separate line in the file. You can add comments prefixed either with double slashes or with semicolons. The following is a sample file:

    ;This is a comment
    EDITOR
    Deborah
    //This is a comment using a different style
    Backup
    10.35.28.196
    \\Exchange

A computer can appear in the list as any of the following:

  • A computer name
  • A NetBIOS name
  • An FQDN
  • An IP address

  5. After that you can provide a filter that narrows your selection of site objects based on computer properties. Object filters enable you, for example, to select all computers in your environment with a particular OS installed. This way, you include the entire network as the site object and still get the required precision without having to deal with particular computer names or IP addresses. For more information about object filters, see Using Filters in InTrust Manager.
  6. Finally, specify the name and description for the new site.
  7. Review the settings and click Finish to complete the wizard. The new site will appear in the left-pane treeview.
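A computer list file is easy to get subtly wrong (stray characters, duplicate hosts under different casing, a comment that is not really a comment), and the wizard gives little feedback. The following Python checker, written for this page and not part of InTrust, parses a file in the format described above, drops comment and blank lines, classifies each entry as an IP address, FQDN or single-label name, and reports duplicates. It assumes that only whole-line comments are allowed and that a leading "\\" on a name (as in the sample) is accepted and stripped.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample that mirrors the format shown in the guide (raw string,
# so the "\\Exchange" line is kept literally).
SAMPLE_LIST = r""";This is a comment
EDITOR
Deborah
//This is a comment using a different style
Backup
10.35.28.196
\\Exchange
"""

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify(entry: str) -> str:
    """Return 'ip', 'fqdn', 'name' or 'invalid' for one computer entry."""
    try:
        ipaddress.IPv4Address(entry)
        return "ip"
    except ValueError:
        pass
    labels = entry.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "invalid"
    # A single label is a computer/NetBIOS name; a dotted one is an FQDN.
    return "name" if len(labels) == 1 else "fqdn"


def parse_computer_list(text: str) -> List[Tuple[str, str]]:
    """Parse file text into (entry, kind) pairs, skipping comments and blanks."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        # Comments are whole lines prefixed with ';' or '//' (assumption: no inline comments).
        if not line or line.startswith(";") or line.startswith("//"):
            continue
        if line.startswith("\\\\"):      # strip a UNC-style "\\" prefix
            line = line[2:]
        results.append((line, classify(line)))
    return results


def find_duplicates(entries: List[Tuple[str, str]]) -> List[str]:
    """Return entries that repeat an earlier one, compared case-insensitively."""
    seen, dups = set(), []
    for name, _ in entries:
        key = name.lower()
        if key in seen:
            dups.append(name)
        seen.add(key)
    return dups


if __name__ == "__main__":
    for name, kind in parse_computer_list(SAMPLE_LIST):
        print(f"{name:20} {kind}")
```

Entries reported as "invalid" or listed as duplicates are worth fixing before the file is handed to the wizard, since a malformed line silently yields a site object that gathering cannot reach.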

Modifying Sites

In a site’s properties dialog box invoked from the shortcut menu, you can modify the site settings specified during the site creation procedure, as well as some other settings, including:

  • An account to be used for accessing the objects in the site (in particular, the gathering engine will use this account to collect data from site computers without agents).
  • An account to be used by InTrust agents installed on the site.

Note: To supply either of these accounts, open the Accounts tab.

  • If the role-based administration feature is enabled, you can specify users who will be able to see and edit the site or use the site objects. For that, open the Security tab.

You can also use the site’s shortcut menu to:

  • Add objects to the site
  • Install agents on the site’s computers

Site Enumeration Scripts

If you want to specify your own algorithm for the enumeration of objects in the site, you can use the Enumeration Script option, which prompts you for a script that will perform the enumeration. This option is available:

  • During site creation: on the Site Objects step
  • For an existing site: from the context menu, or in the site properties on the Objects tab

Selecting Enumeration Script prompts you for the script you want to use. The scripts are located in the Configuration | Advanced | Scripts container node.

InTrust comes with the example “Enumeration script: LDAP query” script for this purpose. For your sites, you can use this script, copies of it, or your own scripts.

The “Enumeration script: LDAP query” script has the following parameters, which you can customize without modifying the script itself:

  • Attribute Name: Name of the attribute that will be used as the object name in the list of site objects.
  • Bind String: ADSI bind string; for example, “GC:” means that the entire AD forest will be searched, and “LDAP:” specifies the current domain.
  • Filter: LDAP filter, such as (objectCategory=serviceConnectionPoint).
  • Need Deep Search: What to do if the search in the entire forest finds objects whose names (specified by the Attribute Name parameter) cannot be read:
    • 0: Do nothing; the matching object is not included in the site.
    • 1: Try searching in individual domains and reading the attributes again.
    This parameter is considered only if the Bind String begins with GC:.
  • Search Scope: Search scope in LDAP terms, with the following values:
    • 0: Base
    • 1: One level
    • 2: Subtree