Analyzing Collections
When a collection is selected, the right pane shows a table with information about the collection members. The table supports multi-level grouping of collection computers, so that you can organize the computers in tree-like views using any criteria. For example, you can group computers by status, then by domain, then by type.
To use multi-level grouping, drag table column names from the computer list to the area above the list. The computer list changes accordingly.
|
|
Note: The difference between the “Not Installed” and “Failed” computer statuses is as follows:
|
To hide the computers you are not interested in, you can use view filtering. To configure a view filter, use the controls underneath the table column names: click the operator icon to select the operator, and specify the value to filter by.
The same grouping and view filtering techniques are available in the views with search folder results.
Managing Repositories
You can add, delete and edit repositories at any time. To work with repositories, go to the Storage view of InTrust Deployment Manager.
In this view, the left-hand pane lists the available repositories, and the right-hand pane shows the properties of the selected repository.
To create and delete repositories, use the New and Delete buttons. To edit the properties of a repository, select it and click the Edit link for the group of settings you want.
|
|
IMPORTANT: The defining property of a repository is the path to the network share that contains the collected data. When you specify the path, use a UNC name. This makes the repository available to client applications in the network, such as Repository Viewer and IT Security Search. It will also make it easier to integrate the repository into an extended InTrust deployment if you decide to perform it. |
You can also create a repository when you create a new collection or edit an existing collection (see Managing Collections), on the Data Sources and Repository step of the wizard.
Where to Keep Repositories
Repositories should not be located on the InTrust server. Admittedly, the default repository is automatically created on the server, but this is only a fallback choice. For day-to-day real-time event collection purposes, create repositories in network shares on separate computers to which the InTrust server has fast network connections.
Setting Up Daily Cleanup
You can configure a repository to keep only recent data and automatically discard data that is too old. For that, edit the Daily Cleanup settings in the repository properties in the Storage view. Specify how old data can get before it is considered too old and at what time daily cleanup should start.
Gathering a Third-Party Application or Service Log
Gathering Windows Logs Other than Security, Application and System
Applications and Services Logs
To gather a third-party Windows event log that is available in the Applications and Services Logs subtree in Windows Event Viewer, you need to create a data source for it. This is done in the wizard used for creating and editing collections, on the Data Sources and Repository step.
Proceed to that step, and then do the following:
- Click Add. The New Data Source dialog box opens.
- Specify a meaningful name for the new data source. Optionally, provide a description.
- In the text box below, specify the exact log name.
|
|
Note: If you don't know the name, look it up in Event Viewer, as follows:
|
- Click OK to save the new data source, and select the check box next to it in the data source list.
- Complete the wizard.
Forwarded Events
One of the available Windows log types is Forwarded Events. If subscription-based logging of these events is enabled, InTrust can collect them just like other events. It is possible to configure the gathering using the procedure above; the exact log name in step 3 is ForwardedEvents in this case.
However, due to the limitations of this forwarding technology, data in the forwarded events is mostly meaningless. You can gather it to a repository, but you cannot search in it or build reports on it. Therefore, collecting this data is not recommended. Instead, use InTrust to gather the original events from the sender computers.
Load Balancing
The metrics and suggestions in this section are based on tests performed by quality control.
InTrust agents send events to InTrust servers in batches. By default, the event submission rates are as follows:
- On Windows servers, including domain controllers, a batch file is sent every minute.
- On workstations, a batch file is sent every seven minutes.
There are two primary limits to consider when estimating if an InTrust server can cope with its load. On the one hand, an InTrust server can gather from no more than 10,000 computers (servers or workstations) at a time. On the other hand, an InTrust server should not receive more than 60,000 events per second in a steady stream. The rate of events from a computer depends very much on the number of data sources that are processed on that computer.
For example, a collection of about 3000 computers with 5 data sources each, 4 events per second per data source, produces a combined stream of 60,000 events per second. This is a load that a 16-core InTrust server with SSD storage and 16GB of memory should handle without problems.
Tips on avoiding excessive workload on a server:
- Keep track of how many computers there are per InTrust server.
- Add InTrust servers if necessary.
- Assign different servers to different collections.
- Distribute the computers among your collections evenly.
|
|
Caution: When adding an InTrust server to your existing organization, you should run InTrust setup under an account that can manage the InTrust configuration. The account used for installing the first InTrust server automatically has these privileges. To add InTrust organization administrators, in InTrust Deployment Manager click Manage | Configure Access. Of course, to add organization administrators, you must be an organization administrator yourself. |
