
InTrust 11.3.2 - InTrust SDK Reference

Creating and Removing Repositories

The methods for creating and removing production InTrust repositories (Add and Remove) are available in the IInTrustRepositoryCollection interface, which provides access to all repositories in a particular InTrust organization.

Caution: For these operations to succeed, the account you are using must be an InTrust organization administrator. To configure this privilege for the account, do one of the following:

  • In InTrust Deployment Manager, click Manage | Configure Access.
  • In InTrust Manager, open the properties of the root node.

For details about obtaining a collection of repositories, see Connecting to a Repository.

Instead of a production repository (which is registered with InTrust, managed by an InTrust server and has an entry in the InTrust configuration), you may want to create an idle repository (which has only the raw repository file structure). For that, use the IIdleRepositoryFactory interface, which constructs IIdleRepository interfaces.

Working with Repository Properties

Repositories can have properties attached to them. Each property uses the IProperty interface, and properties are accessed collectively through IPropertyCollection interfaces. These collection interfaces are associated with an IInTrustRepository interface, which has a getter and a setter method for each supported property grouping. Two groupings are available at this time: custom attributes and forwarding properties, described in the sections below.

Using Custom Attributes

You can associate custom attributes with InTrust repositories. They are available through the CustomAttributes methods of an IInTrustRepository interface.

There are no custom attribute guidelines; what custom attributes you add and how you use them is up to you. However, note that the following limits are set for the generic IProperty interface used by custom attributes:

  • Name: 64 characters
  • If you set a string of the BSTR type for the value: 1024 characters

It is also recommended that you keep the number of custom attributes low: tens rather than hundreds.

For details about the generic property interfaces used for custom attributes, see IProperty and IPropertyCollection.

Example (C#)

/* Connect to the InTrust server and open a repository by name.
   The credentials are literals here for brevity; in production code take them
   from a protected store rather than from source. */
IInTrustEnvironment2 env = new InTrustEnvironment();
IInTrustServer server = env.ConnectToServerWithCredentials("8.8.8.8", @"domain\user_name", "password");
IInTrustOrganization org = server.Organization;
IInTrustRepository rep = org.Repositories.Item("Default InTrust Audit Repository");

/* Get the collection of custom attributes */
IPropertyCollection attrs = rep.CustomAttributes;

/* Set custom attributes (the value is a VARIANT, so numbers and strings both work) */
attrs.Set("NumberAttr", 12);
attrs.Set("StringAttr", "Initial status");

/* Get an attribute by name */
IProperty stringAttr = attrs.Item("StringAttr");
/* Read its value */
System.Console.WriteLine("String attribute value is {0}", stringAttr.PropertyValue);
/* Assign a new value */
stringAttr.PropertyValue = "Updated status";

/* Enumerate all attributes */
foreach (IProperty prop in attrs)
{
    System.Console.WriteLine("Attribute : {0}, Value : {1}", prop.PropertyName, prop.PropertyValue);
}

/* Delete an attribute */
attrs.Remove("NumberAttr");

/* Replace the whole collection with a newly built one */
PropertyCollection coll = new PropertyCollection();
coll.Set("FirstAttr", "First value");
coll.Set("SecondAttr", "Second value");
rep.CustomAttributes = coll;


Using Forwarding Properties

These properties control how the InTrust event forwarding engine handles the repository. They are available through the ForwardingProperties methods of an IInTrustRepository interface.

The entries below list the supported properties, the format of their values and the details of each. For details about the event forwarding feature, see Integration into SIEM Solutions Through Event Forwarding.

Caution: Although the generic IProperty interface used by forwarding properties supports the polymorphic VARIANT type for values, you should set them to strings of the BSTR type. Internally, InTrust assumes forwarding property values to be strings.

ForwardingEnabled
  Format: "0" or "1"
  Details: "0" means forwarding is disabled; "1" means forwarding is enabled.

ForwardingServer
  Format: GUID in curly braces
  Details: The ID of the InTrust server that forwards the events. Forwarding does not work if this property is empty.

Formatter
  Format: GUID in curly braces
  Details: The following values are acceptable:
  • Dell SecureWorks:
    {c7789ad6-5e47-4553-8e09-21627545fced}
  • Tibco LogLogic:
    {281E5204-28CD-4949-97C1-ABEACAA41A17}
  • Splunk (_json):
    {0207AD28-4DDA-4C45-A555-82F9313D0ED4}
  • IBM QRadar:
    {905040C9-6197-447E-86A0-780A9A0F2389}
  • Custom format:
    {06F5C239-CB32-4cf0-905F-9547365D0B6D}

CustomFormatScript
  Format: JavaScript code
  Details: Used only if Formatter is set to "{06F5C239-CB32-4cf0-905F-9547365D0B6D}" (custom format).

Sender
  Format: GUID in curly braces
  Details: At this time, only UDP is supported as the sender, with the GUID {943e412f-f58a-450d-bec7-96cfa954645e}.

Host
  Format: Address of the host that forwards events

Port
  Format: Port that is used for forwarding

MessageEncodingCodePage
  Format: Character encoding to expect in the messages
  Details: If omitted, Windows-1251 is assumed.

ForwardingFilter
  Format: One of the following:
  • Path made up of GUIDs in curly braces with the "\" separator
  • REL query
  Details: If forwarding is configured through InTrust Deployment Manager, the value can be a path of GUIDs representing an existing Repository Viewer search folder. You can set a custom REL query for message filtering prior to forwarding.
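The following helper is an added example written for this page; it is not part of the InTrust SDK or its documentation. It covers both the custom-attribute limits above (64-character names, 1024-character BSTR values, "tens rather than hundreds" of attributes) and the forwarding properties in this section: every value is written as a string, the GUID-valued properties are checked for the braced format, the custom formatter is refused without a script, and the live configuration is read back so that "ForwardingEnabled" set to "1" with an empty ForwardingServer (which the table says forwards nothing) is reported. Assumptions: the interop namespace is not given on this page, so the using directive is left as a comment; the 100-attribute threshold, the placeholder server name, credentials and forwarding server GUID in Main are this example's choices, not values from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
// Assumption: IInTrustEnvironment2, InTrustEnvironment, IInTrustServer, IInTrustRepository,
// IPropertyCollection, PropertyCollection and IProperty come from the InTrust SDK interop
// assembly referenced by the project; add the "using" for its namespace in your build.

public static class RepositoryProperties
{
    // Limits documented for the generic IProperty interface used by custom attributes.
    public const int MaxNameLength = 64;
    public const int MaxBstrValueLength = 1024;
    // IDs from the forwarding-properties table on this page.
    public const string FormatterCustom = "{06F5C239-CB32-4cf0-905F-9547365D0B6D}";
    public const string SenderUdp = "{943e412f-f58a-450d-bec7-96cfa954645e}";

    static readonly Regex BracedGuid =
        new Regex(@"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$");

    // Writes a value as a BSTR string (a .NET string marshals as BSTR) after checking
    // the name length and, when given, a value length limit.
    public static void SetString(IPropertyCollection props, string name, string value,
                                 int maxValueLength = int.MaxValue)
    {
        if (string.IsNullOrEmpty(name) || name.Length > MaxNameLength)
            throw new ArgumentException("Name must be 1.." + MaxNameLength + " characters", "name");
        if (value == null || value.Length > maxValueLength)
            throw new ArgumentException(name + " must be a string of at most " + maxValueLength + " characters", "value");
        props.Set(name, value);
    }

    // Custom attribute: enforce the 64/1024 limits and refuse to grow into the hundreds.
    public static void SetCustomAttribute(IInTrustRepository rep, string name, string value)
    {
        IPropertyCollection attrs = rep.CustomAttributes;
        int count = 0;
        foreach (IProperty p in attrs) count++;
        if (count >= 100)   // threshold chosen for this example
            throw new InvalidOperationException("Repository already has " + count + " custom attributes");
        SetString(attrs, name, value, MaxBstrValueLength);
    }

    static void RequireBracedGuid(string name, string value)
    {
        if (value == null || !BracedGuid.IsMatch(value))
            throw new ArgumentException(name + " must be a GUID in curly braces", name);
    }

    // Builds a complete UDP forwarding configuration, validates it against the table,
    // and applies it to the repository as one collection. All values are strings.
    public static void ConfigureUdpForwarding(IInTrustRepository rep, string forwardingServerId,
        string formatterId, string host, int port, string filter = null, string customFormatScript = null)
    {
        RequireBracedGuid("ForwardingServer", forwardingServerId);
        RequireBracedGuid("Formatter", formatterId);
        if (string.IsNullOrEmpty(host)) throw new ArgumentException("Host is required", "host");
        if (port < 1 || port > 65535) throw new ArgumentOutOfRangeException("port");
        bool custom = string.Equals(formatterId, FormatterCustom, StringComparison.OrdinalIgnoreCase);
        if (custom && string.IsNullOrEmpty(customFormatScript))
            throw new ArgumentException("CustomFormatScript is required for the custom formatter");

        PropertyCollection fwd = new PropertyCollection();
        SetString(fwd, "ForwardingServer", forwardingServerId);
        SetString(fwd, "Formatter", formatterId);
        SetString(fwd, "Sender", SenderUdp);
        SetString(fwd, "Host", host);
        SetString(fwd, "Port", port.ToString());   // string, not an integer VARIANT
        if (custom) SetString(fwd, "CustomFormatScript", customFormatScript);
        if (!string.IsNullOrEmpty(filter)) SetString(fwd, "ForwardingFilter", filter);
        // MessageEncodingCodePage is left unset, so InTrust assumes Windows-1251.
        SetString(fwd, "ForwardingEnabled", "1");
        rep.ForwardingProperties = fwd;
    }

    // Reads the live forwarding properties back for auditing or for the check below.
    public static Dictionary<string, string> ReadForwarding(IInTrustRepository rep)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (IProperty p in rep.ForwardingProperties)
            result[p.PropertyName] = Convert.ToString(p.PropertyValue);
        return result;
    }

    // Enabled forwarding with a missing server, sender, host or port forwards nothing; flag it.
    public static List<string> FindForwardingProblems(IDictionary<string, string> props)
    {
        var problems = new List<string>();
        string enabled;
        if (!props.TryGetValue("ForwardingEnabled", out enabled) || enabled != "1")
            return problems;   // disabled: nothing to check
        foreach (string required in new[] { "ForwardingServer", "Formatter", "Sender", "Host", "Port" })
        {
            string v;
            if (!props.TryGetValue(required, out v) || string.IsNullOrEmpty(v))
                problems.Add(required + " is missing or empty while ForwardingEnabled is \"1\"");
        }
        return problems;
    }
}

class Program
{
    static void Main()
    {
        IInTrustEnvironment2 env = new InTrustEnvironment();
        // Placeholder server name and credentials; load real ones from a protected store.
        IInTrustServer server = env.ConnectToServerWithCredentials("intrust-server", @"domain\user_name", "password");
        IInTrustRepository rep = server.Organization.Repositories.Item("Default InTrust Audit Repository");
        RepositoryProperties.SetCustomAttribute(rep, "Owner", "SOC team");
        // Placeholder forwarding server ID: use the ID of your own InTrust server.
        RepositoryProperties.ConfigureUdpForwarding(rep, "{00000000-0000-0000-0000-000000000000}",
            "{0207AD28-4DDA-4C45-A555-82F9313D0ED4}", "siem.example.local", 514);
        foreach (string problem in RepositoryProperties.FindForwardingProblems(RepositoryProperties.ReadForwarding(rep)))
            Console.WriteLine("Forwarding problem: {0}", problem);
    }
}
```

Building the configuration in a fresh PropertyCollection and assigning it in one step, rather than calling Set on the live ForwardingProperties collection field by field, keeps the repository from being observed half-configured with ForwardingEnabled already "1". The read-back check is worth running after any tool other than this code has touched the repository, since the SDK itself does not stop you from enabling forwarding with an empty ForwardingServer.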
