
InTrust 11.3.1 - Getting Started with InTrust

First Steps

InTrust is an event-log management solution that provides for collection, correlation, archival, and reporting on the heterogeneous audit data from your enterprise-wide network. InTrust real-time alerting and notification capabilities allow you to stay aware of what is going on in your network and how your business-critical resources are functioning.

Although InTrust is a powerful and comprehensive framework for audit data, deployments can range widely in complexity. The following types of coverage are all possible:

  • Basic everyday security auditing with a minimal set of components
  • Archival of audit data in compressed repositories for regulations compliance
  • Fast search and reporting tools that work with repository data
  • Real-time monitoring for critical security events, with alert tracking and automated response actions
  • Auditing of multiple platforms and custom logs with advanced reporting based on SQL Server Reporting Services
  • Combinations of the above

This guide explains only the use of the basic InTrust deployment. More sophisticated features and workflows are described elsewhere in the InTrust documentation set—for example, in the Deployment Guide.

Installing InTrust

Before you begin installation, confirm that the system requirements are met (see System Requirements). Also note that the InTrust installer verifies this automatically.

To begin installation, use the Autorun application that comes with your InTrust distribution; click InTrust Default Suite on the Install tab to begin setup.

Note: If you need custom InTrust capabilities, consider the InTrust Extended Suite option, which is not covered in this set of topics. For details, see the Deployment Guide.

Next, complete the remaining steps.

Caution: The default InTrust components require that ports 900, 8340 and 8341 be open for inbound traffic. The InTrust installer knows how to configure these ports automatically in Windows Firewall. However, if you use a hardware or third-party software firewall, make sure these ports are open.
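The following PowerShell script is an added example for checking the firewall caveat above; it is not part of the InTrust documentation or product. It assumes the three ports are TCP (the text lists only the numbers) and that it runs elevated on the InTrust server, with the remote reachability check run from a host that will carry an agent. The rule name and the `Test-InTrustPortsRemote` helper are hypothetical.

```powershell
# Added example (not from the InTrust documentation): confirm that the inbound
# ports used by the default InTrust components (900, 8340, 8341) are allowed by
# Windows Firewall, listening locally, and reachable from a remote host.
# Assumption: all three ports are TCP; the page gives only the port numbers.

$InTrustPorts = 900, 8340, 8341
$RuleName     = 'InTrust default components (inbound)'   # hypothetical rule name

function Test-InTrustFirewallRules {
    # Report, per port, which enabled inbound Allow rules already cover it.
    # Note: rules expressed as port ranges (e.g. '8340-8341') are not matched
    # by -contains and would show as uncovered; inspect those manually.
    $portFilters = Get-NetFirewallPortFilter -Protocol TCP
    foreach ($port in $InTrustPorts) {
        $rules = $portFilters |
            Where-Object { $_.LocalPort -contains $port -or $_.LocalPort -eq 'Any' } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        [pscustomobject]@{
            Port    = $port
            Allowed = [bool]$rules
            Rules   = ($rules | Select-Object -ExpandProperty DisplayName) -join ', '
        }
    }
}

function Add-InTrustFirewallRule {
    # Create the rule only if it does not exist yet (idempotent). Restrict
    # -RemoteAddress to the subnets your agents live on if they are known;
    # 'Any' is the cmdlet default and is wider than most deployments need.
    param([string[]]$RemoteAddress = 'Any')
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $InTrustPorts -RemoteAddress $RemoteAddress `
            -Action Allow -Profile Domain | Out-Null
    }
}

function Test-InTrustListeners {
    # A firewall rule is useless if nothing is bound to the port; check for a
    # listening socket on each one (services must already be running).
    foreach ($port in $InTrustPorts) {
        $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Port = $port; Listening = $listening }
    }
}

function Test-InTrustPortsRemote {
    # Run this on a prospective agent host: a hardware or third-party firewall
    # between the two machines shows up here even when the local rules are right.
    param([Parameter(Mandatory)][string]$InTrustServer)
    foreach ($port in $InTrustPorts) {
        $ok = Test-NetConnection -ComputerName $InTrustServer -Port $port -InformationLevel Quiet
        [pscustomobject]@{ Server = $InTrustServer; Port = $port; Reachable = $ok }
    }
}

# Typical run on the InTrust server:
Test-InTrustFirewallRules | Format-Table -AutoSize
Add-InTrustFirewallRule                     # optionally: -RemoteAddress '10.0.0.0/8'
Test-InTrustListeners     | Format-Table -AutoSize
# And from a remote host (replace the placeholder name):
# Test-InTrustPortsRemote -InTrustServer 'intrust-server.example.local' | Format-Table -AutoSize
```

The installer already creates the Windows Firewall rules, so the value of the script is the verification: a port that is allowed but not listening points at a service problem, and a port that is allowed and listening but unreachable from the agent side points at a firewall between the hosts.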

Participation in the Quest Software Improvement Program

One of the setup steps prompts you to select the country where you are performing InTrust installation. This choice affects whether your participation in the Quest Software Improvement Program is enabled automatically.

The Software Improvement Program involves Quest receiving anonymous usage statistics from the Quest software you install. No personal identifying data (such as account names) is included in this feedback. The purpose is to determine which features are most popular and find out how their use can be streamlined.

The following information is transmitted:

  • Hardware configuration
  • Which product features are used
  • External IP addresses

Participation is voluntary. Although it is enabled automatically for some countries, you can change your choice at any time after InTrust setup is complete; for details, see the Installing the First Server in InTrust Organization topic in the InTrust Deployment Guide.

Collecting Events in Real Time

After you have installed the default components, run the InTrust Deployment Manager console by clicking its entry in the Start menu. This console manages gathering of audit data to InTrust repositories.

In the console, you specify which computers to audit and which kinds of events you need. This is done by setting up collections. Collection settings include the computers to collect from, data sources (definitions of the types of events) and the repository to collect to. Simply put, the point of a collection is to “get this kind of data from these computers to this repository”.

For gathering to work, computers in collections need to have InTrust agents installed. You can install agents on specific computers by selecting them in the right pane while a collection is highlighted and clicking Install Agents. Alternatively, enable the Install agents automatically option while you are creating or editing a collection to install them automatically on all computers in the collection. If this option is off in a newly created collection, no gathering occurs. Once you enable it, agents are installed and gathering begins.

Caution: If the Install agents automatically option is enabled for a collection, InTrust will try to keep the agents on all computers in the collection. If you uninstall an agent from a computer in such a collection, it will be reinstalled automatically.

In this situation, to stop gathering from a computer, you need to remove it from the collection.

If the Install agents automatically option is disabled, you need to install and uninstall agents manually using toolbar commands.

When you run InTrust Deployment Manager, you are directed to the home view, where you are briefly introduced to the basics of the real-time event collection workflow. This view explains collections (how InTrust organizes computers to collect from) and repositories (stores to collect data to), and it provides quick action links to help you get work done.

If you are starting InTrust Deployment Manager for the first time, take the opportunity to create a collection in the home view: either a Windows collection for gathering from Windows computers or a Syslog collection for capturing Syslog messages from devices and hosts.

Introduction to Repositories

An InTrust repository is a store for audit data collected by InTrust. Its architecture lets massive amounts of data be stored compactly and indexed for fast browsing in InTrust Repository Viewer and streamlined access by IT Security Search.

This helps achieve security regulations compliance and provides a ready-made toolset for event analysis. For an in-depth description of InTrust repositories, see the Understanding InTrust Repositories topic.

For the purposes of this guide, however, it is sufficient to know the following about repositories:

  • When you set up InTrust, a default repository is automatically created for you in the InTrust installation folder (by default, installation to Program Files is suggested). Note that the default repository is not recommended for real production use, but only for evaluation and training. When you are confident with the InTrust workflow, create your own repository on a server that has ample disk space and is ready for intensive disk writes.
  • You can use the default repository for all your logon and user session auditing needs (unless further scaling is required).
  • The folder where you create a repository should be available over the network.
  • If necessary, you can have multiple repositories, specialized by the type of data they are supposed to contain, by their location, or by some other characteristic. However, try to keep a manageable number of repositories.
  • The toolset described in this document works only with indexed repositories.

To manage repositories, use the Storage view in InTrust Deployment Manager.

Common Tasks

The following topics describe how you can manage and adapt InTrust using the InTrust Deployment Manager console.

Managing Collections

You can add, delete and edit collections at any time. To work with collections, go to the Collections view of InTrust Deployment Manager.

To create a collection, right-click the Collections node and select New Windows Collection or New Syslog Collection. To edit or delete a collection, right-click it and use the corresponding command.

To add computers to a collection

Use any of the following methods:

  • In the wizard that opens when you edit a collection, change the computer list on the Specify Computers step.
  • Select the computers you need in the Computers not in a collection search folder in the navigation pane and click Add to Collection (in the toolbar or in the shortcut menu), and then select the collection you need.
  • Supply a computer list in a plain-text file. For that, in the wizard that opens when you edit a collection, click Add Computer and type the local path to the file containing computer names or IP addresses of computers you want to collect from. Note that this is only a one-off import action. InTrust does not track changes to the file or remember its location.
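The following PowerShell script is an added example for preparing the plain-text computer list used by the Add Computer import above; it is not part of the InTrust documentation. The page does not specify the file format, so the script assumes one computer name or IP address per line. The sample entries, the output path and the two function names are constructed for the example.

```powershell
# Added example (not from the InTrust documentation): normalize a raw list of
# computer names/IP addresses into a clean one-per-line text file for the
# collection wizard's Add Computer import, and check that each entry resolves.
# Assumption: the import expects one name or address per line.

# Constructed sample input, as it might be pasted from a ticket or an export.
$rawEntries = @(
    'FS01.corp.example.com'
    'fs01.corp.example.com'   # duplicate that differs only in case
    '  DC02 '                 # stray whitespace
    '10.0.5.17'               # IP address instead of a name
    ''                        # blank line
    '# decommissioned host'   # comment line, to be dropped
)

function ConvertTo-ComputerList {
    # Trim, drop blanks and '#' comments, and deduplicate case-insensitively,
    # keeping the first spelling seen so the file stays readable.
    param([string[]]$Entries)
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in $Entries) {
        $name = $entry.Trim()
        if (-not $name -or $name.StartsWith('#')) { continue }
        if ($seen.Add($name)) { $name }
    }
}

function Test-ComputerList {
    # Since the import is a one-off and InTrust does not re-read the file,
    # catch typos before importing: try to resolve every entry.
    param([string[]]$Names)
    foreach ($name in $Names) {
        $resolves = $false
        try {
            [void][System.Net.Dns]::GetHostEntry($name)
            $resolves = $true
        } catch { }
        [pscustomobject]@{ Name = $name; Resolves = $resolves }
    }
}

$list = ConvertTo-ComputerList -Entries $rawEntries
# $list now holds: FS01.corp.example.com, DC02, 10.0.5.17

$outFile = Join-Path $env:TEMP 'intrust-computers.txt'   # constructed path
$list | Set-Content -Path $outFile -Encoding ASCII

Test-ComputerList -Names $list | Format-Table -AutoSize
"Wrote $($list.Count) entries to $outFile; point the wizard's Add Computer dialog at this path."
```

If the source of truth is Active Directory, `$rawEntries` can be replaced by the `DNSHostName` values from `Get-ADComputer -Filter 'Enabled -eq $true'` (RSAT module required); the rest of the script is unchanged. Because the import is one-off, rerun the script and import again whenever the set of hosts changes.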

To delete computers from a collection

  1. Right-click the collection and select Edit Collection.
  2. In the wizard that opens, go to the Specify Computers step.
  3. In the list of computers, select the computers you do not need, and click Remove (in the toolbar or in the shortcut menu).

To stop gathering from a computer without removing it from a collection

This works only in collections where the Install agents automatically option is disabled. In such collections, use the Install agent and Uninstall agent commands (in the toolbar or in the shortcut menu) to manage gathering without affecting collection membership.

In addition, the following management actions can be done in the wizard:

  • Change the account used for connecting to the computers in the collection
    Set the credentials on the Specify Computers step.
  • Change the list of logs that are gathered
    Select the data sources you need on the Data Sources and Repository step.
    Note: Some of the computers in the collection may not have the logs that the data sources expect. If you do not want InTrust to treat such situations as errors, select the Suppress errors from non-existent data sources option on the Data Sources and Repository step. This will make sure that the auditing status of an agent will not be affected if a specified log is not found.
  • Change the repository that events are gathered to
    Select the repository on the Data Sources and Repository step.