InTrust 11.3.1 - Product Overview

Introduction to InTrust

InTrust is a powerful framework for enterprise log management, regulatory compliance, and IT data analytics.

What InTrust Can Do for You

InTrust focuses on logs, which make up the bulk of IT data in the enterprise. The log-oriented approach helps you achieve the following:

  • Securely collect and archive logs in real time from across the diverse enterprise network
  • Automate the log review process without hiring event log experts
  • Pass audits by providing faster answers to the questions auditors will ask
  • Conduct efficient investigations of security incidents and fraudulent activity of insiders
  • Improve day-to-day operations by minimizing the number of tools and making IT data readily available
  • Assess the robustness of security and operations without much effort

What's Inside

InTrust has many components, but not all of them are needed for most scenarios. The default components are few, accessible and easy to deploy; yet they cover the most common log management needs and incorporate impressive InTrust expertise.

The remaining components help manage rare logs, implement specialized scenarios and provide advanced capabilities such as reporting powered by SQL Server Reporting Services and real-time monitoring with alerts and automated response.

Default Deployment

The following components are installed by default:

  • InTrust Server
    This is the principal component that provides most of the capabilities of InTrust, in both default and extended deployments. It is a back-end that keeps the InTrust configuration up to date and runs the operations according to that configuration.
  • InTrust Deployment Manager
    This console is used for setting up real-time data gathering. This workflow is based on collections of Windows computers or Syslog devices, from which data is continuously gathered to the InTrust repository that you specify. In addition, InTrust Deployment Manager lets you forward Syslog messages and events from repositories to SIEM solutions such as SecureWorks.
  • InTrust Repository Viewer
    This application lets you browse the contents of InTrust repositories, which are data stores that keep the InTrust-gathered data. Repository Viewer offers flexible searching, grouping, sorting and filtering for focused event analysis. It also supports running search-based scheduled reports on a regular basis, with customizable layouts and convenient delivery options.

Extended Deployment

The other components you can set up are also built around InTrust Server but geared for a different workflow and style of configuration. These components form an extended InTrust deployment.

  • InTrust Manager
    This console sets up scheduled task-based gathering, reporting based on SQL Server Reporting Services, and real-time monitoring. InTrust Manager is required for all of these advanced features. For details about them, see the following documentation:
  • Knowledge Portal
    This Web application is an alternative to the Reporting Services Web UI, streamlined for use with InTrust reports.
  • InTrust Monitoring Console
    This Web application displays real-time alerts produced by InTrust and lets you track and manage their state.
  • Knowledge Packs
    These are collections of InTrust resources that are needed for supporting specific platforms and logs. For example, installing the Solaris Knowledge Pack enables InTrust to gather logs from Solaris hosts (through InTrust agents), monitor these hosts in real time and build SSRS reports based on the collected data. The range of supported platforms and logs is broader for extended deployments than for default deployments.

Key Concepts

The following terms are important for understanding the basics of InTrust.

InTrust Server

An InTrust server is a computer where the InTrust Server component is set up. It processes requests from client applications such as Repository Viewer and InTrust Deployment Manager, performs the operations they request and handles the configuration.

InTrust Repository

The repository is the primary type of data store in InTrust. Repositories are intended for long-term archiving of data in a compressed format. For fast access to the data they contain, repositories have indexes, which are maintained by the InTrust server.

Repositories are normally file-based, but in extended deployments you also have the option of associating a repository with an EMC Centera appliance.

The same repository can be used for both real-time gathering and scheduled task-based gathering; the only restriction is that the same data from the same computers must not be gathered using both methods at once.

InTrust Organization

An InTrust organization is a group of InTrust servers with a shared configuration, which is stored in a SQL Server database.

An InTrust organization provides the following:

  • Load balancing among InTrust servers
  • A common list of InTrust organization administrators
  • A uniform selection of available data sources for all member InTrust servers

InTrust Agents

An InTrust agent is an application that is usually installed automatically by InTrust Server on target computers to perform audit data gathering locally and, in extended deployments, real-time monitoring. You can also install and uninstall agents explicitly using InTrust Deployment Manager (or InTrust Manager), or install them manually (for example, if the target computer is behind a firewall or in an untrusted domain). In addition, a Windows Installer package for the InTrust agent makes it possible to manage agent installations using Group Policy.

During its operation, an agent communicates with InTrust Server over TCP. In complex environments (for example, across firewalls), only one port needs to be open for incoming traffic to the InTrust server address.

Note: For extended deployments, consider the following:

  • In some scheduled task-based gathering scenarios, agents are not required for working with Windows networks. However, they are still recommended due to improved performance, better security and reduced network load.
  • Scheduled task-based gathering from Unix networks requires agents, which must be installed manually.
  • Agents are mandatory for real-time monitoring in both Windows and Unix networks.

If an agent cannot connect to the InTrust server for a certain period of time (for example, if the InTrust server was removed), it is “retired” (uninstalled) automatically.

How It Works

The following diagram summarizes the points made in the Introduction to InTrust topic and shows where the components fit in the big picture. The user roles shown here are examples only; each of these users can benefit from all of the client applications.

Note that the diagram shows only the default InTrust deployment. For a representation of an extended deployment, see Technical Insight.

Supported Platforms and Data Sources

Supported Platforms and Logs

This is a breakdown of how InTrust handles heterogeneous audit data. Instead of "log", the broader term "data source" is used, because some of the valuable transient data that InTrust can watch is not strictly logs.

The real-time gathering feature is part of the default InTrust deployment.

The task-based gathering and real-time monitoring features come with the extended deployment.

Microsoft Windows

64-bit architecture:

  • Microsoft Windows Server 2016
  • Microsoft Windows 10
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2012
  • Microsoft Windows 8
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 7
  • Microsoft Windows Server 2008

32-bit architecture:

  • Microsoft Windows 10
  • Microsoft Windows 7
  • Microsoft Windows Server 2008

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  Windows event logs (such as Application or Security log) | Yes | Yes | Yes
  User session events captured by the InTrust agent for superior user activity tracking | Yes | Yes | Yes
  Text logs of any format | No | Yes | No
  Windows Security Log events collected by Microsoft System Center Operations Manager 2007 and 2012 Audit Collection Services | No | Yes | No

Solaris

  • Oracle Solaris 11.1 (standard installation): 32-bit and 64-bit (on Sparc v9 and AMD-64 architectures)
  • Sun Solaris 10.0 (standard installation): 32-bit and 64-bit (on Sparc v9 and AMD-64 architectures)
  • Sun Solaris 9.0 (standard installation): 32-bit and 64-bit (on Sparc v9 architecture)
  • Sun Solaris 8.0 (standard installation with patch 112439-01): 32-bit and 64-bit (on Sparc v9 architecture)

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  Solaris Syslog | No | Yes | Yes
  Text logs of any format | No | Yes | No
  Configuration files (modifications) | No | Yes | Yes
  Solaris audit logs generated by Basic Security Module (BSM) | No | Yes | No

Red Hat Enterprise Linux

  • Red Hat Enterprise Linux 7 – 7.4
  • Red Hat Enterprise Linux 6.3 – 6.9
  • Red Hat Enterprise Linux AS 5
  • Red Hat Enterprise Linux ES 5
  • Red Hat Enterprise Linux AS 4
  • Red Hat Enterprise Linux ES 4

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  Linux Syslog | No | Yes | Yes
  Text logs of any format | No | Yes | No
  Configuration files (modifications) | No | Yes | Yes

Oracle Linux

  • Oracle Linux 7 – 7.4
  • Oracle Linux 6.3 – 6.9

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  Linux Syslog | No | Yes | Yes
  Text logs of any format | No | Yes | No
  Configuration files (modifications) | No | Yes | Yes

SUSE Linux Enterprise Server

  • SUSE Linux Enterprise Server 11 (32-bit and 64-bit on AMD-64)
  • SUSE Linux Enterprise Server 10 (32-bit and 64-bit on AMD-64)

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  Linux Syslog | No | Yes | Yes
  Text logs of any format | No | Yes | No
  Configuration files (modifications) | No | Yes | Yes

Debian GNU/Linux

  • Debian GNU/Linux 8

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  Linux Syslog | No | Yes | Yes
  Text logs of any format | No | Yes | No
  Configuration files (modifications) | No | Yes | Yes

IBM AIX

  • IBM AIX V7.1
  • IBM AIX V6
  • IBM AIX 5L 5.3

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  IBM AIX Syslog | No | Yes | Yes
  Text logs of any format | No | Yes | No
  Configuration files (modifications) | No | Yes | Yes
  AIX audit logs | No | Yes | Yes

HP-UX

  • HP-UX 11i v3
  • HP-UX 11i v2
  • HP-UX 11i

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  HP-UX Syslog | No | Yes | Yes
  Text logs of any format | No | Yes | No
  Configuration files (modifications) | No | Yes | Yes
  HP-UX audit logs | No | Yes | No

VMware ESX and ESXi

  • VMware ESXi 5.5
  • VMware ESXi 5.0
  • VMware ESX 4.1
  • VMware ESXi 4.1
  • VMware ESX 4.0 Update 2
  • VMware ESX 4.0 Update 1
  • VMware ESXi 4.0 Update 1

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  VMware vCenter, ESX and ESXi events | No | Yes | No

Trend Micro InterScan Web Security Virtual Appliance

  • Trend Micro InterScan Web Security Virtual Appliance 6.5

  Data source | Real-time gathering | Task-based gathering | Real-time monitoring
  Syslog messages forwarded from virtual appliances to Linux hosts | No | Yes | Yes