InTrust 11.3.1 - Release Notes

Release Notes

Quest® InTrust 11.3.1

September 2018

These release notes provide information about the Quest® InTrust release.


About this release

Quest® InTrust 11.3.1 delivers an enterprise-scale event log management solution for multi-location heterogeneous environments.

New features

New features in InTrust 11.3.1:

  • Support for TLS 1.2
    InTrust can now work in environments where TLS 1.2 is used exclusively.
  • Auditing and real-time monitoring of Trend Micro InterScan Web Security virtual appliances
    The new Knowledge Pack for Trend Micro InterScan Web Security Virtual Appliance provides gathering and real-time monitoring capabilities based on Syslog messages forwarded from InterScan Web Security virtual appliances to Linux hosts.
  • CSV format subsumes Excel format for Repository Viewer output
    From this version on, InTrust no longer supports the Microsoft Excel format for scheduled Repository Viewer reports and export of results from Repository Viewer. Instead of continued support for two similar formats, InTrust now has better support for CSV, making sure CSV files open correctly in Excel.

New features in InTrust 11.3

  • Quest Rebranding
    In this release, the product is rebranded Quest InTrust.
  • Support for Windows Server 2016
    Windows Server 2016 can now be audited and monitored, and InTrust components can be installed on this operating system.
  • InTrust Deployment Manager Overhaul
    InTrust Deployment Manager has received some long-awaited updates:
    • Repository management has a dedicated view.
      You don't have to access repositories in a roundabout way any more. All of your repositories are available on the new Storage tab.
    • You have the option to set up daily repository cleanup for repositories where you keep only the most recent data.
      Keeping such repositories lean and fast is now effortless.
    • The new Home tab guides you through the workflow.
      You can get the hang of InTrust Deployment Manager in minutes, even if you have never worked with the software before.
  • Charts in Repository Viewer Reports
    Printable reports generated by Repository Viewer can now use pie chart and column graph representation.
  • IT Security Search Integration
    You can run relevant searches in IT Security Search from multiple contexts in InTrust:
    • Event details in Repository Viewer
    • Real-time alerts in Monitoring Console (alert template customization needed)
    • Notification messages sent by extended InTrust deployments (notification template customization needed)
    To run a search, click the query URL or shortcut menu item provided. This search returns data that is relevant to the event at hand so that you can perform quick analysis.
  • Friendly Event Field Names in Alerts and Notifications
    You can customize templates for notifications and real-time alerts to include named fields that don't occur in the original events but are calculated by InTrust. This makes it easy to include information from such important fields as Who, Whom, When, What, Where, Where From and so on, no matter which original event fields are mapped to them.
  • Conditional Notification During Real-Time Monitoring
    The classic notification operators available in extended InTrust deployments have received a major enhancement. In addition to explicitly specifying accounts as recipients, you can supply scripts that decide who to notify based on events that trigger real-time monitoring alerts. One such script is shipped with InTrust: "Manager Address Discovery". This script finds out the initiator of the captured event and discovers the email address of that user's manager.
    You can provide your own scripts to suit your needs.
  • Support for Debian GNU/Linux
    Debian GNU/Linux 8 can now be audited and monitored.
  • Support for Active Roles 7
    This release extends the Active Roles auditing and monitoring capabilities of InTrust to version 7.


Table 1: Enhancements in InTrust 11.3.1

Enhancement Issue ID

The following Security log events introduced in Windows Server 2016 are now better supported and enriched with normalized fields (where applicable) during gathering: 4825, 4830, 4899, 5050, 5120, 5121, 5123, 5124, 5125, 5126, 5127, 5169, 5170, 6406, 6407, 6408.

The new "Multiple failed logons from the same workstation" predefined real-time monitoring rule helps detect security incidents such as orchestrated dictionary attacks, where matching by user name makes little sense.
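The grouping idea behind that rule, as an added example (not InTrust's own rule logic or code): failed logons are counted per source workstation in a sliding window and compared with a per-user count over the same events. The window, threshold, field layout and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed window, not an InTrust rule setting
THRESHOLD = 5                  # assumed failure count, not an InTrust rule setting
FAILED_LOGON = 4625            # Windows Security log: an account failed to log on

# Constructed sample events: (time, event ID, source workstation, target user)
SAMPLE_EVENTS = [
    ("2018-09-03 08:00:00", 4625, "WS-099", "bob"),    # slow, spread-out failures
    ("2018-09-03 08:15:00", 4625, "WS-099", "bob"),
    ("2018-09-03 08:30:00", 4625, "WS-099", "bob"),
    ("2018-09-03 08:45:00", 4625, "WS-099", "bob"),
    ("2018-09-03 09:10:00", 4625, "WS-099", "bob"),
    ("2018-09-03 09:00:05", 4625, "WS-017", "alice"),  # one guess per account
    ("2018-09-03 09:00:12", 4625, "WS-017", "carol"),
    ("2018-09-03 09:00:20", 4625, "WS-017", "dave"),
    ("2018-09-03 09:00:31", 4625, "WS-017", "erin"),
    ("2018-09-03 09:00:40", 4625, "WS-017", "frank"),
    ("2018-09-03 09:00:52", 4625, "WS-017", "grace"),
    ("2018-09-03 09:01:00", 4625, "WS-042", "alice"),  # mistyped password
    ("2018-09-03 09:01:30", 4625, "WS-042", "alice"),
    ("2018-09-03 09:01:50", 4624, "WS-042", "alice"),  # then a successful logon
]

def detect(events, group_by, window=WINDOW, threshold=THRESHOLD):
    """Return {key: time of first alert} for keys that reach `threshold`
    failed logons inside a sliding `window`. group_by: 'workstation' or 'user'."""
    field = {"workstation": 2, "user": 3}[group_by]
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, ws, user)
                    for t, eid, ws, user in events)
    recent = defaultdict(deque)  # key -> timestamps of failures still in window
    alerts = {}
    for event in parsed:
        if event[1] != FAILED_LOGON:
            continue
        ts, key = event[0], event[field]
        queue = recent[key]
        queue.append(ts)
        while ts - queue[0] > window:  # evict failures older than the window
            queue.popleft()
        if len(queue) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts

if __name__ == "__main__":
    print("per user:       ", detect(SAMPLE_EVENTS, "user"))
    print("per workstation:", detect(SAMPLE_EVENTS, "workstation"))
```

On the sample data the per-user count never reaches the threshold, because each account is tried only once from WS-017, while the per-workstation count alerts on the fifth failure.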

Enhancements in InTrust 11.3

Table 2: Enhancements in InTrust 11.3

Enhancement Issue ID

InTrust Manager shows summaries for job sessions, including the total number of events collected for each datasource.


The storing algorithm is optimized to save 20% of space in the repository.


Printable Repository Viewer reports include a summary page.

Correlated event rules support string comparison operators ("starts with", "contains" and others).

In InTrust Manager, the summary page for a site shows other InTrust objects that are using this site.


The number of files created by the repository merge engine has been reduced substantially.

The out-of-the-box Solaris real-time alert “Successful login by root” works on Solaris 10 and 11.

Repository Viewer provides searches for the most common Active Directory changes.


Resolved issues

The following is a list of issues addressed in this release.

Table 3: Resolved issues

Resolved Issue Issue ID

If the InTrust Real-Time Monitoring Server service restarts while an InTrust repository is unavailable, there is a period between service shutdown and the moment the repository becomes available again. Real-time collection to that repository may lose the events that occur during this period.


If the dllhost.exe process crashes during a Repository Viewer search and then comes back up, subsequent Repository Viewer searches fail, as if dllhost.exe were still unavailable.


In events gathered from computers running Windows Server 2012 R2 and later Windows versions, the OS version is 6.2, although it should be 6.3 or higher. This issue is present in both real-time collection and task-based gathering.


If a gathering job collects events to an audit database and there are more than about 5000 new events, the job fails with the following error: "ADC Error: Operation was terminated.". This does not happen for gathering jobs that collect only to repositories.


If the configuration of any repository in an InTrust organization has an invalid managing server reference, then Repository Viewer and IT Security Search cannot get a list of repositories from that organization.


When you check the installation requirements in the InTrust setup suite, you may get an error like the following:

"System.NullReferenceException: Object reference not set to an instance of an object at InTrust.Setup.CustomActions.Requirements.Model.VcRuntimeRequirement."

One possible reason for this is that a program was incorrectly uninstalled at some point.


When running repository indexing sessions, InTrust doesn't skip those repositories where no new data has been written since the last time. These unnecessary indexing attempts increase CPU load and adversely affect InTrust Server performance.


There is no way to copy text from the dialog box that shows details of collection-wide errors in InTrust Deployment Manager.


Repository Viewer writes Unicode text in the UTF-16 encoding when saving results to CSV format. This causes Excel to open such files as single-column tables. CSV files should use UTF-8 instead.


In Repository Viewer, when you launch the scheduling wizard for a previously scheduled CSV report, the wizard incorrectly shows the format as PDF.


When you save results to a CSV file, Repository Viewer doesn't warn that grouping and sorting are ignored for this format, even though this warning is displayed when you schedule a CSV report. The warning should be shown in both cases, and there should be a choice to disable it.


If InTrust fails to generate a Repository Viewer report that references an unknown event field, a non-informative error message is displayed that doesn't explain the real failure reason.


If the Turkish locale is set on a computer, then Repository Viewer running on that computer fails to open some repositories. This is due to string comparison problems during processing of field names.


During the operation of a reporting job that has report-driven data import enabled, the following error occurs:

Cannot import data from the repository. Error = 0x80004005. Could not connect to repository through InTrust server: Repository not found

If you manually create an import job for the same data, the import job works successfully.


InTrust Deployment Manager crashes when you open the properties of a Syslog collection that has an invalid InTrust server reference (for example, the specified server doesn’t exist anymore).


Resolved issues in InTrust 11.3

Table 4: Upgrade resolved issues

Resolved Issue Issue ID

After upgrade, the AIX agent may hang, and the following error can be found in the InTrust log:

Cannot install the agent on '' because of an error. Error text: Automatic Unix agent installation or repairing unsupported.

To work around this error, kill the InTrust agent process on the AIX host and restart it. The agent will continue working. Afterwards, uninstall the old agent version and install the new version.


After upgrade, the Linux agent may stop working, and errors like the following can be found in the InTrust log:

InTrust rule (Name = 'Multiple failed logins', ID = {026D8200-EB6A-D911-86B4-00021CF29526}) failed to install to 'sm-redhat' host. Error text: ADC Error: Failed to start data provider Redhat Linux Syslog ( cannot open shared object file: No such file or directory)

InTrust rule (Name = 'ProxyManager Rule: Redhat Linux Syslog', ID = {E747C75B-A419-1FB9-ACA0-9CB8D450CF43}) failed to install to 'sm-redhat' host. Error text: ADC Error: Failed to start data provider Redhat Linux Syslog ( cannot open shared object file: No such file or directory)

To work around this issue, install the new version of the InTrust agent without uninstalling the old version. Answer positively to all of the installer's questions.


After upgrade, the Solaris agent may stop working, and errors like the following can be found in the InTrust log:

InTrust rule (Name = 'Group created', ID = {CD6D04B3-C6E0-4A9A-8737-DC0C7AF794E4}) failed to install to 'spb9260' host. Error text: ADC Error: Failed to start data provider Solaris accounts monitoring ( adcscm.solaris_sparc: fatal: open failed: No such file or directory)

InTrust rule (Name = 'ProxyManager Rule: Solaris Syslog', ID = {F89603C8-C20C-19CF-9106-DDA65908AE44}) failed to install to 'spb9260' host. Error text: ADC Error: Failed to start data provider Solaris Syslog ( adcscm.solaris_sparc: fatal: open failed: No such file or directory)

To work around this issue, uninstall the old version of the InTrust agent and install the new version.

