InTrust is an event-log management solution that provides for collection, correlation, archival, and reporting on the heterogeneous audit data from your enterprise-wide network. InTrust real-time alerting and notification capabilities allow you to stay aware of what is going on in your network and how your business-critical resources are functioning.
Although InTrust is a powerful and comprehensive framework for audit data, deployments can range widely in complexity. The following types of coverage are all possible:
This guide explains only the use of the basic InTrust deployment. More sophisticated features and workflows are described elsewhere in the InTrust documentation set—for example, in the Deployment Guide.
Before you begin installation, confirm that the system requirements are met (see System Requirements). Also note that the InTrust installer verifies this automatically.
If the computer where you are going to install InTrust is a SQL server, make sure in advance that the installed version of SQL Server Native Client is no earlier than the version that InTrust 11.3.2 requires. Version 11.0.6538.0 of the client is redistributed with InTrust, so an older client already present on the SQL server is the case to check for.
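The following PowerShell check is an added example and is not part of the InTrust documentation set. It reads the product version of the installed SQL Server Native Client 11 and compares it with 11.0.6538.0, the version named above. It assumes the client is installed as sqlncli11.dll under System32 (the usual location) and that its ProductVersion string begins with a dotted version number; the function name is our own.

```powershell
# Added example, not part of the InTrust documentation set.
# Compares the installed SQL Server Native Client 11 with the version that
# InTrust 11.3.2 redistributes (11.0.6538.0, taken from the guide text).
# Assumptions: the client is sqlncli11.dll under System32, and its
# ProductVersion string (not FileVersion, which uses the 2011.110.x form)
# starts with a dotted version number.

function Get-SqlNativeClientVersion {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\sqlncli11.dll')
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
    # Tolerate trailing text in the version string by taking only the numeric prefix.
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

$required  = [version]'11.0.6538.0'
$installed = Get-SqlNativeClientVersion

if ($null -eq $installed) {
    Write-Output 'SQL Server Native Client 11 is not installed; InTrust setup will install its own copy.'
}
elseif ($installed -lt $required) {
    Write-Warning "Installed client $installed is older than $required; update it before running InTrust setup."
}
else {
    Write-Output "Installed client $installed meets the InTrust requirement ($required)."
}
```

Run this on the prospective InTrust server before starting Autorun. The [version] comparison avoids the classic string-comparison mistake where "11.0.7001.0" sorts before "11.0.6538.0".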
To begin installation, use the Autorun application that comes with your InTrust distribution; click InTrust Default Suite on the Install tab to begin setup.
Note: If you need custom InTrust capabilities, consider the InTrust Extended Suite option, which is not covered in this set of topics. For details, see the Deployment Guide.
Next, complete the remaining steps.
Caution: The default InTrust components require that ports 900 and 8340 be open for inbound traffic. The InTrust installer configures these ports in Windows Firewall automatically.
In addition, IT Security Search and the InTrust repository API use port 8341, which the installer does not configure. If you use the API or IT Security Search, open this port yourself and verify that it is reachable.
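The following PowerShell script is an added example and is not part of the InTrust documentation set. It checks whether an enabled inbound Allow rule exists in Windows Firewall for each of the ports named above (900, 8340 and 8341) and creates a rule for 8341, the one the installer leaves to you. It assumes all three ports are TCP (the guide does not state the protocol) and uses a rule name of our own choosing.

```powershell
# Added example, not part of the InTrust documentation set.
# Checks Windows Firewall for the InTrust ports named in the guide and adds
# a rule for 8341, which the InTrust installer does not configure.
# Assumptions: the ports are TCP (not stated in the guide), the rule name is
# our own, and the server sits on a domain network profile.
# Run in an elevated PowerShell session on the InTrust server.

$ports = 900, 8340, 8341

function Get-InboundAllowRules {
    # Returns enabled inbound Allow rules whose TCP port filter lists $Port.
    param([int]$Port)
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
        }
}

foreach ($p in $ports) {
    $rules = @(Get-InboundAllowRules -Port $p)
    if ($rules.Count -gt 0) {
        Write-Output "Port $p/TCP: allowed inbound by rule(s) $($rules.DisplayName -join ', ')"
    }
    elseif ($p -eq 8341) {
        # Only 8341 is ours to open; restrict it to the domain profile so it is
        # not exposed on public or private networks. Adjust -Profile if the
        # server is not domain-joined, and consider -RemoteAddress to limit
        # callers to the IT Security Search host.
        New-NetFirewallRule -DisplayName 'InTrust repository API (TCP 8341)' `
            -Direction Inbound -Protocol TCP -LocalPort 8341 `
            -Action Allow -Profile Domain | Out-Null
        Write-Output "Port $p/TCP: no rule found; created 'InTrust repository API (TCP 8341)'"
    }
    else {
        # 900 and 8340 should have been opened by the InTrust installer.
        Write-Warning "Port $p/TCP: no inbound allow rule found; re-check the InTrust installer's firewall configuration."
    }
}
```

After the rule is in place, confirm reachability from the IT Security Search host with Test-NetConnection -ComputerName <intrust-server> -Port 8341; a firewall rule on the server does not help if an intermediate network device blocks the port.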
One of the setup steps prompts you to select the country where you are performing InTrust installation. This choice affects whether your participation in the Quest Software Improvement Program is enabled automatically.
Under the Software Improvement Program, Quest receives anonymous usage statistics from the Quest software you install. No personal identifying data (such as account names) is included in this feedback. The purpose is to determine which features are most popular and find out how their use can be streamlined.
The following information is transmitted:
Participation is voluntary. Although it is enabled automatically for some countries, you can change your choice at any time after InTrust setup is complete; for details, see the Installing the First Server in InTrust Organization topic in the InTrust Deployment Guide.
After you have installed the default components, run the InTrust Deployment Manager console by clicking its entry in the Start menu. This console manages gathering of audit data to InTrust repositories.
In the console, you specify the computers you want to audit and the kinds of events you need. This is done by setting up collections. Collection settings include the computers to collect from, data sources (definitions of the types of events) and the repository to collect to. Simply put, the point of a collection is to “get this kind of data from these computers to this repository”.
For gathering to work, computers in collections need to have InTrust agents installed. You can install agents on specific computers by selecting them in the right pane while a collection is highlighted and clicking Install Agents. Alternatively, enable the Install agents automatically option while you are creating or editing a collection to install them on all computers in the collection. If this option is off in a newly created collection and you do not install agents manually, no gathering occurs. Once you enable it, agents are installed and gathering begins.
Caution: If the Install agents automatically option is enabled for a collection, InTrust will try to keep the agents on all computers in the collection. If you uninstall an agent from a computer in such a collection, it will be reinstalled automatically.
In this situation, to stop gathering from a computer, you need to remove it from the collection.
If the Install agents automatically option is disabled, you need to install and uninstall agents manually using toolbar commands.
When you run InTrust Deployment Manager, you are directed to the home view, which briefly introduces the basics of the real-time event collection workflow. This view explains collections (how InTrust organizes computers to collect from) and repositories (stores to collect data to), and it provides quick action links to help you get work done.
If you are starting InTrust Deployment Manager for the first time, take the opportunity to create a collection in the home view: either a Windows collection for gathering from Windows computers or a Syslog collection for capturing Syslog messages from devices and hosts.
An InTrust repository is a store for audit data collected by InTrust. Its architecture allows massive amounts of data to be stored compactly and indexed for fast browsing in InTrust Repository Viewer and streamlined access by IT Security Search.
This helps achieve compliance with security regulations and provides a ready-made toolset for event analysis. For an in-depth description of InTrust repositories, see the Understanding InTrust Repositories topic.
For the purposes of this guide, however, it is sufficient to know the following about repositories:
To manage repositories, use the Storage view in InTrust Deployment Manager.
The following topics describe how you can manage and adapt InTrust using the InTrust Deployment Manager console.
You can add, delete and edit collections at any time. To work with collections, go to the Collections view of InTrust Deployment Manager.
To create a collection, right-click the Collections node and select New Windows Collection or New Syslog Collection. To edit or delete a collection, right-click it and use the corresponding command.
To add computers to a collection
Use any of the following methods:
To delete computers from a collection
To stop gathering from a computer without removing it from a collection
This works only in collections where the Install agents automatically option is disabled. In such collections, use the Install agent and Uninstall agent commands (in the toolbar or in the shortcut menu) to manage gathering without affecting collection membership.
In addition, the following management actions can be done in the wizard:
Note: Some of the computers in the collection may not have the logs that the data sources expect. If you do not want InTrust to treat such situations as errors, select the Suppress errors from non-existent data sources option on the Data Sources and Repository step. This will make sure that the auditing status of an agent will not be affected if a specified log is not found.