Events that arrive in a repository can be passed on to SIEM systems that know how to receive, store and index them for analysis. This is known as audit data forwarding and is configured on a per-repository basis.
Forwarding has a dedicated group of settings in the properties of a repository. Use the Enable forwarding option to turn it on and off for the repository you are working with.
Forwarding starts with the events that arrive in the repository through real-time collection after you turn it on. Events that were already in the repository at that moment are not forwarded.
NOTE: Forwarding does not work for events that are gathered to repositories by InTrust gathering jobs as part of the workflow described in the Auditing Guide.
For details about repository options, see Managing Repositories.
Caution: Do not forward events to an InTrust server that listens for Syslog messages, because the messages will arrive with incorrect timestamps.
The following options control how forwarding is performed:
SIEM appliances expect data in a specific format. For forwarding to be useful, InTrust must convert the contents of the repository to that format before passing them on.
The following output formats are supported:
You can add support for other formats by providing custom format definition scripts.
To specify a different format, select the Custom Format item in the Message format drop-down list, click Edit, and use the editor that opens.
Note the following specifics:
For more details about formatting custom messages, study the default formatting script provided in the built-in editor. This is a valid script that replicates the functionality of the predefined SecureWorks forwarding component in InTrust. To change the message format, either edit the Format variable or write your own custom script using this default script as an example. In the Format string, event field names enclosed in percent signs (%) will be replaced by their values.
For details about event objects and the InTrust object model in general, see Customization Kit.
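The substitution rule above (a field name between percent signs is replaced by the field's value) is easy to get wrong in a custom script, typically through a misspelled or wrongly cased field name that silently produces an empty value in the SIEM. The following JavaScript is an added stand-alone illustration of that rule, not the InTrust default formatting script and not a script that can be pasted into the built-in editor as-is. The sample event, its field names, the Format string, the treatment of unknown fields (dropped and reported) and of a doubled percent sign (literal %) are all assumptions made for this example.

```javascript
// Added example: expands an InTrust-style Format string where %FieldName% is replaced by the
// field's value. Not the product's own script; field names and conventions below are assumed.

// Constructed sample event. The field names are placeholders, not a guaranteed InTrust field list.
const SAMPLE_EVENT = {
  EventID: "4625",
  Computer: "DC01.example.local",
  Source: "Microsoft-Windows-Security-Auditing",
  Description: "An account failed to log on.",
  Time: "2024-01-15T10:23:41Z",
};

// A Format string in the style the page describes. "%%" is this example's way of writing a
// literal percent sign; a lone "%" that does not enclose a name (as in "100% of") is left alone.
const FORMAT =
  "%Time% %Computer% InTrust[%EventID%]: %Source%: %Description% (sampling 100%%)";

// Expand the placeholders. Besides the message, return the names that had no value so the
// author of a custom script can catch typos (field names are matched case-sensitively here).
function expandFormat(format, event) {
  const missing = [];
  const message = format.replace(/%([A-Za-z0-9_]*)%/g, (match, name) => {
    if (name === "") return "%"; // "%%" -> literal percent (assumption)
    if (Object.prototype.hasOwnProperty.call(event, name)) return String(event[name]);
    missing.push(name);
    return ""; // unknown field: drop the placeholder rather than forward "%Name%" (assumption)
  });
  return { message, missing };
}

// Syslog receivers treat a newline as the end of a record, so a multi-line event description
// would arrive as several broken messages. Flatten it before handing the message over.
function toSingleLine(message) {
  return message.replace(/\r?\n/g, " ");
}

function buildMessage(format, event) {
  return toSingleLine(expandFormat(format, event).message);
}

console.log(buildMessage(FORMAT, SAMPLE_EVENT));
// A misspelled field name is reported instead of silently producing an empty value:
console.log(expandFormat("%EventId% %Computer%", SAMPLE_EVENT).missing);
```

Run the check for missing names once against a representative event before enabling forwarding; an empty field in the SIEM is much harder to trace back to a typo in the Format string.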
For best results, consider using a dedicated repository for event forwarding. You can create the repository in advance in the Storage view of InTrust Deployment Manager. Alternatively, you can choose to create a new repository when you create your forwarding-oriented collection in the Collections view.
To make sure your repository doesn't waste disk space, set up daily cleanup for it. Cleanup is configured in the repository properties in the Storage view.