Introduction to InTrust
InTrust is a powerful framework for enterprise log management, provision of regulations compliance and IT data analytics.
What InTrust Can Do for You
InTrust focuses on logs, which make up the bulk of IT data in the enterprise. The log-oriented approach helps you achieve the following:
- Securely collect and archive logs in real time from across the diverse enterprise network
- Automate the log review process without hiring event log experts
- Pass audits by providing faster answers to the questions auditors will ask
- Conduct efficient investigations of security incidents and fraudulent activity of insiders
- Improve day-to-day operations by minimizing the number of tools and making IT data readily available
- Assess the robustness of security and operations without much effort
What's Inside
InTrust has many components, but not all of them are needed for most scenarios. The default components are few, accessible and easy to deploy; yet they cover the most common log management needs and incorporate impressive InTrust expertise.
The remaining components help manage rare logs, implement specialized scenarios and provide advanced capabilities such as reporting powered by SQL Server Reporting Services and real-time monitoring with alerts and automated response.
Default Deployment
The following components are installed by default:
- InTrust Server
This is the principal component that provides most of the capabilities of InTrust, in both default and extended deployments. It is a back-end that keeps the InTrust configuration up to date and runs the operations according to that configuration. - InTrust Deployment Manager
This console is used for setting up real-time data gathering. This workflow is based on collections of Windows computers or Syslog devices, from which data is continuously gathered to the InTrust repository that you specify. In addition, InTrust Deployment Manager lets you forward Syslog messages and events from repositories to SIEM solutions such as SecureWorks. - InTrust Repository Viewer
This application lets you browse the contents of InTrust repositories, which are data stores that keep the InTrust-gathered data. Repository Viewer offers flexible searching, grouping, sorting and filtering for focused event analysis. It also supports running search-based scheduled reports on a regular basis, with customizable layouts and convenient delivery options.
Extended Deployment
The other components you can set up are also built around InTrust Server but geared for a different workflow and style of configuration. These components form an extended InTrust deployment.
- InTrust Manager
This console sets up scheduled task-based gathering, reporting based on SQL Server Reporting Services, and real-time monitoring. InTrust Manager is required for all of these advanced features. For details about them, see the following documentation: - Knowledge Portal
This Web application is an alternative to the Reporting Services Web UI, streamlined for use with InTrust reports. - InTrust Monitoring Console
This Web application displays real-time alerts produced by InTrust and lets you track and manage their state. - Knowledge Packs
These are collections of InTrust resources that are needed for supporting specific platforms and logs. For example, installing the Solaris Knowledge Pack enables InTrust to gather logs from Solaris hosts (through InTrust agents), monitor these hosts in real time and build SSRS reports based on the collected data. The range of supported platforms and logs is broader for extended deployments than for default deployments.
Key Concepts
The following terms are important for understanding the basics of InTrust.
InTrust Server
An InTrust server is a computer where the InTrust Server component is set up. It processes requests from client applications such as Repository Viewer and InTrust Deployment Manager, performs the operations they request and handles the configuration.
InTrust Repository
The repository is the primary type of data store in InTrust. Repositories are intended for long-term archiving of data in a compressed format. For fast access to the data they contain, repositories have indexes, which are maintained by the InTrust server.
Repositories are normally file-based, but in extended deployments you also have the option of associating a repository with an EMC Centera appliance.
The same repository can be used for both real-time gathering and scheduled task-based gathering; the only restriction is that the same data from the same computers must not be gathered using both methods at once.
InTrust Organization
An InTrust organization is a group of InTrust servers with a shared configuration, for which a SQL Server database is used.
An InTrust organization provides the following:
- Load balancing among InTrust servers
- A common list of InTrust organization administrators
- A uniform selection of available data sources for all member InTrust servers
InTrust Agents
An InTrust agent is an application which is usually automatically installed by InTrust Server on target computers to locally perform audit data gathering and, in extended deployments, real-time monitoring. Alternatively, you install and uninstall agents explicitly using InTrust Deployment Manager (or InTrust Manager). However, you can install InTrust agents manually (for example, if the target computer is behind a firewall or in an untrusted domain). In addition, a Windows Installer package for the InTrust agent makes it possible to manage agent installations using Group Policy.
During its operation an agent communicates with InTrust Server over the TCP protocol. In complex environments, agents require only one open port to allow incoming traffic to the InTrust server address.
|
|
Note: For extended deployments, consider the following:
|
If an agent cannot connect to the InTrust Server for the certain time period (for example, if the InTrust server was removed), it is “retired” (uninstalled) automatically.
How It Works
The following diagram summarizes the points made in the Introduction to InTrust topic and shows where the components fit in the big picture. The roles of the users shown here are pure examples. Of course, each of them can benefit from all of the client applications.
Note that the diagram shows only the default InTrust deployment. For a representation of an extended deployment, see Technical Insight.
Supported Platforms and Data Sources
Supported Platforms and Logs
This is a breakdown of how InTrust handles heterogeneous audit data. Instead of "log", the broader term "data source" is used, because some of the valuable transient data that InTrust can watch is not strictly logs.
The real-time gathering feature is part of the default InTrust deployment.
The task-based gathering and real-time monitoring features come with the extended deployment.
Microsoft Windows
64-bit architecture:
- Microsoft Windows Server 2016
- Microsoft Windows 10
- Microsoft Windows Server 2012 R2
- Microsoft Windows 8.1
- Microsoft Windows Server 2012
- Microsoft Windows 8
- Microsoft Windows Server 2008 R2
- Microsoft Windows 7
32-bit architecture:
- Microsoft Windows 10
- Microsoft Windows 7
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| Windows event logs (such as Application or Security log) | Yes | Yes | Yes |
| User session events captured by the InTrust agent for superior user activity tracking | Yes | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Windows Security Log events collected by Microsoft System Center Operations Manager 2007 and 2012 Audit Collection Services | No | Yes | No |
Solaris
- Oracle Solaris 11.1 (standard installation): 32-bit and 64-bit (on Sparc v9 and AMD-64 architectures)
- Sun Solaris 10.0 (standard installation): 32-bit and 64-bit (on Sparc v9 and AMD-64 architectures)
- Sun Solaris 9.0 (standard installation): 32-bit and 64-bit (on Sparc v9 architecture)
- Sun Solaris 8.0 (standard installation with patch 112439-01): 32-bit and 64-bit (on Sparc v9 architecture)
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| Solaris Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |
| Solaris audit logs generated by Basic Security Module (BSM) | No | Yes | No |
Red Hat Enterprise Linux
- Red Hat Enterprise Linux 7 – 7.4
- Red Hat Enterprise Linux 6.3 – 6.9
- Red Hat Enterprise Linux AS 5
- Red Hat Enterprise Linux ES 5
- Red Hat Enterprise Linux AS 4
- Red Hat Enterprise Linux ES 4
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| Linux Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |
Oracle Linux
- Oracle Linux 7 – 7.4
- Oracle Linux 6.3 – 6.9
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| Linux Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |
SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server 11 (32-bit and 64-bit on AMD-64)
- SUSE Linux Enterprise Server 10 (32-bit and 64-bit on AMD-64)
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| Linux Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |
Debian GNU/Linux
Debian GNU/Linux 9, 8
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| Linux Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |
Ubuntu Linux
Ubuntu Linux 18.04, 16.04, 14.04
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| Linux Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |
IBM AIX
- IBM AIX V7.1
- IBM AIX V6
- IBM AIX 5L 5.3
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| IBM AIX Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |
| AIX audit logs | No | Yes | Yes |
HP-UX
- HP-UX 11i v3
- HP-UX 11i v2
- HP-UX 11i
| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
|
HP-UX Syslog |
No |
Yes |
Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |
| HP-UX audit logs | No | Yes | No |
VMware ESX and ESXi
- VMware ESXi 5.5
- VMware ESXi 5.0
- VMware ESX 4.1
- VMware ESXi 4.1
- VMware ESX 4.0 Update 2
- VMware ESX 4.0 Update 1
- VMware ESXi 4.0 Update 1
| Data source | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| VMware vCenter, ESX and ESXi events | No | Yes | No |
Trend Micro InterScan Web Security Virtual Appliance
Trend Micro InterScan Web Security Virtual Appliance 6.5
| Data source | Real-time gathering | Task-based gathering | Real-time monitoring |
|---|---|---|---|
| Syslog messages forwarded from virtual appliances to Linux hosts | No | Yes | Yes |