
InTrust 11.4.1 - Auditing Guide

Import Job

An import job copies audit data from an InTrust repository to an audit database, so that InTrust reporting can use this data to generate reports.

Although import jobs are part of the task-based gathering workflow, they work equally well with repository data gathered using real-time collection. The only difference is that real-time collection doesn't commit all of the data immediately, and periodic merge operations are required for the data to become available for import. For details about real-time event collection, see the Collecting Events in Real Time topic.

When you create or modify an import job, you need to select the following:

  • The server on which to run the job
  • The source repository
  • The destination audit database
  • The policy according to which data will be picked for import
  • The objects from which the data is taken

You can choose whether events that were already imported during previous sessions are imported again in the next session. To do so:

  1. Select the import policy the job uses, and open the properties of the necessary data source
  2. Click the General tab:
    • To import only those events that follow the last imported event, select the Import incrementally, starting with last imported event option.
    • To import events gathered at any time, clear this option.

When you are importing events from the data source of Microsoft Windows Events type, you may need to retain their standard descriptions. For that, select this data source from Configuration | Data Sources, open its properties, click the Microsoft Windows Events tab, and select Store event descriptions to database.

Reporting Job

A reporting job adds reporting capabilities to the InTrust workflow by using the Reporting Services feature of Microsoft SQL Server.

Reporting jobs are normally run after import or gathering jobs and prepare reports based on the newly gathered data.

To generate a report, InTrust connects to the Reporting Web service on the SQL server. The actual report generation process takes place on the reporting server.

To configure the reporting job, specify the following:

  • The URL of the reporting server's Web service
  • The database to be used as the data source for the reports; the database you specify must exist and have the structure of an InTrust database
  • Optionally, the repository to import the necessary data from (see the Report-Driven Data Import topic)
  • Optionally, the credentials for creating the reports
  • The reports and filters you need
  • Where to deliver the ready reports—email address, network share or a Reporting Server snapshot that you can view using Knowledge Portal.
  • Optionally, the repository from which to import data that is missing from the database.
  • Optionally, settings for notification about job completion by email
  • The InTrust server where the job runs

To modify the default URLs related to reporting jobs

  1. Open the properties of the root node in the InTrust Manager treeview.
  2. On the Parameters tab, select the Show all option.
  3. Edit the following parameters:
    • Reporting_default_SRS—URL of the reporting server's Web service
    • Reporting_default_report_share—location of the folder where completed InTrust reports are stored
    • Reporting_default_QRS—URL of the Reporting Services user interface application's virtual directory

Web Service URL

The reporting server's Web service URL is first specified during InTrust setup. Although setup verifies it, you can choose to proceed without a valid URL. If InTrust was installed that way, no default value is suggested in InTrust Manager, and you must supply the URL explicitly, for example, when creating a reporting job with the New Job Wizard.

By default, the Web service URL is formed as follows:

http://<SQL_server_name>/reportserver

If you connect to a named SQL Server instance, the URL is formed differently. In a default configuration, it is constructed as follows:

http://<SQL_server_name>/reportserver$<SQL_server_instance_name>

Notes:

  • If the HTTPS protocol is used in your SSRS deployment, the URLs you specify should begin with “https://”.
  • It is recommended that you specify the reporting server's DNS alias instead of its actual name. This will help avoid situations where changing the reporting server clears the list of reports selected for the reporting job. If you use an alias, the server switch involves changing the server that the alias points to, leaving the reporting job intact.

Contact your SQL Server administrator for the correct Web service URL.

Data Source Selection

When you create a reporting job, on the Reporting Server and InTrust Database step of the wizard, you can select the source from which data for reports should be taken. The following options are available:

  • Use SRS data source associated with each report—each report will be filled in with data from the data source associated with it. This data source can be found in report properties. Remember that each data source should point to a certain InTrust database—this is configured automatically during setup, or manually in Knowledge Portal or Reporting Services Report Manager.

Caution: For this option to take effect properly, you should check the corresponding report properties (Data Sources property) and verify that the data source is properly associated with the desired InTrust database.

  • Select InTrust database for reporting—use this option to specify the InTrust database you want to take data from. Click Credentials to specify the authentication method and database access credentials (for details, see the Reporting Job Security section below).

Source Repository

If you need to report on data that is currently stored in an InTrust repository but not in the database, you should instruct InTrust to import the missing data from the repository. For example, when creating a new job, on the Import Missing Data step, select the Import objects from the following repository option, and select the source repository.

Filtering

You can instruct InTrust to exclude unnecessary events during import by configuring filters. For that, on the Reports step of the wizard, select a report from the list and click Filters. During data import, the following two filters can be applied: DateRange and Select Computers (if applicable). Select the filter and edit the filter value.

Note: Other filters configured for the report will be applied during report generation.

Report Storage Location

The default location for compiled reports is initially specified during InTrust installation. You can specify new defaults or use individual settings for each job.

Avoiding Report Timeouts

Reporting Services configuration includes the following timeout settings for reports that take too long to generate:

  • Report timeout: default value 1800 seconds (30 minutes). Configured in the administration page for a Reporting Services site, on the General tab. You can set a custom value or disable the timeout altogether.
  • HTTP timeout: default value 9000 seconds (2.5 hours). Configured in the Web.config file on the report server. This option has no UI representation. For details about changing it, see the procedure below.

If report generation times out for the reports you configure in your reporting job, consider changing the timeout settings.

To change the HTTP timeout

  1. On the report server, locate the Web.config file. It should be in the <installation_folder>\Reporting Services\ReportServer folder.
  2. In the file, find the <httpRuntime> tag, and change the value of the executionTimeout parameter (the value is in seconds). If <httpRuntime> doesn't exist, create it within the section enclosed in the <system.web> tag pair. For example:
    <system.web>
        ...
        <httpRuntime executionTimeout="18000" />
        ...
    </system.web>
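The procedure above is easy to get wrong by hand (a missing <httpRuntime> element, or a value edited in the wrong section). The following Python script is an added example, not part of the InTrust guide or product: it sets the executionTimeout attribute on <system.web><httpRuntime>, creating the element when it is absent, and keeps a backup of the original file. The sample Web.config content is constructed for the example; the real file sits in the <installation_folder>\Reporting Services\ReportServer folder named in step 1.

```python
"""Added example (not InTrust's or Microsoft's code): set the Reporting Services
HTTP timeout by editing <httpRuntime executionTimeout="..."> in Web.config.

Assumptions (constructed for this example):
- Web.config has the <configuration><system.web> layout the guide describes;
- the file uses no XML default namespace, so plain element names match.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

# Constructed sample: <system.web> exists, but <httpRuntime> does not yet.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
"""


def set_execution_timeout(xml_text: str, seconds: int) -> str:
    """Return xml_text with <system.web><httpRuntime executionTimeout="N"/> set.

    Creates <httpRuntime> inside <system.web> when it is missing, and creates
    <system.web> under the root when that is missing too. The value is seconds.
    """
    if seconds <= 0:
        raise ValueError("executionTimeout must be a positive number of seconds")
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    http_runtime = system_web.find("httpRuntime")
    if http_runtime is None:
        http_runtime = ET.SubElement(system_web, "httpRuntime")
    http_runtime.set("executionTimeout", str(seconds))
    return ET.tostring(root, encoding="unicode")


def get_execution_timeout(xml_text: str) -> Optional[int]:
    """Read the configured executionTimeout in seconds, or None when it is unset."""
    root = ET.fromstring(xml_text)
    node = root.find("system.web/httpRuntime")
    if node is None or "executionTimeout" not in node.attrib:
        return None
    return int(node.attrib["executionTimeout"])


def update_web_config(path: Path, seconds: int) -> None:
    """Edit a Web.config file in place, keeping a Web.config.bak copy first."""
    original = path.read_text(encoding="utf-8")
    path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
    path.write_text(set_execution_timeout(original, seconds), encoding="utf-8")


if __name__ == "__main__":
    updated = set_execution_timeout(SAMPLE_WEB_CONFIG, 18000)
    print(updated)
    print("configured HTTP timeout (s):", get_execution_timeout(updated))
```

To apply it to a real server, call update_web_config(Path(r"...\Reporting Services\ReportServer\Web.config"), 18000) with the actual installation path; the backup lets you revert if the report server refuses to start after the edit.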

Reporting Job Security

Like any other job, a reporting job runs under the account it inherits from the task or the account that is set specifically for the job. However, to function properly, reporting requires additional security settings.

Report Selection

To successfully create a reporting job, use an account that can read report definitions on the reporting server. Otherwise, you will not get the list of reports to select from.

The account you use to run InTrust Manager must have a role that enables read access to report definitions on the reporting server. The “Browser” role, which is a standard role in Reporting Services, has sufficient privileges.

Database Connection

When you create a reporting job using the New Job Wizard, you specify the location of Reporting Services and the database to be used as the Reporting Services data source.

The Credentials button lets you set the credentials that Reporting Services will use to connect to the database. The following options are available:

Windows authentication (using job account)

Specifies that Reporting Services connects to the specified database using the credentials of the account that the job runs under.

This authentication method is always used if you select Import objects from the repository (that is, if you use the report-driven data import feature).

This option is the best choice if Reporting Services and SQL Server with the specified database are deployed on the same computer.

If they are deployed on different computers but you still want to use this option, enable delegation for the computer that runs Reporting Services. For that, take the following steps:

  1. Open the Active Directory Users and Computers MMC snap-in.
  2. Open the properties of the account that the reporting job runs under.
  3. Make sure that the Account is sensitive and cannot be delegated option on the Account tab is disabled.
  4. Open the properties of the computer that runs Reporting Services.
  5. On the General tab, select Trust computer for delegation.

Windows authentication

Lets you explicitly specify the credentials. Use this option if Reporting Services and the database reside on different computers. For secure transfer of these credentials, make sure Reporting Services communicates over the HTTPS protocol.

An alternative to this option is to use the first option combined with delegation, as described above.

SQL Server authentication

Specifies that SQL Server-specific credentials are used. For secure transfer of these credentials, make sure Reporting Services communicates over the HTTPS protocol.

Report-Driven Data Import

InTrust reporting uses the audit trails stored in the audit database. Typically, this database keeps information for the last 2–4 weeks (the recommended retention period). However, an InTrust administrator may want to create a report, for example, on suspicious logons over the last 3 months. Data for this period is usually kept in the repository and has to be imported into the audit database for analysis and reporting. You do not necessarily have to create a chain of import and reporting jobs for this; instead, you can configure the reporting job to import the necessary data from the specified repository right before report generation. To use this feature, do one of the following:

  • While creating a new reporting job, on the Import Missing Data step of the New Job Wizard, select the Import objects from the following repository option.
  • If you need to modify an existing reporting job so that it imports the necessary data from the repository, select the job, and on its Properties page, click the Reporting tab and select the same option.

So, whenever you need to report on events logged 3 months or a year ago, configure your reporting job like this, and all data required to generate the reports will be imported automatically.

Note: When you specify a time period value while configuring filters for a job that uses report-driven data import, the time is always treated as local time (even if the Use GMT time option is selected in the reporting job properties).

If you need to run such a reporting job periodically, you can schedule the task that contains this job. If you need to run it once, disable the job once the task session is complete. Importing and reporting operation details are written to the corresponding tasks' session logs and can be examined under the Workflow | Sessions node in InTrust Manager.

Access Rights

The following accounts are used during the reporting job that has data import enabled:

  • Reporting job account—the one under which the reporting job is launched. The reporting job account is specified in the job properties on the General tab.
  • Import job account—the one under which data is imported from the source repository to the audit database.
  • Database connection account—the one under which the audit database is accessed to import data and report on it.

Access credentials and the authentication method for database access during import and reporting are specified on the Reporting tab of the job properties, where you should click Credentials to open the Credentials Settings dialog box.

Requirements for each account are listed in the table below. Some of these accounts may coincide, depending on the authentication method you select, so refer to the next section to assign sufficient access rights to the appropriate accounts.

Reporting job account

  Requirements:
    1. Log on as a batch job on the InTrust Server
    2. Read permission on %WinDir%
    3. Full control permission on the InTrust Server installation folder
    4. Content Manager SRS role for the InTrust\SharedDatasources folder and for the folder where the report is located (under the InTrust folder) in SQL Reporting Services
    5. Browser SRS role for the Home folder in SQL Reporting Services
    6. Read permission on configuration objects used by the job

  Notes:
    1. This account must belong to the domain where the SRS hosting Knowledge Portal is installed. Otherwise, membership in the Authenticated Users group (for the SRS server's domain) is required.
    2. To minimize access rights, the following item-level rights in SQL Server Reporting Services can be granted to the reporting job account (on the General tab):
      • View Data Sources permission for the InTrust\SharedDatasources folder
      • View Folders permission on the Home folder under InTrust
      • Manage Reports, View Folders and View Reports permissions on the necessary subfolders (where the reports are stored) of the InTrust folder
      • To access sub-reports, View Data Sources permission on the folder where sub-reports are stored
      • View Resources permission on the InTrust\SharedResources folder

Import job account

  Requirements:
    1. Read permission on the source repository
    2. InTrust Gathering database role for the audit database (this role is created by setup)
    3. Read permission on configuration objects used by the job

  Notes:
    If a specific account for repository access is specified in repository properties, then the import job account can be assigned local administrative rights on the computer where the repository is located (instead of Read permission).

Database connection account

  Requirements:
    1. InTrust Gathering database role for the audit database
    2. Reporting Console User database role for the audit database

Credentials Settings for Report-Driven Data Import

After you click Credentials on the Reporting tab of the job properties, three authentication options are available to you:

  • Windows authentication (using job account)
  • Windows authentication
  • SQL Server authentication

If you are using report-driven data import in your reporting job, the available authentication methods will depend on the database you select to get data from:

  • If you use the Select InTrust database for reporting option and specify the database explicitly, then you can click Credentials and select any authentication method you need.
  • If you select Use SRS data source associated with each report option, then Windows authentication (using job account) will always be used. In this case, make sure the job account has sufficient access rights to connect to the databases configured as data sources for the reports that will be processed.

Integrated Windows Authentication

If you select Windows authentication (using job account), then the job will use a single account for all operations. That means the database and repository will be accessed using the account that the reporting job runs under.

  1. Open the General tab in the job properties.
  2. Make sure the specified account meets all the requirements listed in the table.

Caution: If SQL Server and Knowledge Portal are installed separately from InTrust Server, take the steps described below to make Integrated Windows Authentication work properly.

To make Integrated Windows authentication work properly

  1. In the Active Directory Users and Computers MMC snap-in, select the user account under which the reporting job will connect to the data source.
  2. Select Properties and click the Account tab.
  3. Make sure the Account is sensitive and cannot be delegated option is cleared.
  4. Select Account is trusted for delegation.
  5. Select the computer where Reporting Services and Knowledge Portal are installed.
  6. Select Properties and click the General tab.
  7. Select Trust computer for delegation.

Basic Windows Authentication

If you select Windows authentication, then you should specify credentials explicitly. They will be used to access the repository and the database.

  1. Make sure the account you specified here meets the requirements for the import job account (middle row).
  2. Open the General tab and make sure the reporting job account meets the requirements in the top row of the table.

SQL Server Authentication

If you select SQL Server authentication, credentials must also be specified explicitly in the Credentials Settings dialog box. This account is used to connect to the audit database.

  1. Make sure the account you specified here meets the requirements for the database connection account (bottom row in the table).
  2. Open the General tab. The account specified there is used as the reporting job account and the import job account (that is, to launch the reporting job and to access the source repository to pick up the required events). Make sure it meets the corresponding requirements (top and middle rows) except the InTrust Gathering database role—the audit database is accessed under the SQL Server account specified in the Credentials Settings dialog box.

Notification Job

A notification job sends net send or email messages to selected recipients, notifying them of the results of the task.

Before configuring a notification job that uses email notification, make sure the selected InTrust server is associated with an SMTP server. Open the job processing server’s properties dialog box, click the Notification Parameters tab, and specify the SMTP server.

To configure a notification job, select the following:

  • The server on which to run the job
  • The type of notification to be used
  • The template for the message
  • The database from which to get data to be included in the message (select the configuration database)
  • The recipient or recipients of the message

Notification Templates

Messages are based on notification templates. Use notification templates to make InTrust notification messages informative by including data gathered from the network. Such messages are a faster means of notification than reports.

To create a notification template

  1. In InTrust Manager, select Configuration | Advanced.
  2. Right-click Notification Templates and select New Notification Template to start the New Notification Template Wizard.

Creating Variable Messages

To insert data in the message subject or body, you should use variable names delimited by two “%” signs. These variable names are substituted with values retrieved from a database. The rest of the message text that you specify is left unchanged.

The text between the delimiting “%” signs must match the name of a column in the record set returned by the SQL server when a database is queried. For example:

The event from %Source% occurred at %Time%.

would be resolved like this in the message:

The event from IISLog occurred at 13:51:00.

Note: To be able to send net send messages, make sure that the Messenger service is running on the InTrust server and the target operator's computer. By default, this service is disabled.

Specifying Evaluation and Notification Queries

During template configuration, you can provide the following two SQL queries:

  • Evaluation query. This query performs a check against a database to determine whether to send the message. Along with an evaluation query, you must specify a conditional expression. This expression is compared to the number of rows that the query has retrieved from the database. If the expression is true, notification is performed.
  • Notification query. Specify this query to include data from a database in a notification message.

Type these queries after specifying the subject and body of the template.

The two queries are executed independently; neither one sees the results of the other. Which queries you specify, however, determines how notification behaves. The following four situations are possible:

  • Both queries: notification takes place if the condition provided with the evaluation query is true. Data for the notification message is retrieved from the record set returned by the notification query.
  • Neither query: notification takes place unconditionally. The notification message cannot contain any data from any database; such a message is a fixed body of text.
  • Only the evaluation query: notification takes place if the condition provided with the evaluation query is true. The notification message is a fixed body of text and cannot contain any data from any database.
  • Only the notification query: notification takes place unconditionally. Data for the notification message is retrieved from the record set returned by the notification query.
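The %Variable% substitution described under Creating Variable Messages and the four evaluation/notification query situations above are easiest to understand by running them. The following Python script is an added example, not InTrust's own code: it models the template logic against an in-memory SQLite table that stands in for the audit database. The Events table, its column names, and the rule that one message is rendered per row of the notification query's record set are assumptions made for this example; the conditional expression is modelled as an operator and a number (such as "> 0") compared with the evaluation query's row count, which is what the guide describes.

```python
"""Added example, not InTrust's own code: a small model of how a notification
template combines an evaluation query, its row-count condition, a notification
query, and %Variable% placeholders in the message text.

Assumptions (constructed for this example):
- an in-memory SQLite table named Events stands in for the audit database;
- the conditional expression is an operator and a number, e.g. "> 0", that is
  compared with the number of rows the evaluation query returned;
- one message is rendered per row of the notification query's record set.
"""
import operator
import re
import sqlite3
from typing import List, Optional

# Comparison operators accepted in the conditional expression.
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq, "<>": operator.ne}
_COND_RE = re.compile(r"^\s*(>=|<=|<>|>|<|=)\s*(\d+)\s*$")
# %Name% placeholders; Name must look like a column name.
_VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def condition_holds(expression: str, row_count: int) -> bool:
    """Compare the evaluation query's row count against e.g. '> 0'."""
    match = _COND_RE.match(expression)
    if not match:
        raise ValueError("unsupported conditional expression: %r" % expression)
    op, number = match.group(1), int(match.group(2))
    return _OPS[op](row_count, number)


def render(template: str, row: dict) -> str:
    """Replace each %Column% with the row's value; text outside placeholders,
    and placeholders that match no column, are left unchanged."""
    def substitute(match):
        name = match.group(1)
        return str(row[name]) if name in row else match.group(0)
    return _VAR_RE.sub(substitute, template)


def build_messages(conn: sqlite3.Connection, template: str,
                   evaluation_query: Optional[str] = None,
                   condition: Optional[str] = None,
                   notification_query: Optional[str] = None) -> List[str]:
    """Return the messages that would be sent; an empty list means no notification.

    The four situations from the guide: with an evaluation query, notification
    only happens when the condition holds; with a notification query, the
    message is filled from its record set, otherwise it is fixed text.
    """
    conn.row_factory = sqlite3.Row
    if evaluation_query is not None:
        if condition is None:
            raise ValueError("an evaluation query requires a conditional expression")
        rows = conn.execute(evaluation_query).fetchall()
        if not condition_holds(condition, len(rows)):
            return []
    if notification_query is None:
        return [template]  # fixed body of text, no database data
    return [render(template, dict(row)) for row in conn.execute(notification_query)]


def sample_connection() -> sqlite3.Connection:
    """Constructed sample data; the columns are illustrative, not InTrust's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Events (Source TEXT, Time TEXT, EventID INTEGER)")
    conn.executemany("INSERT INTO Events VALUES (?, ?, ?)", [
        ("IISLog", "13:51:00", 4625),
        ("Security", "13:52:10", 4625),
        ("System", "14:00:00", 7036),
    ])
    return conn


if __name__ == "__main__":
    db = sample_connection()
    for message in build_messages(
            db, "The event from %Source% occurred at %Time%.",
            evaluation_query="SELECT 1 FROM Events WHERE EventID = 4625",
            condition="> 0",
            notification_query="SELECT Source, Time FROM Events WHERE EventID = 4625"):
        print(message)
```

Two details worth noticing: the condition is parsed with a small regular expression rather than evaluated as code, so a template cannot smuggle arbitrary expressions into the check, and a placeholder that matches no column of the record set is left in the message verbatim, which makes a misnamed column visible in the delivered text instead of silently dropping it.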

Audit Database Cleanup Job and Repository Cleanup Job

There are two kinds of cleanup job that involve clearing audit data:

  • An audit database cleanup job clears obsolete audit data from an audit database.
  • A repository cleanup job clears obsolete audit data from an InTrust repository.

When configuring any of them, you need to select:

  • The server on which to run the job
  • The database or repository

If necessary, you can also provide a date and time range filter for obsolete audit data.

You can schedule a cleanup job in a separate task rather than perform it each time you gather audit data. For example, a job that clears data older than a month should be scheduled to run monthly.

Note that though the gathered data is cleared, information about the gathering session is still kept. The next time a gathering job is started, InTrust collects data that has been written to audit trails since the last gathering session.

Deleting a Repository

A repository may contain directory or file names that are too long. Make sure that your operating system supports long file names; otherwise, use special utilities to work with these names or to delete a repository from disk. To delete a repository, use the ITRepositoryRemover.exe command-line utility, as described in the Removing Repositories topic.
