InTrust provides for collection, correlation, archival, and reporting on the heterogeneous audit data from your enterprise-wide network, as well as for real-time alerting and notification.
The two main processes in InTrust are audit data gathering and real-time monitoring for critical events. You can set them up using InTrust Manager—an MMC snap-in intended for InTrust configuration.
Both gathering and monitoring are performed on InTrust sites. An InTrust site is a representation of several computers and the settings associated with them. Sites logically group those computers for which the auditing and monitoring requirements are similar. So, by using sites you map out your environment for InTrust—this is the first step you make when configuring gathering or monitoring workflow.
InTrust provides several predefined sites, but you need to populate these sites manually. Depending on the InTrust Knowledge Pack you have installed, your configuration can include different predefined sites, for example:
You can also create your own sites by following the steps described in the Creating Sites topic.
Every time you create a new InTrust object or make any other change to the InTrust configuration, you must apply these changes. To do so, right-click the InTrust Manager root node and select the Commit option from the shortcut menu, or click Commit on the toolbar.
In InTrust Manager, sites are shown grouped by environment (such as Microsoft Windows Network and UNIX Network) under Configuration | Sites.
InTrust agents can be used to process logs on site computers.
To create a site
The wizard prompts you for the method to use for enumerating site objects and the InTrust server that will process the site.
You can perform domain enumeration for the site either by using the Computer Browser service or by getting the computer list from a domain controller.
Note: By default, the Computer Browser service is disabled on Windows Server 2008 and later computers, so it is recommended that you use the alternative enumeration method (that is, get the computer list from a domain controller).
A computer list file is a plain text file. Each computer name must be on a separate line. You can add comments prefixed either with double slashes or with semicolons. The following is a sample file:
;This is a comment
//This is a comment using a different style
A computer can appear in the list as any of the following:
In a site’s properties dialog box invoked from the shortcut menu, you can modify the site settings specified during the site creation procedure, as well as some other settings, including:
Note: To supply either of these accounts, open the Accounts tab.
If the role-based administration feature is enabled, you can specify users who will be able to see and edit the site or use the site objects. For that, open the Security tab.
You can also use the site’s shortcut menu to:
If you want to specify your own algorithm for the enumeration of objects in the site, you can use the Enumeration Script option, which prompts you for a script that will perform the enumeration. This option is available:
Selecting Enumeration Script prompts you for the script you want to use. The scripts are located in the Configuration | Advanced | Scripts container node.
InTrust comes with the example “Enumeration script: LDAP query” script for this purpose. For your sites, you can use this script, copies of it, or your own scripts.
The “Enumeration script: LDAP query” script has the following parameters, which you can customize without modifying the script itself:
|Parameter|Description|
|Attribute Name|Name of the attribute that will be used as the object name in the list of site objects.|
|Bind String|ADSI bind string; for example, “GC:” means that the entire AD forest will be searched, and “LDAP:” specifies the current domain.|
|Filter|LDAP filter, such as (objectCategory=serviceConnectionPoint).|
|Need Deep Search|What to do if the search in the entire forest finds objects whose names (specified by the Attribute Name parameter) cannot be read: This parameter is considered only if the Bind String begins with GC:.|
Search scope in LDAP terms, with the following values:
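To see how these parameters combine into one query, the following PowerShell script is an added example, not the InTrust “Enumeration script: LDAP query” script itself; it takes the same parameters and runs the search with System.DirectoryServices. Its rebind-to-LDAP fallback is an assumption about what Need Deep Search does (reading names that are not replicated to the global catalog from the object's home domain), and the parameter and attribute names used are this example's own choices.

```powershell
# Added example (not InTrust's own script): enumerate site objects from the same
# parameters the InTrust LDAP enumeration script documents.
param(
    [string]$AttributeName = 'dNSHostName',                # attribute used as the object name
    [string]$BindString    = 'GC:',                        # 'GC:' = whole forest, 'LDAP:' = current domain
    [string]$Filter        = '(objectCategory=computer)',  # LDAP filter
    [ValidateSet('Base', 'OneLevel', 'Subtree')]
    [string]$SearchScope   = 'Subtree',                    # search scope in LDAP terms
    [switch]$NeedDeepSearch                                # only meaningful when BindString starts with GC:
)

Add-Type -AssemblyName System.DirectoryServices

# Resolve the bind string to a search root. A bare 'GC:' binds to a container whose single
# child is the forest's global catalog; a bare 'LDAP:' is resolved via RootDSE to the
# current domain; full GC:// or LDAP:// paths are used as given.
$root = if ($BindString -eq 'GC:') {
    ([adsi]'GC:').Children | Select-Object -First 1
} elseif ($BindString -eq 'LDAP:') {
    [adsi]"LDAP://$(([adsi]'LDAP://RootDSE').defaultNamingContext)"
} elseif ($BindString -match '^(GC|LDAP)://') {
    [adsi]$BindString
} else {
    throw "Unsupported bind string: $BindString"
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::$SearchScope
$searcher.PageSize = 1000                                  # paged results; large sites exceed the 1000-object default
[void]$searcher.PropertiesToLoad.Add($AttributeName)

$unreadable = 0
$names = foreach ($result in $searcher.FindAll()) {
    $value = $result.Properties[$AttributeName] | Select-Object -First 1
    if (-not $value -and $BindString -like 'GC:*' -and $NeedDeepSearch) {
        # Assumption: the global catalog holds only the partial attribute set, so an
        # attribute not replicated to it reads as empty. Rebind to the object's own domain
        # over LDAP (serverless binding locates a DC from the DN) and read it there.
        $entry = [adsi]($result.Path -replace '^GC://', 'LDAP://')
        $value = $entry.Properties[$AttributeName].Value
    }
    if ($value) { [string]$value } else { $unreadable++ }
}

$names | Sort-Object -Unique                               # one object name per line, like a computer list file
if ($unreadable) {
    Write-Warning "$unreadable object(s) matched the filter but had no readable '$AttributeName'"
}
```

Run it with the defaults against a test forest to compare a GC: search with and without -NeedDeepSearch; the warning count shows how many objects the site enumeration would silently drop.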