InTrust 11.4.1 - Getting Started with InTrust

Example: Configuring Logon and User Session Auditing

InTrust lets you gather two types of data related to users logging on and off computers:

  1. Native Windows Security log events
    These events provide basic logon and logoff information, but contain no indication of the user's presence in the system at any particular time. They record only the act of logging on and off, and even that is not fully reliable: a logoff event is not always written (for example, when a session ends abruptly), so the native log cannot tell you how long a user was actually at the computer.
  2. User session events enabled by InTrust
    These advanced events contain enough information to help you track not only logons and logoffs, but also when users are actively using computers. For example, they indicate the exact times and durations of terminal sessions connected to domain controllers. User session events are logged locally on computers that have the InTrust agent installed and are processed by collections where the “InTrust User Session Tracking” data source is enabled.

For logon and user session tracking to be complete, make sure both the “Windows Security Log” and “InTrust User Session Tracking” data sources are enabled in your collections. For details about enabling data sources, see Managing Collections.

Start Gathering

For the purposes of this topic, configure logon event gathering only from domain controllers. Take the following steps:

  1. Right-click Collections and select New Collection.
  2. On the General Properties step, give the collection a name indicating that it contains domain controllers.
  3. Proceed to the Specify Computers step of the wizard, and add your domain controllers to the list. Make sure the Install agents automatically option is selected.
  4. On the Data Sources and Repository step, make sure the “Windows Security Log” and “InTrust User Session Tracking” data sources are enabled.
  5. Complete the steps.

After this, agents are installed on the domain controllers, and gathering starts automatically.

If you want to watch other computers in addition to or instead of domain controllers (for example, Exchange or file servers), create a new collection and add all the computers you need to it. Configure the gathering options for this collection in the same way.

Put Auditing to a Test

To confirm that auditing is working as intended, deliberately perform some of the activity you are watching for on the computers you are watching. Do any of the following:

  • Log on to the computers included in the collection and log off
  • Lock and unlock the computers
  • Set a low screensaver timeout to cause the screensaver to start
  • Switch the user

Next, check that your actions have been captured in the repository.
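Before you look in the repository, it is worth confirming on the audited computer itself that the native Security log recorded the test activity at all, since the "Windows Security Log" data source can only gather what the local audit policy writes. The following PowerShell script is an added example and is not part of the InTrust documentation or product. It assumes an elevated session on (or with administrative access to) a collection member; the 15-minute lookback window and the noise filter are illustrative choices. It covers only the native events: the InTrust user session events live in the repository, not in the Security log.

```powershell
# Added example (not from the InTrust documentation): verify on a collection
# member that the native Security log actually recorded the test activity.
# Assumptions: elevated PowerShell on the audited computer; the 15-minute
# lookback window and the noise filter below are illustrative.

# Native Security log events produced by the activity listed above.
# 4800-4803 (lock, unlock, screen saver) are only written when the
# "Other Logon/Logoff Events" subcategory is audited.
$LogonEventNames = @{
    4624 = 'Logon'
    4634 = 'Logoff'
    4647 = 'User-initiated logoff'
    4800 = 'Workstation locked'
    4801 = 'Workstation unlocked'
    4802 = 'Screen saver invoked'
    4803 = 'Screen saver dismissed'
}

function Get-LogonLogoffAuditPolicy {
    # Effective audit settings for the Logon/Logoff category. 'No Auditing'
    # on Logon, Logoff or Other Logon/Logoff Events means the native data
    # source has nothing to gather for the corresponding test activity.
    auditpol /get /category:'Logon/Logoff' /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-LogonActivity {
    param(
        [int]$MinutesBack = 15,
        [string]$Computer = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$LogonEventNames.Keys
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named fields from the event XML instead of parsing the
            # localized message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Event     = $LogonEventNames[$_.Id]
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']   # 2 = interactive, 10 = RemoteInteractive, ...
                LogonId   = $data['TargetLogonId']
            }
        } |
        # Computer and SYSTEM accounts log on constantly; keep the noise down.
        Where-Object { $_.User -notlike '*$' -and $_.User -notlike '*\SYSTEM' } |
        Sort-Object Time
}

Get-LogonLogoffAuditPolicy | Format-Table -AutoSize
Get-LogonActivity -MinutesBack 15 | Format-Table -AutoSize
```

If the first table shows "No Auditing" for a subcategory, the matching rows will never appear in the second table, and the "Windows Security Log" data source will not contain them either; enable the subcategory through Group Policy or auditpol before repeating the test. Matching a 4624 to its 4634/4647 by LogonId is the closest the native log gets to a session, which is the gap the InTrust user session events are meant to close.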

View the Results in Repository Viewer

The InTrust Repository Viewer application lets you explore and analyze the contents of InTrust repositories. To browse the repository you have been collecting to, run Repository Viewer from the Start menu, and click File | Open Repository.

In the dialog box that opens, select the Production repository option, and proceed to specify the repository you have been working with.

Note: A production repository is a repository that is available in InTrust Deployment Manager or InTrust Manager. For details about production and idle repositories, see Repository Connections.

The left pane of the Repository Viewer console shows:

  • A navigation tree that organizes events by domain and log type
  • A collection of predefined search folders with preconfigured popular filters for quick event analysis

You can select any of the search folder nodes or any of the repository hierarchy nodes, and view the events they contain by clicking the Go button. For the purposes of this document, the following predefined searches are useful:

  • Searches in the Logons subfolders of the topmost search folders
  • Searches in the User sessions subfolders of the topmost search folders

Select one of these searches and click Go. If events about your activity are displayed in the right pane, then auditing has been set up correctly.

For detailed Repository Viewer documentation, see Searching in Repositories with Repository Viewer.

Further Reading

This guide dealt with the default InTrust configuration. If you are interested in other InTrust capabilities and alternative workflows, or if you need in-depth information about the topics covered here, go to the InTrust online documentation library.