InTrust 11.4.1 - Preparing for Auditing and Monitoring Active Roles

Data Gathering and Reporting

To gather audit data and include it in SSRS reports, use the InTrust Manager MMC snap-in. Alternatively, you can use real-time event collection in InTrust Deployment Manager and analyze events using Repository Viewer.

The following two topics deal with how to use these components for the task:

Setting Up Gathering and Reporting with InTrust Manager

The combination of InTrust and the Knowledge Pack for Active Roles lets you easily gather audit data and create reports on it. The most convenient way to accomplish both of these objectives is to use a single InTrust task. You configure this task in the InTrust Manager MMC snap-in.

This section concentrates on what you do with InTrust Manager that involves objects from the Active Roles Knowledge Pack. For detailed instructions on how to do it, see the Auditing Guide.

Jobs and Tasks

InTrust tasks are chains of specialized operations called jobs. To gather Active Roles-related audit data and report on it, you need a task that includes at least a properly configured gathering job and a reporting job.

The necessary tasks are provided for you in the Knowledge Pack: “Active Roles: Daily events collection” and “Active Roles: Weekly reporting”. In general, there are tasks intended for gathering and tasks intended for reporting. The collection tasks gather audit data into the repository. The reporting tasks import the necessary data into the database, compile reports from that database, and then clean up the database.

With the default configuration, you only need to set an appropriate schedule for the tasks. However, if you want to split the reporting workflow into several tasks, you can make copies of the predefined reporting tasks and edit the parameters of the reporting jobs.

When configuring gathering jobs, you must supply the following information:

  • Where to get the data
    This is determined by your choice of an InTrust site, which is a collection of audited computers. The Knowledge Pack comes with predefined sites you can use.
    You need to populate the required sites as necessary and make sure that agents are installed on site computers. Agents are installed as soon as site members are first enumerated, but you can force agent installation at any time by right-clicking the site and selecting Install Agents.
  • What data to gather
    This is defined by InTrust gathering policies. On the one hand, policies let you narrow down the choice of audited computers. On the other hand, they provide filters for data that arrives in InTrust data storages. The predefined gathering policies that come with the Knowledge Pack are "Active Roles: All Administration Service log events", "Active Roles: Change Auditor for AD log events", and "Active Roles: Security log events".
    There are also import policies that specify which data is brought from repositories into audit databases for reporting.
    You can gather everything in the Active Roles logs for analysis and bring in data from the Change Auditor log and Security log for additional capabilities.
  • Where to store the data
    InTrust supports two types of audit data storage: repositories and audit databases. Repositories are for long-term archival of arbitrary amounts of data, and audit databases should store data for immediate reporting needs. You can gather to a repository and then import data for reports to a database by including an InTrust import job in the task. This is the recommended way, and the predefined tasks are built around this model. You can also gather to a repository and a database at once if you want.

Reports

Reports let you examine any event from the Active Roles Administration log in detail. In particular, you can report on the following:

  • Assignment of user privileges
  • Object management (including account management) in general

When configuring InTrust reporting jobs, you have access to reports shipped with the Knowledge Pack. In addition to the choice of reports, the following settings are important for reporting jobs:

  • The URL of the reporting server's Web service
  • The database to be used as the data source for the reports; the database you specify must exist and have the structure of an InTrust database
  • Optionally, the credentials for creating the reports
  • The reports and filters you need
  • Where to deliver the finished reports: an email address, a network share, or a Reporting Server snapshot that you can view using Knowledge Portal
  • Optionally, the repository from which to import data that is missing from the database
  • Optionally, settings for notification about job completion by email
  • The InTrust server where the job runs

Example

The simplest way to organize reporting is as follows:

  1. Adjust the schedule of the “Active Roles: Daily events collection” task or a copy of this task.
  2. Adjust the schedule of the “Active Roles: Weekly reporting” task or a copy of this task so that the task runs after the necessary data has been gathered.
  3. Configure the list of reports you want to get by editing the reporting job in the reporting task.

Real-Time Monitoring of Business-Critical Events

As described in this guide, real-time monitoring facilities provided by the Knowledge Pack focus on the health and functionality of the Active Roles service.

InTrust Manager and InTrust Monitoring Console are the two components that enable you to work with real-time monitoring objects.

InTrust sends out alerts as soon as certain events or conditions occur. Alerts are viewable in InTrust Monitoring Console. Notifications about alerts can be sent as email or net send messages.

For more details, see the following topics:

  • Setting Up Monitoring with InTrust Manager
  • Viewing Alerts in InTrust Monitoring Console

Setting Up Monitoring with InTrust Manager

InTrust Manager lets you set up real-time monitoring. Real-time monitoring is governed by InTrust rules. To get a rule to work successfully, make sure of the following:

  • Agents are installed on the computers to be monitored.
  • The rule is enabled.
  • All the parameters necessary for the rule are specified.
  • The rule is bound to an InTrust site by a real-time monitoring policy.
  • The policy is active.

To enable notifications

  • Ensure that notification messages are defined for rules and activated.
  • For real-time monitoring policies, check that notification of the right operators is turned on. Operators are addressees of InTrust notification messages.

For an example of the described configuration, see the Checking Policy Compliance topic. For other settings, such as configuring response actions and scheduling monitoring, refer to the InTrust documentation.

Viewing Alerts in InTrust Monitoring Console

Monitoring Console provides a centralized Web interface for real-time monitoring alerts. People responsible for resolution of certain types of alerts can have corresponding profiles to view only the reports they need.

Before you can use InTrust Monitoring Console to work with rules from the Knowledge Pack, complete the following preparatory steps:

  1. In InTrust Manager, configure the rules you are going to use. Make sure that the rules are set to send out alerts.
  2. Still in InTrust Manager, assign inspectors to the sites you want to monitor and the rule groups that include the rules you want to use. Inspectors are the personnel who will be viewing alerts. In a default configuration, inspectors must be assigned to the “Active Roles: Servers” site. The same people must be inspectors for the rule groups that contain the rules you need. By specifying inspectors, you ensure that these people can view the alerts that the rules generate.

After this, make some changes to Monitoring Console configuration by creating the following:

  • An alerting profile
    It defines who can read alerts and change their state.
  • An alert view
    It specifies what alerts you are interested in.

Creating an Alerting Profile

Open the Monitoring Console Administration page. For that, click the Monitoring Console entry in the Start menu, and when the page loads, append "/Administration" to the URL in the address bar.

On the Administration page, click New in the left pane to start the New Alerting Profile Wizard.

The wizard lets you select the InTrust Server that generates the alerts and specify who views these alerts. You let your personnel view alerts by assigning the roles of alert readers and alert managers. To allow a user to view alerts, assign the alert reader role to the user account; to allow a user to add comments and to acknowledge and resolve alerts, assign the alert manager role. Alert records are available to users (alert readers and alert managers) only if their accounts are inspectors for both monitored sites and rule groups.

After a new profile has been successfully configured, you can customize alert views for this profile in Monitoring Console. To open Monitoring Console, you can click its entry in the Start menu.

Creating an Alert View

Creating alert views doesn't involve the Administration page. To create a view, open the regular Monitoring Console page (click the Monitoring Console entry in the Start menu).

Click New to start the New Alert View Wizard. This wizard lets you select the rules and sites that you want to monitor, and saves your preferences as an alert view. For an existing view, you can configure filters based on alert state and generation time and other alert properties. Within a view, you can examine alert statistics and analyze the alerts in detail. For more information, refer to the Monitoring Console help.

You can create as many alert views as you need for organizing your alert resolution workflow.