
InTrust 11.4.1 - Preparing for Auditing and Monitoring Active Roles

Data Archiving and Analysis

This scenario represents the regular practice of gathering and archiving audit data, and then analyzing it. This is not a course of action for emergency situations.

InTrust provides you with long-term storage for Active Roles-related audit data. Keeping all the data in databases is impractical, so you use InTrust repositories for long-term storage.

You gather the audit data to InTrust repositories and import recent portions of it to audit databases to build reports. You are interested in data related to Active Directory object management.

To implement this scenario

  1. Create a separate InTrust audit database for this purpose. Do not reuse your regular audit database here: the cleanup job in this task empties the database, so only this one task should depend on it.
  2. Create a new InTrust task and schedule it to run as often as you need.
  3. In the new task, create a cleanup job that clears all data from the special audit database you have created. This job ensures that the database is emptied before any new data arrives in it.
  4. Create a successor import job that imports the data you are going to analyze. This job must import only Active Roles Administration log data.
  5. Create a successor notification job to inform you of task completion.
  6. When you are notified that the data has become available, see the “Active Roles all server events” report in Quest Knowledge Portal.

Using report filters, you can easily determine which events need attention and analyze them in depth.
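The following is an added illustration, not InTrust code or an InTrust API: it models the cleanup, import and notification jobs of the task above as successor jobs over an in-memory SQLite database standing in for the dedicated audit database. The repository records, log names other than "Active Roles Administration Log", the table layout and the function names are all constructed for this example. It shows why the database must be dedicated (the cleanup job deletes everything in it), that the import job keeps only Administration log data, and that a failing job stops its successors from running.

```python
"""Model of the cleanup -> import -> notify task chain (added example, not InTrust code)."""
import sqlite3

ADMIN_LOG = "Active Roles Administration Log"

# Constructed sample repository content (not real InTrust data).
# Each record carries the log it came from, an ISO timestamp and a short description.
REPOSITORY = [
    {"log": ADMIN_LOG, "time": "2024-01-10T09:00:00", "event_id": 2500,
     "initiator": "jsmith", "description": "Operation request for user"},
    {"log": ADMIN_LOG, "time": "2024-01-11T14:30:00", "event_id": 2501,
     "initiator": "abrown", "description": "Operation on group"},
    {"log": "Security", "time": "2024-01-11T14:31:00", "event_id": 4728,
     "initiator": "abrown", "description": "Member added to global group"},
    {"log": "Active Roles: Change Auditor for AD log", "time": "2024-01-11T14:32:00",
     "event_id": 5136, "initiator": "abrown", "description": "Directory object modified"},
    {"log": ADMIN_LOG, "time": "2023-12-01T08:00:00", "event_id": 2500,
     "initiator": "old_admin", "description": "Operation request for computer"},
]


def open_audit_db():
    """Creates the dedicated audit database (in memory here; hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (log TEXT, time TEXT, event_id INTEGER, "
        "initiator TEXT, description TEXT)"
    )
    return conn


def cleanup_job(conn):
    """Empties the dedicated database so only freshly imported data remains.
    Returns the row count after cleanup (always 0 on success)."""
    conn.execute("DELETE FROM events")
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def import_job(conn, repository, since):
    """Imports only Administration log records with a timestamp >= `since`.
    ISO-8601 timestamps in one format compare correctly as strings."""
    rows = [
        (r["log"], r["time"], r["event_id"], r["initiator"], r["description"])
        for r in repository
        if r["log"] == ADMIN_LOG and r["time"] >= since
    ]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def notification_job(conn):
    """Returns the summary a completion notification would carry: rows per log."""
    return dict(conn.execute("SELECT log, COUNT(*) FROM events GROUP BY log").fetchall())


def run_task(conn, repository, since):
    """Runs the jobs as successors: each job runs only if its predecessor succeeded."""
    results = {}
    try:
        results["cleanup"] = cleanup_job(conn)
        results["import"] = import_job(conn, repository, since)
        results["notify"] = notification_job(conn)
    except sqlite3.Error as exc:
        # A failed job ends the chain; the remaining successors are not run.
        results["error"] = str(exc)
    return results


if __name__ == "__main__":
    db = open_audit_db()
    print(run_task(db, REPOSITORY, since="2024-01-01T00:00:00"))
```

Running the task twice against the same database yields the same result each time, which is exactly what the dedicated database and the leading cleanup job buy you: the report built afterwards reflects only the window you imported.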

Knowledge Pack Objects

Site

  • Active Roles: Servers

Notification Group

  • Active Roles Operators

Rules

  • Administration Services
    • Active Roles Service: General response
    • Active Roles Service: Physical memory usage
    • Active Roles Service: Reserved virtual memory
    • Active Roles: License system failure
    • Active Roles: Administration Service internal error
    • Active Roles: Critical error on startup
    • Active Roles: Event with Error severity
    • Active Roles: Event with Warning severity
    • Active Roles: Multiple failure audit
    • Active Roles: Policy compliance check
    • Active Roles: Replication monitoring

Data Sources

  • Active Roles Administration Log
  • Active Roles Service: General Response - Script
  • Active Roles Service: Physical memory usage - Script
  • Active Roles Service: Reserved virtual memory - Script
  • Active Roles: Change Auditor for AD log
  • Active Roles: Policy compliance check - Script
  • Active Roles: Replication monitoring - Script

Real-Time Monitoring Policy

  • Active Roles: Administration Service Policy

Gathering Policies

  • Active Roles: All Administration Service log events
  • Active Roles: Change Auditor for AD log events
  • Active Roles: Security log events

Import Policy

  • Active Roles: All Events

Tasks

  • Active Roles: Daily events collection
  • Active Roles: Weekly reporting

Repository Viewer Searches

  • Active Roles
    • All events produced by Active Roles
    • All operations and operation requests
    • Operation requests for computers
    • Operation requests for groups
    • Operation requests for miscellaneous objects
    • Operation requests for users
    • Operations on computers
    • Operations on groups
    • Operations on miscellaneous objects
    • Operations on users

Reports

  • Active Roles\Active Directory Management Bypassing Active Roles
    • Account management performed outside Active Roles (Security Log)
    • All activity within and outside of Active Roles
  • Active Roles\Active Directory Management using Active Roles

    • Active Roles Deprovisioning of User Accounts
    • Active Roles Directory object management
    • Active Roles Directory object management summary by Initiator
    • Active Roles Group Management by Initiator
    • Active Roles Group Membership Management by Initiator
    • Active Roles User Accounts Management
    • Active Roles User attribute management
  • Active Roles\Active Roles Events
    • Active Roles all Server events
    • Active Roles event statistics by Computer
    • Active Roles events by eventID
    • Active Roles startup failures

Known Issues in Knowledge Pack

The following is a list of issues known to exist at the time of the InTrust 11.4.1 Knowledge Pack for Active Roles release.

Known Issue | Issue ID
The AR Server WI: Availability real-time monitoring rule is matched if the Web Interface site uses any TCP port different from the default one (80), as if the Web Interface were not available. | B113361
The AR Server WI: Availability real-time monitoring rule does not work with Active Roles Server of versions prior to 6.0.3. | ST43222