InTrust provides an additional option to create a custom data source using the Script Event Provider.
This functionality lets you create a script that runs at a preset frequency. When the conditions specified in the script are met, events are generated and passed to the InTrust agent. The events are stored in the agent's backup cache, from where they can be captured by the gathering or real-time monitoring engine.
In the script, you can specify what information is stored in certain events and how it is ordered, and what conditions are required for event generation.
To create a custom data source with Script Event Provider
HP-UX auditing, reporting, and real-time monitoring are similar to working with any other system supported by InTrust.
The one important difference concerns active scheduling of InTrust tasks. For information, see the caution note below.
Caution: An active schedule is required to make the agent cache events. If the schedule is disabled, no events are stored. All data sources described above except "HP-UX Audit Log" use event caching, so it is recommended that you use at least one task for the cache-enabled data sources that run regularly.
If you want to gather data only on demand, you must still enable the schedule for your task or tasks, but set it to a point in the future or in the past.
Caching is not used for the "HP-UX Audit Log" data source, so you do not need an active schedule just to gather audit log data.
The other HP-UX auditing, reporting and real-time monitoring operations do not have special requirements, and you can perform them as described in the
The following are typical situations in a production environment, and InTrust helps handle them:
For information about specific procedures, such as creating tasks and jobs or activating rules, see the
Suppose you use a finely-tuned Syslog audit policy in your environment. Your audit configuration has proven efficient and reliable, and you do not want anyone but a few trusted administrators to be able to change it. Even so, you want to know immediately if the audit policy is modified in any way.
Use InTrust real-time monitoring capabilities to enable immediate notification. Syslog audit configuration is defined in the syslog.conf file, so the solution in this case is to monitor this file with InTrust and send an alert whenever the file is modified.
Enable the “Syslog.conf file modified” rule and supply the appropriate file paths as the rule's parameter.
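A triage aid for the alert described above, as an added example (not part of InTrust or of the original documentation): it compares a saved baseline copy of syslog.conf with the current contents and reports which selector/action rules were removed or added, so a comment-only edit can be told apart from a lost audit rule. The sample file contents, the log paths and the host name `loghost` are constructed for illustration.

```python
import hashlib

# Constructed sample: known-good baseline copy of syslog.conf.
BASELINE = ("# constructed sample\n"
            "mail.debug\t/var/adm/syslog/mail.log\n"
            "*.info;mail.none\t/var/adm/syslog/syslog.log\n"
            "auth.info\t@loghost\n"
            "*.alert\t/dev/console\n")

# Constructed sample: the file after a modification alert fired.
CURRENT = ("# constructed sample, edited\n"
           "mail.debug\t/var/adm/syslog/mail.log\n"
           "*.info;mail.none\t/var/adm/syslog/syslog.log\n"
           "#auth.info\t@loghost\n"          # rule commented out
           "*.alert\t\t/dev/console\n")      # extra tab only, same rule


def parse_rules(text):
    """Return the effective rules as a set of (selector, action) pairs."""
    rules = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines do not affect the audit policy
        parts = line.split(None, 1)  # selector field, then action field
        action = parts[1].strip() if len(parts) > 1 else ""  # "" = malformed
        # A selector field may hold several ';'-separated selectors.
        for selector in filter(None, parts[0].split(";")):
            rules.add((selector, action))
    return rules


def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare(baseline_text, current_text):
    """Summarise what changed between the baseline and the current file."""
    base, cur = parse_rules(baseline_text), parse_rules(current_text)
    return {
        "file_changed": digest(baseline_text) != digest(current_text),
        "removed": sorted(base - cur),  # audit coverage that was lost
        "added": sorted(cur - base),    # new or redirected logging
    }


if __name__ == "__main__":
    result = compare(BASELINE, CURRENT)
    print("file changed:", result["file_changed"])
    for selector, action in result["removed"]:
        print("REMOVED", selector, "->", action)
    for selector, action in result["added"]:
        print("ADDED  ", selector, "->", action)
```

To use it on a real host, read the baseline copy and the live file into strings and pass them to `compare`; a changed digest with empty `removed` and `added` lists indicates a cosmetic edit.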