InTrust 11.4.1 - Preparing for Gathering Audit Collection Services Data

Pre-Processing Data

For event records to be stored in the ACS database, the native Windows event format is converted according to transformation rules defined in the EventSchema.xml file, which is stored on the Operations Manager server. Writing these events into the InTrust Audit database requires the reverse transformation, so authorized InTrust components must have access to the transformation rules (that is, to EventSchema.xml). For details, see the Gathering with and without Agents topic.

In addition, to comply with the InTrust audit database format, the records obtained from the ACS database need to be supplemented with the computer type, time zone parameters, and Windows build number.

To summarize, in order for event data to be stored in an InTrust repository and/or audit database, the following information is required:

  1. EventSchema.xml and ACS database connection parameters. This data can be obtained directly from the Operations Manager server.
  2. Time zone parameters. This information is obtained from the following sources:
    • Operations Manager server; its parameters are obtained directly from that server.
    • Each network computer whose events are stored in the ACS database; this information is obtained using a specially designed Management Pack (see the Gathering with and without Agents topic).
  3. Computer type and OS (Windows) build number. This information is retrieved by the Operations Manager server from network computers after the server is forced by the Management Pack to collect this data.

So, for ACS data to be processed correctly, you have to deploy the Quest InTrust for ACS Management Pack. The installation procedure is described in the Step 1. Install the InTrust Knowledge Pack for ACS topic.

ACS Data Gathering and Reporting With InTrust

This topic explains the steps you need to take in order to enable ACS data gathering and reporting with InTrust:

  1. Install the InTrust Knowledge Pack for ACS feature from the InTrust suite setup.
  2. Configure an InTrust site using the automatic or manual resource discovery procedure, and deploy the Quest InTrust for ACS Management Pack (as prescribed by the corresponding procedure).
    If needed, configure specific access rights required for processing.
  3. Install agents, if necessary.
  4. Configure the InTrust policies, tasks, and jobs you need.
  5. Install the Report Pack for the Operations Manager console; run the InTrust task and use the Operations Manager console to view reports on the collected data.

Each step is described in detail in the related topics.

Caution: For reports on collected data to work properly, it is strongly recommended that you use a dedicated InTrust Audit database to collect only event data provided by ACS. If you also want to collect Windows event data in the standard way (that is, directly from the audit trails, using the InTrust workflow) from the same computers (Operations Manager servers), configure a separate Audit database.

Step 1. Install the InTrust Knowledge Pack for ACS

The InTrust Knowledge Pack for ACS brings in several predefined objects required for the InTrust auditing workflow.

To install the Knowledge Pack, launch the InTrust suite setup, and from the list of features to install, select Knowledge Pack for ACS.

After the setup is complete, the following predefined objects become available in InTrust Manager (for a detailed list with descriptions, see Predefined Objects for ACS Data Collection and Reporting):

  • All OpsMgr ACS Servers in the domain—An InTrust site used to arrange your Operations Manager servers with Audit Collection Services installed.
  • Microsoft OpsMgr ACS—A predefined data source of Microsoft ACS Events type that represents Windows security log events stored in the Microsoft Audit Collections Services database.
  • Gathering, consolidation, and import policies—InTrust policies defining the events to be collected, consolidated, or imported.
  • OpsMgr ACS events collection—A task containing gathering and notification jobs.
  • OpsMgr ACS events collection—A gathering job.

Step 2. Configure an InTrust Site

To arrange your Operations Manager servers with Audit Collection Services installed into the InTrust site, perform the following steps:

  1. Deploy the Quest InTrust for ACS Management Pack on the Operations Manager servers, as described in the related topics. Keep a record of the Operations Manager servers where the Management Pack is installed.
  2. In InTrust Manager, create a new site. Populate it with the computers from the list created in the previous step.

Note: It is recommended that you arrange Operations Manager servers into sites considering their location and/or administrative boundaries.

To install agents on the site computers, refer to the Gathering with and without Agents topic.
