
InTrust 11.4.1 - Understanding InTrust Repositories

Cloning Repositories

If you need to make a copy of an existing production repository (for example, an idle repository for auditors' use or for Quest Support), do not use conventional file copying or regular file managers. These methods may fail, because the hierarchical file structure in InTrust repositories uses very long names. Instead, use specialized replication software such as Microsoft Robocopy, which has been shipped with Windows since Vista and was available as part of the Windows Resource Kit before Vista.

If the repository you want to clone is indexed, take the following steps:

  1. On the InTrust server that processes the repository, stop the InTrust Server service.
  2. Make a copy of the repository using replication software.
  3. Start the InTrust Server service again.

Alternatively, if you are retiring a production repository and want to relocate it, you can do the following:

  1. In InTrust Manager, delete the repository.
  2. Make a copy of the repository using replication software.

If you want to convert the idle clone into a production repository, create a new repository in InTrust, and in the New Repository wizard, specify the location of the cloned repository.
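The following PowerShell script is an added example of the indexed-repository procedure above (stop the InTrust Server service, replicate with Robocopy, start the service again); it is not part of the Quest documentation or product. It assumes you replace the service-name placeholder with the actual Windows service name of the InTrust Server service on your server (check it with Get-Service), and it treats Robocopy exit codes of 8 or higher as a failed copy while always restarting the service.

```powershell
# Added example (not Quest's code): clone an indexed InTrust repository with Robocopy
# while the InTrust Server service is stopped, then start the service again.
# Assumption: $ServiceName is a placeholder; look up the real service name with Get-Service.
param(
    [Parameter(Mandatory)] [string] $Source,        # e.g. \\Server01\InTrustRepository\Default
    [Parameter(Mandatory)] [string] $Destination,   # e.g. D:\RepositoryClones\Default-Audit
    [string] $ServiceName = 'INTRUST_SERVER_SERVICE_NAME_PLACEHOLDER',
    [string] $LogFile = "$env:TEMP\repo-clone-$(Get-Date -Format yyyyMMdd-HHmmss).log"
)

$ErrorActionPreference = 'Stop'
# The Robocopy exit code is checked explicitly below; do not let PowerShell 7.4+ turn a
# non-zero native exit code into a terminating error (the variable is ignored on 5.1).
$PSNativeCommandUseErrorActionPreference = $false

if (-not (Test-Path -LiteralPath $Source)) { throw "Source repository not found: $Source" }

$svc = Get-Service -Name $ServiceName
$wasRunning = ($svc.Status -eq 'Running')

try {
    if ($wasRunning) {
        Write-Host "Stopping $ServiceName so that no repository files are written during the copy"
        Stop-Service -Name $ServiceName
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    }

    # /E          copy the whole subtree including empty folders (the repository tree is deep)
    # /COPY:DAT   data, attributes and timestamps; owner/ACLs are not needed for an idle clone
    # /R:2 /W:5   retry a failed file twice, 5 s apart, instead of Robocopy's huge default
    # /NP /NFL /NDL  keep console output short; /LOG+ keeps a full record of the copy
    & robocopy.exe $Source $Destination /E /COPY:DAT /R:2 /W:5 /NP /NFL /NDL "/LOG+:$LogFile"
    $rc = $LASTEXITCODE

    # Robocopy's exit code is a bit mask: 0-7 mean the copy succeeded (1 = files copied,
    # 2/4 = extra or mismatched files noted), 8 and above mean at least one file failed.
    if ($rc -ge 8) {
        throw "Robocopy reported failures (exit code $rc); see $LogFile"
    }
    Write-Host "Clone finished with Robocopy exit code $rc; log: $LogFile"
}
finally {
    # Restart the service even if the copy failed, so production processing resumes.
    if ($wasRunning) {
        Write-Host "Starting $ServiceName again"
        Start-Service -Name $ServiceName
    }
}
```

Run it as an administrator on the InTrust server that processes the repository, for example `.\Clone-Repository.ps1 -Source '\\Server01\InTrustRepository\Default' -Destination 'D:\RepositoryClones\Default-Audit' -ServiceName '<real service name>'`. Keep the Robocopy log with the clone: it documents exactly what was copied and when, which auditors typically ask for.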

Repository Tools

The following command-line utilities provide additional capabilities when working with repositories:

Converting EVT Files to Repository Format

This tool places events from an event log file into a repository without actually gathering data. Run the tool on a computer with InTrust Server installed.

Evt2Repository.exe is located in <InTrust_installation_folder>\Server\InTrust.

The following table lists the required parameters.

OPTION DESCRIPTION
/FILE Full path to the source EVT file. UNC paths are accepted.
/DOMAIN NetBIOS name of the domain that contains the computer to which the events in the EVT file are related.
/COMPUTER NetBIOS name of the computer from which the EVT file is retrieved.
/LOGNAME Name of the Windows event log that the EVT file contains.
/REPOSITORY UNC path to the InTrust repository where the events must be stored.

Example:

Evt2repository.exe /file=\\SERVER\TEMP\security01.evt /domain=RND /computer=SERVER /logname=Security /repository=\\Server01\InTrustRepository\Default

The following table lists optional parameters.

/VERSIONMAJOR

Major OS version for the computer from which the EVT file is retrieved.

/VERSIONMINOR

Minor OS version for the computer from which the EVT file is retrieved.

/COMPUTERTYPE

Type of the computer from which the EVT file is retrieved, as returned by LAN Manager. Only numeric values are accepted.

/TIMEZONE

Positive or negative difference in minutes between GMT and the local time of the computer from which the EVT file is retrieved. For example, “/timezone=-180” sets the GMT-3 time zone.

/PROPERTIESFROM

If some of the optional parameters are not specified, this option defines the order in which the following sources are queried for them:

  • REPOSITORY—If there are any events in the InTrust repository from the computer from which the EVT file was saved, all necessary information is taken from the repository.
  • ORIGINALCOMPUTER—NetBIOS name of the computer from which the EVT file was saved (specified in the /COMPUTER parameter).
  • CURRENTCOMPUTER—Computer on which the EVT file is located.

Example:

Evt2repository.exe /propertiesfrom=repository,originalcomputer

If this parameter is not specified, the “repository, currentcomputer” sequence is assumed.

/RESOLVEDESCRIPTIONS

Specifies whether to resolve event descriptions and where to take the information. Possible values are as follows:

  • LOCALONLY
    Descriptions are resolved using the current computer’s libraries.
  • REMOTEONLY
    Descriptions are resolved using libraries from the computer specified in the /COMPUTER parameter.
  • REMOTEFIRST
    Descriptions are resolved using libraries from the computer specified in the /COMPUTER parameter as long as they are available. Otherwise, the current computer’s libraries are used.
  • LOCALFIRST
    Descriptions are resolved using the current computer’s libraries. Otherwise, libraries from the computer specified in the /COMPUTER parameter are used.

The Category field is resolved for events only if you use the /RESOLVEDESCRIPTIONS option.

/RESOLVESTRINGS

Specifies whether to resolve GUIDs found in event insertion strings into object names (user names, GPO names and so on).
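The following PowerShell script is an added example, not Quest's code, that runs Evt2Repository.exe once per EVT file in a folder using the documented /FILE, /DOMAIN, /COMPUTER, /LOGNAME, /REPOSITORY, /TIMEZONE, /PROPERTIESFROM and /RESOLVEDESCRIPTIONS options. Everything else is an assumption chosen for the example: the file-name convention <computer>_<logname>.evt from which the source computer and log name are derived, the installation folder and repository path placeholders, and the use of the local computer's UTC offset as the /TIMEZONE value (correct only if the exported logs came from computers in the same time zone).

```powershell
# Added example (not Quest's code): bulk-import exported EVT files into one repository.
# Assumptions: files are named <computer>_<logname>.evt; $InTrustFolder and $Repository
# are placeholders; /timezone is taken from this computer's offset, which matches the
# documented convention (GMT-3 = -180).
param(
    [string] $EvtFolder     = 'D:\ExportedLogs',
    [string] $Repository    = '\\Server01\InTrustRepository\Default',
    [string] $Domain        = 'RND',
    [string] $InTrustFolder = 'C:\Program Files\Quest\InTrust',  # <InTrust_installation_folder>
    [int]    $TimeZoneMinutes = [int][TimeZoneInfo]::Local.BaseUtcOffset.TotalMinutes
)

$ErrorActionPreference = 'Stop'
$tool = Join-Path $InTrustFolder 'Server\InTrust\Evt2Repository.exe'
if (-not (Test-Path -LiteralPath $tool)) { throw "Evt2Repository.exe not found at $tool" }
if (-not (Test-Path -LiteralPath $EvtFolder)) { throw "EVT folder not found: $EvtFolder" }

$results = foreach ($evt in Get-ChildItem -LiteralPath $EvtFolder -Filter *.evt -File) {
    # Derive the source computer and log name from the file name (example convention only).
    if ($evt.BaseName -notmatch '^(?<computer>[^_]+)_(?<log>.+)$') {
        Write-Warning "Skipping $($evt.Name): name does not follow <computer>_<logname>.evt"
        continue
    }
    $computer = $Matches.computer
    $logName  = $Matches.log

    # Build the argument list as the documented /option=value switches.
    # /propertiesfrom: fill in OS version and computer type from earlier events of the
    # same computer in the repository first, then from the original computer.
    # /resolvedescriptions=remotefirst: use the source computer's message libraries when
    # reachable, otherwise fall back to this computer's.
    $toolArgs = @(
        "/file=$($evt.FullName)",
        "/domain=$Domain",
        "/computer=$computer",
        "/logname=$logName",
        "/repository=$Repository",
        "/timezone=$TimeZoneMinutes",
        '/propertiesfrom=repository,originalcomputer',
        '/resolvedescriptions=remotefirst'
    )

    Write-Host "Importing $($evt.Name) as $computer / $logName"
    & $tool @toolArgs
    # The exit code is recorded for review; its meaning is not documented on this page.
    [pscustomobject]@{ File = $evt.Name; Computer = $computer; Log = $logName; ExitCode = $LASTEXITCODE }
}

$results | Format-Table -AutoSize
```

Run it on a computer with InTrust Server installed, adjusting the placeholders first. The per-file result table is worth keeping next to the imported data so that a reviewer can see which files were loaded and with which source computer and log name they were attributed.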

Removing Repositories (ITRepositoryRemover.exe)

If you need to delete a repository physically, use the specially designed ITRepositoryRemover.exe command-line utility shipped with InTrust. (Windows tools do not let you delete a repository easily.) The utility resides in <InTrust_installation_folder>\Server\InTrust.

Before you run the repository removal utility, remove the repository from the InTrust configuration. For that, delete it in InTrust Manager or InTrust Deployment Manager. You may have to wait for the repository services to stop working with the repository and unlock all the locked files in it. How long you need to wait depends on the repository size and how many other repositories there are.

Note:

  • To confirm that the repository contents can be safely deleted, look in the InTrust Server log for the latest events from this repository. If there have been no indexing or merging events for this repository for two minutes, then you can proceed with the deletion.
  • The utility removes only the audit data in the repository. The repository folder is not deleted. If the repository is indexed, the index also remains intact. You can safely remove the index and the folder with regular Windows tools.

Next, launch the utility:

  1. Start the command prompt.
  2. Use the cd command to specify the directory containing ITRepositoryRemover.exe as the working directory.
  3. Run the command, supplying your repository path as a parameter and optionally /y, if you want to confirm the deletion without a prompt. For example:
    ITRepositoryRemover.exe d:\Repositories\Repository2012 /y
  4. Press ENTER.

If you start ITRepositoryRemover.exe without any parameters, it will display information about the correct usage of the utility.
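The following PowerShell script is an added example, not Quest's code, of the removal procedure above with the waiting step made explicit: it tries to open every file in the repository exclusively, keeps waiting while any file is still locked, and only then runs ITRepositoryRemover.exe with /y from its own directory. It assumes the repository has already been deleted from the InTrust configuration in InTrust Manager or InTrust Deployment Manager, and the installation folder is a placeholder.

```powershell
# Added example (not Quest's code): wait until no file in the repository is locked,
# then run ITRepositoryRemover.exe <repository path> /y.
# Assumptions: the repository was already deleted in InTrust Manager/Deployment Manager;
# $InTrustFolder is a placeholder for <InTrust_installation_folder>.
param(
    [Parameter(Mandatory)] [string] $RepositoryPath,             # e.g. D:\Repositories\Repository2012
    [string] $InTrustFolder = 'C:\Program Files\Quest\InTrust',  # <InTrust_installation_folder>
    [int]    $MaxWaitMinutes = 10
)

$ErrorActionPreference = 'Stop'

function Get-LockedFiles([string] $Root) {
    # Open each file for reading with no sharing allowed. If another process (for example
    # the InTrust repository services) still has the file open, the open fails with a
    # sharing violation and the file is reported as locked.
    $locked = @()
    foreach ($f in Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue) {
        try {
            $stream = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'None')
            $stream.Dispose()
        }
        catch [System.IO.IOException], [System.UnauthorizedAccessException] {
            $locked += $f.FullName
        }
    }
    return ,$locked
}

$tool = Join-Path $InTrustFolder 'Server\InTrust\ITRepositoryRemover.exe'
if (-not (Test-Path -LiteralPath $tool)) { throw "ITRepositoryRemover.exe not found at $tool" }
if (-not (Test-Path -LiteralPath $RepositoryPath)) { throw "Repository folder not found: $RepositoryPath" }

# Wait (up to $MaxWaitMinutes) for InTrust to release every file in the repository.
$deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
while ($true) {
    $locked = Get-LockedFiles $RepositoryPath
    if ($locked.Count -eq 0) { break }
    if ((Get-Date) -gt $deadline) {
        throw "$($locked.Count) file(s) still locked after $MaxWaitMinutes min (e.g. $($locked[0])); not removing."
    }
    Write-Host "$($locked.Count) file(s) still locked; waiting 30 s for InTrust to release them"
    Start-Sleep -Seconds 30
}

# The utility removes only the audit data; the folder and any index remain afterwards
# and can be deleted with regular Windows tools.
Push-Location (Split-Path -Parent $tool)
try {
    & $tool $RepositoryPath /y
    Write-Host "ITRepositoryRemover.exe exited with code $LASTEXITCODE"
}
finally {
    Pop-Location
}
```

Before running it, also check the InTrust Server log as described in the note above: the lock check only shows whether files are open right now, not whether an indexing or merging job is about to start.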
