
InTrust 11.4.1 - Understanding InTrust Repositories

Restoring Events in Native Format

If you need to view audit trails in their native format, use the ITEventExtractor.exe command-line utility shipped with InTrust.

Note: Events that were filtered out when data was gathered to a repository will not be present in the extracted log files.

To use the ITEventExtractor.exe utility

  1. Start the command prompt.
  2. Use the cd command to specify the directory containing ITEventExtractor.exe as the working directory. The utility resides in %ProgramFiles%\Common Files\Quest\InTrust (on 64-bit systems, in %ProgramFiles(x86)%\Common Files\Quest\InTrust).
  3. Type ITEventExtractor.exe <parameters>.
  4. Press ENTER.

The syntax depends on the environment to which the required audit trails are related.

Microsoft Windows:

ITEventExtractor /REPPATH:<Path> /LOGNAME:<Name> /COMPUTER:<Computer> /FILE:<FileName> /DOMAIN:<Domain> [/SRVPORT:protocol:server[port]] [/DATEFROM:<Date>] [/DATETO:<Date>]

PARAMETER DESCRIPTION
/REPPATH: UNC path to the repository from which to extract the events.
/LOGNAME: Specifies the logs that contained the events you need.
/COMPUTER: The computers from which the events you need were retrieved. When specifying several computer names, separate them with white spaces.
/FILE: The path to the file to which the utility writes information.
/DOMAIN: The name of the domain or domains that include computers from which the events you need were retrieved.
/SRVPORT: The communication port and protocol, and the server that processed the events you need.
/DATEFROM: Date in MM/dd/YY or MM/dd/YYYY:HH:mm format; events recorded before this date are ignored. If you omit this parameter, events are extracted starting with the earliest.
/DATETO: Date in MM/dd/YY or MM/dd/YYYY:HH:mm format; events recorded after this date are ignored. If you omit this parameter, events up to the latest are extracted.

Unix:

ITEventExtractor /REPPATH:<Path> /LOGNAME:<Name> /HOST:<Object> /FILE:<FileName> [/SRVPORT:protocol:server[port]] [/DATEFROM:<Date>] [/DATETO:<Date>]

PARAMETER DESCRIPTION
/REPPATH: UNC path to the repository from which to extract the events.
/LOGNAME: Specifies the logs that contained the events you need.
/HOST: The hosts from which the audit trails you need were retrieved. When specifying several hosts, separate them with white spaces.
/FILE: The path to the file to which the utility writes information.
/SRVPORT: The communication port and protocol, and the server that processed the events you need.
/DATEFROM: Date in MM/dd/YY or MM/dd/YYYY:HH:mm format; events recorded before this date are ignored. If you omit this parameter, events are extracted starting with the earliest.
/DATETO: Date in MM/dd/YY or MM/dd/YYYY:HH:mm format; events recorded after this date are ignored. If you omit this parameter, events up to the latest are extracted.

Notes:

  • Do not type spaces between a parameter's variable and invariable parts (/REPPATH: \\Server01\InTrustRepository\Default is incorrect).
  • If the variable part of a parameter contains spaces, put quotation marks around it (/COMPUTER:Stone Wilson is incorrect; /COMPUTER:"Stone Wilson" is correct).
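The two notes above and the date format from the parameter table can be applied mechanically. The following PowerShell function is an added example, not part of the InTrust documentation or product: it assembles the Windows-syntax parameter string for one computer and one domain and prints the line to type at the command prompt. The function name New-ITEventExtractorArgs and the sample log name, file path, domain and dates are constructed for illustration.

```powershell
# Added example; the function name and all sample values are constructed.
function New-ITEventExtractorArgs {
    param(
        [Parameter(Mandatory)][string]$RepPath,
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$Computer,   # one computer only (assumption)
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Domain,
        [datetime]$DateFrom,
        [datetime]$DateTo
    )
    if ($RepPath -notmatch '^\\\\[^\\]+\\[^\\]+') {
        throw "/REPPATH: expects a UNC path, got '$RepPath'"
    }
    $hasFrom = $PSBoundParameters.ContainsKey('DateFrom')
    $hasTo   = $PSBoundParameters.ContainsKey('DateTo')
    if ($hasFrom -and $hasTo -and $DateFrom -gt $DateTo) {
        throw '/DATEFROM: is later than /DATETO:'
    }
    # Attach the value to the parameter name with no space after the colon,
    # and quote only the variable part when it contains white space.
    $pair = {
        param($name, $value)
        if ($value -match '"') { throw "$name value must not contain quotation marks" }
        if ($value -match '\s') { '{0}"{1}"' -f $name, $value } else { "$name$value" }
    }
    $inv   = [cultureinfo]::InvariantCulture
    $parts = @(
        & $pair '/REPPATH:'  $RepPath
        & $pair '/LOGNAME:'  $LogName
        & $pair '/COMPUTER:' $Computer
        & $pair '/FILE:'     $File
        & $pair '/DOMAIN:'   $Domain
    )
    # MM/dd/YYYY:HH:mm from the parameter table; the invariant culture keeps '/' and ':' literal.
    if ($hasFrom) { $parts += '/DATEFROM:' + $DateFrom.ToString('MM/dd/yyyy:HH:mm', $inv) }
    if ($hasTo)   { $parts += '/DATETO:'   + $DateTo.ToString('MM/dd/yyyy:HH:mm', $inv) }
    $parts -join ' '
}

# Constructed sample values; the repository path and computer name reuse the ones in the notes.
$argLine = New-ITEventExtractorArgs -RepPath '\\Server01\InTrustRepository\Default' `
    -LogName 'Security' -Computer 'Stone Wilson' -File 'C:\Case 042\Security.log' `
    -Domain 'EXAMPLE' -DateFrom '2024-03-01 00:00' -DateTo '2024-03-02 00:00'
"ITEventExtractor.exe $argLine"
```

Run the printed line from the directory that contains ITEventExtractor.exe, as described in the steps above.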

Restoring Centera-Specific References

The ServiceFolderRestorer command-line utility recreates the contents of the service folder used by a Centera-based InTrust repository. The service folder is used for referencing Centera clips created within the time range you specify, without checking whether those clips are referenced from anywhere else. You can use this to restore damaged service folders.

The utility is located in <InTrust_installation_path>\InTrust\Server\InTrust. Use the following syntax:

ServiceFolderRestorer.exe <path> <pool> ["<start time>"] ["<end time>"] [/y]

PARAMETER DESCRIPTION

<path>

The path to the service folder of the Centera-based repository; the supporting file structure is created automatically.

<pool>

The Centera connection string (for example, 212.3.248.12:3128?c:\mercom.pea)

<start_time> and <end_time>

Optional parameters that specify the time range of the Centera clips you are interested in. These times must be in YYYY.MM.DD hh:mm:ss format.

Note that these times reflect when the clip was created in the Centera storage, not when the gathered events occurred.

/y

Optional parameter that enables silent mode.
