InTrust provides two general-purpose data source types for situations in which you need to gather event logs for which no predefined data source exists. When creating such a data source, you specify how to process the log, what information is stored and how it is ordered.
InTrust supports two types of user-defined event logs: database logs and text logs.
To create a new database log data source
For details about custom database log settings, see the Database Events Data Sources topic.
To create a new text log data source
For details about custom text log settings, see the Custom Text Log Data Sources topic.
To edit an existing database or text log data source, right-click the data source you need in the right pane and select Properties.
User-defined text log data sources can be configured in any of three modes: Basic, Advanced or Raw.
Processing of log information is powered by regular expressions. In Basic mode, you are not exposed to regular expressions (although you can use them when specifying the path to the log file). In Advanced mode, you write them as needed to configure how the log data is handled. In Raw mode, you use regular expressions inside scripts of your own.
Whichever mode you select, the end result is a script that InTrust runs. You can edit the resulting scripts to meet your specific purposes. For example, you can complete the Basic mode wizard to rough out a data source and later edit the script in Raw mode.
You can do the editing directly in a text editor provided by the wizard. If you run the wizard to edit a Basic data source, you can choose to convert it to an Advanced or Raw data source. Note that you cannot convert an Advanced or Raw data source back to a Basic one, nor can you convert a Raw data source to an Advanced one.
However, in some cases it is preferable to create an Advanced data source from the start. This is the case when the regular expressions the Basic wizard generates have a structure quite different from the expressions you will eventually need, so that editing them would amount to rewriting them.
In general, recommendations for the choice of mode are as follows:
| Mode | Recommended when |
|---|---|
| Basic | The log has a number of clearly articulated fields. These fields can be distinguished either by delimiters between them or by the fixed width of each field. This kind of log can be represented as a table without rearranging or modifying data. |
| Advanced | One or both of the following are true: the log has mixed-format entries, so it does not fit in a simple table without rearranging fields; the log includes comments and other data that would break a simple row-and-column representation. |
| Raw | You feel more comfortable with a script editor user interface than with the wizard's Advanced mode settings. |
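The two log shapes the table contrasts, worked through in Python as an added example. This is not InTrust's own script language or the output of its wizard; it only illustrates the distinction between a delimited log that maps straight onto a table and a mixed-format log with comments that needs one regular expression per record shape. The log lines, field names and patterns are constructed for the example. It also shows a check a practitioner will want whichever mode they pick: anchoring each pattern to the whole line, so that a crafted value inside the free-text part of an entry cannot shift which text lands in which field.

```python
import re

# Constructed sample (not from the page): a delimited log where every line carries
# the same fields in the same order. A third, truncated line stands in for a
# malformed entry. This is the shape the Basic mode wizard is meant for.
DELIMITED_LOG = """\
2024-03-01 10:15:02|auth|alice|LOGIN_OK|10.0.0.5
2024-03-01 10:15:09|auth|bob|LOGIN_FAIL|10.0.0.9
2024-03-01 10:15:20|auth|carol
"""
DELIMITED_FIELDS = ("timestamp", "facility", "user", "outcome", "source_ip")

# Constructed sample: comment lines plus record shapes whose fields sit in different
# positions. This shape needs per-shape regular expressions (Advanced or Raw mode).
MIXED_LOG = """\
# sshd-style log, constructed for the example
Mar 01 10:15:02 host1 sshd[412]: Accepted publickey for alice from 10.0.0.5 port 51234
Mar 01 10:15:09 host1 sshd[412]: Failed password for invalid user bob from 10.0.0.9 port 51240
; log rotated here
Mar 01 10:16:00 host1 sshd[412]: Connection closed by 10.0.0.9 port 51240
"""

# Constructed line in which the (attacker-chosen) username itself contains
# " from 1.2.3.4 port 1", mimicking the tail of a genuine record.
SPOOFED_LINE = ("Mar 01 10:17:00 host1 sshd[412]: Failed password for invalid user "
                "evil from 1.2.3.4 port 1 from 10.0.0.9 port 51240")

COMMENT_PREFIXES = ("#", ";")


def parse_delimited(text, fields=DELIMITED_FIELDS, delimiter="|"):
    """Split each line on the delimiter and map the pieces onto the field names.
    Lines with the wrong number of fields are reported, not silently dropped."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(delimiter)
        if len(parts) != len(fields):
            rejected.append((lineno, line))
            continue
        records.append(dict(zip(fields, parts)))
    return records, rejected


# One pattern per record shape. Named groups let each shape be rearranged into the
# same record layout as the delimited log. The syslog-style timestamp has no year,
# so it is kept as the raw string rather than parsed.
_PREFIX = r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
MIXED_PATTERNS = (
    ("LOGIN_OK", re.compile(
        _PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<source_ip>\S+) port \d+")),
    ("LOGIN_FAIL", re.compile(
        _PREFIX + r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<source_ip>\S+) port \d+")),
)


def parse_mixed(text):
    """Skip comment lines, try each shape's pattern with fullmatch() so the whole line
    must fit, and rearrange the captured groups into the common record layout.
    Lines no pattern matches are returned separately for review."""
    records, unmatched = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(COMMENT_PREFIXES):
            continue
        for outcome, pattern in MIXED_PATTERNS:
            m = pattern.fullmatch(line)
            if m:
                records.append({"timestamp": m.group("timestamp"), "facility": "auth",
                                "user": m.group("user"), "outcome": outcome,
                                "source_ip": m.group("source_ip")})
                break
        else:
            unmatched.append((lineno, line))
    return records, unmatched


def spoof_check(line):
    """Why anchoring matters: the same line parsed with an unanchored search() and
    with fullmatch(). Returns the source_ip each one extracts (None if rejected)."""
    _, pattern = MIXED_PATTERNS[1]
    loose = pattern.search(line)      # stops at the first "port <n>", keeps the forged IP
    strict = pattern.fullmatch(line)  # leftover text means the line is rejected
    return (loose.group("source_ip") if loose else None,
            strict.group("source_ip") if strict else None)


if __name__ == "__main__":
    print(parse_delimited(DELIMITED_LOG))
    print(parse_mixed(MIXED_LOG))
    print(spoof_check(SPOOFED_LINE))
```

The delimited parser is all the Basic-style log needs; the mixed-format log needs a pattern per shape plus explicit handling of comment lines, which is the distinction the table draws. The unanchored search in `spoof_check` attributes the spoofed line to 1.2.3.4, the forged address, while the anchored version rejects it, so whatever mode you choose, anchor the expressions and route unmatched lines somewhere they will be seen.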