Data Archiving and Analysis
This scenario represents the regular practice of gathering and archiving audit data, and then analyzing it. This is not a course of action for emergency situations.
InTrust provides you with long-term storage for Active Roles-related audit data. Keeping all the data in databases is impractical, so you use InTrust repositories for long-term storage.
You gather the audit data to InTrust repositories and import recent portions of it to audit databases to build reports. You are interested in data related to Active Directory object management.
To implement this scenario
- Create a separate InTrust audit database for this purpose. You should not use your regular database in this case, because only one task should depend on it.
- Create a new InTrust task and schedule it to run as often as you need it to.
- In the new task, create a cleanup job than clears all data from the special audit database you have created. This job ensures that the database is emptied before any new data arrives in it.
- Create a successor import job that imports data you are going to analyze. This job must import only Active Roles Administration log data.
- Create a successor notification job to inform you of task completion.
- When you get notified that the data has becomes available, see the “Active Roles all server events” report in Quest Knowledge Portal.
Using report filters, you can easily determine which events need attention and analyze them in depth.
Knowledge Pack Objects
Site
Notification Group
Rules
- Administration Services
- Active Roles Service: General response
- Active Roles Service: Physical memory usage
- Active Roles Service: Reserved virtual memory
- Active Roles: License system failure
- Active Roles: Administration Service internal error
- Active Roles: Critical error on startup
- Active Roles: Event with Error severity
- Active Roles: Event with Warning severity
- Active Roles: Multiple failure audit
- Active Roles: Policy compliance check
- Active Roles: Replication monitoring
Data Sources
- Active Roles Administration Log
- Active Roles Service: General Response - Script
- Active Roles Service: Physical memory usage - Script
- Active Roles Service: Reserved virtual memory - Script
- Active Roles: Change Auditor for AD log
- Active Roles: Policy compliance check - Script
- Active Roles: Replication monitoring - Script
Real-Time Monitoring Policy
- Active Roles: Administration Service Policy
Gathering Policies
- Active Roles: All Administration Service log events
- Active Roles: Change Auditorfor AD log events
- Active Roles: Security log events
Import Policy
Tasks
- Active Roles: Daily events collection
- Active Roles: Weekly reporting
Repository Viewer Searches
- Active Roles
- All events produced by Active Roles
- All operations and operation requests
- Operation requests for computers
- Operation requests for groups
- Operation requests for miscellaneous objects
- Operation requests for users
- Operations on computers
- Operations on groups
- Operations on miscellaneous objects
- Operations on users
Reports
Known Issues in Knowledge Pack
The following is a list of issues known to exist at the time of the InTrust 11.4.2 Knowledge Pack for Active Roles release.
| The AR Server WI: Availability real-time monitoring rule is matched if the Web Interface site uses any TCP port different from the default one (80), as if the Web Interface were not available. |
B113361 |
| The AR Server WI: Availability real-time monitoring rule does not work with Active Roles Server of versions prior to 6.0.3. |
ST43222 |
