InTrust provides self-auditing capabilities, which help you monitor the health of your InTrust deployment and meet regulatory compliance requirements. Self-auditing is configured differently for InTrust servers and agents. For details, see the following topics:
InTrust Server self-auditing covers requests for InTrust services by external client applications (such as InTrust Deployment Manager and Repository Viewer) and InTrust-specific inter-service communication that occurs locally on the InTrust server. For details about the events that are logged, see InTrust Self-Audit Events.
By default, self-auditing of InTrust servers is disabled. To turn it on and off or change the auditing level on a particular InTrust server, use the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer\RpcAuditLevel registry value on that server. The following values are accepted:
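An added example (not part of the InTrust documentation) that reads the RpcAuditLevel registry value described above on several InTrust servers, so that a server left at the disabled default or changed afterwards stands out. The server names and the $Expected baseline are placeholders, and PowerShell remoting to the servers is assumed.

```powershell
# Added example: report RpcAuditLevel on each InTrust server and flag drift.
# Server names are placeholders; PowerShell remoting (WinRM) is assumed.
$Servers  = @('INTRUST-SRV1', 'INTRUST-SRV2')
# The level you chose from the accepted values; $null means report only.
$Expected = $null

$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer'
$ValueName = 'RpcAuditLevel'

$report = foreach ($server in $Servers) {
    try {
        # Read the value on the remote server; returns nothing if it is absent.
        $value = Invoke-Command -ComputerName $server -ErrorAction Stop `
            -ArgumentList $KeyPath, $ValueName -ScriptBlock {
                param($Path, $Name)
                $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $item.$Name }
            }
        $status = if ($null -eq $value) {
            'ValueNotSet'      # key or value missing on this server
        } elseif ($null -ne $Expected -and $value -ne $Expected) {
            'Drift'            # differs from the baseline you set above
        } else {
            'Present'
        }
    }
    catch {
        # Remoting failure: record it instead of silently skipping the server.
        $value  = $null
        $status = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $server; RpcAuditLevel = $value; Status = $status }
}

$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or monitoring job alert on findings.
if ($report | Where-Object { $_.Status -ne 'Present' }) { exit 1 }
```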
Agent-related self-auditing provides information about how agents run real-time monitoring rules. This data gives you insights into the following types of activity, all of which are based on real-time rules:
For details about the audited events, see InTrust Self-Audit Events.
To enable or disable agent self-auditing globally in your InTrust organization, set the ITRT_SelfAuditLevel organization parameter to 1 or 0, respectively. For details about modifying InTrust organization parameters, see Organization Parameter Editor.
NOTE: You can override the enabled or disabled state of agent self-auditing on a per-server basis. However, this is not recommended, because there is no direct control over which agents respond to which InTrust server.
InTrust lets you use its tools to collect and analyze its own self-audit events.
The following basic set of configuration objects is provided for this:
Agent-side log backup configuration changes
All InTrust self-audit events
Connections to InTrust servers
Real-time collection configuration changes
Real-time monitoring configuration changes
Depending on which workflow you prefer, you can set up self-audit log management in InTrust Deployment Manager with collections or InTrust Manager with gathering jobs.
IMPORTANT: When you gather from InTrust servers, it is recommended that each InTrust server gather from itself. This helps avoid situations where two InTrust servers gather from one another, which causes errors due to internal limitations. For this reason, more configuration objects need to be created than would be necessary for auditing computers that are not InTrust servers.
To set up InTrust self-audit log gathering in InTrust Deployment Manager, you need some collections that get the "InTrust Self-Audit Log" data source from your InTrust servers. For each of your InTrust servers, create a dedicated Windows collection and configure it as follows:
To set up InTrust self-audit log gathering in InTrust Manager, configure the following set of objects:
For general information about task-based gathering workflows, see the Auditing Guide.
To view self-audit events collected to a repository, open it in Repository Viewer and use the predefined searches in the "InTrust Self-Audit" search folder. For details, see Running Searches and, generally, Searching for Events in Repository Viewer.