Notes:
To open a repository, click Repositories | Open in the main menu. You are prompted to select what kind of repository to connect to: idle repository or production repository. These options mean the following:
Production repositories can be grouped together to form repository groups. A repository group acts as a single unit: you can run searches on it and create reports as if it were a regular repository. For details about repository group membership, see Managing Repository Groups.
NOTE: Repository Viewer works with repository groups concurrently, but multi-repository searching is not completely overhead-free.
Repository groups are stored in InTrust configuration, and they are available to every instance of Repository Viewer connected to the InTrust organization.
To open a production repository or repository group
If you select a repository group, that group will open.
You should always use the index if it is available and up to date. The index makes Repository Viewer operation interactive.
Notes:
To open an idle repository
Note: For access to an idle repository, Repository Viewer must be running under an account with at least Read permissions on the share that contains the repository.
Once you have opened a repository or repository group, the left pane shows the following:
The right pane contains search tools.
Note: Any tab can be detached and docked freely in the right pane. To detach a tab, drag it away from where it is docked. To dock a pane, drag it onto any of the areas of the view compass that appears. To make it a tab again, right-click its caption and select Tabbed Document.
To run a search, click Go. The context of your search depends on the following:
By default, the number of search results that can be displayed at once is capped at 5000. If you reach this limit, consider specifying better filtering conditions. You can also change the search result limit on the Search Filter tab.
Notes:
Repository Viewer provides an extensive set of preconfigured searches out of the box. They will likely cover most of your event analysis needs; consider trying these searches before you begin creating your own. To view and use the searches included by default, expand the Predefined Search Folders node. Predefined searches are available only when you are working with production repositories.
Notes:
You can freely modify these searches in the Search Filter tab (see Filter Parameters for details). However, any changes you make are applied only for the current session. The next time you open Repository Viewer, predefined searches will be in their default state. If you want to save your changes permanently, make a copy of the modified search using the Copy To button in the toolbar of the Search Filter tab. A predefined search can be a convenient starting point for creating your own search.
Note: The Copy To button is available only when an existing search is selected. When the filter parameters are configured from scratch, the button is labeled Save As.
In addition to the search filter configuration, the saved search includes the event list layout. If you have configured grouping and sorting for the search (see Configuring the Result Layout for details), these settings are preserved.
After you have saved your own search, all subsequent changes to it are applied immediately and permanently. See also the Custom Searches topic.
The set of fields in events stored in the InTrust repository has been expanded from version to version. Predefined searches in Repository Viewer have kept up with those changes and incorporated the newly added fields. As a result, predefined searches may not always work as expected on event data that was collected by older versions of InTrust. This topic lists the added fields by InTrust version.
If your search unexpectedly turns up too little old data, you may want to modify the search to exclude recently implemented fields.
New fields for rule match event (event ID 17408) in InTrust Server log:
Field Name | Field Display Name |
---|---|
Alert | Alert |
Alert_Code | Alert Code |
Alert_Generation_Time_Local | Alert Generation Time Local |
Alert_Generation_Time_UTC | Alert Generation Time UTC |
Alert_Severity | Alert Severity |
Rule_ID | Rule ID |
Severity_Code | Severity Code |
New fields for Security log events that have Active Directory attributes in their descriptions:
Field Name | Field Display Name |
---|---|
DNS_Host_Name | DNS Host Name |
Domain_Behavior_Version | Domain Behavior Version |
Force_Logoff | Force Logoff |
Lockout_Duration | Lockout Duration |
Lockout_Observation_Window | Lockout Observation Window |
Lockout_Threshold | Lockout Threshold |
Machine_Account_Quota | Machine Account Quota |
Max_Password_Age | Max Password Age |
Min_Password_Age | Min Password Age |
Min_Password_Length | Min Password Length |
Mixed_Domain_Mode | Mixed Domain Mode |
OEM_Information | OEM Information |
Password_History_Length | Password History Length |
Password_Properties | Password Properties |
Service_Principal_Names | Service Principal Names |
New fields for InTrust Server log events:
Field Name | Field Display Name |
---|---|
Alert_Code | Alert Code |
Alert_Severity | Alert Severity |
Port | Port |
License | License |
Data_Source_Type | Data Source Type |
Server | Server |
Timezone | Timezone |
UTC_offset | UTC offset |
Permission | Permission |
These fields were never used and have been superseded:
Field Name | Field Display Name |
---|---|
DS_Name | DS Name |
DS_Type | DS Type |
New fields for InTrust Self-Audit log events:
Field Name | Field Display Name |
---|---|
Audit_Level | Audit Level |
Extension | Extension |
Interface | Interface |
Interface_ID | Interface ID |
UTC | UTC |
Log_Name | Log_Name |
End_Date | End Date |
Job | Job |
New fields for PowerShell log events:
Field Name | Field Display Name |
---|---|
Context | Context |
User_Data | User Data |
Payload | Payload |
Scriptblock | Scriptblock |
Scriptblock_ID | Scriptblock ID |
New fields for Windows Security log event 4738:
Field Name | Field Display Name |
---|---|
Account_Expires | Account Expires |
AllowedToDelegateTo | Allowed To Delegate To |
Home_Directory | Home Directory |
Home_Drive | Home Drive |
Logon_Hours | Logon Hours |
Password_Last_Set | Password Last Set |
Primary_Group_ID | Primary Group ID |
Profile_Path | Profile Path |
Script_Path | Script Path |
SID_History | SID History |
User_Account_Control | User Account Control |
User_Parameters | User Parameters |
User_Workstations | User Workstations |
New field for Windows Security log events:
Field Name | Field Display Name |
---|---|
Failure_Code | Failure Code |
Repurposed field for Windows Security log events, changed to contain textual descriptions instead of failure codes:
Field Name | Field Display Name |
---|---|
Failure_Reason | Failure Reason |
New fields for the Agent Management and Real-Time Service sources in InTrust Server log events:
Field Name | Field Display Name |
---|---|
Agent | Agent |
AgentID | Agent ID |
Data_Source | Data Source |
Data_Source_ID | Data Source ID |
Error_Text | Error Text |
Not_Responding_Minutes | Not Responding Minutes |
Not_Responding_Seconds | Not Responding Seconds |
Percent | Percent |
Repository | Repository |
Rule | Rule |
Size | Size |
Field Name | Field Display Name |
---|---|
DS_Name | DS Name |
DS_Type | DS Type |
Property | Property |
Schema | Schema |
Status | Status |
Value | Value |
These changes mostly concern the ARS log and also, to a minor extent, the Windows Security log.
Field Name | Field Display Name |
---|---|
Access_Mask | Access Mask |
Accesses | Accesses |
Account_Domain | Account Domain |
Activity | Activity |
Activity_Operation_GUID | Activity Operation GUID |
Activity_Operation_ID | Activity Operation ID |
Activity_Type | Activity Type |
Admin_Account | Service Account |
Advanced_Options | Advanced Options |
Approver | Approver |
Assembly | Assembly |
Attachment_file_name | Attachment file name |
Attestor | Attestor |
Attribute | Attribute |
Attribute_name | Attribute name |
Authentication_Package | Authentication Package |
Body | Body |
Branch | Branch |
CAP | CAP |
CAPs_Added | CAPs Added |
CAPs_Deleted | CAPs Deleted |
CAPs_Modified | CAPs Modified |
Certificate_Issuer_Name | Certificate Issuer Name |
Certificate_Serial_Number | Certificate Serial Number |
Certificate_Thumbprint | Certificate Thumbprint |
Class_ID | Class ID |
Class_Name | Class Name |
Collection | Collection |
Command | Command |
Compatible_IDs | Compatible IDs |
Configuration | Configuration |
Configuration_Group | Configuration Group |
Configured_Names | Configured Names |
Container | Container |
Database | Database |
DC | DC |
Destination | Destination |
Details | Details |
Details2 | Details 2 |
Details3 | Details 3 |
Device_Claims | Device Claims |
Device_ID | Device ID |
Device_Name | Device Name |
Direction | Direction |
Disable_Integrity_Checks | Disable Integrity Checks |
Disabled_Privileges | Disabled Privileges |
Enabled_Privileges | Enabled Privileges |
EncapMethod | EncapMethod |
Error_Code | Error Code |
EtherType | EtherType |
Event_in_Sequence | Event in Sequence |
Expiration | Expiration |
Failed | Failed |
File_Name | File Name |
Filter | Filter |
Filter_ID | Filter ID |
Flight_Signing | Flight Signing |
Forest | Forest |
Function | Function |
GC | GC |
GC_Site | GC Site |
Group_Membership | Group Membership |
Group_Type | Group Type |
Handle_ID | Handle ID |
Handler | Handler |
Hardware | Hardware |
Header | Header |
HyperVisor_Debugging | HyperVisor Debugging |
HyperVisor_Launch_Type | HyperVisor Launch Type |
HyperVisor_Load_Options | HyperVisor Load Options |
Instance | Instance |
Interval | Interval |
IP_Address | IP Address |
Kernel_Debugging | Kernel Debugging |
Layer_ID | Layer ID |
Layer_Name | Layer Name |
Load_Options | Load Options |
Location | Location |
Logon_ID | Logon ID |
Master | Master |
Maximum_Allowed | Maximum Allowed |
Module | Module |
Module_GUID | Module GUID |
Nested_Group | Nested Group |
New_Accesses | New Accesses |
New_MaxUsers | New MaxUsers |
New_Name | New Name |
New_Remark | New Remark |
New_SD | New SD |
New_Share_Flags | New Share Flags |
Object_ID | Object ID |
Old_MaxUsers | Old MaxUsers |
Old_Remark | Old Remark |
Old_Share_Flags | Old Share Flags |
Operation | Operation |
Operation_GUID | Operation GUID |
Operation_ID | Operation ID |
Ownership_Type | Ownership Type |
Packets_Discarded | Packets Discarded |
Parameters | Parameters |
Partition | Partition |
Policy_Category | Policy Category |
Policy_Change | Policy Change |
Policy_ID | Policy ID |
Policy_Subcategory | Policy Subcategory |
Pre_Authentication_Type | Pre-Authentication Type |
Process_ID | Process ID |
Protocol | Protocol |
Reason | Reason |
Result | Result |
Result_Code | Result Code |
Run_As | Run As |
Schema_Builtin_Version | Schema Builtin Version |
Schema_Info | Schema Info |
Schema_Virtual_Version | Schema Virtual Version |
SCP | SCP |
SD | SD |
Sequence_Length | Sequence Length |
Server_Name | Server Name |
Service_ID | Service ID |
Service_Name | Service Name |
Shadow | Shadow |
Share_Name | Share Name |
Share_Path | Share Path |
Silo_Name | Silo Name |
Site | Site |
SnapControl | SnapControl |
SnapOui | SnapOui |
Source_Details | Source Details |
Source_Network_Address | Source Address |
SPN_Name | SPN Name |
Start_Date | Start Date |
Succeed | Succeed |
System_Event_Logging | System Event Logging |
Target_Address | Target Address |
Target_Port | Target Port |
Task | Task |
Test_Signing | Test Signing |
TGT_Lifetime | TGT Lifetime |
Ticket_Encryption_Type | Ticket Encryption Type |
Ticket_Options | Ticket Options |
Total | Total |
TPAM_Failed | TPAM: Failed |
TPAM_Operation | TPAM: Operation |
TPAM_Role | TPAM: Role |
TPAM_Target | TPAM: Target |
Transited_Services | Transited Services |
UNIX_Result | UNIX: Result |
User_Claims | User Claims |
User_Name | User_Name |
VlanTag | VlanTag |
VSM_Launch_Type | VSM Launch Type |
vSwitch_ID | vSwitch ID |
Workflow | Workflow |
Workflow_GUID | Workflow GUID |
Field Name | Field Display Name |
---|---|
Facility | Facility |
Object_New_DN | Object New DN |
Object_Old_DN | Object Old DN |
Severity | Severity |
Field Name | Field Display Name |
---|---|
UNIX_AUDIT_NAME | Audit Event |
UNIX_AUDIT_CLASS | Audit Class |
UNIX_AUDIT_CALL | Audit Call |
UNIX_AUDIT_TRAIL | Audit Trail |
UNIX_AUDIT_COMMAND | Audit Command |
Field Name | Field Display Name |
---|---|
Filer | Filer |
New_path | New path |
Scope | Scope |
Number_of_results | Number of results |
Query_filter | Query filter |
Attribute_name | Attribute name |
Elapsed | Elapsed |
Query_type | Query type |
TPAM_Operation | Operation |
TPAM_Role | Role |
TPAM_Target | Target |
TPAM_Failed | Failed |
UNIX_Result | Result |
UNIX_OS | OS |
QPMU_Service | Service |
QPMU_Master_host | Master host |
QPMU_Submit_host | Submit host |
QPMU_Submit_user | Submit user |
QPMU_Run_host | Run host |
QPMU_Run_user | Run user |
QPMU_Command_line | Command line |
Permissions_Changed | Permissions Changed |
Original_Owner | Original Owner |
New_Owner | New Owner |
Data_Written | Data Written |
Permission_level_name | Permission level name |
Permission_level_allow_mask | Permission level allow mask |
Permission_level_deny_mask | Permission level deny mask |
Site_URL | Site URL |
List_URL | List URL |
List_relative_URL | List relative URL |
User_Logon_Name | User Logon Name |
Applied_to | Applied to |
Inherited_from | Inherited from |
Version | Version |
Grantee_user_name | Grantee user name |
Grantee_group_name | Grantee group name |
Field_Name | Field Name |
Old_value | Old value |
New_value | New value |
Attachment_file_name | Attachment file name |
Field Name | Field Display Name |
---|---|
Affected_Group | Affected Group |