InTrust provides two toolsets for auditing:
This set of topics describes the scheduled task-based method. For details on the newer toolset, see the Collecting Events in Real Time topic.
Note the following important specifics of the two gathering methods:
For more details about tasks and jobs, see Understanding Jobs and Tasks.
InTrust offers you a smooth, automated audit data gathering workflow based on scheduled tasks, which are sequences of jobs. Jobs process audit data, perform notification, or run applications. A task not only provides a container for jobs, but also ensures automated job execution—on schedule and in the specified order. InTrust’s predefined tasks are available in InTrust Manager under Workflow | Tasks.
To collect event data from site computers into a repository and/or database using a gathering job, do the following:
When a data collection session is over, the collection stops automatically.
Generally, audit data is collected into a repository, and then an import job places it into the audit database, applying import policies which prescribe what portions of data must be imported. Then a reporting job is launched to generate the necessary reports on collected data.
Note: InTrust gathers audit trails from heterogeneous environments while keeping the workflow uniform. For example, gathering Syslog on Linux is no different from gathering Windows event logs in InTrust. However, in the case of Linux, you need to take a few extra steps to prepare for auditing. See the Gathering Job topic for details about using agents.
Jobs that work with audit data (meaning gathering, consolidation, and import jobs) involve the following:
Sites are discussed in the InTrust Sites topic.
The recommended auditing and reporting workflow is to gather audit data to a repository for storage, import only the necessary bits to the audit database for reporting, and clean up the audit database when the data is no longer needed.
To create, delete and modify audit databases and repositories, use the Configuration | Data Stores node in the InTrust Manager treeview.
Notes:
A task consists of one or more jobs. Jobs in a task can be configured to run simultaneously or one after another.
To create a task
To create a job within a task
Note that the job account must have access permissions on the repository and/or audit database.
If an account that will be used to work with the repository and/or database is specified in the repository/database properties, make sure it has been granted sufficient permissions for connection.
For details on required permissions, refer to System Requirements.
Note: Before a newly created (or modified) task or job can start, you must commit the changes.
To reduce clutter in the treeview and group your tasks logically, you can put them in containers like files in folders. Task folders are created under the Workflow | Tasks node and can be nested.
To create a task folder, right-click Workflow | Tasks or an existing task folder and select New Folder. You can paste cut or copied tasks from other task folders if necessary.
IMPORTANT: Be careful when you organize tasks that contain audit database cleanup jobs. These jobs can conflict with other jobs that write to the same audit database:
Consider the following precautions:
To run a task or a job, right-click the task or job and select Run.
To stop a running task or job, double-click Workflow | Sessions, right-click the task or job session and select Stop.
To instruct an InTrust task to execute one job after another, create a job sequence by linking the jobs. You can do this graphically or in the Dependencies dialog box:
In the dialog box, select a job from the list of available jobs; to run it after your job, put it in the Child jobs list; to run it before your job, put it in the Parents list. If necessary, specify a deadline (see the Tuning Jobs topic for details).
In terms of InTrust, gathering audit data means applying a policy to InTrust sites. You bind a policy to a site by creating and scheduling a task that contains corresponding jobs.
A policy is a collection of settings that defines what audit data to process, specifying data sources and filters:
So, you can configure a policy intended for collecting System logs from all domain controllers, or for collecting Security logs from the IIS servers, or any other policy you need.
Using policies spares you the effort of specifying logs and events every time you prepare for an audit data collection. Policies enable you to create a selection for a particular purpose once and for all, and to use it with all related jobs. Policies are easily editable, so you can copy any of them and make any necessary changes to the duplicate.
As described above, the gathering mechanism is used when InTrust does the following:
For each of these operations there is a separate type of policy:
These types are very similar functionally, and they are configured uniformly. The examples below involve gathering policies; you can work with other policies in a similar way.
Policies are created separately for each network environment (for example, Microsoft Windows Network).
To create a policy
To edit a policy
Note: After you create or modify a policy, commit the changes.
Data sources enable you to precisely select the events that you need to process. Some data sources are used by both gathering and monitoring processes, some provide data only for gathering, and others are monitoring-only. To see all available data sources, select Configuration | Data Sources. Right-click a data source to view its properties, including:
You can create a new data source by selecting the corresponding command from the Data Sources node’s shortcut menu. Follow the wizard to specify the data source properties.
There is an important set of options specific to the data sources of the Microsoft Windows Events type: you can select what libraries to use when retrieving standard descriptions for Windows events. The descriptions can be taken from libraries that exist locally on processed computers or from remote computers.
Caution: This setting works only if you gather events without agents. If you gather with agents, the local libraries of the processed computer are always used.
To select which libraries to use
Windows Vista and later Windows versions support event logs with a hierarchical structure. In Event Viewer, these logs are available in the Application and Services Logs container. The Microsoft Windows Events data source type in InTrust works with event logs located at any level of the Event Viewer hierarchy.
Caution: If you want to gather such logs using a Windows Server 2003 or 2003 R2-based InTrust server, you need to gather with InTrust agents. Agentless gathering will not work in this case, because Windows Server 2003 and 2003 R2 predate this type of log. If the InTrust server that does the gathering is running Windows Server 2008 or later, then both agent-based and agentless gathering of such logs will work.
To enable InTrust to work with such a log, create a data source of the Microsoft Windows Events type. On the Windows Events Settings page of the New Data Source Wizard, specify the exact full name as the log name.
To look up and copy the full name of the log, run Event Viewer on a computer where the log is available, locate the log you need, and open its properties. Look in the Full Name text box.
For details about working with custom text logs, see Auditing Custom Logs with InTrust.
The External Events data source type is not represented by any predefined data sources. It is different from other data source types in that it generates event records with fields that you define and hands them over to the InTrust agent to process.
Data sources of this type are represented by a command-line utility on the agent side and an InTrust data source object on the InTrust server side.
For example, you can use the utility if your application does not have its own log. The External Events data source simulates event records that can be processed by InTrust agents.
The External Events data source type relies on the cross-platform ExtEvtProviderCmd command-line utility that forces special events on the InTrust agent running on the same computer. The agent stores the events in its backup cache. From there, the events can be captured by the gathering or real-time monitoring engine.
On each platform, the utility is implemented as two files: an executable program and a shared library. On Windows, these files are ExtEvtProviderCmd.exe and ExtEvtProviderApi.dll. On Unix-like systems, the files are ExtEvtProviderCmd and ExtEvtProviderApi.so.
Binary files for all supported platforms are located in <InTrust_installation_folder>\Server\ADC\SupportTools.
You can use the utility in either of two ways: copy the binaries to the target computers manually or deploy them as distributable files.
To deploy the utility as distributable files
By default, the utility components are automatically installed to the following locations:
This utility is designed to be automated with scripts. Such scripts should launch the utility in situations when intervention is necessary. The scripts must construct and execute a command with the following syntax:
The -e parameter means that an empty event record is sent.
The <field_name> parameter specifies the name of a field in the EventsStrings table of the InTrust audit database. The <field_value> parameter specifies the value that is written to this field.
The utility can fill in only a subset of the fields in audit database tables. The following table shows which fields of which tables can be used by a data source of this type:
| Target Table Name in audit database | Value Name used as command parameter | Target Field Name |
|---|---|---|
| Events | Computer | Computer |
| Events | UserName | UserName |
| Events | UserDomain | UserDomain |
| Events | EventType | EventType |
| Events | Source | Source |
| Events | EventID | EventID |
| Events | StringCategory | Category |
| EventsDescriptions | Description | Description |
| EventsStrings | String<N> (you can use fields that have the format String1, String2, ... String<N>) | StringValue (the StringIndex field is also filled in; the StringIndex value equals the insertion string index <N>) |
| EventsStrings | Any name not listed elsewhere in the table | StringValue (the StringIndex field is also filled in; the StringIndex value is greater than the maximum predefined insertion string index) |
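The following script is an added example and is not part of the InTrust documentation or of the ExtEvtProviderCmd utility. It shows how a script that automates the utility can resolve the field/value pairs it is about to pass into the audit database tables listed in the table above (Events, EventsDescriptions and EventsStrings), assign StringIndex values according to the String<N> and "any other name" rules, and throttle how often external events are generated, since processing one event can take several seconds. The exact command-line syntax of the utility is not reproduced in this excerpt, so the script only prepares and validates the fields; the number of predefined insertion strings (`MAX_PREDEFINED_STRING_INDEX`) and the helper names are assumptions.

```python
"""Resolve External Events fields to InTrust audit database tables.

Added example (not InTrust product code). The table/field mapping follows
the documented table for the External Events data source; the predefined
insertion-string count and all helper names are assumptions.
"""
import re
import time

# Events-table fields, keyed by the value name used as the command parameter
# (value name -> target field), as listed in the documentation table.
EVENTS_TABLE = {
    "Computer": "Computer",
    "UserName": "UserName",
    "UserDomain": "UserDomain",
    "EventType": "EventType",
    "Source": "Source",
    "EventID": "EventID",
    "StringCategory": "Category",
}
DESCRIPTION_VALUE = "Description"          # -> EventsDescriptions.Description
STRING_N = re.compile(r"^String(\d+)$")    # String1, String2, ... String<N>

# ASSUMPTION: the documentation only says that unlisted names receive a
# StringIndex greater than the maximum predefined insertion string index;
# the actual count of predefined String<N> fields is not stated here.
MAX_PREDEFINED_STRING_INDEX = 20


def resolve_fields(fields, max_predefined=MAX_PREDEFINED_STRING_INDEX):
    """Map {value_name: value} to (table, target_field, string_index, value).

    string_index is None for the Events and EventsDescriptions tables.
    An empty mapping corresponds to the utility's -e (empty event) form.
    """
    # First pass: collect explicit String<N> indices so that unlisted names
    # are numbered above both the predefined maximum and any explicit index.
    explicit = {}
    for name in fields:
        match = STRING_N.match(name)
        if match:
            idx = int(match.group(1))
            if idx < 1:
                raise ValueError(f"{name}: insertion string index must be >= 1")
            explicit[name] = idx
    next_free = max([max_predefined, *explicit.values()]) + 1

    resolved = []
    for name, value in fields.items():
        if name in EVENTS_TABLE:
            resolved.append(("Events", EVENTS_TABLE[name], None, str(value)))
        elif name == DESCRIPTION_VALUE:
            resolved.append(("EventsDescriptions", "Description", None, str(value)))
        elif name in explicit:
            resolved.append(("EventsStrings", "StringValue", explicit[name], str(value)))
        else:
            # Any name not listed elsewhere in the table: StringValue with a
            # StringIndex above the maximum predefined insertion string index.
            resolved.append(("EventsStrings", "StringValue", next_free, str(value)))
            next_free += 1
    return resolved


class EventThrottle:
    """Refuse to emit external events more often than min_interval seconds.

    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, min_interval=5.0, clock=time.monotonic):
        self.min_interval = min_interval
        self.clock = clock
        self.last_emitted = None

    def allow(self):
        """Return True if an event may be sent now, and record the send time."""
        now = self.clock()
        if self.last_emitted is not None and now - self.last_emitted < self.min_interval:
            return False
        self.last_emitted = now
        return True


if __name__ == "__main__":
    # Constructed sample: a hypothetical application reporting a failed backup.
    sample = {
        "Computer": "srv01",
        "Source": "BackupApp",
        "EventID": 1001,
        "Description": "Nightly backup failed",
        "String1": "volume D:",
        "Outcome": "failed",     # not listed in the table -> EventsStrings
    }
    for row in resolve_fields(sample, max_predefined=5):
        print(row)
```

A script built around these helpers would call `resolve_fields` to validate what it is about to send, check `EventThrottle.allow()` before launching the utility, and skip or queue the event when the throttle refuses it, which keeps the agent from being flooded with events that each take seconds to process.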
To make InTrust aware of external events, create a data source of the External Events type in InTrust Manager.
To create an External Events data source
Now, if you include this data source in a policy and use the policy in a gathering job, InTrust will listen for external events from the site that the gathering job spans.
Important: The processing of a single event generated by a data source of this type can take several seconds. Therefore, you should not generate frequent external events.