Getting Started with Repository Viewer
|
|
Notes:
|
To open a repository, click Repositories | Open in the main menu. You are prompted to select what kind of repository to connect to: idle repository or production repository. These options mean the following:
- Production repository
This ensures that the InTrust server you specify handles the communication between Repository Viewer and the repository. Always use this option if the repository you need is managed by an InTrust server and is available for gathering, consolidation and other operations. This method does not lock down the repository index, and multiple instances of Repository Viewer can use its index simultaneously. - Idle repository
This makes Repository Viewer read data directly from the repository without any intermediary components. Use this option only when the repository you need is not attached to any InTrust server. For example, it can be a backup copy of a production repository or an idle repository with historical data. Note that using direct connection locks the index of a repository so that only the first-connected instance of Repository Viewer can use the advantages of indexing.
Production repositories can be grouped together to form repository groups. A repository group acts as a single unit: you can run searches on it and create reports as if it were a regular repository. For details about repository group membership, see Managing Repository Groups.
|
|
NOTE: Repository Viewer works with repository groups concurrently, but multi-repository searching is not completely overhead-free. |
Repository groups are stored in InTrust configuration, and they are available to every instance of Repository Viewer connected to the InTrust organization.
To open a production repository or repository group
- Select whether you want to connect by specifying an InTrust organization or a specific InTrust server.
- Select the organization or server.
- Select whether you want to open individual repositories or a repository group.
The following happens for individual repositories:- If you select a single repository, it will open in a temporary group. If there is still one repository in the group by the time you finish the session, the group is not saved in InTrust configuration.
- If you select multiple individual repositories or repository groups, a new group will be created for them, and the group will open. It will include all members in your selection.
If you select a repository group, that group will open.
You should always use the index if it is available and up to date. The index makes Repository Viewer operation interactive.
|
|
Notes:
|
To open an idle repository
- Specify the local or network path to the repository root folder.
- To use the index of the repository, in the Index location group of options select Repository folder or supply a path in the This location text box. To continue without an index, select No index.
|
|
Note: For access to an idle repository, Repository Viewer must be running under an account with at least Read permissions on the share that contains the repository. |
Once you have opened a repository or repository group, the left pane shows the following:
- A navigation tree with the repository structure
The tree represents the repository structure using multiple levels, such as environment (Microsoft Windows or Unix), domain (for Windows only) and computer. - Predefined searches with search condition presets
These are essentially built-in interactive reports. For details, see Predefined Searches. - Custom searches
These are searches that you create yourself, either based on existing ones or from scratch. For details, see Custom Searches.
The right pane contains search tools.
|
|
Note: Any tab can be detached and docked freely in the right pane. To detach a tab, drag it away from where it is docked. To dock a pane, drag it onto any of the areas of the view compass that appears. To make it a tab again, right-click its caption and select Tabbed Document. |
Running Searches
To run a search, click Go. The context of your search depends on the following:
- Where in the navigation tree you are
Selecting a node in the navigation tree means that your searches will include only the events available at that node's level. For example, to look in the entire repository group, select the repository group node; to get events only from a particular repository or computer, select that repository or computer's node. - Whether you are using any parameter filters
Running the search without any parameters will show you all events at your current navigation tree level. If you add any filters, they are applied during the search. If you have selected any search in the left pane, you are already using the filter set configured for that search.
By default, the number of search results that can be displayed at once is capped at 5000. If you reach this limit, consider specifying better filtering conditions. You can also change the search result limit on the Search Filter tab.
|
|
Notes:
|
Predefined Searches
Repository Viewer provides an extensive set of preconfigured searches out of the box. They will likely cover most of your event analysis needs; consider trying these searches before you begin creating your own. To view and use the searches included by default, expand the Predefined Search Folders node. Predefined searches are available only when you are working with production repositories.
|
|
Notes:
|
You can freely modify these searches in the Search Filter tab (see Filter Parameters for details). However, any changes you make are applied only for the current session. The next time you open Repository Viewer, predefined searches will be in their default state. If you want to save your changes permanently, make a copy of the modified search using the Copy To button in the toolbar of the Search Filter tab . A predefined search can be a convenient starting point for creating your own search.
|
|
Note: The Copy To button is available only when an existing search is selected. When the filter parameters are configured from scratch, the button is labeled Save As. |
In addition to the search filter configuration, the saved search includes the event list layout. If you have configured grouping and sorting for the search (see Configuring the Result Layout for details), these settings are preserved.
After you have saved your own search, all subsequent changes to it are applied immediately and permanently. See also the Custom Searches topic.
Changes to Event Fields
The set of fields in events stored in the InTrust repository has been expanded from version to version. Predefined searches in Repository Viewer have kept up with those changes and incorporated the newly-added fields. As a result, predefined searches may not always work as expected on event data that was collected by older versions of InTrust. This topic lists the added fields by InTrust version.
If your search unexpectedly turns up too little old data, you may want to modify the search to exclude recently implemented fields.
Added in Version 11.4.1 Update 1
New fields for rule match event (event ID 17408) in InTrust Server log:
| Field Name | Field Display Name |
|---|---|
|
Alert |
Alert |
|
Alert_Code |
Alert Code |
|
Alert_Generation_Time_Local |
Alert Generation Time Local |
|
Alert_Generation_Time_UTC |
Alert Generation Time UTC |
|
Alert_Severity |
Alert Severity |
|
Rule_ID |
Rule ID |
|
Severity_Code |
Severity Code |
Added in Version 11.4.1
New fields for Security log events that have Active Directory attributes in their descriptions:
| Field Name | Field Display Name |
|---|---|
|
DNS_Host_Name |
DNS Host Name |
|
Domain_Behavior_Version |
Domain Behavior Version |
|
Force_Logoff |
Force Logoff |
|
Lockout_Duration |
Lockout Duration |
|
Lockout_Observation_Window |
Lockout Observation Window |
|
Lockout_Threshold |
Lockout Threshold |
|
Machine_Account_Quota |
Machine Account Quota |
|
Max_Password_Age |
Max Password Age |
|
Min_Password_Age |
Min Password Age |
|
Min_Password_Length |
Min Password Length |
|
Mixed_Domain_Mode |
Mixed Domain Mode |
|
OEM_Information |
OEM Information |
|
Password_History_Length |
Password History Length |
|
Password_Properties |
Password Properties |
|
Service_Principal_Names |
Service Principal Names |
New fields for InTrust Server log events:
| Field Name | Field Display Name |
|---|---|
|
Alert_Code |
Alert Code |
|
Alert_Severity |
Alert Severity |
|
Port |
Port |
|
License |
License |
|
Data_Source_Type |
Data Source Type |
|
Server |
Server |
|
Timezone |
Timezone |
|
UTC_offset |
UTC offset |
|
Permission |
Permission |
Removed in Version 11.4.1
These fields were never used and have been superseded:
| Field Name | Field Display Name |
|---|---|
|
DS_Name |
DS Name |
|
DS_Type |
DS Type |
Added in Version 11.4
New fields for InTrust Self-Audit log events:
| Field Name | Field Display Name |
|---|---|
|
Audit_Level |
Audit Level |
|
Extension |
Extension |
|
Interface |
Interface |
|
Interface_ID |
Interface ID |
|
UTC |
UTC |
|
Log_Name |
Log_Name |
|
End_Date |
End Date |
|
Job |
Job |
New fields for PowerShell log events:
| Field Name | Field Display Name |
|---|---|
|
Context |
Context |
|
User_Data |
User Data |
|
Payload |
Payload |
|
Scriptblock |
Scriptblock |
|
Scriptblock_ID |
Scriptblock ID |
New fields for Windows Security log event 4738:
| Field Name | Field Display Name |
|---|---|
|
Account_Expires |
Account Expires |
|
AllowedToDelegateTo |
Allowed To Delegate To |
|
Home_Directory |
Home Directory |
|
Home_Drive |
Home Drive |
|
Logon_Hours |
Logon Hours |
|
Password_Last_Set |
Password Last Set |
|
Primary_Group_ID |
Primary Group ID |
|
Profile_Path |
Profile Path |
|
Script_Path |
Script Path |
|
SID_History |
SID History |
|
User_Account_Control |
User Account Control |
|
User_Parameters |
User Parameters |
|
User_Workstations |
User Workstations |
Added and Changed in Version 11.3.2
New field for Windows Security log events:
|
Field Name |
Field Display Name |
|---|---|
|
Failure_Code |
Failure Code |
Repurposed field for Windows Security log events, changed to contain textual descriptions instead of failure codes:
|
Field Name |
Field Display Name |
|---|---|
|
Failure_Reason |
Failure Reason |
New fields for the Agent Management and Real-Time Service sources in InTrust Sever log events:
|
Field Name |
Field Display Name |
|---|---|
|
Agent |
Agent |
|
AgentID |
Agent ID |
|
Data_Source |
Data Source |
|
Data_Source_ID |
Data Source ID |
|
Error_Text |
Error Text |
|
Not_Responding_Minutes |
Not Responding Minutes |
|
Not_Responding_Seconds |
Not Responding Seconds |
|
Percent |
Percent |
| Repository |
Repository |
|
Rule |
Rule |
|
Size |
Size |
Added and Changed in Version 11.3.1
| Field Name | Field Display Name |
|---|---|
|
DS_Name |
DS Name |
|
DS_Type |
DS Type |
|
Property |
Property |
|
Schema |
Schema |
|
Status |
Status |
|
Value |
Value |
Added and Changed in Version 11.3
These changes mostly concern the ARS log and also, to a minor extent, Windows Security log.
| Field Name | Field Display Name |
|---|---|
|
Access_Mask |
Access Mask |
|
Accesses |
Accesses |
|
Account_Domain |
Account Domain |
|
Activity |
Activity |
|
Activity_Operation_GUID |
Activity Operation GUID |
|
Activity_Operation_ID |
Activity Operation ID |
|
Activity_Type |
Activity Type |
|
Admin_Account |
Service Account |
|
Advanced_Options |
Advanced Options |
|
Approver |
Approver |
|
Assembly |
Assembly |
|
Attachment_file_name |
Attachment file name |
|
Attestor |
Attestor |
|
Attribute |
Attribute |
|
Attribute_name |
Attribute name |
|
Authentication_Package |
Authentication Package |
|
Body |
Body |
|
Branch |
Branch |
|
CAP |
CAP |
|
CAPs_Added |
CAPs Added |
|
CAPs_Deleted |
CAPs Deleted |
|
CAPs_Modified |
CAPs Modified |
|
Certificate_Issuer_Name |
Certificate Issuer Name |
|
Certificate_Serial_Number |
Certificate Serial Number |
|
Certificate_Thumbprint |
Certificate Thumbprint |
|
Class_ID |
Class ID |
|
Class_Name |
Class Name |
|
Collection |
Collection |
|
Command |
Command |
|
Compatible_IDs |
Compatible IDs |
|
Configuration |
Configuration |
|
Configuration_Group |
Configuration Group |
|
Configured_Names |
Configured Names |
|
Container |
Container |
|
Database |
Database |
|
DC |
DC |
|
Destination |
Destination |
|
Details |
Details |
|
Details2 |
Details 2 |
|
Details3 |
Details 3 |
|
Device_Claims |
Device Claims |
|
Device_ID |
Device ID |
|
Device_Name |
Device Name |
|
Direction |
Direction |
|
Disable_Integrity_Checks |
Disable Integrity Checks |
|
Disabled_Privileges |
Disabled Privileges |
|
Enabled_Privileges |
Enabled Privileges |
|
EncapMethod |
EncapMethod |
|
Error_Code |
Error Code |
|
EtherType |
EtherType |
|
Event_in_Sequence |
Event in Sequence |
|
Expiration |
Expiration |
|
Failed |
Failed |
|
File_Name |
File Name |
|
Filter |
Filter |
|
Filter_ID |
Filter ID |
|
Flight_Signing |
Flight Signing |
|
Forest |
Forest |
|
Function |
Function |
|
GC |
GC |
|
GC_Site |
GC Site |
|
Group_Membership |
Group Membership |
|
Group_Type |
Group Type |
|
Handle_ID |
Handle ID |
|
Handler |
Handler |
|
Hardware |
Hardware |
|
Header |
Header |
|
HyperVisor_Debugging |
HyperVisor Debugging |
|
HyperVisor_Launch_Type |
HyperVisor Launch Type |
|
HyperVisor_Load_Options |
HyperVisor Load Options |
|
Instance |
Instance |
|
Interval |
Interval |
|
IP_Address |
IP Address |
|
Kernel_Debugging |
Kernel Debugging |
|
Layer_ID |
Layer ID |
|
Layer_Name |
Layer Name |
|
Load_Options |
Load Options |
|
Location |
Location |
|
Logon_ID |
Logon ID |
|
Master |
Master |
|
Maximum_Allowed |
Maximum Allowed |
|
Module |
Module |
|
Module_GUID |
Module GUID |
|
Nested_Group |
Nested Group |
|
New_Accesses |
New Accesses |
|
New_MaxUsers |
New MaxUsers |
|
New_Name |
New Name |
|
New_Remark |
New Remark |
|
New_SD |
New SD |
|
New_Share_Flags |
New Share Flags |
|
Object_ID |
Object ID |
|
Old_MaxUsers |
Old MaxUsers |
|
Old_Remark |
Old Remark |
|
Old_Share_Flags |
Old Share Flags |
|
Operation |
Operation |
|
Operation_GUID |
Operation GUID |
|
Operation_ID |
Operation ID |
|
Ownership_Type |
Ownership Type |
|
Packets_Discarded |
Packets Discarded |
|
Parameters |
Parameters |
|
Partition |
Partition |
|
Policy_Category |
Policy Category |
|
Policy_Change |
Policy Change |
|
Policy_ID |
Policy ID |
|
Policy_Subcategory |
Policy Subcategory |
|
Pre_Authentication_Type |
Pre-Authentication Type |
|
Process_ID |
Process ID |
|
Protocol |
Protocol |
|
Reason |
Reason |
|
Result |
Result |
|
Result_Code |
Result Code |
|
Run_As |
Run As |
|
Schema_Builtin_Version |
Schema Builtin Version |
|
Schema_Info |
Schema Info |
|
Schema_Virtual_Version |
Schema Virtual Version |
|
SCP |
SCP |
|
SD |
SD |
|
Sequence_Length |
Sequence Length |
|
Server_Name |
Server Name |
|
Service_ID |
Service ID |
|
Service_Name |
Service Name |
|
Shadow |
Shadow |
|
Share_Name |
Share Name |
|
Share_Path |
Share Path |
|
Silo_Name |
Silo Name |
|
Site |
Site |
|
SnapControl |
SnapControl |
|
SnapOui |
SnapOui |
|
Source_Details |
Source Details |
|
Source_Network_Address |
Source Address |
|
SPN_Name |
SPN Name |
|
Start_Date |
Start Date |
|
Succeed |
Succeed |
|
System_Event_Logging |
System Event Logging |
|
Target_Address |
Target Address |
|
Target_Port |
Target Port |
|
Task |
Task |
|
Test_Signing |
Test Signing |
|
TGT_Lifetime |
TGT Lifetime |
|
Ticket_Encryption_Type |
Ticket Encryption Type |
|
Ticket_Options |
Ticket Options |
|
Total |
Total |
|
TPAM_Failed |
TPAM: Failed |
|
TPAM_Operation |
TPAM: Operation |
|
TPAM_Role |
TPAM: Role |
|
TPAM_Target |
TPAM: Target |
|
Transited_Services |
Transited Services |
|
UNIX_Result |
UNIX: Result |
|
User_Claims |
User Claims |
|
User_Name |
User_Name |
|
VlanTag |
VlanTag |
|
VSM_Launch_Type |
VSM Launch Type |
|
vSwitch_ID |
vSwitch ID |
|
Workflow |
Workflow |
|
Workflow_GUID |
Workflow GUID |
Added in Version 11.1
| Field Name | Field Display Name |
|---|---|
|
Facility |
Facility |
|
Object_New_DN |
Object New DN |
|
Object_Old_DN |
Object Old DN |
|
Severity |
Severity |
Added in Version 11.0
| Field Name | Field Display Name |
|---|---|
|
UNIX_AUDIT_NAME |
Audit Event |
|
UNIX_AUDIT_CLASS |
Audit Class |
|
UNIX_AUDIT_CALL |
Audit Call |
|
UNIX_AUDIT_TRAIL |
Audit Trail |
|
UNIX_AUDIT_COMMAND |
Audit Command |
Added in Version 10.7
|
Field Name |
Field Display Name |
|---|---|
|
Filer |
Filer |
|
New_path |
New path |
|
Scope |
Scope |
|
Number_of_results |
Number of results |
|
Query_filter |
Query filter |
|
Attribute_name |
Attribute name |
|
Elapsed |
Elapsed |
|
Query_type |
Query type |
|
TPAM_Operation |
Operation |
|
TPAM_Role |
Role |
|
TPAM_Target |
Target |
|
TPAM_Failed |
Failed |
|
UNIX_Result |
Result |
|
UNIX_OS |
OS |
|
QPMU_Service |
Service |
|
QPMU_Master_host |
Master host |
|
QPMU_Submit_host |
Submit host |
|
QPMU_Submit_user |
Submit user |
|
QPMU_Run_host |
Run host |
|
QPMU_Run_user |
Run user |
|
QPMU_Command_line |
Command line |
|
Permissions_Changed |
Permissions Changed |
|
Original_Owner |
Original Owner |
|
New_Owner |
New Owner |
|
Data_Written |
Data Written |
|
Permission_level_name |
Permission level name |
|
Permission_level_allow_mask |
Permission level allow mask |
|
Permission_level_deny_mask |
Permission level deny mask |
|
Site_URL |
Site URL |
|
List_URL |
List URL |
|
List_relative_URL |
List relative URL |
|
User_Logon_Name |
User Logon Name |
|
Applied_to |
Applied to |
|
Inherited_from |
Inherited from |
|
Version |
Version |
|
Grantee_user_name |
Grantee user name |
|
Grantee_group_name |
Grantee group name |
|
Field_Name |
Field Name |
|
Old_value |
Old value |
|
New_value |
New value |
|
Attachment_file_name |
Attachment file name |
Added in Version 10.6
|
Field Name |
Field Display Name |
|---|---|
|
Affected_Group |
Affected Group |