Chat now with support
Chat with Support

InTrust 11.6 - Getting Started with InTrust

Analyzing Collections

When a collection is selected, the right pane shows a table with information about the collection members. The table supports multi-level grouping of collection computers, so that you can organize the computers in tree-like views using any criteria. For example, you can group computers by status, then by domain, then by type.

To use multi-level grouping, drag table column names from the computer list to the area above the list. The computer list changes accordingly.

Note: The difference between the “Not Installed” and “Failed” computer statuses is as follows:

  • “Not Installed” means agent installation has never been tried for this computer.
  • “Failed” means agent installation has been tried but failed

To hide the computers you are not interested in, you can use view filtering. To configure a view filter, use the controls underneath the table column names: click the operator icon to select the operator, and specify the value to filter by.

The same grouping and view filtering techniques are available in the views with search folder results.

Exporting Collection Information

You can save information about the currently selected collection to a CSV file for comparison, bookkeeping or analysis. For that, click Export list to CSV in the toolbar above the collection view. Alternatively, right-click a collection in the left pane and select Export List to CSV. Note that the exported information is not necessarily the same as in the collection view; the specifics are as follows:

  • No grouping or sorting from the collection view is applied to the CSV output.
  • The set of exported table fields is always the same in the CSV output. The choice and order of fields in the collection view don't affect it.
  • If the collection members are filtered, the same filter is applied to the CSV output.

The data fields in CSV are made independent of the collection view by design. This way the data layout stays the same and is easier to handle with the tools you use for working with CSV.

Advanced Analysis

If you need to troubleshoot your collections or examine your real-time gathering workflow in the greatest possible detail, you can use the RealTimeCollectionStatus.ps1 script, which outputs raw information about your collections to a CSV file. For details, see Tracking Real-Time Event Collection State.

Managing Repositories

You can add, delete and edit repositories at any time. To work with repositories, go to the Storage view of InTrust Deployment Manager.

In this view, the left-hand pane lists the available repositories, and the right-hand pane shows the properties of the selected repository.

To create and delete repositories, use the New and Delete buttons. To edit the properties of a repository, select it and click the Edit link for the group of settings you want.

IMPORTANT: The defining property of a repository is the path to the network share that contains the collected data. When you specify the path, use a UNC name. This makes the repository available to client applications in the network, such as Repository Viewer and IT Security Search. It will also make it easier to integrate the repository into an extended InTrust deployment if you decide to perform it.

You can also create a repository when you create a new collection or edit an existing collection (see Managing Collections), on the Data Sources and Repository step of the wizard.

Where to Keep Repositories

Repositories should not be located on the InTrust server. Admittedly, the default repository is automatically created on the server, but this is only a fallback choice. For day-to-day real-time event collection purposes, create repositories in network shares on separate computers to which client applications, such as Repository Viewer and IT Security Search, have fast network connections.

Setting Up Daily Cleanup

You can configure a repository to keep only recent data and automatically discard data that is too old. For that, edit the Daily Cleanup settings in the repository properties in the Storage view. Specify how old data can get before it is considered too old and at what time daily cleanup should start.

Gathering a Third-Party Application or Service Log

Applications and Services Logs

To gather a third-party Windows event log that is available in the Applications and Services Logs subtree in Windows Event Viewer, you need to create a data source for it. This is done in the wizard used for creating and editing collections, on the Data Sources and Repository step.

Proceed to that step, and then do the following:

  1. Click Add. The New Data Source dialog box opens.
  2. Specify a meaningful name for the new data source. Optionally, provide a description.
  3. In the text box below, specify the exact log name.

Note: If you don't know the name, look it up in Event Viewer, as follows:

  1. Run Event Viewer on a computer where the log is available, and locate the log you need.
  2. Open the properties of the log. The name is in the Full Name text box.
  1. Click OK to save the new data source, and select the check box next to it in the data source list.
  2. Complete the wizard.

Forwarded Events

One of the available Windows log types is Forwarded Events. If subscription-based logging of these events is enabled, InTrust can collect them just like other events. It is possible to configure the gathering using the procedure above; the exact log name in step 3 is ForwardedEvents in this case.

However, due to the limitations of this forwarding technology, data in the forwarded events is mostly meaningless. You can gather it to a repository, but you cannot search in it or build reports on it. Therefore, collecting this data is not recommended. Instead, use InTrust to gather the original events from the sender computers.

Load Balancing

The metrics and suggestions in this section are based on tests performed by quality control.

InTrust agents send events to InTrust servers in batches. By default, the event submission rates are as follows:

  • On Windows servers, including domain controllers, a batch file is sent every minute.
  • On workstations, a batch file is sent every seven minutes.

There are two primary limits to consider when estimating if an InTrust server can cope with its load. On the one hand, an InTrust server can gather from no more than 10,000 computers (servers or workstations) at a time. On the other hand, an InTrust server should not receive more than 60,000 events per second in a steady stream. The rate of events from a computer depends very much on the number of data sources that are processed on that computer.

For example, a collection of about 3000 computers with 5 data sources each, 4 events per second per data source, produces a combined stream of 60,000 events per second. This is a load that a 16-core InTrust server with SSD storage and 16GB of memory should handle without problems.

Tips on avoiding excessive workload on a server:

  • Keep track of how many computers there are per InTrust server.
  • Add InTrust servers if necessary.
  • Assign different servers to different collections.
  • Distribute the computers among your collections evenly.

Caution: When adding an InTrust server to your existing organization, you should run InTrust setup under an account that can manage the InTrust configuration. The account used for installing the first InTrust server automatically has these privileges. To add InTrust organization administrators, in InTrust Deployment Manager click Manage | Configure Access. Of course, to add organization administrators, you must be an organization administrator yourself.


Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating