
InTrust 11.6 - Self-Auditing in InTrust

Self-Auditing in InTrust

InTrust provides self-auditing capabilities, which help you monitor the health of your InTrust deployment and meet regulatory compliance requirements. Self-auditing is configured differently for InTrust servers and agents. For details, see the following topics:

InTrust Server Self-Auditing

InTrust Server self-auditing covers requests for InTrust services by external client applications (such as InTrust Deployment Manager and Repository Viewer) and InTrust-specific inter-service communication that occurs locally on the InTrust server. For details about the events that are logged, see InTrust Self-Audit Events.

By default, self-auditing of InTrust servers is disabled. To turn it on and off or change the auditing level on a particular InTrust server, use the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer\RpcAuditLevel registry value on that server. The following values are accepted:

  • 0
    Self-audit disabled
  • 1
    Remote Access: External calls to InTrust Server are audited; RPC calls from InTrust services on the same server are not audited
  • 2
    Everything: All calls (both external and local) are audited
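
The following PowerShell sketch reads the current server self-audit level and sets it to one of the accepted values. It is an added example, not part of the InTrust product or its documentation. The registry path and value name are the ones given above; the function names, the DWORD value type, and the treatment of a missing value as 0 (disabled) are assumptions.

```powershell
# Added example: report and set the InTrust server self-audit level.
# Path and value name are from this page; the DWORD type is an assumption.
$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer'
$ValueName = 'RpcAuditLevel'
$LevelText = @{
    0 = 'Self-audit disabled'
    1 = 'Remote Access (external calls only)'
    2 = 'Everything (external and local calls)'
}

function Get-InTrustRpcAuditLevel {
    # Assumption: a missing value means 0, because self-auditing is disabled by default.
    $item  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $level = if ($null -ne $item) { [int]$item.$ValueName } else { 0 }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Level       = $level
        Meaning     = if ($LevelText.ContainsKey($level)) { $LevelText[$level] } else { 'Unrecognized value' }
        ValueExists = ($null -ne $item)
    }
}

function Set-InTrustRpcAuditLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only the three values listed on this page are accepted.
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level
    )
    if (-not (Test-Path $KeyPath)) {
        throw "Key $KeyPath not found; is this an InTrust server?"
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $Level")) {
        # -Force creates the value if absent and overwrites it otherwise.
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Level `
            -PropertyType DWord -Force | Out-Null
    }
    Get-InTrustRpcAuditLevel
}

# Usage on an InTrust server, from an elevated session:
Get-InTrustRpcAuditLevel
# Set-InTrustRpcAuditLevel -Level 2 -WhatIf   # preview the change first
```

Run `Get-InTrustRpcAuditLevel` on each InTrust server to confirm that none has been left at, or reset to, level 0.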

InTrust Agent Self-Auditing

Agent-related self-auditing provides information about how agents run real-time monitoring rules. This data gives you insights into the following types of activity, all of which are based on real-time rules:

  • Real-time monitoring
  • Real-time event collection
  • Agent-side log backup

For details about the audited events, see InTrust Self-Audit Events.

To enable or disable agent self-auditing globally in your InTrust organization, set the ITRT_SelfAuditLevel organization parameter to 1 or 0, respectively. For details about modifying InTrust organization parameters, see Organization Parameter Editor.

NOTE: You can override the enabled or disabled state of agent self-auditing on a per-server basis. However, this is not recommended, because there is no direct control over which agents respond to which InTrust server.

Using Self-Audit Events

InTrust lets you use its tools to collect and analyze its own self-audit events.

The following basic set of configuration objects is provided for this:

  • "InTrust Self-Audit Log" data source
  • "InTrust Self-Audit" search folder in Repository Viewer, containing the following searches:
    • Agent-side log backup configuration changes
    • All InTrust self-audit events
    • Connections to InTrust servers
    • Real-time collection configuration changes
    • Real-time monitoring configuration changes

Depending on which workflow you prefer, you can set up self-audit log management in InTrust Deployment Manager with collections or InTrust Manager with gathering jobs.

IMPORTANT: When you gather from InTrust servers, it is recommended that each InTrust server gather from itself. This helps avoid situations where two InTrust servers gather from one another, which causes errors due to internal limitations. For this reason, more configuration objects need to be created than would be necessary for auditing computers that are not InTrust servers.

Gathering with Collections

To set up InTrust self-audit log gathering in InTrust Deployment Manager, you need some collections that get the "InTrust Self-Audit Log" data source from your InTrust servers. For each of your InTrust servers, create a dedicated Windows collection and configure it as follows:

  • Include the InTrust server that the collection is for. Specify the same server as the one that processes the collection, in the Select InTrust Server field.
  • Select "InTrust Self-Audit" as the data source.
  • Specify the repository you need as the data store. Use a single repository for all self-audit data.

For details about the particular procedures, see Managing Collections and, generally, Getting Started with InTrust.

Gathering with Jobs

To set up InTrust self-audit log gathering in InTrust Manager, configure the following set of objects:

  • For each of your InTrust servers, create a dedicated site and include the server in it. Specify the same server as the one that processes the site, in the InTrust Server field. For details, see Creating Sites.
  • Create a gathering policy and select "InTrust Self-Audit" as its only data source. For details, see Understanding Policies.
  • Create a dedicated task for gathering self-audit events and provide a suitable schedule for it. For details, see Understanding Jobs and Tasks.
  • Within this task, create one gathering job for each of your new sites (see Gathering Job for details) and configure it as follows:
    • Bind your new policy to the site that the job is for.
    • Specify the repository you need as the data store. Use a single repository for all self-audit data.
  • Apply your changes by clicking the Commit button in the toolbar.

For general information about task-based gathering workflows, see the Auditing Guide.

Analyzing Self-Audit Data in Repository Viewer

To view self-audit events collected to a repository, open it in Repository Viewer and use the predefined searches in the "InTrust Self-Audit" search folder. For details, see Running Searches and, generally, Searching for Events in Repository Viewer.
