InTrust 11.4.2 - Release Notes

Resolved Issue	Issue ID
Event ID 104 in the InTrust Server log can contain an incorrect time range for deleted repository files. Such events are invalid and occur when cleanup of repository files in accordance with the retention policy deletes data that hasn't been forwarded yet.	IN-4478
During InTrust setup and upgrade, some unneeded triggers are left behind in the InTrust configuration database, which adversely affects InTrust Server performance.	IN-12727
Real-time event collection and task-based gathering use different ways to get the name of the computer, so the letter case in the computer name may vary. If events with different letter cases in the same computer name go into the same repository, then import of that computer's most recent event data into an audit database doesn't work. This situation persists until the next repository merge operation, which happens every 24 hours by default.	IN-13385
If InTrust runs out of memory or disk space, its component database may become corrupted. This is a very serious situation that makes the affected InTrust server or agent unrecoverable and halts all activity associated with that server or agent.	IN-13592
When events are forwarded in JSON format, the "record key" field is missing from them.	IN-14312

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: Installation known issues

Known Issue	Issue ID
Prerequisites are not checked correctly by the installers of InTrust Knowledge Packs for the following systems: VMware Recovery Manager for Active Directory Active Roles If you try to install one of these Knowledge Packs on a computer that is not an InTrust server, setup does not prevent this as it should. When the installation fails, you get the following cryptic error message: "Data source name not found and no default driver specified"	IN-7234
Some administrative PowerShell activity such as Remote Desktop Web Services installation could be considered as suspicious and, as a result, can trigger some actions defined by suspicious activity rules. Workaround: Quest recommends adding the accounts that will run such installations as trusted users (in the Whitelist parameter of the suspicious activity rule). To add a user account to the whitelist, navigate to InTrust Manager \| Real-Time Monitoring \| Rules \| Advanced Threat Protection \| Windows/AD Suspicious Activity \| PowerShell \| Suspicious PowerShell activity, open rule properties and change the user whitelist parameter on the Matching tab. Provide the account data in the following format: <domain name>\<user name>.	—
If you are installing InTrust on a SQL server and updating SQL Server Native Client through the InTrust setup suite in the process, this causes the locally installed SQL Server service to restart automatically. To avoid this, update the client to the required version before you set up InTrust.	733727
You will have to log off and log on again once you have installed InTrust Manager to a location other than default. Otherwise, the InTrust Manager shortcut will not work.	0112449
If you have used the Add/Remove Programs dialog to uninstall InTrust, you will get the Modify/Repair/Remove dialog next time you launch InTrust setup from the CD. Click Remove and wait until setup finishes, then run setup again.	0112184
You may get the following error while trying to install InTrust: Cannot grant the following privileges: Back up files and directories Log on as a service to <account_name> Your Group Policy settings may be preventing setup from granting the privileges specified. There must exist a Group Policy that controls the assignment of the specified privilege(s) in your environment. InTrust setup can neither override it nor check if the account inherits the required privilege(s) from a security group the policy applies to. Make sure the policy grants the specified privilege(s) to InTrust service account, either directly or through its membership in a security group, and click the Ignore button in the error dialog to proceed with the installation.	0112303, 0112218
InTrust Monitoring Console and Quest Knowledge Portal cannot be installed into a Virtual Directory with special characters (like !#$%^&()_+\|][}{;,-=`~) in the name.	0117312
If you receive the following error while upgrading an InTrust Server: Error Code: 1603 Fatal error during installation. First of all, check if all of the InTrust Server services have been stopped. Most often, it is Quest InTrust Real-Time Monitoring Server service that takes long to stop and causes the setup to fail with this error. If this is the case, quit the setup, make sure all of the Quest InTrust services have stopped and run the setup again.	0122748
If you receive the following error at InTrust setup: Cannot configure default Audit Database. Error code: 0x80004005. Property value is invalid. Make sure the value is typed correctly. Unspecified error Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done. Property value is invalid. Make sure the value is typed correctly. Check if you have specified a database with a name that starts with a numeric character (0-9) as either Audit or Alert database. The names of all InTrust Audit and Alert databases must start with an alphabetic character (a-z, A-Z).	0122347, 54080
On the Select Features step, InTrust setup wizard displays the required disk space only for the features you select in the tree. There are, however, some features required by those listed in the tree but not shown there because they are not user-selectable. Those 'hidden' features affect disk space requirements too. Click the Disk Cost button to see the more accurate numbers for required disk space calculated with regards to the features not displayed in the tree.	0112182, 0112212
When InTrust installation fails and is rolled back, some registry keys it has created are not removed. This is controlled by the Microsoft Installer and cannot be handled from the InTrust setup code.	0112227
When you are running the configdb.sql SQL script on a pre-created InTrust configuration database to provide for not giving InTrust service account the database owner right for it, you may receive warnings like the following: Cannot add rows to sysdepends for the current stored procedure because it depends on the missing object 'dbo.ITRTProcessingRule_change'. These warnings may be ignored since they do not indicate of any problems that may affect the future InTrust operation.	0152107
Don't specify any existing Quest Active Roles Server database as the InTrust configuration database, since these two products have incompatible requirements to the system configurations of their databases.	0153990
Components and configuration objects added to an existing InTrust installation by installing an individual Knowledge Pack cannot be consistently removed from InTrust by deselecting the related nodes on the 'Select Features' step of the Installation Wizard.	0153504
When you install InTrust or upgrade it from an earlier version, you may receive the following error message: Error 1335. The cabinet file <cab_file_name> required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package. If this happens, try making a local copy of your InTrust distribution on the computer where you are performing the installation and starting setup from there.	0156239
If you have individual InTrust components installed on a computer to a non-default path, be sure to not use the InTrust Suite setup to add other InTrust components to that machine. Install additional InTrust components by running their individual setup (.MSI) packages from the product DVD instead. This will let you avoid problems at both installation and uninstallation of those components in the future.	0184325
When you change the installation path for the InTrust Server node of the feature tree (on the Select Features step of the Quest InTrust Setup wizard), installation paths for features down the tree is changed accordingly so that individual InTrust components are installed to subfolders of the folder you specify for InTrust Server. Note that this, however, does not apply to Quest Knowledge Portal, which does not inherit its installation path from the InTrust Server component and requires that you explicitly change the installation path if you need that.	0190311
It is recommended that you install the same set of InTrust components on all InTrust Servers in an InTrust Organization. Otherwise, you may have problems, for example, when switching the server that runs a task.	0149166
When you install a report pack and the SQL Server hosting its target database does not have SQL Server Agent running, you may receive the following warning, sometimes followed by an error dialog with the same text: Cannot upload report pack: For Temporary Tables Clean-Up job schedule to be applied, make sure that: 1. Authentication method for database access uses the explicitly specified credentials which are stored in the data source (either SQL Server authentication, or Windows authentication). If Integrated Windows authentication i... When you click OK in this dialog, another error message may be displayed asking you if you want to continue with the setup. Click No and wait for the setup application to prompt you with the options to Retry, Ignore or Abort the installation. When prompted, select Retry. From this point on, the installation of the report pack is expected to run smoothly.	41900
You may receive the following error messages when you install the Knowledge Pack for Microsoft Audit Collection Services (ACS KP) from the command line: Error: 0x80040154. Cannot install ACI packages. Reason: Class not registered. Error: 0x80070005. Cannot install ADC predefined objects. Reason: Error while performing the following action: Enumerating collection. Reason: Access is denied. This is not expected to happen again if you click OK in each error dialog window, let the installation process exit and run the knowledge pack installation command one more time.	60118
You may receive the following misleading error message when installing an additional Knowledge Pack into an existing InTrust organization: Error: 0x80004005. Cannot configure default Audit Database. Reason: Data source name not found and no default driver specified. This error is not expected to cause any real problem with a Knowledge Pack installation. If you see it, click OK in the error message and let the installation finish. No troubleshooting is required unless you see more errors during the installation or find the Knowledge Pack not working properly when installation is finished.	72729
InTrust suite installation program cannot automatically discover an Exchange Server in domain trusted by the domain the InTrust Server computer is a part of.	81962
When you use the default InTrust setup, the installation program does not prompt you for the Communication Port number. If you use the extended InTrust setup to complement a default deployment, you are prompted for the Communication Port value but the setting you make is not applied to the InTrust installation. In this installation scenario, edit this registry value to change the Communication port number after InTrust is installed, if needed: [HKEY_LOCAL_MACHINE]\SOFTWARE\Aelita\ADC\RpcServer\Endpoints\1 or [HKEY_LOCAL_MACHINE]\SOFTWARE\Wow6432Node\Aelita\ADC\RpcServer\Endpoints\1 STRING: Endpoint="8340"	83259
It is not recommended to create InTrust configuration database with "." symbol in its name (for example: InTrust_10.6_ConfigDB), though it will be created, such database is unusable and you will receive the error like: Invalid database name supplied.	83628
Sometimes uninstalling an InTrust component can cause miscellaneous problems for another InTrust component on the same computer. If this happens, open the Programs and Features facility in the Control Panel and perform a Repair operation for the component that is not working properly.	85489, 85552
The "InTrust Monitoring Console" feature cannot be installed if the ASP record is corrupted. If this happens, reinstall the ASP Windows feature (Internet Information Services \| World Wide Web Services \| Application Development Features \| ASP in the Windows Features facility) by removing it and adding it again.	85694

Table 4: Upgrade known issues

Known Issue	Issue ID
If you have customized the default alerting profile in Monitoring Console, then upgrading InTrust deletes the profile.	IN-8597
In some rare situations, if InTrust fails to apply a real-time monitoring policy, this creates an invalid configuration, and other real-time monitoring policies cannot be applied anymore. As a result, real-time monitoring and real-time collection stop working, but there are no error messages to indicate it. This can occur in InTrust organizations where some servers have been upgraded and some haven't, and an upgraded server makes configuration changes that are not recognized by the older servers. If it happens, try the following steps: Note down the settings of all real-time monitoring policies, then delete the policies and commit the change. Note down the settings of all real-time collections in InTrust Deployment Manager and delete the collections. Recreate the real-time monitoring policies with the settings from before. Recreate the collections in InTrust Deployment Manager with the settings from before.	IN-11597, IN-11588
If you have performed an upgrade from version 11.3.1 or earlier without deleting the "Redhat Linux Syslog" data source (as recommended in the Upgrade Guide), then you will still have the old version of this data source after the upgrade. To update the data source in this situation, take the following steps: In InTrust Manager, make a backup copy of the "Redhat Linux Syslog" data source. Delete the original data source. Apply your changes by clicking the Commit button. Close InTrust Manager. Locate the Linux Knowledge Pack setup package *LINUX_KP.....msi* in the InTrust\Server folder in your InTrust distribution and launch it and select Repair mode. After the installation, the up-to-date version of the data source will be available.	IN-3264
If any job in an InTrust task completes with a status other than success, then notification task jobs in the same task may send messages where the job list contains items with invalid job type designations. These are broken duplicates of valid items in the same list, and you can safely ignore them. This problem was fixed in InTrust 11.4 and doesn't occur in fresh installs of version 11.4 and later. However, upgrades from prior versions don't correct this, because the InTrust upgrade policy is not to overwrite any existing configuration objects.	IN-8603
In the course of an upgrade, you may get the following error messages during repository indexing and searching: Unknown field <field_name> referenced in log knowledge base as source of value. This is caused by differences in log knowledge base definitions between the old and new InTrust versions. The problem should go away as soon as all InTrust components have been upgraded—not just InTrust Server, but also Repository Viewer and others.	—
When you upgrade an existing installation of InTrust under an account that doesn't have DBO access rights to the InTrust configuration database, you may receive the following error message: Cannot uninstall CI packages. Error code: 0x80004005. Cannot parse ADCClassInventory query. Error of opening file. Click OK and continue. This error does not affect the results of the upgrade.	0156311
At an upgrade of an InTrust Server in a multiserver InTrust organization, you may receive a misleading error message: You are about to remove an InTrust server from an InTrust organization. Any jobs configured to run on this server must be manually transferred to another live server in the same organization. It is safe to ignore this error. Click OK and continue upgrading.	55161
You may receive the following error when you attempt to upgrade Quest Knowledge Portal (QKP) as a part of your InTrust upgrade process: The installer has insufficient privileges to access this directory: C:\Program Files\Quest Software\Knowledge Portal. The installation cannot continue. Log on as administrator or contact your system administrator. To work around this error, click OK in the error message box, let the upgrade run to the end and repeat the upgrade of QKP.	70709

Table 5: General known issues

Known Issue	Issue ID
If you get a lot of events with event ID 13650 in the InTrust Server log, this may mean that an attacker is trying to scan the open ports on the InTrust server. Consider blacklisting the IP addresses that occur in such series of events. The event description contains the phrase "The system cannot find the file specified", which in this case is misleading and should be interpreted as the system being unable to connect to a socket.	IN-13155
In some data sources, particularly in the newer ones, named event fields are not associated with the original event fields as you might expect. Improvement of event definitions is an ongoing process, and relevant mapping may be added for the events you need in future InTrust versions. To stay abreast of the event field mapping changes, check the Changes to Event Fields topic.	IN-8039
When you open SQL scripts from the InTrust distribution (for example, configdb.sql) in SQL Server Management Studio, you get an "Inconsistent Line Endings" message. This message can be safely ignored.	IN-10257
You may get the following warning during gathering from VMware ESXi and vCenter servers: Cannot find the specified position in the event log. If this happens, consider gathering more frequently. This warning means events that came after the last gathered event were lost.	IN-10053
Some Windows Security log events with identical event IDs have variants with different layouts, where specific fields are added or reordered. The differences exist both among Windows versions and within the same Windows version. InTrust provides event field aliases for indexing and convenient searching, and this functionality relies on field ordering. InTrust has not always accommodated the event layout differences, and searching by affected fields may give you incorrect results. At this time, InTrust potentially has this issue with the following event IDs: In Windows Server 2008 R2: 4616, 4654, 4656, 4688, 5140, 5451, 5452, 5632, 6272, 6273 In Windows Server 2012 R2: 4616, 4624, 4654, 4656, 4661, 4663, 4688, 5125, 5140, 5451, 5452, 5632, 6272, 6273 In Windows Server 2016: 4616, 4624, 4654, 4656, 4661, 4663, 4688, 4728, 4732, 4746, 4751, 4756, 4761, 4785, 5125, 5140, 5451, 5452, 5632, 6272, 6273, 6274, 6275, 6416 In Windows Server 2019 and Windows 10: 4616, 4624, 4654, 4656, 4661, 4663, 4688, 4728, 4732, 4746, 4751, 4756, 4761, 4785, 5125, 5140, 5451, 5452, 5632, 6272, 6273, 6274, 6275, 6416, 5058, 5059, 5376, 5377	IN-7007
The InTrust agent does not require Microsoft .NET Framework for most of its functionality and can be installed on a computer without .NET. However, some agent features, such as PowerShell script-based response actions, will not work on those computers.	IN-7255
Event forwarding configuration and repository indexing configuration are mistakenly coupled during failover activity. If either a forwarding server or an indexing server fails, then the failover rule will switch both the forwarding server and the indexing server, even if one of the servers is OK.	IN-4816
An InTrust server performs self-auditing correctly only if UAC is enabled on that server. Otherwise, some InTrust activity may not be audited.	IN-4170
When you create a repository, specifying a local path for it is not prevented, even though InTrust does not support locally-hosted repositories.	616837
Two InTrust servers cannot concurrently process each other using agents.	0115565
You may not be able to log on interactively to a computer where InTrust server is installed, if the InTrust configuration database went offline while restarting the computer. Wait until the database goes back online or for about 5 minutes, then try logging on again.	0115564
Don't delete the Default configuration objects (Default databases, repositories, operators, etc.) even if you never use them in InTrust sites, policies etc. Other predefined objects may have references to the Default objects by default, which may result in hard-to-find errors if referenced objects no longer exist in your InTrust configuration database. Note that the deleted predefined configuration objects are not recreated at InTrust upgrades or reinstallations, some of them causing errors at the setup phase if missing from the configuration database. The recommended practice is to keep default configuration objects as templates for the custom ones you create for the routine use.	0122083, 0122368
If two operator records with the same computer name exist in the InTrust configuration and both are specified as operators to notify, then two NET SEND notifications are sent to that one computer.	0112241
When you restart InTrust services on an InTrust Server serving a large number of agents, real-time monitoring and gathering may require a few minutes to start working again after the services are started.	0114831
If notification is configured so that email is sent to an operator that represents a group and sending fails for one of the group members (for example, due to an invalid email address), then it also fails for all other members of the group. This issue does not occur if all selected operators represent individual users; in this case, sending failure for an operator does not affect other operators.	0151967
When the system time is set back on an InTrust Server computer or on a computer with InTrust agent running, InTrust agent-server operation may become unstable or even broken. It is recommended to restart InTrust services (either Quest InTrust Server or Quest InTrust Agent) on the computer after setting the system time back on it. Automatic time adjustment for daylight savings does not produce this effect on InTrust and does not require restarting any InTrust services.	0145993
The following error message logged to the session results of an InTrust task may indicate of a frequent changes in the system time on the InTrust Server computer: Error: 0x80040e2f Cannot initialize the required component. Cannot initialize session. Sessions Error- The statement has been terminated. Sql State: 01000 Native Error Code: 3621 Violation of PRIMARY KEY constraint 'PK_ITGSessionsInfo'. Cannot insert duplicate key in object 'dbo.ITGSessionInfo'. Sql State: 23000 Native Error Code: 2627 , !! IDispatch error #3119 This may be happening because of some problems with hardware or operating system, frequent time synchronizations with multiple hosts on the network or some other reason.	0155892
If an InTrust site includes an AD site that has subnets misconfigured, InTrust may try processing, when monitoring or gathering from this InTrust site, a lot of unrelated computers or even all computers in the Domain(s) that the AD site spans.	0130865
You may be confused with events you may find in the InTrust event log on the InTrust Server computer stating that a job has completed with error and providing an error code without any error description. These events don't signal of any problem and may be ignored. They are logged to the InTrust event log in order to have process exit codes for InTrust jobs saved for the purpose of possible troubleshooting.	0155885
When you edit filters in data sources for IIS logs, ISAS logs, DHCP logs and Exchange events, and you want to use filtering by empty string value, specify empty strings. To do it, leave the text box in the Add/Edit String dialog box empty and click OK.	0146236
If you see a notification job failing consistently with the following error: Object Name: (InTrust Server) Data Source: Notification Description: Cannot notify the 'Default Notification Operator' operator using the 'mail' notification type. An error has occurred during sending the mail. Error text: An established connection was aborted by the software in your host machine. Function 'recv' failed. Verify that the SMTP server handling notification messages from InTrust does not require sender authentication.	80101
If you are using Windows 2012 running on an ESXi 5.0, 5.1, or 5.5 host, DO NOT USE e1000e default network adapter. This may lead data corruption may occur when copying data over the network and therefore cause problems with repository indexing. You may see the following errors in the log: Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Unspecified error, error code 0x8adc1005' Indexing of recent items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: Field stream is invalid, error code 0x80004005' Indexing of long-term items for repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" failed. Reason: Operation failed on agent localhost. Reason: 'ADC Error: Error: ADC Error: ADC Error: ADC Error: One or more segments of incoming index data (\\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{7F}, \\y12r2\RepsG\20140321_CalcE5310_Corruption\IndexingRoot$\indexes\{00000000-0000-0000-0000-000000000000}\index\{AE}) could not be merged with the repository index, error code 0x8adc1005' The indexing queue of recent events in repository "\\y12r2\RepsG\20140321_CalcE5310_Corruption" exceeded the size limit. Please check the InTrust Server event log for errors, and consider collecting less audit data to this repository and adding more indexing servers. For more information see the article "Possible data corruption after a Windows 2012 virtual machine network transfer (2058692)": http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2058692	84428
When the InTrust server is switched during a failover operation, you get the following error in InTrust Deployment Manager and in the InTrust Server event log: Some required components for working with the data source could not be installed This message is about the user session tracking component of the InTrust agents. The agents may temporarily stop reporting user session events.	85392
Filtering of site objects by registry value works only with the 32-bit registry view on 64-bit systems.	85545
Automatic cleanup is not implemented for the %ALLUSERSPROFILE%\Application Data\Quest Software and %ALLUSERSPROFILE%\Application Data\Quest folders. If these folders grow too large, you can safely clear their contents manually.	85686
User session tracking events contain extended information, including the IP address of the agent computer. However, the IP address can vary from event to event as network interfaces are added and removed dynamically. Keep this in mind if you rely on IP addresses when you search for events; otherwise, you may miss important events.	85661

Table 6: InTrust Deployment Manager known issues

Known Issue	Issue ID
In InTrust versions prior to 11.4.1 Update 1, it was a known issue that multiple repository cleanup schedules could be created for the same repository if multiple instances of InTrust Deployment Manager were editing the repository at once. This was resolved in InTrust 11.4.1 Update 1, but it can still happen if an old instance of InTrust Deployment Manager is editing a repository simultaneously with an up-to-date instance. If you experience this issue, simply set the cleanup schedule again in an up-to-date instance.	IN-11532
If event forwarding is enabled for a repository managed by InTrust Server 11.4.1 or later, then earlier versions of InTrust Deployment Manager show meaningless collection-wide errors for collections that use the repository. These errors can be safely ignored; they are actually incorrectly interpreted data from the forwarding engine's performance counters.	IN-7910
If any indexing errors occur for a repository, they are displayed in the error details dialog box for that repository until the repository-managing InTrust server clears them. However, if the server is removed from the organization before it can clear them, they stay indefinitely. Before you decommission an InTrust server, make sure you switch all indexing activity to another server that you plan to keep using.	IN-3989
Caution: When a previous-version InTrust Deployment Manager works with a repository managed by a current-version InTrust server, you should never modify the configuration of such a repository. Doing so may invalidate the repository configuration. The version of InTrust Deployment Manager must match or exceed the version of InTrust Server if you want to edit configuration.	IN-5782
In the Computers not in a collection search folder, the type of some non-Windows computers (such as VMware ESXi servers) is erroneously shown as "Workstation".	85403
In InTrust Deployment Manager, if you add objects to a collection through an LDAP query, you may get an object named "<data />" or "<data></data>". This happens if the returned object doesn't have the attribute that you specified in the LDAP query. To work around the issue, try using an attribute that your expected object is guaranteed to have.	IN-4914
If InTrust Deployment Manager is running on Windows 8.1, the "Next session start" field in repository cleanup options shows the scheduled time in the InTrust server's timezone instead of the local timezone.	IN-4901

Table 7: Event forwarding known issues

Known Issue	Issue ID
Event forwarding fails for repositories whose names are longer than 127 characters.	IN-14353
When you set up forwarding in InTrust Deployment Manager, sometimes the port text box may not recognize a valid value and may give you an incorrect prompt that the port cannot be empty. If this happens, just delete the value an retype it.	IN-10177
When you forward events with long insertion string values (such as encrypted PowerShell logs) using the UDP transport, forwarding may stop for the repository with those events, and you may get error messages like the following in InTrust Deployment Manager: A message sent on a datagram socket was larger than the internal message buffer. This problem doesn't occur if you use TCP to forward such events.	IN-4600
If the adcrpcs service is restarted on an InTrust server that forwards events, it may resend duplicates of recent messages.	85436
When the forwarding queue is cleared due to enforcement of retention policy, in rare cases InTrust may log invalid timestamps in events about deleted data. This happens in situations where special-purpose files are deleted. These files are used internally and don't contain audit data. You can safely ignore such events.	IN-3912

Table 8: InTrust Manager known issues

Known Issue	Issue ID
During rule response action creation in InTrust Manager, unnecessary white space is added by the field picker control. This causes response actions to behave incorrectly, because the specified strings don't match anything due to the white space.	IN-8598
Computers added to an InTrust site by their NetBIOS names may be listed under the Agents node in InTrust Manager by their NetBIOS names, not by their FQDNs as might be expected.	0111184
The lists of available InTrust Servers in an organization may differ depending on whether or not InTrust Manager is installed on the same computer as InTrust Server. The RPC Locator service should be enabled on the InTrust Manager computer where InTrust Server is not installed for correct results. A specific InTrust Server may be also not visible as available for connection with InTrust Manager if it fails to publish itself in Active Directory (AD). This may happen if the Quest InTrust Server service does not have sufficient rights (see the System Requirements document for details) to create a Service Connection Point (SCP) in AD. Check events logs, starting with the InTrust log, on the InTrust Manager and InTrust Server machines for events looking related to possible problem with the RPC Locator service and creating an SCP in AD, respectively. Besides, if you know that a specific InTrust Server is available, you can connect to it by specifying it manually, whether or not it is on the list.	0144041
If an InTrust task has the starting date in its schedule set to some day before the date when the system switches to the daylight-saving time, it will begin starting one hour later than the start time specified in its schedule when the system switches to DST. A task with its starting date in the DST period starts one hour earlier than specified in the properties of its schedule when the system switches to the standard time. When the time is adjusted back, the actual local time the task starts at will match its start time specified in its schedule again.	0154835
You may receive the following error: Internet Explorer Script Error: 'm_idBaloon.style' is null or not an object when you have the Quick Start node selected in the left pane and click the right pane. You must be clicking there too early. Wait for the content of the right pane to be fully loaded before you click it.	0185734
Quick Start will fail to generate reports you specify if InTrust is configured to use SRS running on a computer different than SQL Server machine hosting the InTrust database(s) you are trying to report on, and Windows authentication is used to connect to Reporting Services. The following error message will be received: Login failed for NT AUTHORITY\Anonymous Logon.	0177740
When you edit settings of an existing consolidation job and change the source repository, InTrust Manager doesn't prompt you for a new set of repository objects to be copied. Make sure to review the objects selected for processing in the new repository.	41513
When InTrust is running in the Object Level security mode, the InTrust Manager snap-in may crash at an attempt to run Quick Start wizard under an account that does not have the Modify permission on either the Sites or Gathering node, or neither.	48615

Table 9: Workflow and session known issues

Known Issue	Issue ID
The If the task is still running, stop it at this time option in the task's Advanced Schedule Options dialog box does not work. Instead, use the Stop the task if it runs for option.	0112061, IN-8674
At least 5 minutes must pass between committing a change made to a task and its scheduled start. For example, if you modify a task and commit the configuration at 8:40, then schedule the task to begin no sooner than 8:45. Otherwise, the task will fail to start.	0112041
Tasks with identical names may fail. Avoid creating such tasks.	0112240
The Application job may seem to be not responding while the application it launches is running. Wait until the application is completed.	0112045
Do not use UPN-style account names (testuser@test.abc.com).	0112049
If InTrust Servers in an Organization are concurrently running too many tasks, you may receive the following error in results of some sessions: "Components Manager: Failed to find Storage Accessors. Error=0x80004005: Timeout expired. Unspecified error." This happens because each task accesses InTrust Configuration database, and some of them fail to do that because of query timeout expiration. If you cannot reduce the number of task that run concurrently, consider increasing the value of the timeout setting on the SQL Server level using the sp_configure stored procedure.	0111825
When you create an Application job, clicking the Browse button for Working Directory may not work and result in an error message. If this happens, type in the full path to the working directory instead of browsing for it.	0120361
A session for an InTrust job of the Windows Scheduled Task type configured to run a scheduled task that fails to start will be logged as successful if the job has the 'Synchronous operation' option disabled.	0149467
If a job finishes with an error, its session information may contain the error code without an error description.	0155885
An InTrust job of the Windows Scheduled Task type can be configured to run a task only if the task meets both of the following requirements: The task is set up with the Windows Server 2003, Windows XP, Windows 2000 compatibility option enabled (in the Configure for drop-down list in the scheduled task properties). This is available only if you use the Create Task action, not the Create Basic Task action. The task is located in the Task Scheduler Library, and not in its subfolder. If either condition is not met for a scheduled task on the computer where you are looking for it, you will not see it in the Select Windows Scheduled Task dialog when you run the New Job Wizard in InTrust Manager.	52816, IN-3561

Table 10: Agent known issues

Known Issue	Issue ID
The agent.ini file, which contains the configuration of the InTrust agent, uses the UTF-8 encoding on Windows. Editing this file manually on Windows is strongly discouraged, because it is easy to change the encoding and make the agent configuration invalid.	IN-12999
If an agent consistently fails to start on a Windows machine, and you find the following error in the local Application event log: InTrust agent stopped unexpectedly. Error occurred: An attempt was made to access a socket in a way forbidden by its access permissions. (Win32 error: 10013). or the following error from the agent process is written to syslog on the Unix machine hosting an InTrust agent: InTrust agent stopped unexpectedly. Address already in use (CRuntime error: 98). Сheck if any other active process (application, service, daemon) is configured to listen on the port you are going to use as the InTrust agent communication port on this machine (TCP port 900 by default). If you find some, reconfigure either the agent or the other application/service/daemon to use a different port. To change the communication port setting for InTrust agent, edit the agent.ini file located in the agent folder.	55548
If an agent has been installed manually, then uninstallation should also be performed manually rather than from InTrust Manager.	0111578
You may have to uninstall the agents manually, if the InTrust Server to which the agents belonged is uninstalled. To avoid this, uninstall the agents from InTrust Manager prior to removing the server.	102815
When agents are used to gather audit data, the following error may occur: Agent has not yet established connection to the InTrust Server (0x8adc2c09). This situation may occur due to network problems, or when InTrust services have just been restarted, and agents have not communicated to the InTrust Server yet.	0111596
You may get several agent errors, if there's no free disk space on the computer where the InTrust agent is installed. For example: ADC Error: User not found (0x8adc3207), (0x8adc2c05)	0111560
An attempt to manually register an agent on an InTrust server may fail with the following error message: 'Cannot register agent on the InTrust server <...> No connection could be made because the target server actively refused it. <Win32 Error 10061>.' Check if the Quest InTrust Agent service is running and not stopped on the InTrust server. If the service is stopped, start it and try registering the agent again. Also note that this error is possible if port 900 is closed by a firewall between the agent and the server.	0117194
Installation of an agent on a computer under an account from a trusted domain may fail with an error message stating that the 'Logon as a service' right cannot be granted to the agent account. This happens if the specific account has never logged on to that computer before. To prevent the problem, log on to the target computer under that account before installing the agent.	0114825
When you are installing an InTrust agent by running the agent installation package (adc_agent*.msi), a Command Prompt window pops up. This window neither requires any input nor indicates of any problem with the agent installation.	0135636
If you install an agent on a computer using the .MSI package, then manually uninstall it with the adcscm.nt_intel.exe -uninstall command and try to install it later using the .MSI package again, the agent setup prompts you to repair or remove the agent as if it was still installed. Select the option to Remove the agent, let the setup run to the end, and then run it again to have the agent installed.	0135745
InTrust agents do not support the ja_JP.SJIS locale on Linux.	0148319
If you use InTrust Manager to unregister an InTrust agent residing on a computer that has no connection to the InTrust Server, then you may get errors trying to register the agent again with InTrust Manager after the connection is restored. If this happens, use the agent command with the -add parameter on the target computer.	0149798
If agent recovery takes place on a site for which the Prohibit automatic agent deployment on site computers option is enabled, the InTrust Server log may contain incorrect messages stating that the recovery was successful.	0114462
When you are uninstalling an InTrust agent by running the agent installation package (adc_agent.msi), the File In Use* dialog may pop up stating that the Quest InTrust Agent process currently uses the files that require update, and prompting you to either Exit or Ignore or Retry. Agent uninstallation is expected to finish successfully if you select the Ignore option.	54666
When you select a shortcut menu command to uninstall an agent running on a machine in a different AD forest than that the InTrust Server machine belongs to, the agent service may be not uninstalled from its local machine even if you enter proper account credentials when prompted and the agent is no longer listed as installed and running in InTrust Manager. You may have to check the presence of the Quest InTrust Agent, Quest InTrust Agent Installer and Quest InTrust User Session Monitoring services on the machine you attempted to uninstall the agent from, and remove the services manually.	83400
You may experience delays with successful agent installation for a collection or site that includes a large number of computers that are unavailable at the time of this operation.	83399

Table 11: Networking known issues

Known Issue	Issue ID
InTrust does not support NetBIOS computer aliases.

Table 12: Real-time event log gathering known issues

Known Issue	Issue ID
If a repository becomes unavailable during real-time collection, the InTrust server that manages this repository may put duplicate events in the other repositories that it manages. This happens because the server re-submits everything that was in the event queue at the moment the repository became unavailable.	IN-2456
When you create a collection in InTrust Deployment Manager, only events logged after the start of real-time gathering will be collected to the target repository of that collection. If you need events logged before that moment to be collected into the same repository, consider using InTrust Manager to collect those events into another repository and run a consolidation job to move those events to the repository you need this data in.	83446
In InTrust Deployment Manager, you may see some computers listed with the "Not installed" status that never changes. If you see this, check if your DNS server has multiple computer name entries for IP addresses matching those of computers with the sticky "Not installed" status, and clean up stale DNS records.	82991
If you delete a data source associated with any collection, the number of computers in every collection will be displayed as "0" until InTrust services are restarted on the InTrust Server machine. Computer counters in InTrust Deployment Manager is the only implication of the effect, no other aspect of InTrust operation is affected.	83414
If, in a multi-server InTrust organization, you uninstall an agent with no error, but its status is still displayed as "Installed" and further attempts to uninstall it keep failing with the "Cannot uninstall agent" problem, this agent must be a part of collection that is assigned to another InTrust Server (not the server that installed the agent on its computer).	83485
If you change the communication port number from its default value during the InTrust installation, InTrust Deployment Manager cannot automatically connect to the local InTrust Server. Use the Connect to menu command to manually select the local server as the one to work with.	83413
If you work with InTrust Deployment Manager connected to one InTrust Server in a multi-server InTrust organization and another InTrust Server goes down, collections handled by the failed server will continue looking 'green' to you.	83508
Using the same repository for real-time event collection and task-based workflow is discouraged. One of the possible consequences of using it for both methods is that after you start real-time collection from a computer for the first time, no data from that computer will be available to InTrust import and consolidation jobs for the first 24 hours, even though the data will be available in Repository Viewer. There are other implications as well. Specialize your repositories by type of auditing method.	84430
If you have multiple collections performing real-time event gathering of the same log from the same computer, then you will have duplicate events in the repository and in reports created by Repository Viewer.	85448
If a real-time collection is populated by LDAP query, the resulting set of computers can be different from the set returned by Windows native tools. This is because InTrust and Windows use different attributes for identifying computers by name.	682176

Table 13: Task-based gathering known issues

Known Issue	Issue ID
In the properties of the "VMware ESX and ESXi events" and "VMware vCenter events" data sources, the Clear log after gathering option has no effect.	IN-10946
Suppose you have a gathering job that collects custom text logs to either a repository or an audit database, but not both at once. If you change the job settings so that it collects both to a repository and to an audit database, then you may experience the following issues during the next gathering session after this change: You may get duplicate events, or some events may be lost, even though you will not get any error or warning messages. The gathering can be slow and take hours or even days if there are a lot of matching files to collect from. These problems don't occur if the specified repository and audit database are new and haven't been used.	IN-9820, IN-9632
When you gather IIS logs, you may get the following error message in the Sessions view: The specified log doesn't exist. In cases where the necessary logs clearly exist, this misleading message is shown if the IIS 6 Metabase Compatibility role service is not installed on the IIS server. Install the service to fix the problem.	IN-6616
When you monitor IIS servers, you may get an error like the following in the InTrust Server log: Cannot install package IISRT. This cryptic error may mean that the IIS 6 Metabase Compatibility role service is not installed on the IIS server. Install the service to fix the problem.	IN-6978
If changing IndexManager Server or path to an index of the indexed repository, gathering into this repository may fail with an error like: Failed to insert event to repository. ADC Error: The repository at "\\?\C:\Repository\" has multiple indexes, which is an unsupported configuration. The extra indexes could not be cleared automatically.	83596
Events logged for renaming an account in Active Directory collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with the old account name specified instead of its new name. This happens because, due to the current implementation of operations with AD accounts and event logging in Microsoft Windows, this data is not yet available at the moment when the event is written to the agent-side cache.	57888
If at the moment you attempt to gather Microsoft Proxy Server log this log contains event data in different formats, then gathering process will not work correctly.	0117156
If you gather IIS/ISA Server text logs with the Time data field disabled for logging, some events may be lost. To avoid event losses, don't disable the Time field in the logging options on IIS/ISA Servers you are going to collect logs from.	0117109
Some successful InTrust activities, such as event forwarding and running jobs, can cause error messages if the system time is not synchronized between the InTrust Server and the SQL Server that hosts the InTrust configuration database. This is the case in the following situations: Task sessions in InTrust Manager show an error message like this: "The session terminated unexpectedly", while the job sessions in the tasks are marked as successful An irrelevant collection-wide error message about repository file processing is shown InTrust Deployment Manager; this is really related to event forwarding You should keep the system time synchronized between the two servers.	0152716, IN-4853
Time stamp for events collected with a Data Source of the Custom Text Log type may be displayed incorrectly in InTrust Repository Viewer if these events were logged before the system time adjustment for daylight savings but collected after the time switch. In the Audit database, event time is saved correctly and this problem does not affect in InTrust reports.	0154507
When events from the IIS log are collected with the Ignore events older than / before option enabled, a warning about some events having been ignored is not logged to the results of the gathering job session as it is for gathering jobs that collect events from other logs with this option enabled.	0155889
If an InTrust Server is included in a site with automatic agent deployment disabled, a message about skipped agent installation is generated for the InTrust Server computer, and no gathering or monitoring policies that apply to the site are applied to it. As a workaround, consider including the InTrust Server computer into a site with automatic agent deployment enabled and running some gathering job for that site at least once. Then you may move it back to the original InTrust site since the policies will work for it as expected.	0114233
Events on a Group Policy creation collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with the GPO display names unresolved. This happens because, due to the current implementation of GPO creation and event logging in Microsoft Wi2ndows, this data is not yet available at the moment when the event is written to the agent-side cache.	27221
On domain controllers that are really busy with processing Active Directory requests, Events on operations with newly created accounts collected with a gathering policy based on a data source with the Create agent-side audit log backup option enabled may be stored to the target repository or/and database with SIDs not resolved to account names. This happens because, due to the current implementation of account creation and event logging in Microsoft Windows, this data is not yet available at the moment when the event on account creation is written to the agent-side cache. Account resolution for events following an account creation event is done based on the account data stored in the agent SID cache, causing account SIDs being collected for these events instead of account names until the account is cleared form the cache.	71273
When you change the location of an event log file on a computer running Windows Server 2008 or later, InTrust may be unable to collect events from that log even after you reboot the server and it starts writing new events into the log at its new location. Like Windows native Event Viewer running on a remote pre-Windows 2008 machine, InTrust will be unable to use the log after you move it until you reboot the collected server again.	54042
InTrust cannot resolve event descriptions for events collected from Windows Server 2008 or later if the EventMessageFile or CategoryMessageFile value is not defined in the registry for the corresponding event Source on the collected computer.	65584, 65585
InTrust does not automatically process Application and Services event logs auto-archived by the operating system.	81852
If a warning occurs during gathering, InTrust loses information about the number of gathered events and doesn’t show the number in the session summary.	695430

Table 14: Real-time monitoring known issues

Known Issue	Issue ID
Alert suppression has the expected effect, but doesn't affect the logging of rule matches. Rule match events are always written to the InTrust Server log, whether alerts were raised or suppressed.	IN-7907
If you run Event Viewer and view the InTrust Server log before there are any events with event ID 17408 in the log, and such events arrive later, then the Task Category field will show "(1)" for the events. The value of Task Category should be "Rule match".	IN-11517
It may take the InTrust Real-Time Monitoring Server service a long time to stop if the Alert Database is overloaded with alerts and slow to respond.	0111672, 0115603
Do not use wildcards in rule parameter values that define authorized/administrative/target/etc. groups in rules that require group membership resolution for user accounts. Most of these are rules with words 'by unauthorized personnel', 'administrative account', 'administrative rights' in their names.	0112159, 0112161
Community names with non-Latin characters are sent incorrectly when you select sending an SNMP trap as a response action for a real-time monitoring rule.	0115387
After the Quest InTrust Real-Time Monitoring Server service is restarted, real-time monitoring may temporarily stop working for a computer that is included in multiple InTrust sites under different names if those InTrust sites are configured for real-time monitoring with the same monitoring policy. Monitoring will be resumed for each affected InTrust site when it is enumerated the next time, as defined in the site properties.	0115566
The RemoveGroup script does not remove Distribution groups from Active Directory.	0115585
When a new Alerting Profile associated to a different InTrust Server is created in any installation of Monitoring Console in the InTrust Organization, clickable links in alert notification emails stop working for any alerts in the old Alerting Profiles.	0152503
If you experience a degrade in the Alert Database performance, try increasing values of the two InTrust configuration parameters that control the buffer and queue sizes for the connection InTrust makes to the Alert Database. Running the following SQL query on the InTrust configuration database will increase both sizes from the default value of 800KB (819200 bytes) to 10MB (10485760 bytes): UPDATE ADCOrganizationParameter SET [Value] = '10485760' WHERE (Name = 'ITRT_CommMaxSizePerConnection') OR (Name = 'ITRT_CommQueueSize')	0153944
After disabling a real-time monitoring policy configured to monitor an MS IIS Server and removing the InTrust Agent from a monitored IIS computer you will have to restart IIS on that computer in order to restore its Web connectivity.	0149865
If a script-based real-time monitoring rule fails on some of the monitored computers, the agent installed on that computer does not inform InTrust Server about the failure and no error entry is reported in the InTrust Server log.	0151859
When real-time monitoring rules are matched, event field names that consist only of digits are treated as integers. This causes errors, because string values are expected.	0135658
When two or more InTrust Servers have real-time monitoring policies with WMI-based rules in them applied to the same computer, alerts triggered by rules handled by different InTrust Servers may be saved to an Alerts database of a wrong InTrust Server.	0184711
You must be a member of the Administrators group on the InTrust Monitoring Console machine to make changes to Database settings of an alerting profile if this profile has SQL Authentication selected for its connection to the Alert database.	41049
You may receive the following error at an attempt to import an exported user settings in InTrust Monitoring Console: Cannot import user. Enhanced error information. Number: 0x80004005 Description: 007~ASP 0104~Operation not Allowed~ This is most likely to be caused by the settings of MS IIS hosting InTrust Monitoring Console. A solution that works for this issue is proposed in the Microsoft article HTTP Error 404.13 - CONTENT_LENGTH_TOO_LARGE when you visit a web site that is hosted on a server that is running IIS 7.0.	41636
An attempt to export a large number (around 10,000 or more) of alerts from InTrust Monitoring Console to a Microsoft Excel spreadsheet may fail with the following error: Cannot show alerts. Enhanced error information. Number: 0x80004005 Description:&nbsp006~ASP 0251~Response Buffer Limit Exceeded~Execution of the ASP page caused the Response Buffer to exceed its configured limit. This is most likely to be caused by the problem with Microsoft IIS described in Microsoft KB article 944886 "Error message when you use the Response.BinaryWrite method in IIS 6 and in IIS 7".	41622

Table 15: Repository Viewer known issues

Known Issue	Issue ID
A Repository Viewer search that is locked for editing can still be modified in some non-straightforward ways.	IN-14325
If you create a search and it becomes selected as a forwarding filter during the same Repository Viewer session, that search does not become locked for editing in that same session. The next time you open Repository Viewer, the search is locked as it should be.	IN-14361
If a search is used as an event forwarding filter, the tooltip for that search lists the repositories that use it for filtering. The tooltip is all one line, and it may not fit on the screen if the list is long.	IN-14380
In PDF reports created by Repository Viewer, international characters (for example, Japanese, Chinese or Korean) are rendered incorrectly if the Arial Unicode MS font is not installed on the report-making InTrust server. As a workaround, set a valid international font for reports, as described in Quest Support knowledge base article 318235.	85225, IN-8504
When Repository Viewer shows the details for a parsed Syslog event that has named insertion strings whose names start with an underscore (for example, _Address), such strings are always hidden. You can see the values of such fields only in the description, which contains the entire original message.	IN-4535
Repository Viewer opens a repository under the same account that you are using to run it, no matter what access credentials are specified in the properties of that repository. One workaround is to use the runas command to explicitly make Repository Viewer use the account that is allowed access to the repository. For example, if mycorp\intrust_admin is such a user account, then start Repository Viewer as follows: runas /netonly /user:mycorp\intrust_admin new_RV.exe As a result, Repository Viewer runs under your current account, but uses the mycorp\intrust_admin account for network operations.	—
Repository Viewer doesn't start on a computer where the original .NET 4.0 is installed but updates for it are not.	610576
The Delete and Backspace keys don't work as expected in filter boxes using the "Last" keyword.	595938
Custom values cannot be specified in the Environment and Type data fields. Сustom-made events written through the InTrust API may have any value in this field, but they cannot be matched by those fields in Repository Viewer.	595593
Under certain circumstances, you may be receiving recurring "Out of memory" errors at attempts to run an event search. To stop receiving these errors, restart Repository Viewer.	82048
Search filters for the StartTime and EndTime data fields in user session events cannot be set for search folders where these columns are displayed in the grid. Those two are data fields of the Text type and not DateTime. You can search by those fields, entering search criteria as text, but not filter by a time interval.	82391
If you search for events where a specific insertion string or resolved insertion string has a particular value or is blank, then the results can include events where there is no such string at all.	595932, 597587
Searches by the "Whom" field are slow.	597242
Searches by "Any field" are slow.	597613
Searches by some resolved insertion strings don't work.	598012
It is not recommended that you increase the limit on the number of items displayed in the event grid. The higher the limit, the more memory Repository Viewer will consume. Changing the limit carelessly may cause your computer to run out of memory.	593857

Table 16: SSRS reporting known issues

Known Issue	Issue ID
Don't use the Update Database option for any data source in Knowledge Portal since it proved to run an outdated SQL script on Audit databases. This command is intended to update a structure of an Audit database created by InTrust of version earlier than 9.0. If you use Audit database(s) created with later versions of InTrust, you don't need to update the Audit database structure.	0190753
Don't add too many reports to one reporting job. Doing so may make the whole Tasks node not responding to your attempts to browse it, with the following error message displayed: Enumerating collection failed. Reason: Not enough storage is available to complete this operation. If you are absolutely sure you need hundreds of reports to be processed with one reporting job, consider installing additional memory on the SQL Server computer that hosts InTrust configuration database.	0181130
If you modify a model of a report that is already included in some reporting jobs, for example, add or remove a filter, reporting job(s) configured to compile this report will fail with the following error: Object reference not set to an instance of an object. After you modify a report model, you will have to remove it from any reporting jobs that use it and add them to those jobs again.	0180458
A report with query based parameters or filters cannot be added to a reporting job if a data source specified for this report is configured with invalid settings. An attempt to add such a report to a job fails with the following error: Cannot create a connection to data source 'MainDataSource'. If you receive this error, edit the properties of the related data source to make sure it lets the report access a valid InTrust Audit database.	0183629
An event logged to the InTrust log for a completion of a reporting job that failed states the job has completed successfully. Under the Sessions node, the status of the job is displayed correctly.	0184386
The unclear error message: Report "<report_name>" failed to process: An error has occurred during report processing. An error has occurred during report processing. An error has occurred during report processing. Query execution failed for data set 'MainDataSet'. is logged to the session results for each report in a reporting job that is configured to use a Data Storage that is not accessible when the job starts.	0184587
If InTrust reporting is configured to access MS SQL Reporting Services over an HTTPS connection, and the InTrust Server computer does not have a certificate installed for the specified MS SRS server, an attempt to access Reporting Services results in the following error: Error 0x00004659: Internal error occurred. Reason: 0x80131509: The underlying connection was closed: Could not establish trust relationship with remote server. To install a required certificate, you can use Internet Explorer to open the URL of MS SRS specified in the properties of the Reports node in InTrust Manager as 'MS SQL Reporting Services path'. When prompted for certificate installation, accept it. When the certificate is installed, you will be able to perform any operations with reports and reporting jobs in InTrust Manager.	0185153
If a reporting job fails to notify an operator specified on the Notification tab, it neither sends generated report(s) by e-mail to recipients specified on the Delivery tab even if all the settings on that tab are correct and the e-mail can be sent.	0186899
A reporting job may fail with the following error: The job was finished, but no entry was created for it in the task session because of an error. If this happens, check whether the account under which the job starts has the Read access permission to the Windows folder on the InTrust Server computer.	0187676
If a reporting job fails with the following error: The remote server returned an error: (500) Internal Server Error. check the reports in the job for incorrect filter settings. This error may be logged to the session results, for example, when some report has a filter that requires a non-empty value specified, and that filter is disabled.	0188342
When you manually stop a reporting job that is running, temporary objects related to reports the job has generated before termination may be not always automatically removed from MS SQL Reporting Services server and you may have to clean them up later.	0186374
Some subreports are cached. If you configure filters in the parent report, the subreport is not regenerated with these filters. Instead, the subreport's version is loaded from the cache. To compile a subreport with filters, press Ctrl+F5 to refresh the subreport page.	0145121
For very large reports, the Print Preview page may not open and the report may not print.	0139691
Page breaks in the online version of a report may not correspond to the page breaks in the printed version.	0139480
If the Microsoft SQL Server Reporting Services and Microsoft SQL Server used to generate a report are installed on different computers, then the report cannot be compiled using the Windows Authentication of the user currently logged on to Knowledge Portal.	0145326
Search results for the search through report descriptions may not include all keywords actually existing if description is longer than 512 characters.	0168949
If browsing for SRS local user/group accounts when configuring report (folder) security settings, in case of remote installation (Knowledge Portal installed on different computer from SRS), similar account found on Knowledge Portal computer will be selected.	0181349
If password was changed for the user account you planned to use for browsing Active Directory (specified during the setup), then error will occur when you try to browse for this account when assigning security roles in Knowledge Portal.	0173578
When storing the Solaris events, Quest InTrust may add spaces to the beginning and end of the event fields. To prevent problems at filtration, specify these fields with percent signs: '%username%', but not 'username'.	0137465
If you select the Create the Reporting Server snap-shot option on the Delivery tab of a reporting task properties, the settings of InTrust Data Sources used by reports in the job are overwritten with the values specific to this job.	0191127
InTrust does not clean up all of the temporary tables and views reports create in the databases. Depending on the version of SQL Server hosting the database you need to clean up, use the TempCleaner_2000.sql or TempCleaner_2005.sql script from the product distribution (in InTrust\Tools\Database CleanUp) to remove the temporary objects from databases. The script can be scheduled by means of MS SQL Server to be run on a regular basis and configured to delete temporary database objects older than a specified number of days.	0191293
You may receive the following confusing error: "Query execution failed for data set 'MainDataSet'." during an attempt to open a subreport of a report generated by a reporting job. If this happens, check if the subreport uses a different data source than the main report included into the job, and if that data source is configured with valid settings (server, database, access credentials).	0191339
You may be unable to compile subreports of the Multiple failed account logons report if a reporting job configured to compile it accesses the SQL Server under an account that does not have the db_owner role for the InTrust Audit database.	0188067
If you select the Use SRS data source associated with each report option for a reporting job, make sure no report included into the job has an associated data source with the Credentials supplied by the user running the report option selected in its properties.	31276
When you configure a reporting job with the Import objects from the following repository option enabled, and set it up to include reports configured to use event local time, as opposed to GMT, make sure to provide time values matching local time on the event originating computers in time-related filters of the reports.	36881
When you configure filters in a report and enable the NULL checkbox for either the Date/time from or Date/time to filter, values you specify in these filters will be ignored and data in the report will be filtered based on the value specified in the Interval filter.	41084
When a report with a cover page enabled is exported to a file in the Excel format, the resulting Microsoft Excel document does not include data column captions.	40615
The su command usage report may produce incorrect output if it is generated on the audit trail that includes entries in languages other than English.	26561
A reporting job configured to import required data from a repository may sometimes fail with the following error logged to the session results (RDDI Import node): Description: Cannot initialize the required component. Cannot create one of the InTrust components.Cannot open repository. The system cannot find the path specified. or Description: Cannot import data from the repository.Cannot enumerate the repository objects. If this happens, check if there is a database or some other object under Data Stores node in the configuration with a name identical to that of the source repository for the job. Rename one of the objects to make names of all objects under the Data Stores node unique.	42803
You cannot specify a name of a text file listing parameter values in the input field on a report parameter tab in the reporting job configured to import required data from a repository. If you do so, the reporting job will fail with the error message looking like: Internal error: Cannot initialize required component.ADC Error0x8add2102: Failed to initialize DataFilters.	54632
If a reporting job configured to import required data from a repository fails with the following error: Preparing for data import has finished with errors. check that a semicolon (";") is the last character of a connection string specified in the data source of every report included into the job.	54667
Report driven data import (RDDI) does not work for reports from the Quest InTrust Report Pack for VMWare vCenter and ESX/ESXi. You need to collect or import events for these reports into an audit database with a gathering or import job before you generate a report output.	73519
When you configure a report to use filter values from a file, on a 64-bit Microsoft SQL Server 2008 the report will fail with an error message stating: OLE DB provider 'Microsoft.Jet.OLEDB.4.0' cannot be used for distributed queries because the provider is configured to run in single-threaded apartment mode. Follow these steps to work around this problem: Download the report from your Microsoft SQL Reporting Services Server as an .RDL file, edit this file to replace the 'Microsoft.Jet.OLEDB.4.0' text with 'Microsoft.ACE.OLEDB.12.0' and upload the updated file back to the SSRS. Execute the following batch on your 64-bit Microsoft SQL Server: USE [master] GO EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'AllowInProcess', 1 GO EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'DynamicParameters', 1	80378

Table 17: Agent-side audit log backup known issues

Known Issue	Issue ID
The option to resolve IP addresses at gathering IIS logs does not work with the 'Create agent-side audit log backup' option enabled.	0154160
When you process a non-Windows audit trail, avoid gathering the same event data to the same Audit database with and then without the 'Agent-side audit log backup' option enabled on the agents, since this may result in duplicate event records in the Audit database. For event data collect from Windows event logs, duplicate records never appear in an Audit Database.	0154165
Events collected from IIS Server log with the 'Agent-side audit log backup' option enabled are stored with empty site description fields.	0154362
An attempt to change location of an audit log backup on the agent engaged in real-time monitoring of a Microsoft IIS WWW log or gathering of that log with the 'Create agent-side audit log backup' option enabled fails with the following error popping up in InTrust Manager: Error 0x00004659: Internal error occurred. Reason: 0x00004659: <ComputerName>: The process cannot access the file because it is being used by another process.	40556

Table 18: Switching Wizard known issues

Known Issue	Issue ID
All agents in an InTrust Site lose the Limit CPU usage to setting when the site is moved to another InTrust Server with Switching Wizard.	0141795
Don't use the AdcFailover.exe from the Support Tools folder on the InTrust Server to start the InTrust Server failover process. In the current version of InTrust, use the Switching Wizard that can be run from InTrust Manager, or the Switch server response action that runs when the InTrust server is down predefined rule is matched.	0115054
If an InTrust site with Unix computer has been re-assigned for processing to a different InTrust Server during a failover procedure, you must manually register every Unix agent in the site on the new InTrust Server.	0139189

Table 19: Repository management known issues

Known Issue	Issue ID
If you convert the same .EVT file to the same repository using Evt2Repository.exe tool more than once, data from that .EVT file will be duplicated.	0117160
When a repository cleanup job starts under an account that has insufficient rights for deleting data from the target repository, the job fails with an error message that does not mention the reason for the failure: Cannot clean up obsolete data from one or more data stores. Cannot remove one or more files.	0155534
When you create a new repository of the EMC Centera type and select the 'Use custom connection string:' option, make sure to not save a new line character at the end of the connection string you type in there. A connection string with trailing line feed characters will look as a valid one but will cause InTrust fail to authenticate when it connects to EMC Centera.
Be careful to not specify a path to a file system based EMC Centera repository index when you configure a file system based repository, or to specify a path to a file system based repository when you configure a repository on EMC Centera. Either mistake may result in corrupted or lost data in a repository.
Repository Viewer does not correctly display insertion strings longer than 260 characters in events stored in a repository. Characters starting from position 261 are not displayed.
The Use this InTrust server to manage the repository setting in the properties of a consolidation job cannot be used with InTrust repositories based on EMC Centera.	54022
You may receive the following misleading error message in Repository Viewer when you open an indexed repository through an InTrust Server: Could not open repository. Error details: Repository is not ready for index-based search. Select a different repository. In InTrust Manager, go to /Configuration/Data Stores/Repositories, open the Properties dialog for the affected repository and verify that the path to it is specified in the InTrust configuration as a UNC and not as a local path that is valid for only one InTrust Server machine in the organization.	67171
If you specify a special account for repository indexing in the Properties of a repository and plan to run IndexingTool.exe locally on the repository machine, provide that the account has the Log on as a batch job user right on that machine.	67189
Indexing a repository located on a local disk of an InTrust Server computer that manages indexing of this repository may fail with the following error message in the InTrust Server log (Event ID 14128 in the InTrust event log): Indexing of repository "<repository_name>" failed. Details: Indexing on agent localhost failed, reason 'ADC Error: ADC Error0x80004005: Cannot create temp directory Unspecified error (Win32 error: 0x80004005), error code 0x80004005 '. This happens if a specific account is specified in the properties of an InTrust Server local repository to be used for access to it, and this account does not have sufficient access rights to the %TEMP% folder of the Quest InTrust Server service account. Consider either changing the account used to access the repository or giving it rights to write to and read from that folder.	67203
Repository Viewer does not notify a user if a connection to the open repository or its index is broken, for example, because of a networking issue or change in security settings. If you fins that the number of events displayed in Repository Viewer becomes unexpectedly small, try reopening the repository. If this operation fails, act upon the error message you receive. If you receive no error but reopened Repository Viewer shows no events for any node in the repository except the root node, this means that the connection is lost with index only.	67298
You may get the following non-informative error message in the InTrust Server log: Indexing of repository "<repository_name>" failed. Details: Indexing on agent <agent_name> failed, reason 'ADC Error 0x80070643'. It usually means that an agent has failed to install IndexingTool.exe on its local machine (for example, because system requirements were not met or user privileges were insufficient).	67252
When you run Repository Viewer using an account with no administrative rights on the local machine, and specify a wrong path to the repository you want to open, a message box that pops up to notify you of this error may display no text.	67270
An attempt of an agent to install IndexingTool.exe on its local machine may cause a system restart if the machine has Repository Viewer installed.	67297
If you open a repository in Repository Viewer installed on an InTrust Server computer where the port number for InTrust Manager connection has been changed from the default value (8340), and you select the option to open a Production repository on Local computer, you will receive the following error message: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA) To avoid this, change your choice on the Select InTrust Server wizard step from Local computer to This InTrust server, and select the name of the local computer from the list.	67303
You may receive confusing error messages when you try to open a repository as an indexed one, but the indexing of this repository has not started yet.	67309
If you see repository indexing on an agent failing with the following non-informative error: ADC Error: , error code 0x8adc1006 check if the agent account specified in the Properties of the InTrust site differs from the account specified in the Properties of the repository for indexing. If the accounts are different, it is likely that the repository indexing account does not have access to the Local Settings subfolder in the profile of the agent account on the agent machine. Consider changing this setup to have an agent service account specified either in the site Properties OR in the repository indexing settings, or giving the indexing account Read and Modify access permissions to the profile of the agent account.	68167
You may see repository indexing on an agent failing with the following error: A required privilege is not held by the client This is likely to mean that you have one and the same account explicitly specified as the agent account in the Properties of the InTrust site and the account specified for indexing in the Properties of the repository. If this is the case, verify that the account has the following user rights on the agent machine: Replace a process level token Log on as service Log on as batch job Adjust memory quotas for a process	68121
If you open a repository that has not been indexed yet, then close Repository Viewer and open it again when indexing of this repository is done, the status of the repository in Repository Viewer will be still displayed as 'Not indexed'. This happens because Repository Viewer does not refresh repository indexing statuses at its startup, and has no negative effect on viewing repositories and searching events.	70451
Repository indexing on a remote machine may fail to start with the following error message registered in the Application event log: Event ID: 14128 Type: Error Source: Indexing Launcher Operation: Indexing Computer: Description: Indexing of repository "Default InTrust Audit Repository" failed. Details: Indexing on agent localhost failed, reason 'ADC Error0x80070643'. This is likely to happen if the %TEMP% folder for the local system on the agent machine is missing. The automatic installation of Quest InTrust Indexing Tool (IndexingTool.msi) is being run under the local system account and fails with this error if it cannot access the temporary folder (normally %SYSTEMROOT%\Temp). Make sure the folder exists and the installation process can access it.	73272
If you see the following error message in the Application event log: Event ID: 14128 Type: Error Source: Indexing Launcher Operation: Indexing Computer: Description: Indexing of repository "Default InTrust Audit Repository" failed on agent <computername>. Reason: 'ADC error: ADC Error0x80070006: The handle is invalid. The handle is invalid. (Win32 error: 6), error code 0x80070006.. this may be a result of the computer hosting the repository being too busy and slow to respond at the time of indexing. Try reducing the load on the repository machine or re-indexing the repository later.	68653
If you find that the Quest InTrust Server service process (adcrpcs.exe) terminates unexpectedly, this may be a result of repository indexing on the local computer running out of disk space. Resolve the disk space problem and restart the Quest InTrust Server service.	61874
Repository Viewer may fail to display events from a repository with the following error message that may be confusing: The process cannot access the file because it is being use by another process. This error is likely to mean one of the following: The idle repository you are trying to view is opened with another instance of Repository Viewer. You try to view an idle repository that is currently being indexed. You select the Open Idle Repository option in Repository Viewer to open a repository that should be accessed through an InTrust Server.	62851
If you create a new repository object with a non-default path that is also used by another repository, you will get duplicate indexes, gathering will stop working and the InTrust log will contain errors like the following: Operation failed on agent localhost. Reason: 'ADC Error: The repository at "DEAUDI00 InTrust Audit Repository" has multiple indexes, which is an unsupported configuration. The extra indexes could not be cleared automatically. Please delete irrelevant indexes to make sure the repository has only one index. For details, see the Working with Repositories document from the InTrust documentation set., error code 0x8adc1005'	592988

Table 20: Solaris data processing known issues

Known Issue	Issue ID
On a SPARC machine, a successfully installed agent may fail to start with the following error message logged to syslog: "ADC error: 8adc1006 host/server name not known". If this happens, use the 'hostname' command to restore the host name.	0111618
During an attempt to uninstall an InTrust agent on a Solaris system, the file adcscm.solaris_sparc may be removed before the agent process is stopped. In that case, uninstallation of the agent fails, and no further attempt to uninstall the agent can succeed until you create a new file with the name 'adcscm.solaris_sparc' that the uninstallation process is able to remove.	0114822
When you are gathering BSM log events from a Solaris host that does not have access to a DNS server and has an entry for itself in the hosts file only by a FQDN and not by its short name, gathering fails with the following error: 'ADC Error: Failed to collect from network object. (Internal error: Failed to enumerate event logs. (host/servername not known (CRuntime error: 8)))'. Edit the hosts file on the Solaris host to include an entry for the short name of that host.	0151318
When InTrust collects syslog events from a Linux machine, events logged on a Solaris machine and redirected to a Linux machine are stored with the Linux PlatformID (630) instead of the Solaris PlatformID (610). When InTrust collects a redirected Linux syslog trail from a Solaris host, all events are saved with the Solaris PlatformID.	0152540
The following reports from the InTrust for Solaris report pack work only for events collected from Solaris 8 and 9: Forensic Analysis / Solaris Syslog Events Normal User Activity / Logins / Failed logins Normal User Activity / Logins / Successful logins Normal User Activity / Privileged User Logins / Failed logins of privileged users Normal User Activity / Privileged User Logins / Successful logins of privileged users	0154230
When you collect data from a BSM log, you may receive a warning that InTrust is unable to find the last gathering position in the log file to start gathering from. InTrust is unable to identify a last gathered event in the BSM log file if any process keeps the log file open at the time of gathering. When this happens, all data in such a log file is gathered starting from the first record in it. To avoid collection of duplicate data, consider forcing the Solaris system to start writing a new BSM log file shortly before the gathering is started.
When you change the adc_temp_path parameter for an agent running on a SPARC Solaris machine, you may receive the "Connection is closed" error in InTrust Manager. If this happens, the target agent loses connection(s) to InTrust server(s) and may crash with a core dump. After a restart, the agent will reconnect to InTrust server(s) it is registered with. Sometimes it is required that the agent is restarted more than once before it is able to successfully restore the connection(s).	47168

Table 21: Linux data processing known issues

Known Issue	Issue ID
On Linux systems with Novell AppArmor enabled, InTrust cannot gather or monitor data with the Syslog data source out-of-the-box and requires ad-hoc tuning of AppArmor configuration.	56955
The 'Text file modified' real-time monitoring rule doesn't work for files with space characters in the names.	0185158
Alert generated by predefined rules from the Account Management group may display inconsistent user names if a user is not only created or only deleted but created AND deleted between the consequent runs of the rule script (at 1 minute intervals by default).	0116004

Table 22: HP-UX data processing known issues

Known Issue	Issue ID
The ADC Error: System resources exceeded (0x8adc100b) error received at log gathering from an HP-UX system is most likely to mean that the value of the max_thread_proc Kernel Parameter in the collected system should be increased (see http://docs.hp.com/en/939/KCParms/KCparam.MaxThreadsPerProcess.html for details). This error is most expected at gathering from HP-UX 11.11 systems where this parameter is set to 64 by default.	54690

Known Issue

Issue ID

The ADC Error: System resources exceeded (0x8adc100b) error received at log gathering from an HP-UX system is most likely to mean that the value of the max_thread_proc Kernel Parameter in the collected system should be increased (see http://docs.hp.com/en/939/KCParms/KCparam.MaxThreadsPerProcess.html for details). This error is most expected at gathering from HP-UX 11.11 systems where this parameter is set to 64 by default.

54690

Table 23: Syslog processing known issues

Known Issue	Issue ID
When syslog events are collected from a computer to which syslog is redirected and not from original host that generate them, event time values in local time will be calculated based on the time zone of the computer InTrust collects them from. If you choose to treat timestamps in syslog events as local time, consider redirecting syslog for gathering it with InTrust to a computer in the same time zone as the hosts you redirect it from.	0146199
InTrust agent makes a backup copy of *syslog.conf files when it starts, and restores the files from that backup when it shuts down. Changes you make to syslog.conf* while InTrust agent is running are lost when you shut down the agent process. Consider keeping track of the changes you make since you may need to reapply them after shutting down the agent.	60463

Known Issue

Issue ID

When syslog events are collected from a computer to which syslog is redirected and not from original host that generate them, event time values in local time will be calculated based on the time zone of the computer InTrust collects them from. If you choose to treat timestamps in syslog events as local time, consider redirecting syslog for gathering it with InTrust to a computer in the same time zone as the hosts you redirect it from.

0146199

InTrust agent makes a backup copy of syslog*.conf files when it starts, and restores the files from that backup when it shuts down. Changes you make to syslog*.conf while InTrust agent is running are lost when you shut down the agent process. Consider keeping track of the changes you make since you may need to reapply them after shutting down the agent.

60463

Table 24: Microsoft IIS log processing known issues

Known Issue	Issue ID
Microsoft IIS FTP log monitoring in cached mode does not work with IIS 6.0.	0145807
InTrust cannot resolve the %event_1.cs_cookee% parameter in alerts and notifications generated by real-time monitoring of the Microsoft IIS WWW log.	25411
During real-time monitoring or gathering of IIS 7.0 WWW logs with the agent-side audit log backup enabled, the values of some data fields (time_taken, cs_bytes, sc_bytes) in generated alerts or collected events are set to 0.	51758
Gathering of WWW logs in UTF-8 format does not work if logging on the IIS is configured with the Do not create new log files option enabled (a size of a single log file is not limited).	53804
Real-time monitoring and gathering of IIS 7.0 FTP logs with the agent-side audit log backup enabled doesn't work.	52601

Table 25: Microsoft ISAS log processing known issues

Known Issue	Issue ID
The following reports in the current version of InTrust do not return events collected from MS ISAS 2004: ISA Firewall: Cannot Assign Requested Address ISA Firewall: Connection Refused ISA Firewall: Connection Timed Out ISA Firewall: Host not Found ISA Firewall: Network is Unreachable ISA Firewall: Total Statistics ISA Firewall: User Connection Statistics by Agent/Platform ISA Firewall: Received Kbytes by Date (chart) ISA Firewall: Requests by Date (chart) ISA Firewall: Sent Kbytes by Date (chart) InTrust for ISAS / MSProxy / Security / Events Statistics / Raw Data Analysis (form) InTrust for ISAS / MSProxy / Security / Events Statistics / Events Statistics InTrust for ISAS / MSProxy / Security / Advanced Forensic Analysis / Anomalies Analysis / Anomalies Analysis	0154104

Known Issue

Issue ID

The following reports in the current version of InTrust do not return events collected from MS ISAS 2004:

ISA Firewall: Cannot Assign Requested Address
ISA Firewall: Connection Refused
ISA Firewall: Connection Timed Out
ISA Firewall: Host not Found
ISA Firewall: Network is Unreachable
ISA Firewall: Total Statistics
ISA Firewall: User Connection Statistics by Agent/Platform
ISA Firewall: Received Kbytes by Date (chart)
ISA Firewall: Requests by Date (chart)
ISA Firewall: Sent Kbytes by Date (chart)
InTrust for ISAS / MSProxy / Security / Events Statistics / Raw Data Analysis (form)
InTrust for ISAS / MSProxy / Security / Events Statistics / Events Statistics
InTrust for ISAS / MSProxy / Security / Advanced Forensic Analysis / Anomalies Analysis / Anomalies Analysis

0154104

Table 26: Microsoft ACS data processing known issues

Known Issue	Issue ID
If a gathering job configured to collect event data from ACS keeps failing with the following error logged to its session results: Data Source: Microsoft OpsManager ACS events Description: Errors encountered at data collection. ADC Error: Failed to collect from network object. (Internal error: Failed to enumerate event logs. (Cannot enumerate event log instances. (The requested operation timed out.The requested operation timed out.))) check if the Microsoft SCOM console installed on the InTrust agent (or InTrust Server, in case of agentless gathering) machine is of a version compatible with that of the collected ACS server.	55892

Known Issue

Issue ID

If a gathering job configured to collect event data from ACS keeps failing with the following error logged to its session results:

Data Source: Microsoft OpsManager ACS events Description: Errors encountered at data collection. ADC Error: Failed to collect from network object. (Internal error: Failed to enumerate event logs. (Cannot enumerate event log instances. (The requested operation timed out.The requested operation timed out.)))

check if the Microsoft SCOM console installed on the InTrust agent (or InTrust Server, in case of agentless gathering) machine is of a version compatible with that of the collected ACS server.

55892

Table 27: Custom text logs processing known issues

Known Issue	Issue ID
When you create a custom text log data source, you can supply a regular expression with a number of groups defined. If you reference a field index that is out of range of those groups, you get the following script error: "val has no properties". Instead of an error, this should be a warning.	IN-9347
Some log files of formats that suppose log data to be rewritten and not always appended to the end of the file, may be collected incorrectly and some events may be lost. If this happens, the 'Invalid record' warning is logged to the gathering session results.	0118101
InTrust agent running on a Unix machine may crash if you specify a wildcard as a part of a name for a directory immediately under the root, like '/tm', in the path to the collected log. However, for directories down the file system tree in log paths, like '/home/user', wildcards are safe to use.	0123466
When you collect an audit trail data with a Custom Text Log Events type data source, every event will be collected with values of Version Major and Version Minor data fields set to those of the last collected event.	0165698
The Description data field of events collected with a Custom Text Log Events type data source is not saved to an InTrust audit database.	0184224
In the New Data Source Wizard, on the Date/Time step, clicking on the Test Formatting button will display a correctly parsed date/time fields even if you don't specify field delimiters between field numbers in the 'Log fields' field of the dialog page. However, when you later collect data with the data source created in this way, gathering sessions will fail with error messages stating that some lines in the log cannot be parsed. For example, if the format of date and time data in the log is space delimited, like "Mar 23 12:13:10" and, in the 'Log fields', you specify "<1><2><3>" and not "<1> <2> <3>", the Test Formatting button will recognize date and time correctly but the gathering module will not. Make sure to always accurately specify field delimiters in the 'Log fields' input field on the Date/Time step of New Data Source Wizard.	0183396

Table 28: DB-based logs processing known issues

Known Issue	Issue ID
In the DB-based log provider query, data fields of type(s) TEXT or/and NTEXT must be either come last in the SELECT statement or be explicitly converted to the NVARCHAR data type. Otherwise the following error will be received at gathering: [Microsoft][ODBC SQL Server Driver]Invalid Descriptor Index.	0119477
If the Oracle DB-based log is being collected from a machine with no Oracle driver installed, Microsoft ODBC Driver for Oracle pops up an error message about the absence of the required Oracle driver on the collected machine. For collections that don't use agents, this message box pops up on the InTrust Server machine, while for agent-enabled collections the error message pops up on the agent side. There is no way for InTrust to suppress this error message box because of the specifics of Microsoft ODBC Driver for Oracle implementation.	0121853
Attempting to select an SQL server from the list in the New Database log template wizard may result in InTrust Manager crashing. This is caused by Microsoft ODBC driver behavior and cannot be controlled from the InTrust Manager snap-in code.	0111355

Known Issue

Issue ID

In the DB-based log provider query, data fields of type(s) TEXT or/and NTEXT must be either come last in the SELECT statement or be explicitly converted to the NVARCHAR data type. Otherwise the following error will be received at gathering:

[Microsoft][ODBC SQL Server Driver]Invalid Descriptor Index.

0119477

If the Oracle DB-based log is being collected from a machine with no Oracle driver installed, Microsoft ODBC Driver for Oracle pops up an error message about the absence of the required Oracle driver on the collected machine. For collections that don't use agents, this message box pops up on the InTrust Server machine, while for agent-enabled collections the error message pops up on the agent side. There is no way for InTrust to suppress this error message box because of the specifics of Microsoft ODBC Driver for Oracle implementation.

0121853

Attempting to select an SQL server from the list in the New Database log template wizard may result in InTrust Manager crashing. This is caused by Microsoft ODBC driver behavior and cannot be controlled from the InTrust Manager snap-in code.

0111355

Table 29: Command line tool known issues

Known Issue	Issue ID
If you run the Evt2Repository.exe tool on a Windows 2008 machine to import events from an event log saved to an .evt file on a pre-Windows 2008 computer, the tool fails with an error message saying the event log file is corrupted. To work around this problem, you can do one of the following: Process the file with Evt2Repository.exe on a computer running Windows Server 2003 or earlier. Open the .evt file with Windows 2008 Event Viewer and save it in the .evtx format. Then run Evt2Repository.exe again to import events from the saved .evtx file.	57215
Don't use the AdcChangePath tool from the InTrust Support Tools folder.	0153635
When the AdcSrvAcc.exe tool is started with the -restart switch on the command line, the Quest InTrust Server, Quest InTrust Real-Time Monitoring Server and Quest InTrust Agent services are not restarted as expected but just stopped and have to be started manually. If the services are not running when the AdcSrvAcc.exe is run with the -restart switch, only the Quest InTrust Server service starts, while the Quest InTrust Real-Time Monitoring Server and Quest InTrust Agent services still have to be started manually. It is recommended that you don't rely on AdcSrvAcc.exe in restarting these three InTrust services but run it without the -restart switch on the command line and use the Services snap-in, net stop/net start commands or some other tool of your choice to have the services restarted.	0153996
Use the Evt2Repository.exe tool to import events only from event log files saved in the .EVT format with Event Viewer. If you try to point it to a raw .EVT file the system is writing events to, or the copy of such a file created outside Event Viewer, Evt2Repository.exe will fail to import events from this file with the following error: Cannot convert file. The event log file is corrupted. (Win32 error: 1500)	0155535

Table 30: Platform-specific known issues

Known Issue	Issue ID
If you collect event logs from computers running Windows Vista or later without agents, and InTrust Server is running on a Windows 2003 machine, then the values of some data fields in collected events will not be resolved. Agentless gathering from machines running these operating systems should be done by InTrust Servers running on computers running Windows Server 2008 or later.	53708
InTrust agent for HP-UX does not support the following code pages: arab8 : HP-Arabic8 arabe : Arabic EBCDIC chinse: Simplified Chinese (China) EBCDIC chinte: Traditional Chinese (Taiwan) EBCDIC cp037 : Code Page 037, american, c-french, dutch, portuguese EBCDIC cp277 : Code Page 277, danish, norwegian EBCDIC cp500 : Code Page 500, new swiss-french, swiss-german, belgian EBCDIC cp870 : Code Page 870, EBCDIC code for East European languages, eg, cp875 : Code Page 875, Greek EBCDIC incl. Euro (= greee) cp880 : Code Page 880, bulgarian, russian EBCDIC cp924 : Code Page 924, Latin9 EBCDIC incl. Euro cp930 : Code Page 930, Japanese EBCDIC, contains 16-bit characters cp939 : Code Page 939, Japanese EBCDIC, contains 16-bit characters engle : English EBCDIC finne : Finnish EBCDIC frene : French EBCDIC germe : German EBCDIC gree8 : HP-Greek8 hebr8 : HP-Hebrew8 hebre : Hebrew EBCDIC icele : Icelandic EBCDIC itale : Italian EBCDIC japae : Japanese EBCDIC jis : JIS (JIS X0201, JIS X208-1990, JIS X212-1990 Japanese) katae : Katakana EBCDIC koree : Korean EBCDIC sjishi: Shift-JIS (JIS X0208-1990 + UDC, VDC for Mainframe user) sjispc: Shift-JIS (JIS X0208-1990 + UDC, VDC for PC user) spane : Spanish EBCDIC • swede : Swedish EBCDIC thaie : Thai EBCDIC turk8 : HP-Turkish8 turke jefc jefk jefc9p jefk9p kana8 keis7k keis8k keis7c keis8c jipsj jipsec jipsek eucJPp sjisp	49820

Known Issue

Issue ID

If you collect event logs from computers running Windows Vista or later without agents, and InTrust Server is running on a Windows 2003 machine, then the values of some data fields in collected events will not be resolved. Agentless gathering from machines running these operating systems should be done by InTrust Servers running on computers running Windows Server 2008 or later.

53708

InTrust agent for HP-UX does not support the following code pages:

arab8 : HP-Arabic8
arabe : Arabic EBCDIC
chinse: Simplified Chinese (China) EBCDIC
chinte: Traditional Chinese (Taiwan) EBCDIC
cp037 : Code Page 037, american, c-french, dutch, portuguese EBCDIC
cp277 : Code Page 277, danish, norwegian EBCDIC
cp500 : Code Page 500, new swiss-french, swiss-german, belgian EBCDIC
cp870 : Code Page 870, EBCDIC code for East European languages, eg,
cp875 : Code Page 875, Greek EBCDIC incl. Euro (= greee)
cp880 : Code Page 880, bulgarian, russian EBCDIC
cp924 : Code Page 924, Latin9 EBCDIC incl. Euro
cp930 : Code Page 930, Japanese EBCDIC, contains 16-bit characters
cp939 : Code Page 939, Japanese EBCDIC, contains 16-bit characters
engle : English EBCDIC
finne : Finnish EBCDIC
frene : French EBCDIC
germe : German EBCDIC
gree8 : HP-Greek8
hebr8 : HP-Hebrew8
hebre : Hebrew EBCDIC
icele : Icelandic EBCDIC
itale : Italian EBCDIC
japae : Japanese EBCDIC
jis : JIS (JIS X0201, JIS X208-1990, JIS X212-1990 Japanese)
katae : Katakana EBCDIC
koree : Korean EBCDIC
sjishi: Shift-JIS (JIS X0208-1990 + UDC, VDC for Mainframe user)
sjispc: Shift-JIS (JIS X0208-1990 + UDC, VDC for PC user)
spane : Spanish EBCDIC • swede : Swedish EBCDIC
thaie : Thai EBCDIC
turk8 : HP-Turkish8
turke
jefc
jefk
jefc9p
jefk9p
kana8
keis7k
keis8k
keis7c
keis8c
jipsj
jipsec
jipsek
eucJPp
sjisp

49820

InTrust 11.4.2 - Release Notes

Resolved issues

Known issues

System requirements

Product licensing

请选择您的产品：

为向您提供更好的服务，请填写'Purpose of your Chat'（联系目的）：

针对您的问题建议的解决方案

InTrust 11.4.2 - Release Notes

Resolved issues

Known issues

System requirements

Product licensing