Working with Azure virtual machine collections is similar to working with regular Windows collections, except that an Azure collection has additional settings for communication between Azure and the on-premises InTrust server.
In InTrust Deployment Manager, go to the Collections tab, click New and select Azure Collection.
On the Azure Virtual Machine Settings step, supply the Azure-specific configuration options:
If you don't know where to get any of these items, see Providing Access to Your Azure Environment.
TIP: It is recommended that you create a dedicated application and resource group in your Azure subscription specifically for auditing purposes. This will give you better scalability and ensure problem-free coexistence with other Azure services. You will also be able to track and troubleshoot resource usage in a more precise way. |
The remaining steps are the same as for regular Windows collections.
Azure log (Event Hub) collections let you gather events that Azure objects direct to event hubs, including diagnostic events, activity logs and metrics.
To stream Activity log events to an event hub
To create an Azure log (Event Hub) collection
In InTrust Deployment Manager, go to the Collections tab, click New and select Azure log (Event Hub) Collection.
On the Specify Azure Subscriptions step, click Add and specify the event hub that you need. Supply the following options:
If you don't know where to get any of these items, see Providing Access to Your Azure Environment above.
TIP: It is recommended that you create a dedicated event hub and consumer group in your Azure subscription specifically for auditing purposes. This will give you better scalability and ensure problem-free coexistence with other Azure services. You will also be able to track and troubleshoot resource usage in a more precise way. |
The remaining steps are the same as for regular Windows collections.
After you have made sure that InTrust collects data from Azure, use InTrust Repository Viewer to connect to the repository that stores the events and view them.
Events from Windows virtual machines in Azure are no different from on-premises Windows events, and all of your familiar Repository Viewer searches are compatible with them.
For events that originate in Azure rather than on Azure-hosted virtual machines, the Azure Knowledge Pack provides the following predefined Repository Viewer searches:
Use these searches directly or make customized copies of them to suit your needs.
The following issues are known at the time of the Azure Knowledge Pack technical preview for InTrust 11.4.1.
Table 1: Azure Knowledge Pack installation known issues
Known Issue |
Issue ID |
---|---|
The Azure Knowledge Pack technical preview is compatible only with the released version of InTrust 11.4.1 and incompatible with Update 1 for this version. You should be aware of the following related caveats:
|
IN-11509, |
After you uninstall the Azure Knowledge Pack technical preview, some folders related to it may be left behind on disk. |
IN-9995 |
During Azure Knowledge Pack technical preview installation, you may be taken to the Files in Use step, where the list of applications contains items you don't expect to interfere with the installation. |
IN-10408 |
Table 2: Azure Knowledge Pack general known issues
Known Issue |
Issue ID |
---|---|
The Azure Knowledge Pack technical preview supports only configurations with one resource group and one storage account per deployment. If you want to audit multiple resource groups, you need multiple deployments, each with its own resource group and storage account. |
IN-8943 |
After you uninstall the InTrust agent from an Azure VM that is in a collection, InTrust Deployment Manager still shows the VM in the collection. |
IN-9073 |
If you delete a VM from an Azure resource group that an Azure VM collection is associated with, you may get a temporary error message like the following in InTrust Deployment Manager: Object reference not set to an instance of an object. The error message goes away after a few minutes. |
IN-10514 |
InTrust Deployment Manager versions released before the Azure Knowledge Pack don't hide Azure VM collections and don't disallow editing them. However, if you modify an Azure VM collection in an old InTrust Deployment Manager console, this causes the InTrust configuration to become invalid. If you use the Azure Knowledge Pack, make sure all instances of InTrust Deployment Manager are upgraded to a version that fully supports Azure VM collections. |
IN-10404 |
InTrust Deployment Manager shows Azure VMs in collections even after agents have been uninstalled from the VMs. |
IN-8681 |
InTrust Manager doesn't show agents that are deployed on Azure VMs, which are available in InTrust Deployment Manager. |
IN-10471 |
Agent installation fails for Azure VMs whose names contain non-ASCII characters, preventing real-time collection from such VMs. |
IN-10011 |
When the agent is installed on an Azure VM, the AgentInstallDateTime VM tag specifies the wrong timezone. The tags says GMT instead of the local timezone. |
IN-9377 |
After you delete an Azure VM collection, the configuration folder related to this collection is not deleted on the local file systems of the VMs from that collection. |
IN-10330 |
When you manually uninstall the InTrust agent from an Azure VM, the accompanying Azure Proxy service is not automatically stopped and uninstalled. |
IN-10231 |
InTrust fault-tolerance features are not supported for the Azure Knowledge Pack. The failover scenario doesn't work correctly for Azure VM collections audited by the Azure Knowledge Pack. |
IN-10410 |
Changing the destination repository for a collection of Azure VMs causes the reconfiguration of the Azure Proxy service on the VMs. Events that occur during the reconfiguration are not collected. |
IN-10449 |
Organization parameters are applied on agents on Azure VMs only after the reconfiguration of the Azure Proxy service, which happens after a collection is modified in InTrust Deployment Manager. On regular computers, they are applied almost immediately. |
IN-10450 |
In some situations, an Azure VM in a collection may report a "Collecting" state even though the InTrust agent has stopped working on that VM. To check if the agent is functioning properly, see the last gathering time for it. |
IN-10453 |
When you create an Azure collection, the items are configured one by one. Depending on the number of VMs, the collection configuration may take a long time. |
IN-10478 |
© ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center