立即与支持人员聊天
与支持团队交流

InTrust 11.5.1 - Auditing Microsoft Azure

Collecting Events from Azure Virtual Machines

Working with Azure virtual machine collections is similar to working with regular Windows collections, except that an Azure collection has additional settings for communication between Azure and the on-premises InTrust server.

In InTrust Deployment Manager, go to the Collections tab, click New and select Azure Collection.

On the Azure Virtual Machine Settings step, supply the Azure-specific configuration options:

  • Resource group name
  • Tenant ID
  • Application ID
  • Application key
  • Subscription ID
  • Connection string used by the storage account
    If you are collecting events both from virtual machines and from event hubs, it is recommended that you have separate storage accounts for each purpose. For virtual machine auditing, use a storage account that supports file storage.

If you don't know where to get any of these items, see Providing Access to Your Azure Environment.

TIP: It is recommended that you create a dedicated application and resource group in your Azure subscription specifically for auditing purposes. This will give you better scalability and ensure problem-free coexistence with other Azure services. You will also be able to track and troubleshoot resource usage in a more precise way.

The remaining steps are the same as for regular Windows collections.

Azure Collection Specifics

  • Only one Azure collection is allowed per InTrust organization.
  • You cannot manually edit the membership of an Azure collection. It is populated automatically based on the contents of the Azure resource group that it is associated with. To collect from the right virtual machines, make sure you select the right resource group.

Collecting Events from Azure Event Hubs

Azure log (Event Hub) collections let you gather events that Azure objects direct to event hubs, including diagnostic events, activity logs and metrics.

To stream Activity log events to an event hub

  1. In the Azure portal, navigate to Monitor| Activity log.
  2. Select Diagnostic Settings and click Add diagnostic setting.
  3. Under Category details, select the kinds of events that you want to export.
  4. Under Destination details, select Stream to an event hub.
  5. Select your subscription and namespace for the event hub.
  6. Specify the Event hub name or leave it blank. If you omit it, Azure will use the predefined name "insights-activity-logs".
  7. Select RootManagedSharedAccessKey as the policy.
  8. Save the changes.

To create an Azure log (Event Hub) collection

In InTrust Deployment Manager, go to the Collections tab, click New and select Azure log (Event Hub) Collection.

On the Specify Azure Subscriptions step, click Add and specify the event hub that you need. Supply the following options:

  • Event hub name
    This is either the name of the particular event hub, which you can look up in the Azure portal. Some event hub names are predefined. For example, if you need the event hub with Azure Activity log events, supply the name of an event hub to which the Activity log is streamed. However, you should first make sure that the event hub really exists in the correct event hubs namespace.
    For details about setting up redirection of events to event hubs, see Stream Azure monitoring data to an event hub. For details about Activity log events, see To stream Activity log events to an event hub above.
  • Consumer group name
    You should create a separate consumer group specifically for event hub auditing in advance.
  • Event hub connection strings
  • Storage connection strings
    If you are collecting events both from virtual machines and from event hubs, it is recommended that you have separate storage accounts for each purpose. For event hub auditing, it is sufficient to use a storage account that supports only blob storage.

If you don't know where to get any of these items, see Providing Access to Your Azure Environment above.

TIP: It is recommended that you create a dedicated event hub and consumer group in your Azure subscription specifically for auditing purposes. This will give you better scalability and ensure problem-free coexistence with other Azure services. You will also be able to track and troubleshoot resource usage in a more precise way.

The remaining steps are the same as for regular Windows collections.

Azure Log (Event Hub) Collection Specifics

  • The members of an Azure log (Event Hub) collection are Azure event hubs not computers. You can have multiple Events Hubs in a single collection.
  • Only one preselected non-editable "Azure Log" data source can be associated with this type of collection.
  • If you collect Activity log events from an event hub, the scope of those events is the entire Azure subscription. If you are interested in just the resource group you are auditing with your Azure collection, be prepared to get Activity log events for a lot more than that.
  • Due to the way these collections work, InTrust Deployment Manager may temporarily show valid errors about network connectivity that may have already been resolved. If such an error doesn't go away after a few minutes, you should investigate the situation, but you don't necessarily have to take immediate action as soon as you see the error.

Analyzing Azure Events

After you have made sure that InTrust collects data from Azure, use InTrust Repository Viewer to connect to the repository that stores the events and view them.

Events from Windows virtual machines in Azure are no different from on-premises Windows events, and all of your familiar Repository Viewer searches are compatible with them.

For events that originate in Azure rather than on Azure-hosted virtual machines, the Azure Knowledge Pack provides the following predefined Repository Viewer searches:

  • All activity and diagnostic events
  • All administrative events (RBAC changes) by who, what
  • Key vault activity
  • Resource-level events by subscription ID, resource group, provider
  • Resource-level events by who, what, where
  • SQL activity
  • Tenant-level events by tenant ID, provider
  • Tenant-level events by who, what, where

Use these searches directly or make customized copies of them to suit your needs.

Known Issues

The following issues are known at the time of the Azure Knowledge Pack technical preview for InTrust 11.4.1.

Table 1: Azure Knowledge Pack installation known issues

Known Issue

Issue ID

The Azure Knowledge Pack technical preview is compatible only with the released version of InTrust 11.4.1 and incompatible with Update 1 for this version. You should be aware of the following related caveats:

  • Do not install the Azure Knowledge Pack on servers where InTrust 11.4.1 Update 1 is applied.
  • Do not apply InTrust 11.4.1 Update 1 on servers where the Azure Knowledge Pack is deployed.

IN-11509,
IN-11611,
IN-11513

After you uninstall the Azure Knowledge Pack technical preview, some folders related to it may be left behind on disk.

IN-9995

During Azure Knowledge Pack technical preview installation, you may be taken to the Files in Use step, where the list of applications contains items you don't expect to interfere with the installation.

IN-10408

Table 2: Azure Knowledge Pack general known issues

Known Issue

Issue ID

The Azure Knowledge Pack technical preview supports only configurations with one resource group and one storage account per deployment. If you want to audit multiple resource groups, you need multiple deployments, each with its own resource group and storage account.

IN-8943

After you uninstall the InTrust agent from an Azure VM that is in a collection, InTrust Deployment Manager still shows the VM in the collection.

IN-9073

If you delete a VM from an Azure resource group that an Azure VM collection is associated with, you may get a temporary error message like the following in InTrust Deployment Manager:

Object reference not set to an instance of an object.

The error message goes away after a few minutes.

IN-10514

InTrust Deployment Manager versions released before the Azure Knowledge Pack don't hide Azure VM collections and don't disallow editing them. However, if you modify an Azure VM collection in an old InTrust Deployment Manager console, this causes the InTrust configuration to become invalid.

If you use the Azure Knowledge Pack, make sure all instances of InTrust Deployment Manager are upgraded to a version that fully supports Azure VM collections.

IN-10404

InTrust Deployment Manager shows Azure VMs in collections even after agents have been uninstalled from the VMs.

IN-8681

InTrust Manager doesn't show agents that are deployed on Azure VMs, which are available in InTrust Deployment Manager.

IN-10471

Agent installation fails for Azure VMs whose names contain non-ASCII characters, preventing real-time collection from such VMs.

IN-10011

When the agent is installed on an Azure VM, the AgentInstallDateTime VM tag specifies the wrong timezone. The tags says GMT instead of the local timezone.

IN-9377

After you delete an Azure VM collection, the configuration folder related to this collection is not deleted on the local file systems of the VMs from that collection.

IN-10330

When you manually uninstall the InTrust agent from an Azure VM, the accompanying Azure Proxy service is not automatically stopped and uninstalled.

IN-10231

InTrust fault-tolerance features are not supported for the Azure Knowledge Pack. The failover scenario doesn't work correctly for Azure VM collections audited by the Azure Knowledge Pack.

IN-10410

Changing the destination repository for a collection of Azure VMs causes the reconfiguration of the Azure Proxy service on the VMs. Events that occur during the reconfiguration are not collected.

IN-10449

Organization parameters are applied on agents on Azure VMs only after the reconfiguration of the Azure Proxy service, which happens after a collection is modified in InTrust Deployment Manager. On regular computers, they are applied almost immediately.

IN-10450

In some situations, an Azure VM in a collection may report a "Collecting" state even though the InTrust agent has stopped working on that VM. To check if the agent is functioning properly, see the last gathering time for it.

IN-10453

When you create an Azure collection, the items are configured one by one. Depending on the number of VMs, the collection configuration may take a long time.

IN-10478

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级