立即与支持人员聊天
与支持团队交流

InTrust 11.5.1 - Getting Started with InTrust

First Steps

InTrust is an event-log management solution that provides for collection, correlation, archival, and reporting on the heterogeneous audit data from your enterprise-wide network. InTrust real-time alerting and notification capabilities allow you to stay aware of what is going on in your network and how your business-critical resources are functioning.

Although InTrust is a powerful and comprehensive framework for audit data, deployments can range widely in complexity. The following types of coverage are all possible:

  • Basic everyday security auditing with a minimal set of components
  • Archival of audit data in compressed repositories for regulations compliance
  • Fast search and reporting tools that work with repository data
  • Real-time monitoring for critical security events, with alert tracking and automated response actions
  • Auditing of multiple platforms and custom logs with advanced reporting based on SQL Server Reporting Services
  • Combinations of the above

This guide explains only the use of the basic InTrust deployment. More sophisticated features and workflows are described elsewhere in the InTrust documentation set—for example, in the Deployment Guide.

Installing InTrust

Before you begin installation, confirm that the system requirements are met (see System Requirements). Also note that the InTrust installer verifies this automatically.

If the computer where you are going to install InTrust is a SQL server, then make sure in advance that the installed version of SQL Server Native Client is no earlier than the version required by InTrust; version 11.0.6538.0 of the client is redistributed with InTrust.

To begin installation, use the Autorun application that comes with your InTrust distribution; click InTrust Default Suite on the Install tab to begin setup.

Note: If you need custom InTrust capabilities, consider the InTrust Extended Suite option, which is not covered in this set of topics. For details, see the Deployment Guide.

Next, complete the remaining steps.

Caution: The default InTrust components require that ports 900 and 8340 be open for inbound traffic. The InTrust installer knows how to configure these ports automatically in Windows Firewall.

In addition, IT Security Search and the InTrust repository API work with port 8341, which is not configured automatically. If you use the API or IT Security Search, make sure this port is open.

Participation in the Quest Software Improvement Program

One of the setup steps prompts you to select the country where you are performing InTrust installation. This choice affects whether your participation in the Quest Software Improvement Program is enabled automatically.

The Software Improvement Program involves Quest receiving anonymous usage statistics from the Quest software you install. No personal identifying data (such as account names) is included in this feedback. The purpose is to determine which features are most popular and find out how their use can be streamlined.

The following information is transmitted:

  • Hardware configuration
  • Which product features are used
  • External IP addresses

Participation is voluntary. Although it is enabled automatically for some countries, you can change your choice at any time after InTrust setup is complete; for details, see the Installing the First Server in InTrust Organization topic in the InTrust Deployment Guide.

Collecting Events in Real Time

After you have installed the default components, run the InTrust Deployment Manager console by clicking its entry in the Start menu. This console manages gathering of audit data to InTrust repositories.

In the console, you need to specify the computers you want to audit and specify what kinds of events you need. This is done by setting up collections. Collection settings include the computers to collect from, data sources (definitions of the types of events) and the repository to collect to. Simply put, the point of a collection is to “get this kind of data from these computers to this repository”.

For gathering to work, computers in collections need to have InTrust agents installed. You can install agents on specific computers by selecting them in the right pane while a collection is highlighted and clicking Install Agents. Alternatively, enable the Install agents automatically option while you are creating or editing a collection to automatically install them on all computers in the collection. If this option is off in a newly-created collection, no gathering occurs. Once you enable it, agents are installed and gathering begins.

Caution: If the Install agents automatically option is enabled for a collection, InTrust will try to keep the agents on all computers in the collection. If you uninstall an agent from a computer in such a collection, it will be reinstalled automatically.

In this situation, to stop gathering from a computer, you need to remove it from the collection.

If the Install agents automatically option is disabled, you need to install and uninstall agents manually using toolbar commands.

When you run InTrust Deployment Manager, you are directed to the home view, where you are briefly introduced to the basics of real-time event collection workflow. This view explains collections (how InTrust organizes computers to collect from) and repositories (stores to collect data to), and it provides quick action links to help you get work done.

If you are starting InTrust Deployment Manager for the first time, take the opportunity to create a collection in the home view: either a Windows collection for gathering from Windows computers or a Syslog collection for capturing Syslog messages from devices and hosts.

Introduction to Repositories

An InTrust repository is a store for audit data collected by InTrust. Its architecture is such that massive amounts of data can be stored efficiently in a compact way and indexed for fast browsing in InTrust Repository Viewer and streamlined access by IT Security Search.

This helps achieve security regulations compliance and provides a ready-made toolset for event analysis. For an in-depth description of InTrust repositories, see the Understanding InTrust Repositories topic.

For the purposes of this guide, however, it is sufficient to know the following about repositories:

  • When you set up InTrust, a default repository is automatically created for you in the InTrust installation folder (by default, installation to Program Files is suggested). Note that the default repository is not recommended for real production use, but only for evaluation and training. When you are confident with the InTrust workflow, create your own repository on a server that has ample disk space and is ready for intensive disk writes.
  • You can use the default repository for all your logon and user session auditing needs (unless further scaling is required).
  • The folder where you create a repository should be available over the network.
  • If necessary, you can have multiple repositories, specialized by the type of data they are supposed to contain, by their location, or by some other characteristic. However, try to keep a manageable number of repositories.
  • The toolset described in this document works only with indexed repositories.

To manage repositories, use the Storage view in InTrust Deployment Manager.

Common Tasks

The following topics describe how you can manage and adapt InTrust using the InTrust Deployment Manager console.

Managing Collections

You can add, delete and edit collections at any time. To work with collections, go to the Collections view of InTrust Deployment Manager.

To create a collection, right-click the Collections node and select New Windows Collection or New Syslog Collection. To edit or delete a collection, right-click it and use the corresponding command.

To add computers to a collection

Use any of the following ways:

  • In the wizard that opens when you edit a collection, change the computer list on the Specify Computers step. For that, click the Add button under the computer list. You can supply the computers using a variety of methods:
    • Click Computers to supply individual computer names.
    • Click Computer Names from Text File to specify an existing computer list in a plain-text file. Note that this is only a one-off import action. InTrust does not track changes to the file or remember its location.
    • Click Domains to make InTrust enumerate the computers in the domains you select. InTrust will re-enumerate the computers periodically to keep the collection membership up to date.
    • Click LDAP Query to supply a detailed query that extracts computers from Active Directory. For convenience, the dialog box that opens provides the native Windows LDAP control to help you compose the query; click New Query to use the control.
      InTrust will rerun the query periodically to keep the collection membership up to date.
    • Click All DCs in the domain to include just the domain controllers. InTrust will re-enumerate them periodically to keep the collection membership up to date.
  • Select the computers you need in the Computers not in a collection search folder in the navigation pane and click Add to Collection (in the toolbar or in the shortcut menu), and then select the collection you need.

To delete computers from a collection

  1. Right-click the collection and select Edit Collection.
  2. In the wizard that opens, go to the Specify Computers step.
  3. In the list of computers, select the computers you do not need, and click Remove (in the toolbar or in the shortcut menu).

To stop gathering from a computer without removing it from a collection

This works only in collections where the Install agents automatically option is disabled. In such collections, use the Install agent and Uninstall agent commands (in the toolbar or in the shortcut menu) to manage gathering without affecting collection membership.

NOTE: The Install agent command is not available for collections where the Install agents automatically option is enabled. The Uninstall agent command remains available, but its effect is temporary; an uninstalled agent is re-installed in a few hours.

In addition, the following management actions can be done in the wizard:

  • Change the account used for connecting to the computers in the collection
    Set the credentials on the Specify Computers step.
  • Change the list of logs that are gathered
    Select the data sources you need on the Data Sources and Repository step.

NOTE: By default, InTrust gives you no indication of situations where a log that you selected is not available on an agent's computer. If you would prefer to know when this happens, select the If any of the selected data sources cannot be found, consider this an error option. Be aware that this will make InTrust Deployment Manager show the Failed status for computers where the logs are absent.

  • Change the repository that events are gathered to
    Select the repository on the Data Sources and Repository step.

Availability of Collection Management Commands

In some situations, you cannot perform a specific action (Install agent, Uninstall agent or Remove) on one or more computers in a collection, as explained below:

You cannot...

Possible reason

Install the agent

The Install agents automatically option is enabled for the collection. Manual installation is not needed.

Uninstall the agent

  • The Install agents automatically option is enabled for the collection. Manual agent removal makes no sense, because the agent would be automatically restored anyway.
  • The agent is not installed.

Remove a computer from a collection

  • The computer became a member of the collection dynamically instead of being added individually or through a computer list. For example, you cannot single out a computer for removal if it was added through an LDAP query. In this case, you need to edit the query to exclude it.
  • It is the last computer in the collection. Just delete the collection that contains this computer.
自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
RSS订阅源
联系我们
获得许可 帮助
技术支持
查看全部
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级