Setting Up Auditing
To turn on auditing on the target computer, configure the Audit Policy in the Group Policy Management Editor MMC snap-in.
There is an alternative to edit a local policy on every computer or propagate audit settings applying group policy to computers that are included in the certain organizational unit. Generally, you can set each policy to audit for event success or failure or both.
To collect exactly the events required for particular reports, refer to the Windows Auditing References.
To simplify Windows event data gathering and reporting, InTrust offers a special Windows Knowledge Pack containing, in particular, predefined gathering and import policies, tasks, and reports.
|
|
Note: The Windows Knowledge Pack is always installed together with InTrust Server. This component is not included in an explicit form in the InTrust feature list. The Windows Knowledge Pack is installed by default. |
Configuring InTrust
To configure the gathering of Windows event data with InTrust:
- In InTrust Manager, select Configuration | Sites | Microsoft Windows Network, than select the All Windows servers in the domain site, or select another existent site (All Windows workstations in the domain, etc.) or create a new one.
- To automatically install agents on the site computers, clear the Prohibit automatic agent deployment on site computers option in the site's properties and select Install Agents from the site’s context menu. Gathering with and without agents is described below in detail.
- Either select the Windows and AD Security Daily Collection and Reporting task, or configure a new task you need, with a gathering job that involves the necessary gathering policy and site.
- Configure a reporting job, if necessary.
Gathering With and Without Agents
Usually, audit trails are collected using agents. If the agent is not running under the LocalSystem account, then its account must be granted Manage auditing and security log right to gather events from the Security event log. To run the gathering job with agents, select the Windows and AD Security Daily Collection and Reporting task, click the Gathering tab on the right, and make sure the Use agents to execute this job on target computers check box is selected.
However, in some cases you may need to work without agents (for example, if running extra services on the certain computers is not allowed). If so, you can prevent agents from being installed automatically on those computers; for that, do the following:
- Use InTrust Manager to arrange those computers into a site.
- In the site properties, select the Prohibit automatic agent deployment on site computers check box.
The account under which the gathering service will access site computers (which is either specified explicitly in the site’s settings, or inherited from the InTrust server or task) requires the following:
- Access this computer from the network right must be granted.
- Deny access to this computer from network right must be disabled.
- Manage auditing and security log right must be granted to gather events from the Security log; members of the local Administrators group have this right by default.
- To clear logs after gathering, account membership in the local Administrators group is required.
The Admin$ share must exist and should be open on target computer.
|
|
Caution: If you want to gather events from an event log on a computer, make sure the agent or, for agentless gathering, the gathering job account has Read access in the ACEs of the appropriate logs. You can use Group Policy to grant these permissions automatically. For details, refer to Microsoft Knowledge Base article "How to set event log security locally or by using Group Policy". |
Collecting Event Descriptions
Events from the Microsoft Windows event logs have standard descriptions which InTrust collects as follows:
- If the events are gathered to a repository, event descriptions are collected automatically.
- If the events are gathered to an audit database and you need the event descriptions to be collected, locate the necessary log in Quest InTrust Manager | Configuration | Data Sources, and open its Properties dialog box from the context menu. Click the Microsoft Windows Events tab and select Store event descriptions to database.
- Also, on that tab you can select whether to resolve SIDs and GUIDs in insertion strings.
|
|
Note: This option can be used for Security log only. |
Collecting Without Agents
If you are not using agents for gathering, you can select what libraries to use when retrieving standard descriptions for Windows events. The descriptions can be taken from libraries that exist locally on processed computers or from remote computers.
To select which libraries to obtain descriptions from
- In the Data Sources, select the Microsoft Windows log you need, and open its properties.
- On the Microsoft Windows Events tab, specify the order in which the libraries should be used:
- Select Only local to retrieve the descriptions from libraries that exist on the InTrust server.
- Select Local, then remote to first retrieve the descriptions from the InTrust server libraries; if they cannot be retrieved, libraries on the remote (processed) computer will be used.
- Select Remote, then local to first retrieve the descriptions from libraries on the remote (processed) computer as long as they are available; if they cannot be retrieved, libraries on the InTrust server will be used.