To turn on auditing on the target computer, configure the Audit Policy in the Group Policy Management Editor MMC snap-in.
There is an alternative to edit a local policy on every computer or propagate audit settings applying group policy to computers that are included in the certain organizational unit. Generally, you can set each policy to audit for event success or failure or both.
To collect exactly the events required for particular reports, refer to the Windows Auditing References.
To simplify Windows event data gathering and reporting, InTrust offers a special Windows Knowledge Pack containing, in particular, predefined gathering and import policies, tasks, and reports.
|
Note: The Windows Knowledge Pack is always installed together with InTrust Server. This component is not included in an explicit form in the InTrust feature list. The Windows Knowledge Pack is installed by default. |
To configure the gathering of Windows event data with InTrust:
Usually, audit trails are collected using agents. If the agent is not running under the LocalSystem account, then its account must be granted Manage auditing and security log right to gather events from the Security event log. To run the gathering job with agents, select the Windows and AD Security Daily Collection and Reporting task, click the Gathering tab on the right, and make sure the Use agents to execute this job on target computers check box is selected.
However, in some cases you may need to work without agents (for example, if running extra services on the certain computers is not allowed). If so, you can prevent agents from being installed automatically on those computers; for that, do the following:
The account under which the gathering service will access site computers (which is either specified explicitly in the site’s settings, or inherited from the InTrust server or task) requires the following:
The Admin$ share must exist and should be open on target computer.
|
Caution: If you want to gather events from an event log on a computer, make sure the agent or, for agentless gathering, the gathering job account has Read access in the ACEs of the appropriate logs. You can use Group Policy to grant these permissions automatically. For details, refer to Microsoft Knowledge Base article "How to set event log security locally or by using Group Policy". |
Events from the Microsoft Windows event logs have standard descriptions which InTrust collects as follows:
|
Note: This option can be used for Security log only. |
If you are not using agents for gathering, you can select what libraries to use when retrieving standard descriptions for Windows events. The descriptions can be taken from libraries that exist locally on processed computers or from remote computers.
To select which libraries to obtain descriptions from
© ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center