立即与支持人员聊天
与支持团队交流

InTrust 11.5.1 - Auditing Custom Logs with InTrust

Using Custom Data Sources

InTrust provides two general-purpose data source types for situations in which you need to gather event logs for which no predefined data source exists. When creating such a data source, you specify how to process the log, what information is stored and how it is ordered.

InTrust supports the following two types of user-defined event logs:

  • Text logs: information is stored in ASCII text files. Configure collection of such logs using the Custom Text Log Events data source type.
  • Database event logs: information is stored in database tables. Configure collection of such logs using the Database Events data source type.

Creating a Data Source for a Custom Log

To create a new database log data source

  1. In InTrust Manager, expand the Configuration node.
  2. Right-click the Data Sources container and select New Data Source.
  3. Select the Database Events type and proceed with the wizard.

For details about custom database log settings, see the Database Events Data Sources topic.

To create a new text log data source

  1. In InTrust Manager, expand the Configuration node.
  2. Right-click the Data Sources container and select New Data Source.
  3. Select the Custom Text Log Events type and proceed with the wizard.

For details about custom database log settings, see the Custom Text Log Data Sources topic.

Editing a Data Source for a Custom Log

To edit an existing database or text log data source, right-click the data source you need in the right pane and select Properties.

Custom Text Log Data Sources

User-defined text log data sources can be configured in any of three modes:

  1. Basic
    This is the simplest way to set up gathering from a custom text log. It provides a minimum of configuration options and may not be suitable for some log formats.
  2. Advanced
    This mode offers much more control than Basic mode and provides sophisticated options. In Advanced mode, most text log formats can be defined.
  3. Raw
    This mode requires that you edit a script in JScript or VBScript that processes log data and prepares it for storage. InTrust acts as the framework for script execution and data gathering. You cannot create a text log data source in Raw mode, but you can convert a Basic or Advanced data source to a Raw data source.

Processing of log information is powered by regular expressions. In Basic mode, you are not exposed to regular expressions (however, you can use them when specifying the path to the log file). In Advanced mode, you specify them as needed to configure the handling of log data. In Raw mode, you use regular expressions in scripts of your own.

Whichever mode you select, the end result is a script that InTrust runs. You can edit the resulting scripts to meet your specific purposes. For example, you can complete the Basic mode wizard to rough out a data source and later edit the script in Raw mode.

You can do the editing directly in a text editor provided by the wizard. If you run the wizard to edit a Basic data source, you can select to convert it to an Advanced or Raw data source. Note that you cannot convert an Advanced or Raw data source to a Basic one, nor can you convert a Raw data source to an Advanced one.

However, in some cases using an Advanced data source in the first place is preferable. This is true when the structure of the resulting regular expressions in the Basic data source is completely different from the type of expression you need eventually.

In general, recommendations for the choice of mode are as follows:

Basic Advanced

Raw

The log has a number of articulated fields. These fields can be distinguished based on delimiters between them or the fixed width of each field. This kind of log can be represented by a table without rearranging or modifying data.

One or both of the following are true:

There are mixed-format entries in the log, so the log does not fit in a simple table without rearranging fields.

The log includes comments and other data that could break the simple row-and-column-style representation.

You feel more comfortable with a script editor user interface than with the wizard's Advanced mode settings.
自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
RSS订阅源
联系我们
获得许可 帮助
技术支持
查看全部
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级