InTrust 11.5.1 - Product Overview

Introduction to InTrust

InTrust is a powerful framework for enterprise log management, regulatory compliance and IT data analytics.

What InTrust Can Do for You

InTrust focuses on logs, which make up the bulk of IT data in the enterprise. The log-oriented approach helps you achieve the following:

  • Securely collect and archive logs in real time from across the diverse enterprise network
  • Automate the log review process without hiring event log experts
  • Pass audits by providing faster answers to the questions auditors will ask
  • Conduct efficient investigations of security incidents and fraudulent activity of insiders
  • Improve day-to-day operations by minimizing the number of tools and making IT data readily available
  • Assess the robustness of security and operations without much effort

What's Inside

InTrust has many components, but not all of them are needed for most scenarios. The default components are few, accessible and easy to deploy; yet they cover the most common log management needs and incorporate impressive InTrust expertise.

The remaining components help manage rare logs, implement specialized scenarios and provide advanced capabilities such as reporting powered by SQL Server Reporting Services and real-time monitoring with alerts and automated response.

Default Deployment

The following components are installed by default:

  • InTrust Server
    This is the principal component that provides most of the capabilities of InTrust, in both default and extended deployments. It is a back-end that keeps the InTrust configuration up to date and runs the operations according to that configuration.
  • InTrust Deployment Manager
    This console is used for setting up real-time data gathering. This workflow is based on collections of Windows computers or Syslog devices, from which data is continuously gathered to the InTrust repository that you specify. In addition, InTrust Deployment Manager lets you forward Syslog messages and events from repositories to SIEM solutions such as SecureWorks.
  • InTrust Repository Viewer
    This application lets you browse the contents of InTrust repositories, which are data stores that keep the InTrust-gathered data. Repository Viewer offers flexible searching, grouping, sorting and filtering for focused event analysis. It also supports running search-based scheduled reports on a regular basis, with customizable layouts and convenient delivery options.

Extended Deployment

The other components you can set up are also built around InTrust Server but geared for a different workflow and style of configuration. These components form an extended InTrust deployment.

  • InTrust Manager
    This console sets up scheduled task-based gathering, reporting based on SQL Server Reporting Services, and real-time monitoring. InTrust Manager is required for all of these advanced features. For details about them, see the following documentation:
  • Knowledge Portal
    This Web application is an alternative to the Reporting Services Web UI, streamlined for use with InTrust reports.
  • InTrust Monitoring Console
    This Web application displays real-time alerts produced by InTrust and lets you track and manage their state.
  • Knowledge Packs
    These are collections of InTrust resources that are needed for supporting specific platforms and logs. For example, installing the Linux Knowledge Pack enables InTrust to gather logs from Linux hosts (through InTrust agents), monitor these hosts in real time and build SSRS reports based on the collected data. The range of supported platforms and logs is broader for extended deployments than for default deployments.

Key Concepts

The following terms are important for understanding the basics of InTrust.

InTrust Server

An InTrust server is a computer where the InTrust Server component is set up. It processes requests from client applications such as Repository Viewer and InTrust Deployment Manager, performs the operations they request and handles the configuration.

InTrust Repository

The repository is the primary type of data store in InTrust. Repositories are intended for long-term archiving of data in a compressed format. For fast access to the data they contain, repositories have indexes, which are maintained by the InTrust server.

Repositories are normally file-based, but in extended deployments you also have the option of associating a repository with an EMC Centera appliance.

The same repository can be used for both real-time gathering and scheduled task-based gathering; the only restriction is that the same data from the same computers must not be gathered using both methods at once.

InTrust Organization

An InTrust organization is a group of InTrust servers that share a common configuration, which is stored in a SQL Server database.

An InTrust organization provides the following:

  • Load balancing among InTrust servers
  • A common list of InTrust organization administrators
  • A uniform selection of available data sources for all member InTrust servers

InTrust Agents

An InTrust agent is an application that InTrust Server usually installs automatically on target computers, where it gathers audit data locally and, in extended deployments, performs real-time monitoring. You can also install and uninstall agents explicitly using InTrust Deployment Manager (or InTrust Manager), or install them manually (for example, if the target computer is behind a firewall or in an untrusted domain). In addition, a Windows Installer package for the InTrust agent makes it possible to manage agent installations using Group Policy.

During its operation, an agent communicates with InTrust Server over TCP. In complex environments, only one open port is required: the one that allows inbound traffic from agents to the InTrust server address.

Note: For extended deployments, consider the following:

  • In some scheduled task-based gathering scenarios, agents are not required for working with Windows networks. However, they are still recommended due to improved performance, better security and reduced network load.
  • Scheduled task-based gathering from Unix networks requires agents, which must be installed manually.
  • Agents are mandatory for real-time monitoring in both Windows and Unix networks.

If an agent cannot connect to the InTrust server for a certain period of time (for example, because the InTrust server was removed), it is automatically “retired”, that is, uninstalled.

How It Works

The following diagram summarizes the points made in the Introduction to InTrust topic and shows where the components fit in the big picture. The user roles shown in it are purely illustrative; in practice, each of these users can benefit from all of the client applications.

Note that the diagram shows only the default InTrust deployment. For a representation of an extended deployment, see Technical Insight.

Supported Platforms and Data Sources

This is a breakdown of how InTrust handles heterogeneous audit data. Instead of "log", the broader term "data source" is used, because some of the valuable transient data that InTrust can watch is not strictly logs.

The real-time gathering feature is part of the default InTrust deployment.

The task-based gathering and real-time monitoring features come with the extended deployment.

Microsoft Windows

64-bit architecture:

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows 10
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2012

32-bit architecture:

  • Microsoft Windows 10
  • Microsoft Windows 7

| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
| --- | --- | --- | --- |
| Windows event logs (such as Application or Security log) | Yes | Yes | Yes |
| User session events captured by the InTrust agent for superior user activity tracking | Yes | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Windows Security Log events collected by Microsoft System Center Operations Manager 2007 and 2012 Audit Collection Services | No | Yes | No |

Red Hat Enterprise Linux

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7 – 7.4
  • Red Hat Enterprise Linux 6.3 – 6.9

| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
| --- | --- | --- | --- |
| Linux Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |

Oracle Linux

  • Oracle Linux 8
  • Oracle Linux 7 – 7.4
  • Oracle Linux 6.3 – 6.9

| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
| --- | --- | --- | --- |
| Linux Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |

Ubuntu Linux

  • Ubuntu Linux 18.04

| Data sources | Real-time gathering | Task-based gathering | Real-time monitoring |
| --- | --- | --- | --- |
| Linux Syslog | No | Yes | Yes |
| Text logs of any format | No | Yes | No |
| Configuration files (modifications) | No | Yes | Yes |

VMware ESX and ESXi

  • VMware ESXi 6.7
  • VMware ESXi 6.5

| Data source | Real-time gathering | Task-based gathering | Real-time monitoring |
| --- | --- | --- | --- |
| VMware vCenter, ESX and ESXi events | No | Yes | No |

Trend Micro InterScan Web Security Virtual Appliance

  • Trend Micro InterScan Web Security Virtual Appliance 6.5

| Data source | Real-time gathering | Task-based gathering | Real-time monitoring |
| --- | --- | --- | --- |
| Syslog messages forwarded from virtual appliances to Linux hosts | No | Yes | Yes |