How to purge an Event ID in an existing Repository?

Hi,

Our InTrust server is consuming data at an exponential rate, largely because we are logging Event ID 4663, which results in A LOT of logs.

I'm new to InTrust, so I'm not sure how I can (a) purge the existing repository of these events to reclaim the disk space, or (b) change the audit rules to stop collecting these events.

Can someone help? Thanks.

Sincerely,

Patrick Wong

  • Hi Patrick,

    Could you provide more information on the size of the repository and its growth rate? Usually, the repository should deduplicate and compress well-known security events like 4663 quite well, so removing them from the repository will not reclaim a lot of space. Did you enable 4663 via the group policy? Also, did you do this with default settings, or were additional files set to produce audit information? Do you see a lot of events from a File Server or from all of your servers?

    There is a way to do a clean-up, but only based on the data age; data could also be consolidated into an archival repository elsewhere. Real-time collection rules do not have filters and collect everything the OS pushes to the agent. I believe there should be a way to reduce the number of audit events by changing the GPO policy. Is there a specific use case you want these events for?

  • Sure Sergey.

    Our repository is currently at 2 TB, and it is consuming about 200 GB of data every 2 weeks or so. I'm not sure how to tell if we enabled 4663 in the group policy, and I'm sure we used default settings.

    Right now we are looking for any and all ways to slow down the data growth rate. We went down the path of 4663 because we saw that over half of the events collected were this event from our Windows servers. We don't see this problem in our other repositories (i.e. File Server), only in our Windows Server repository.

    Patrick

  • Hi Patrick,

    Could you use the attached repository info tool to get information about the volume of events in the repository? Just download and unpack RepositoryInfoCounter.exe on the InTrust server, then navigate to the folder with the tool using CMD or PowerShell. Here is an example of how to use it (-v for verbosity, -m 0 to aggregate by Event ID, -r 24 to look at just the past 24 hours). I used the default repository as an example, so make sure to change it to your repository path.

    PowerShell: ./RepositoryInfoCounter.exe -v -m 0 -r 24 "C:\Program Files (x86)\Quest\InTrust\Server\InTrust\Repositories\Default"

    CMD: RepositoryInfoCounter.exe -v -m 0 -r 24 "C:\Program Files (x86)\Quest\InTrust\Server\InTrust\Repositories\Default"

    Keep in mind that it can take some time, depending on the number of events in the specified timeframe (24 hours), disk IOPS and the number of CPU cores.

    RepositoryInfoCounter.zip
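The same kind of per-Event-ID breakdown can be taken directly from one server's Security log before any data reaches the repository, which helps answer the earlier questions about whether 4663 is coming from one File Server or from all Windows servers, and whether the File System audit subcategory is enabled at all. The script below is an added example written for this thread; it is not Quest's RepositoryInfoCounter tool and does not read the InTrust repository. The `$Hours` and `$ComputerName` parameters, the top-N limits, and the property index used for ObjectName are assumptions of this example.

```powershell
# Added example (not part of this thread or of Quest's tool): aggregate the Security
# log of one server by Event ID over the past N hours, similar in spirit to
# "RepositoryInfoCounter.exe -m 0 -r 24", then drill into 4663 and check the audit
# policy that produces it. Run from an elevated PowerShell session.
param(
    [int]$Hours = 24,                            # assumption: 24-hour window, as in the thread
    [string]$ComputerName = $env:COMPUTERNAME    # assumption: local server by default
)

$since = (Get-Date).AddHours(-$Hours)

# FilterHashtable filters inside the event log service, which is far cheaper than
# pulling every record and piping it through Where-Object.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    StartTime = $since
} -ErrorAction SilentlyContinue

$total = ($events | Measure-Object).Count
Write-Host "Security events on $ComputerName in the last $Hours h: $total"

# Top Event IDs by count and share of the total; this is the "-m 0" view.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 15 `
        @{ n = 'EventId'; e = { $_.Name } },
        Count,
        @{ n = 'Percent'; e = { [math]::Round(100 * $_.Count / [math]::Max($total, 1), 1) } } |
    Format-Table -AutoSize

# Which objects generate the 4663 noise? ObjectName is the 7th EventData field
# (index 6) in the 4663 template; this index is an assumption, so verify it with
# ($events | Where-Object Id -eq 4663 | Select-Object -First 1).ToXml() before relying on it.
$events |
    Where-Object Id -eq 4663 |
    ForEach-Object { $_.Properties[6].Value } |
    Group-Object |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize

# 4663 is produced by the "File System" subcategory of Object Access auditing.
# If it shows Success and Failure on servers that do not need file auditing, that
# advanced audit policy setting (in GPO) is the place to reduce the volume.
auditpol /get /subcategory:"File System"
```

On a server that really is logging 4663 at the rate described in the thread, the first query can hold a large number of records in memory; run it over a shorter window (for example `-Hours 1`) to get the ratio without waiting, since the share of 4663 is what matters here rather than the absolute count. The object breakdown is what tells you whether a handful of paths carry a system access control list (SACL) that is broader than intended, which is usually a cheaper fix than turning the subcategory off everywhere.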

  • Thanks Sergey. I'll work with my team to install this tool and do some analysis on the repository.
