Repository Viewer "Search" versus gathering and storing in Audit Database

Today we are storing security events in a repository.  We then have a search set up each night to grab logon info for the previous day.  This has been working for a couple of years, and gives us the info we need.  However, the only option is to store this in a CSV/PDF, which doesn't give us a lot of options for storage or enhancing the report.  Currently we pull user ID information out of the report and query AD for more information on said user.  A manual process that we want to automate.  In addition, we'd like to utilize PowerBI to build reports off of this information.  Having a CSV works, but not for a nightly report since the file name changes on each report.

I started looking at using the InTrust Manager for a gathering rule that would write to the database.  I wouldn't necessarily need the data to stay there if I could get what I want from the table as I know over time this database would get very large.  However, I am not seeing nearly the amount of data in the table from the gathering rule that I see when the same events are stored in the repository.  So on the surface this doesn't seem to be a good option.

Is there a way to write the Repository Viewer search data to a SQL table? 

Do the gathering policies in InTrust Manager collect less detailed information than what is stored in the repositories for Security events?  If the answer is "No", then I must not be doing something correctly with the gathering policy.  

I am VERY new to this InTrust product, so I am not positive I am doing everything correctly.  I know there is an SRS option, and at this point we don't have it enabled.  I don't know that it would help us for 2 reasons: 1) the lack of detail from the security events, and 2) the need to have Active Directory information added to our reports.

What we have today in our report from Repository Viewer:  

Date, Type, Who, Computer, Logon Type, Where From

Type is "success audit", Who is user ID, where from is an IP address....all of this info comes from the event in the repository.  

Hopefully this makes sense and someone knows if we have any options. 

  • You should definitely be able to get the level of detail you are looking for using data "exported" to SQL.

    I'm not sure if you have considered Quest's Enterprise Reporter product but data mining the information it collects from AD and combining that with the InTrust data would be a sweet solution.

    Alternatively, you could add some custom tables to the InTrust audit databases to cache some AD object information collected with PowerShell and then generate a "rich" report off that.

    SSRS is a nice option if you don't mind the learning curve to get it set up.

    If any of this is of interest, I would suggest you approach your Quest rep to get some services help with achieving what you need.  He / she could recommend a qualified Partner or Quest's own Professional Services to help you out.
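
An added example, not part of the original thread and not Quest code: a PowerShell sketch that automates the manual step described in the question by taking the newest nightly CSV, looking up each user ID in AD once, and writing the enriched rows to a fixed file name that Power BI can point at. The folder paths and the assumption that the CSV headers match the report columns listed in the question are hypothetical; it uses only `Get-ADUser` from the ActiveDirectory module and no InTrust API.

```powershell
# Added example: enrich the nightly Repository Viewer CSV with AD attributes.
# Assumed (not from the thread): folder paths, and that the CSV headers are
# Date, Type, Who, Computer, Logon Type, Where From.
Import-Module ActiveDirectory

$ReportDir = 'D:\Reports\Logons'                    # assumed export folder
$OutFile   = 'D:\Reports\PowerBI\logons_latest.csv' # fixed name for Power BI

# The nightly export changes its file name, so take the newest CSV.
$latest = Get-ChildItem -Path $ReportDir -Filter *.csv |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No CSV report found in $ReportDir" }

$adCache = @{}   # one AD lookup per distinct user ID

function Get-CachedAdUser([string]$Who) {
    # Reduce DOMAIN\user to the sAMAccountName.
    $sam = ($Who -split '\\')[-1].Trim()
    if (-not $sam) { return $null }
    if (-not $adCache.ContainsKey($sam)) {
        $safe = $sam.Replace("'", "''")   # escape quotes for the AD filter
        $adCache[$sam] = Get-ADUser -Filter "SamAccountName -eq '$safe'" `
            -Properties DisplayName, Department, Title |
            Select-Object -First 1
    }
    return $adCache[$sam]
}

Import-Csv -Path $latest.FullName | ForEach-Object {
    $u = Get-CachedAdUser $_.Who
    [pscustomobject]@{
        Date        = $_.Date
        Type        = $_.Type
        Who         = $_.Who
        Computer    = $_.Computer
        LogonType   = $_.'Logon Type'
        WhereFrom   = $_.'Where From'
        DisplayName = $u.DisplayName
        Department  = $u.Department
        Title       = $u.Title
        Enabled     = $u.Enabled
        InAD        = [bool]$u     # false = ID not found in AD; worth reviewing
    }
} | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

The `InAD` and `Enabled` columns make logons by unknown or disabled accounts easy to filter in the report; the same rows could instead be loaded into a custom SQL table, as the reply suggests.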
