
Real time gathering logs and realtime monitoring

Please explain Real-Time Gathering of logs and real-time log monitoring to me.

  • Hi mcsebala,

    The Real-Time Monitoring engine (RTM) provides alerting on events of different types that you consider critical on your systems. You need to bind a Rule (which events in which Log to analyse and what condition to apply to them), an Operator (to send an email), and a Site (with the list of computer names, or Domain, or LDAP query result) in one RTM Policy. A Rule is sent to Agents and starts the log analysis in accordance with its conditions. When the condition is met, the Agent sends a message to the Server and then the Server sends an email to the Operator. Examples of RTM alerts are "Group member added by unauthorized personnel on the DC", "Syslog.conf file modified on the Redhat Linux box", "Suspicious PowerShell activity detected on the Workstation", "Removable device attached on my Desktop" and tons of other predefined RTM alerts. To configure RTM you have to use the InTrust Manager console (ITM). You might want to create your own alerts based on existing ones or from scratch.

    Real-Time Gathering or Real-Time Collecting (RTC) is a simplified gathering mechanism for compliance. You need to create a Collection which binds a list of computer names (or Domains or LDAP query results) with a list of Log Names, and specify a storage which is called a Repository. A Repository is an archived folder with a big compression ratio and indexing/full-text search abilities. Under the hood RTC uses RTM by creating an internal rule "alert for any event in the log". The log cannot be filtered in any way. An example of RTC is "collect all Security, System, Application logs and track all User Sessions on all Windows computers in the OU, and keep the results in the Repository on our NAS for five years". To configure RTC you have to use the InTrust Deployment Manager (IDM) client application.
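    As an added illustration of the two mechanisms the answer describes (this is not InTrust's own code; the class names, event fields, authorized-account list and sample events below are constructed for this thread), here is a small Python model: an RTM policy binds a Rule, an Operator and a Site and raises an alert only when the rule's condition matches on a site member, while an RTC collection stores every event of the listed logs for the listed computers in the repository with no filtering at all.

```python
"""Toy model of RTM (rule-based alerting) vs. RTC (unfiltered collection).

Illustrative code written for this thread, not InTrust's implementation.
Event format, sample events and the AUTHORIZED set are constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, object]


@dataclass
class Rule:
    """Which log to analyse and what condition to apply to its events."""
    name: str
    log: str
    condition: Callable[[Event], bool]


@dataclass
class Operator:
    """Recipient of alert emails; the inbox stands in for real mail."""
    email: str
    inbox: List[str] = field(default_factory=list)

    def notify(self, text: str) -> None:
        self.inbox.append(text)


@dataclass
class Site:
    computers: Set[str]


@dataclass
class RtmPolicy:
    rule: Rule
    operator: Operator
    site: Site


def agent_evaluate(policy: RtmPolicy, events: List[Event]) -> List[str]:
    """Agent side: apply the rule to the rule's log on site members only."""
    alerts = []
    for ev in events:
        if ev["computer"] not in policy.site.computers:
            continue
        if ev["log"] != policy.rule.log:
            continue
        if policy.rule.condition(ev):
            alerts.append(f"{policy.rule.name} on {ev['computer']} "
                          f"(EventID {ev['event_id']}, subject {ev['subject']})")
    return alerts


def server_dispatch(policy: RtmPolicy, alerts: List[str]) -> int:
    """Server side: forward each agent message to the operator as an email."""
    for text in alerts:
        policy.operator.notify(text)
    return len(alerts)


@dataclass
class Repository:
    events: List[Event] = field(default_factory=list)


@dataclass
class Collection:
    computers: Set[str]
    logs: Set[str]
    repository: Repository


def rtc_collect(collection: Collection, events: List[Event]) -> int:
    """RTC: the internal rule is 'any event in the log', so nothing is filtered."""
    stored = 0
    for ev in events:
        if ev["computer"] in collection.computers and ev["log"] in collection.logs:
            collection.repository.events.append(ev)
            stored += 1
    return stored


# Constructed sample data (hypothetical hosts, accounts and events).
AUTHORIZED = {"svc_admin"}  # accounts allowed to change group membership
SAMPLE_EVENTS: List[Event] = [
    {"computer": "DC01", "log": "Security", "event_id": 4728, "subject": "jdoe"},
    {"computer": "DC01", "log": "Security", "event_id": 4728, "subject": "svc_admin"},
    {"computer": "WS01", "log": "Security", "event_id": 4624, "subject": "jdoe"},
    {"computer": "WS01", "log": "System", "event_id": 7045, "subject": "SYSTEM"},
    {"computer": "WS99", "log": "Security", "event_id": 4728, "subject": "jdoe"},
    {"computer": "DC01", "log": "Application", "event_id": 1000, "subject": "app"},
]


def run_demo() -> Tuple[List[str], int]:
    """Return (RTM alert texts, number of events RTC stored) for the sample data."""
    rule = Rule("Group member added by unauthorized personnel on the DC", "Security",
                lambda ev: ev["event_id"] == 4728 and ev["subject"] not in AUTHORIZED)
    policy = RtmPolicy(rule, Operator("secops@example.invalid"), Site({"DC01"}))
    alerts = agent_evaluate(policy, SAMPLE_EVENTS)
    server_dispatch(policy, alerts)

    collection = Collection({"DC01", "WS01"}, {"Security", "System"}, Repository())
    stored = rtc_collect(collection, SAMPLE_EVENTS)
    return alerts, stored


if __name__ == "__main__":
    demo_alerts, demo_stored = run_demo()
    print("RTM alerts:", demo_alerts)
    print("RTC stored events:", demo_stored)
```

    On the sample data the RTM policy raises one alert (the 4728 by a non-authorized account on DC01; the same event on WS99 is ignored because WS99 is not in the site), while the RTC collection stores four events, including the authorized change and the ordinary logon, because the collection cannot filter within a log.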

  • Thank you for the explanation.

    We have scheduled a task for collecting security logs. Every 4 hours the security logs are copied to the repository.

    Real-Time Gathering or Scheduled Task: which is the best method for collecting the logs in InTrust?

  • If you're already using Scheduled Task Gathering and have no problems and do not suffer from its "complexity" then maybe switching to RTC is not necessary. RTC was created to simplify the evaluation of InTrust for new users and strictly speaking has less functionality (no filtering during gathering).

  • So the two main advantages of RTC are relative ease of use and the fact that all events go directly to the Repository in real time. You choose.

    Dear Balasubramaniam, if you think your questions are answered please do not forget to mark your threads as finished by clicking "this helped me".

    Thank you.