Introduction
The tags beginning with box.win_intrust identify Windows event logs generated by Quest InTrust.
Valid tags and data tables
The full tag must have at least 2 levels. The first two are fixed as box.win_intrust. The third level identifies the type of events sent.
Technology | Brand | Type |
|---|---|---|
box | win_intrust |
|
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
box.win_intrust | box.win_intrust |
box.win_intrust.application | box.win_intrust.application |
| box.win_intrust.security | box.win_intrust.security |
| box.win_intrust.system | box.win_intrust.system |
| box.win_intrust.other | box.win_intrust.other |
| box.win_intrust.invalid | box.win_intrust.invalid |
How is the data sent to Devo?
Windows logs generated by InTrust must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
Relay rule 1
Source port → Enter the required free port
Source data → gatheringEventLog\”\s?:\s?\”(Security|Application|System)
Target tag → box.win_intrust.\\D1
Select the Stop processing and Is prefix checkboxes
Relay rule 2
Source port → Enter the required free port
Target message → box.win_intrust.other
Select the Stop processing and Is prefix checkboxes
Log samples
The following are sample logs sent to each of the box.win_intrust data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.