In this post I want to share with you some ideas around auditing in Orchestrator. When Orchestrator gets more and more integrated into your IT environment auditing and change control within Orchestrator also gets more important. In Orchestrator you have a couple of different ways to do this. You have the possible to enable audit trail. Audit trail is a number of text log files that contacts information about activities in runbooks and who started which runbook. Depending on how your runbooks are working the audit trail log files can grows very large and consumes a large amount of disk space. If you enable audit trail you should also plan how to archive and purge these log files. To enable or disable audit trail follow these steps
- On the Orchestrator management server open a command prompt and change folder to the Management Server folder in the Orchestrator installation folder , default C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator\Management Server
- Run “ATLC.EXE /enable” to enable audit trail or run “ATLC.EXE /disable” to disable audit trail
In the Orchestrator Runbook Designer you can also see some auditing information. In the console there is an Audit History tab for each runbook. In the Audit History tab you can see all changes to a runbook, for example who change the name of an activity. Below there is figure that show an example of Audit History information. The information shown in the Audit History tab is a mix of data from two tables in the Orchestrator database, the OBJECT_AUDIT table and the CHECK_IN_HISTORY table.
To review all changes to objects in the Orchestrator database, for example a new setting on a activity run the following SQL query against your Orchestrator database. Note that the SQL query only show objects that have DELETED equals “0”, the SQL query only show objects that are non-deleted. You can change this setting if you want to see changes also to objects that are deleted.
SELECT P.Name AS [Runbook Name], O.Name AS [Activity Name], OT.Name AS [Activity Type], OA.Action, CASE WHEN OA.Attribute LIKE '%[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]- [0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F] [0-F][0-F]%' THEN 'NEW ACTIVITY' ELSE OA.Attribute END AS Attribute, OA.OldValue, OA.NewValue, CIH.DateTime AS [Change Timestamp], S.Account AS [User] FROM OBJECT_AUDIT AS OA INNER JOIN OBJECTS AS O ON OA.ObjectID = O.UniqueID INNER JOIN POLICIES AS P ON O.ParentID = P.UniqueID INNER JOIN OBJECTTYPES AS OT ON OA.ObjectType = OT.UniqueID INNER JOIN CHECK_IN_HISTORY AS CIH ON CIH.UniqueID = OA.TransactionID INNER JOIN SIDS AS S ON CIH.CheckInUser = S.SID WHERE (O.Deleted = 0) ORDER BY [Change Timestamp] DESC
Thanks to Fanjoy and Ahrens for SQL query support.