Who Did That? Auditing in Orchestrator

Posted: 4th May 2012 by Anders Bengtsson in Orchestrator

In this post I want to share some ideas around auditing in Orchestrator. As Orchestrator becomes more integrated into your IT environment, auditing and change control within Orchestrator also become more important. Orchestrator gives you a couple of different ways to do this. One option is to enable the audit trail. The audit trail is a set of text log files that contain information about activities in runbooks and who started which runbook. Depending on how your runbooks work, the audit trail log files can grow very large and consume a large amount of disk space. If you enable the audit trail, you should also plan how to archive and purge these log files. To enable or disable the audit trail, follow these steps:

  1. On the Orchestrator management server, open a command prompt and change to the Management Server folder in the Orchestrator installation folder. The default is C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator\Management Server
  2. Run “ATLC.EXE /enable” to enable the audit trail, or run “ATLC.EXE /disable” to disable it

Audit trail log files are written to the C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit folder. In the Audit folder there are two subfolders that are used for audit logs, ManagementService and PolicyModule. The ManagementService folder stores log files that record the date, runbook server, user and which runbook was started. The PolicyModule folder stores log files that record details about each activity in each runbook that is executed. Below are a couple of screenshots of these log files.

More info about modifying trace log settings is available at MSDN. Trace log settings are controlled in the registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger. Each component of Orchestrator has a set of registry values where you can configure the level of log detail. At the MSDN link you can read how to enable logging for more components in Orchestrator and how to set the level of detail for each component.
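
The archive-and-purge planning mentioned above, as an added PowerShell example that is not part of the original post: it zips files older than a retention period from the two audit subfolders, records a SHA-256 hash of each archive, and only then deletes the originals. The archive destination D:\OrchestratorAuditArchive and the 30-day retention are assumptions; the script needs PowerShell 5.0 or later for Compress-Archive.

```powershell
# Added example: archive and purge Orchestrator audit trail logs.
# $ArchiveRoot and $RetentionDays are assumptions; set them to match your retention policy.
param(
    [string]$AuditRoot     = 'C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit',
    [string]$ArchiveRoot   = 'D:\OrchestratorAuditArchive',   # hypothetical destination
    [int]   $RetentionDays = 30                               # hypothetical retention period
)

# Stop on the first error so nothing is deleted after a failed archive step.
$ErrorActionPreference = 'Stop'
$cutoff = (Get-Date).AddDays(-$RetentionDays)
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

if (-not (Test-Path -LiteralPath $ArchiveRoot)) {
    New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null
}

foreach ($sub in 'ManagementService', 'PolicyModule') {
    $folder = Join-Path $AuditRoot $sub
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    # Select only files not written since the cutoff, so active logs are left alone.
    $old = @(Get-ChildItem -LiteralPath $folder -File |
             Where-Object { $_.LastWriteTime -lt $cutoff })
    if ($old.Count -eq 0) { continue }

    $zip = Join-Path $ArchiveRoot "$sub-$stamp.zip"
    Compress-Archive -LiteralPath $old.FullName -DestinationPath $zip

    # Record a SHA-256 of the archive so later modification can be detected.
    $hash = Get-FileHash -LiteralPath $zip -Algorithm SHA256
    "$($hash.Hash)  $(Split-Path $zip -Leaf)" |
        Add-Content -LiteralPath (Join-Path $ArchiveRoot 'SHA256SUMS.txt')

    # Purge the originals only after the archive exists and is non-empty.
    if ((Get-Item -LiteralPath $zip).Length -gt 0) {
        $old | Remove-Item -Force
        Write-Output "Archived and purged $($old.Count) file(s) from $folder to $zip"
    }
}
```

Compress-Archive cannot handle individual files larger than 2 GB, so schedule the script often enough that single log files stay below that size. Restrict write access on the archive folder so the people whose actions are logged cannot alter the archived logs or the hash list.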

 

In the Orchestrator Runbook Designer you can also see some auditing information. In the console there is an Audit History tab for each runbook. In the Audit History tab you can see all changes to a runbook, for example who changed the name of an activity. Below is a figure that shows an example of Audit History information. The information shown in the Audit History tab is a mix of data from two tables in the Orchestrator database, the OBJECT_AUDIT table and the CHECK_IN_HISTORY table.

 

To review all changes to objects in the Orchestrator database, for example a new setting on an activity, run the following SQL query against your Orchestrator database. Note that the query only shows objects where Deleted equals “0”, that is, objects that are not deleted. You can change this condition if you also want to see changes to deleted objects.

-- Changes to non-deleted objects, newest first
SELECT P.Name AS [Runbook Name], O.Name AS [Activity Name], OT.Name AS [Activity Type], OA.Action,
 -- Show 'NEW ACTIVITY' when the Attribute value contains a GUID (the pattern must stay on one line)
 CASE WHEN OA.Attribute LIKE '%[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]%'
 THEN 'NEW ACTIVITY' ELSE OA.Attribute END AS Attribute, OA.OldValue, OA.NewValue,
 CIH.DateTime AS [Change Timestamp], S.Account AS [User]
FROM OBJECT_AUDIT AS OA INNER JOIN
 OBJECTS AS O ON OA.ObjectID = O.UniqueID INNER JOIN
 POLICIES AS P ON O.ParentID = P.UniqueID INNER JOIN
 OBJECTTYPES AS OT ON OA.ObjectType = OT.UniqueID INNER JOIN
 CHECK_IN_HISTORY AS CIH ON CIH.UniqueID = OA.TransactionID INNER JOIN
 SIDS AS S ON CIH.CheckInUser = S.SID
WHERE (O.Deleted = 0)
ORDER BY [Change Timestamp] DESC

 

Thanks to Fanjoy and Ahrens for SQL query support.
