{"id":2980,"date":"2012-05-04T11:23:28","date_gmt":"2012-05-04T09:23:28","guid":{"rendered":"http:\/\/contoso.se\/blog\/?p=2980"},"modified":"2012-05-04T11:23:28","modified_gmt":"2012-05-04T09:23:28","slug":"who-did-that-auditing-in-orchestrator","status":"publish","type":"post","link":"http:\/\/contoso.se\/blog\/?p=2980","title":{"rendered":"Who Did That? Auditing in Orchestrator"},"content":{"rendered":"<p>In this post I want to share some ideas around auditing in Orchestrator. As Orchestrator becomes more integrated into your IT environment, auditing and change control within Orchestrator also become more important. Orchestrator gives you a couple of different ways to do this. You can enable the audit trail. The audit trail is a set of text log files that contain information about activities in runbooks and who started which runbook. Depending on how your runbooks work, the audit trail log files can grow very large and consume a large amount of disk space. If you enable the audit trail you should also plan how to archive and purge these log files. To enable or disable the audit trail, follow these steps:<\/p>\n<ol>\n<li>On the Orchestrator management server, open a command prompt and change to the Management Server folder in the Orchestrator installation folder, by default C:\\Program Files (x86)\\Microsoft System Center 2012\\Orchestrator\\Management Server<\/li>\n<li>Run &#8220;ATLC.EXE \/enable&#8221; to enable the audit trail, or run &#8220;ATLC.EXE \/disable&#8221; to disable it<\/li>\n<\/ol>\n<div>Audit trail log files are written to the C:\\ProgramData\\Microsoft System Center 2012\\Orchestrator\\Audit folder. In the Audit folder there are two subfolders that are used for audit logs, ManagementService and PolicyModule. The ManagementService folder stores log files that record the date, runbook server, user and which runbook was started. 
The PolicyModule folder stores log files that record details about each activity in each runbook that is executed. Below are a couple of screenshots of these log files. More information about modifying trace log settings is available at <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/hh508839.aspx\">MSDN<\/a>. Trace log settings are controlled in the registry under the key HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SystemCenter2012\\Orchestrator\\TraceLogger. Each component of Orchestrator has a set of registry values where you can configure the level of log detail. At the MSDN link you can read how to enable logging for more components in Orchestrator and also how to set the level of detail for each component.<\/div>\n<div><\/div>\n<div><\/div>\n<div><a href=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing01.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-2990\" title=\"20120504_Auditing01\" src=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing01-300x105.jpg\" alt=\"\" width=\"300\" height=\"105\" srcset=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing01-300x105.jpg 300w, http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing01.jpg 456w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/div>\n<div><\/div>\n<div><a href=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing02.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-2991\" title=\"20120504_Auditing02\" src=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing02-300x20.jpg\" alt=\"\" width=\"300\" height=\"20\" srcset=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing02-300x20.jpg 300w, http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing02-1024x71.jpg 1024w, 
http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing02.jpg 1221w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/div>\n<p>&nbsp;<\/p>\n<p>In the Orchestrator Runbook Designer you can also see some auditing information. In the console there is an Audit History tab for each runbook. In the Audit History tab you can see all changes to a runbook, for example who changed the name of an activity. The figure below shows an example of Audit History information. The information shown in the Audit History tab is a mix of data from two tables in the Orchestrator database, the OBJECT_AUDIT table and the CHECK_IN_HISTORY table.<\/p>\n<p><a href=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing03.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-2998\" title=\"20120504_Auditing03\" src=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing03-287x300.jpg\" alt=\"\" width=\"287\" height=\"300\" srcset=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing03-287x300.jpg 287w, http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing03.jpg 567w\" sizes=\"(max-width: 287px) 100vw, 287px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>To review all changes to objects in the Orchestrator database, for example a new setting on an activity, run the following SQL query against your Orchestrator database. Note that the SQL query only shows objects where DELETED equals &#8220;0&#8221;, that is, objects that are not deleted. 
You can change this filter if you also want to see changes to objects that are deleted.<\/p>\n<pre>-- Change history for non-deleted runbook activities, newest first\r\nSELECT P.Name AS [Runbook Name], O.Name AS [Activity Name], OT.Name AS [Activity Type], OA.Action,\r\n-- An Attribute value containing a GUID is reported as 'NEW ACTIVITY'\r\nCASE WHEN OA.Attribute LIKE '%[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]%'\r\n THEN 'NEW ACTIVITY' ELSE OA.Attribute END AS Attribute, OA.OldValue, OA.NewValue, CIH.DateTime AS\r\n [Change Timestamp], S.Account AS [User]\r\nFROM OBJECT_AUDIT AS OA INNER JOIN\r\n OBJECTS AS O ON OA.ObjectID = O.UniqueID INNER JOIN\r\n POLICIES AS P ON O.ParentID = P.UniqueID INNER JOIN\r\n OBJECTTYPES AS OT ON OA.ObjectType = OT.UniqueID INNER JOIN\r\n CHECK_IN_HISTORY AS CIH ON CIH.UniqueID = OA.TransactionID INNER JOIN\r\n SIDS AS S ON CIH.CheckInUser = S.SID\r\nWHERE (O.Deleted = 0)\r\nORDER BY [Change Timestamp] DESC<\/pre>\n<pre><a href=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing04.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3005\" title=\"20120504_Auditing04\" src=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing04-300x75.jpg\" alt=\"\" width=\"300\" height=\"75\" srcset=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing04-300x75.jpg 300w, http:\/\/contoso.se\/blog\/wp-content\/uploads\/2012\/05\/20120504_Auditing04.jpg 990w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/pre>\n<p>&nbsp;<\/p>\n<p>Thanks to Fanjoy and Ahrens for SQL query support.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post I want to share some ideas around auditing in Orchestrator. As Orchestrator becomes more integrated into your IT environment, auditing and change control within Orchestrator also become more important. 
Orchestrator gives you a couple of different ways to do this. You can enable the audit trail. &hellip; <a href=\"http:\/\/contoso.se\/blog\/?p=2980\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[60],"tags":[],"_links":{"self":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2980"}],"collection":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2980"}],"version-history":[{"count":33,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2980\/revisions"}],"predecessor-version":[{"id":3017,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2980\/revisions\/3017"}],"wp:attachment":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2980"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}