In this post I want to share some ideas around auditing in Orchestrator. As Orchestrator becomes more integrated into your IT environment, auditing and change control within Orchestrator also become more important. Orchestrator gives you a couple of different ways to do this.

The first is the audit trail. The audit trail is a set of text log files that contain information about the activities in runbooks and about who started which runbook. Depending on how your runbooks work, the audit trail log files can grow very large and consume a lot of disk space, so if you enable the audit trail you should also plan how to archive and purge these log files. To enable or disable the audit trail, follow these steps:
- On the Orchestrator management server, open a command prompt and change to the Management Server folder in the Orchestrator installation folder (default: C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator\Management Server).
- Run "ATLC.EXE /enable" to enable the audit trail, or "ATLC.EXE /disable" to disable it.
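Since the audit trail is only useful if it survives long enough to be read, here is an added example (my own script, not part of the original post) of a PowerShell rotation job that zips audit trail files older than a short retention window into a timestamped archive, deletes the originals only after the archive verifiably exists, and purges archives beyond a longer retention window. The audit folder path, the archive location and the retention values are assumptions; check where ATLC.EXE actually writes on your server and adjust them.

```powershell
# Added example: rotate Orchestrator audit trail logs (not from the original post).
# Assumptions, adjust for your environment:
#   - audit trail files live under $AuditRoot (a 2012-era default; verify on your server)
#   - files older than $ArchiveAfterDays are zipped, archives older than $PurgeAfterDays are deleted
#   - the script runs (for example as a scheduled task) with rights to read and delete in $AuditRoot
param(
    [string]$AuditRoot        = 'C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit',
    [string]$ArchiveRoot      = 'D:\OrchestratorAuditArchive',
    [int]$ArchiveAfterDays    = 7,
    [int]$PurgeAfterDays      = 365,
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'
$now = Get-Date
if (-not (Test-Path -LiteralPath $ArchiveRoot)) {
    New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null
}

# 1. Select log files old enough to archive. ATLC writes plain text files, so LastWriteTime
#    is a reasonable "last activity" stamp; a file still being written will not be this old.
$cutoff = $now.AddDays(-$ArchiveAfterDays)
$toArchive = Get-ChildItem -LiteralPath $AuditRoot -File -Recurse |
    Where-Object { $_.LastWriteTime -lt $cutoff }

if ($toArchive) {
    # 2. One zip per run, named with a timestamp so archives never overwrite each other.
    $zip = Join-Path $ArchiveRoot ("audit-{0:yyyyMMdd-HHmmss}.zip" -f $now)
    if ($DryRun) {
        Write-Host "Would archive $($toArchive.Count) file(s) into $zip"
    } else {
        Compress-Archive -LiteralPath $toArchive.FullName -DestinationPath $zip
        # 3. Delete originals only once the archive exists and is non-empty, so a failed
        #    Compress-Archive never costs you audit evidence.
        if ((Test-Path -LiteralPath $zip) -and ((Get-Item -LiteralPath $zip).Length -gt 0)) {
            $toArchive | Remove-Item -Force
            Write-Host "Archived and removed $($toArchive.Count) file(s) -> $zip"
        } else {
            throw "Archive $zip is missing or empty; originals were left in place."
        }
    }
}

# 4. Purge archives that have passed the long retention window.
$purgeCutoff = $now.AddDays(-$PurgeAfterDays)
Get-ChildItem -LiteralPath $ArchiveRoot -Filter 'audit-*.zip' -File |
    Where-Object { $_.LastWriteTime -lt $purgeCutoff } |
    ForEach-Object {
        if ($DryRun) { Write-Host "Would purge $($_.FullName)" }
        else { Remove-Item -LiteralPath $_.FullName -Force; Write-Host "Purged $($_.FullName)" }
    }
```

Run it first with -DryRun to see what would be moved. For the archive to have any value as evidence, point $ArchiveRoot at a location that the Orchestrator service account and runbook authors cannot modify, otherwise anyone who can edit a runbook can also edit the record of having done so.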
In the Orchestrator Runbook Designer you can also see some auditing information. In the console there is an Audit History tab for each runbook. In the Audit History tab you can see all changes to a runbook, for example who changed the name of an activity. Below is a figure showing an example of Audit History information. The information shown in the Audit History tab is a mix of data from two tables in the Orchestrator database, the OBJECT_AUDIT table and the CHECK_IN_HISTORY table.
To review all changes to objects in the Orchestrator database, for example a new setting on an activity, run the following SQL query against your Orchestrator database. Note that the query only shows objects where DELETED equals 0, that is, objects that have not been deleted. Change or remove that condition if you also want to see changes to deleted objects.
```sql
-- Change history for non-deleted runbook activities, joined to the check-in that
-- committed each change and to the account that performed it.
SELECT
    P.Name  AS [Runbook Name],
    O.Name  AS [Activity Name],
    OT.Name AS [Activity Type],
    OA.Action,
    -- When Attribute holds a GUID, the audit row records the creation of a new activity
    CASE WHEN OA.Attribute LIKE '%[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]%'
         THEN 'NEW ACTIVITY'
         ELSE OA.Attribute
    END AS Attribute,
    OA.OldValue,
    OA.NewValue,
    CIH.DateTime AS [Change Timestamp],
    S.Account    AS [User]
FROM OBJECT_AUDIT AS OA
    INNER JOIN OBJECTS          AS O   ON OA.ObjectID     = O.UniqueID
    INNER JOIN POLICIES         AS P   ON O.ParentID      = P.UniqueID
    INNER JOIN OBJECTTYPES      AS OT  ON OA.ObjectType   = OT.UniqueID
    INNER JOIN CHECK_IN_HISTORY AS CIH ON CIH.UniqueID    = OA.TransactionID
    INNER JOIN SIDS             AS S   ON CIH.CheckInUser = S.SID
WHERE O.Deleted = 0   -- change to 1, or drop the filter, to include deleted objects
ORDER BY [Change Timestamp] DESC;
```
Thanks to Fanjoy and Ahrens for SQL query support.
I know this is an old post, but I will post mine anyway.
I have done some research in an Orchestrator 2019 environment and did find a way to get who started a RunBook, both from the Console and via the web service through PowerShell. In the SQL view [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs every job is logged, not with a username but with a SID, so you have to get the username using the SID against Active Directory.
Here is a very simple query for testing
```sql
SELECT RunbookId, CreatedBy, CreationTime, Parameters
FROM [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs
WHERE (CreationTime >= '2020-02-18')
ORDER BY CreationTime
```
This one is joined with another view to get RunBook name
```sql
SELECT
    J.CreatedBy    AS 'Job Created By',
    J.CreationTime AS 'Job Creation Time',
    J.Status       AS 'Job Status',
    J.Parameters   AS 'Job Parameters',
    R.Name         AS 'RunBook Name'
FROM [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs AS J
    INNER JOIN [Microsoft.SystemCenter.Orchestrator].Runbooks AS R
        ON J.RunbookId = R.Id
```
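The comment above stops at the SID; the remaining step is to turn CreatedBy into an account name. The following PowerShell script is an added example (mine, not from the post or the commenter) that runs the same Jobs/Runbooks join with a parameterised date filter and resolves each distinct SID once through .NET's SecurityIdentifier.Translate, keeping unresolvable SIDs (deleted accounts, foreign domains) visible rather than dropping the row. The SQL server name, database name and the use of Windows authentication from the current session are assumptions.

```powershell
# Added example (not from the original post or comments): who started which runbook,
# with the CreatedBy SID from the Jobs view resolved to an account name.
# Assumptions: the Orchestrator database is reachable with Windows authentication from
# this session (server and database names below are placeholders), the views
# [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs and [Microsoft.SystemCenter.Orchestrator].Runbooks
# exist as in the comment above, and this account can translate SIDs against the domain.
param(
    [string]$SqlServer = 'SCORCHSQL01',
    [string]$Database  = 'Orchestrator',
    [datetime]$Since   = (Get-Date).AddDays(-7)
)

$query = @"
SELECT R.Name AS RunbookName, J.CreatedBy, J.CreationTime, J.Status, J.Parameters
FROM [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs AS J
    INNER JOIN [Microsoft.SystemCenter.Orchestrator].Runbooks AS R ON J.RunbookId = R.Id
WHERE J.CreationTime >= @since
ORDER BY J.CreationTime
"@

# Encrypt=True needs a certificate the client trusts on the SQL instance; relax it only if you must.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;Encrypt=True")
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query
$cmd.Parameters.AddWithValue('@since', $Since) | Out-Null   # parameter, never string concatenation

$table = New-Object System.Data.DataTable
$conn.Open()
try   { $table.Load($cmd.ExecuteReader()) }
finally { $conn.Close() }

# The same few SIDs recur across thousands of jobs, so resolve each one only once.
$sidCache = @{}
function Resolve-Sid([string]$sid) {
    if ([string]::IsNullOrWhiteSpace($sid)) { return '<none>' }
    if ($sidCache.ContainsKey($sid))        { return $sidCache[$sid] }
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted account, untrusted domain, or not a SID at all: keep the raw value
        # so the gap shows up in the report instead of silently disappearing.
        $name = "UNRESOLVED($sid)"
    }
    $sidCache[$sid] = $name
    return $name
}

$table | ForEach-Object {
    [pscustomobject]@{
        Runbook    = $_.RunbookName
        StartedBy  = Resolve-Sid $_.CreatedBy
        Started    = $_.CreationTime
        Status     = $_.Status
        Parameters = $_.Parameters
    }
} | Sort-Object Started | Format-Table -AutoSize
```

Keep in mind the caveat in the next comment: a job started from the web console is recorded under the web service's service account, so StartedBy identifies the human only for jobs started from the Runbook Designer or directly through the web service as that user.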
Hi, auditing runbook actions that are started in the web console is difficult. It is the web service's service account that will be visible in the logs, not the user who logged on to the web console and clicked start/stop. Instead you have to check the web site logs to see who was logged on to the web console at that moment.
"ATLC.EXE" has been enabled and log files are now being generated in C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit; however, no ManagementService logs are created when running a runbook from the Web console. It seems the only logs being created are when runbooks are run through the Runbook Designer.
Am I missing something?
EVERYONE points to this one post and I am sick of it. I wish someone who points to this post would first try it. I have wasted hours and hours thinking it must be me. I must be doing something wrong. Please stop pointing to this to see who launched a runbook as it does NOT work. I have tried this same thing too many times to believe it does. Really, Microsoft never thought, hey, a 101 basic function would be to see who launched a runbook. Pitiful! Yes, I am tired.