
Who Did That? Auditing in Orchestrator

In this post I want to share some ideas around auditing in Orchestrator. As Orchestrator gets more and more integrated into your IT environment, auditing and change control within Orchestrator also become more important. Orchestrator gives you a couple of different ways to do this. One is to enable the audit trail. The audit trail is a set of text log files that contain information about the activities in runbooks and about who started which runbook. Depending on how your runbooks work, the audit trail log files can grow very large and consume a large amount of disk space, so if you enable the audit trail you should also plan how to archive and purge these log files. To enable or disable the audit trail, follow these steps:

  1. On the Orchestrator management server, open a command prompt and change to the Management Server folder in the Orchestrator installation folder (default C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator\Management Server).
  2. Run “ATLC.EXE /enable” to enable the audit trail, or “ATLC.EXE /disable” to disable it.
Audit trail log files are written to the C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit folder. Inside the Audit folder there are two sub folders used for audit logs, ManagementService and PolicyModule. The ManagementService folder stores log files that record the date, the runbook server, the user and which runbook was started. The PolicyModule folder stores log files that record details about each activity in each runbook that is executed. Below are a couple of screenshots of these log files.

There is more information about modifying trace log settings on MSDN. Trace log settings are controlled in the registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger. Each component of Orchestrator has a set of registry values where you can configure the level of log detail. The MSDN article describes how to enable logging for more Orchestrator components and how to set the level of detail for each component.
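The steps above (enable the trail with ATLC.EXE, watch the two audit folders, plan archiving and purging, and review the TraceLogger registry key) as one PowerShell script. This is an added example, not code from the original post or from Microsoft: the folder paths, the ATLC.EXE switches and the registry key are the ones named in the post; the archive location, the 30-day retention and the zip naming are assumptions of this script, and it needs PowerShell 5.1 or later for Compress-Archive.

```powershell
# Added example, not code from the original post: audit-trail housekeeping for
# System Center 2012 Orchestrator. Folder paths, ATLC.EXE switches and the
# TraceLogger registry key come from the post; $ArchiveRoot, the retention
# period and the zip naming are this script's own assumptions.
#Requires -RunAsAdministrator

$MgmtServerDir  = 'C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator\Management Server'
$AuditRoot      = 'C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit'
$AuditFolders   = 'ManagementService', 'PolicyModule'
$ArchiveRoot    = 'D:\OrchestratorAuditArchive'   # assumed; ideally a share the Orchestrator service account cannot delete from
$TraceLoggerKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger'

function Set-OrchAuditTrail {
    # Wraps "ATLC.EXE /enable" and "ATLC.EXE /disable" from the post.
    param([Parameter(Mandatory)][ValidateSet('enable', 'disable')][string]$State)
    & (Join-Path $MgmtServerDir 'ATLC.EXE') "/$State"
}

function Get-OrchAuditLogSummary {
    # File count, size and oldest file per audit folder: the numbers you need
    # to pick a retention period before the trail fills the system drive.
    foreach ($sub in $AuditFolders) {
        $files = @(Get-ChildItem -Path (Join-Path $AuditRoot $sub) -File -ErrorAction SilentlyContinue)
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Folder = $sub
            Files  = $files.Count
            SizeMB = [math]::Round([double]$bytes / 1MB, 2)
            Oldest = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        }
    }
}

function Invoke-OrchAuditLogArchive {
    # Zips audit files older than $RetainDays into $ArchiveRoot and deletes the
    # originals only after the archive exists. The file currently being written
    # is never older than the cutoff, so it is left alone.
    param([int]$RetainDays = 30, [switch]$DryRun)
    $cutoff = (Get-Date).AddDays(-$RetainDays)
    foreach ($sub in $AuditFolders) {
        $old = @(Get-ChildItem -Path (Join-Path $AuditRoot $sub) -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.LastWriteTime -lt $cutoff })
        if ($old.Count -eq 0) { continue }
        $zip = Join-Path $ArchiveRoot ('{0}-{1:yyyyMMdd}.zip' -f $sub, (Get-Date))
        if ($DryRun) {
            Write-Host ('Would archive {0} {1} file(s) to {2}' -f $old.Count, $sub, $zip)
            continue
        }
        New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null
        Compress-Archive -Path $old.FullName -DestinationPath $zip -Update
        if (Test-Path $zip) { $old | Remove-Item -Force }
    }
}

function Get-OrchTraceLoggerSettings {
    # Dumps the TraceLogger key and every subkey beneath it so the current
    # per-component logging levels can be reviewed before changing them.
    $keys = @(Get-Item -Path $TraceLoggerKey -ErrorAction Stop) + @(Get-ChildItem -Path $TraceLoggerKey -Recurse)
    foreach ($key in $keys) {
        $values = Get-ItemProperty -Path $key.PSPath
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSChildName, ...)
            [pscustomobject]@{ Key = $key.PSChildName; Name = $prop.Name; Value = $prop.Value }
        }
    }
}

# Typical use:
# Set-OrchAuditTrail -State enable
Get-OrchAuditLogSummary     | Format-Table -AutoSize
Invoke-OrchAuditLogArchive -RetainDays 30 -DryRun
Get-OrchTraceLoggerSettings | Format-Table -AutoSize
```

Run the archive function with -DryRun first to see what would move. Because the audit trail is the record of who ran what, the archive target should be a location the Orchestrator service account and the runbook authors cannot write to; otherwise anyone who can edit a runbook can also tidy up the evidence.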

 

In the Orchestrator Runbook Designer you can also see some auditing information. In the console there is an Audit History tab for each runbook. In the Audit History tab you can see all changes to a runbook, for example who changed the name of an activity. Below is a figure that shows an example of Audit History information. The information shown in the Audit History tab is a mix of data from two tables in the Orchestrator database, the OBJECT_AUDIT table and the CHECK_IN_HISTORY table.

 

To review all changes to objects in the Orchestrator database, for example a new setting on an activity, run the following SQL query against your Orchestrator database. Note that the query only returns objects whose Deleted column equals 0, that is, objects that have not been deleted. Remove or change the WHERE clause if you also want to see changes to deleted objects.

-- Change history for non-deleted runbook activities, newest change first.
-- An Attribute value that looks like a GUID means the activity itself was created,
-- so it is reported as 'NEW ACTIVITY' instead of a single attribute change.
SELECT P.Name AS [Runbook Name],
       O.Name AS [Activity Name],
       OT.Name AS [Activity Type],
       OA.Action,
       CASE WHEN OA.Attribute LIKE '%[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F]-[0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F][0-F]%'
            THEN 'NEW ACTIVITY' ELSE OA.Attribute END AS Attribute,
       OA.OldValue,
       OA.NewValue,
       CIH.DateTime AS [Change Timestamp],
       S.Account AS [User]
FROM OBJECT_AUDIT AS OA
     INNER JOIN OBJECTS AS O ON OA.ObjectID = O.UniqueID
     INNER JOIN POLICIES AS P ON O.ParentID = P.UniqueID
     INNER JOIN OBJECTTYPES AS OT ON OA.ObjectType = OT.UniqueID
     INNER JOIN CHECK_IN_HISTORY AS CIH ON CIH.UniqueID = OA.TransactionID
     INNER JOIN SIDS AS S ON CIH.CheckInUser = S.SID
WHERE O.Deleted = 0          -- drop this line to include deleted objects
ORDER BY [Change Timestamp] DESC

 

Thanks to Fanjoy and Ahrens for SQL query support.


5 Comments

  1. I know this is an old post, but I will post mine anyway.
    I have done some research in an Orchestrator 2019 environment and did find a way to get who started a runbook, both from the Console and the web service via PowerShell. In the SQL view [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs every job is logged, not with a username but with a SID, so you have to get the username using the SID against Active Directory.

    Here is a very simple query for testing

    SELECT RunbookId, CreatedBy, CreationTime, Parameters
    FROM [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs
    WHERE (CreationTime >= '2020-02-18')
    ORDER BY CreationTime

    This one is joined with another view to get RunBook name

    SELECT J.CreatedBy AS 'Job Created By', J.CreationTime AS 'Job Creation Time', J.Status AS 'Job Status',
           J.Parameters AS 'Job Parameters', R.Name AS 'RunBook Name'
    FROM [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs AS J INNER JOIN
         [Microsoft.SystemCenter.Orchestrator].Runbooks AS R ON J.RunbookId = R.Id

  2. Hi, auditing runbook actions that are started in the web console is difficult. It is the web service's service account that will be visible in the logs, not the user that logged on to the web console and clicked start/stop. Instead you have to check the web site logs to see who logged on to the web console at that moment.

  3. “ATLC.EXE” has been enabled and log files are now being generated in C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit, however no ManagementService logs are created when running a runbook from the Web console. It seems the only logs being created are when runbooks are run through the Runbook Designer.

    Am I missing something?

  4. EVERYONE points to this one post and I am sick of it. I wish someone that points to this post would first try it. I have wasted hours and hours thinking it must be me. I must be doing something wrong. Please stop pointing to this to see who launched a runbook as it does NOT work. I have tried this same thing too many times to believe it does. Really, Microsoft never thought hey, a 101 basic function would be to see who launched a runbook. Pitiful! Yes I am tired.
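Comments 1 and 2 together describe the practical way to answer "who started this runbook": read the Jobs view, translate the SID in CreatedBy to an account name, and treat jobs created by the web service's account as "started from the web console, check the IIS logs". The PowerShell below does that. It is an added example, not code from the post or from any of the commenters; it builds on the Jobs and Runbooks views named in comment 1 and assumes, as that comment states, that Jobs.CreatedBy holds a Windows SID as a string. The SQL Server name, database name and the web service account name are placeholders for your environment.

```powershell
# Added example, not code from the post or its commenters: list who started
# recent runbook jobs. Uses the Jobs and Runbooks views from comment 1 and
# assumes Jobs.CreatedBy is a Windows SID string (comment 1). Server name,
# database name and the web service account are placeholders.
$script:SidCache = @{}

function Resolve-SidName {
    # Translate 'S-1-5-21-...' to 'DOMAIN\user'. Unresolvable SIDs (deleted
    # account, untrusted domain) are returned unchanged rather than hidden.
    param([string]$Sid)
    if ([string]::IsNullOrWhiteSpace($Sid)) { return '<none>' }
    if (-not $script:SidCache.ContainsKey($Sid)) {
        try {
            $ident = New-Object System.Security.Principal.SecurityIdentifier($Sid)
            $script:SidCache[$Sid] = $ident.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $script:SidCache[$Sid] = $Sid
        }
    }
    $script:SidCache[$Sid]
}

function Get-OrchJobStarts {
    param(
        [string]$SqlServer = 'SCORCHSQL01',          # assumed
        [string]$Database  = 'Orchestrator',         # assumed
        [datetime]$Since   = (Get-Date).AddDays(-7),
        # Account the Orchestration Console / web service runs as (assumed name).
        # Per comment 2, jobs started from the web console are recorded under it.
        [string]$WebServiceAccount = 'CONTOSO\svc-orch-web'
    )
    $query = @"
SELECT J.CreatedBy, J.CreationTime, J.Status, J.Parameters, R.Name AS RunbookName
FROM   [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs AS J
       INNER JOIN [Microsoft.SystemCenter.Orchestrator].Runbooks AS R ON J.RunbookId = R.Id
WHERE  J.CreationTime >= @since
ORDER BY J.CreationTime
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Database=$Database;Integrated Security=True")
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@since', $Since)   # parameterised; nothing is concatenated into the SQL
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $startedBy = Resolve-SidName ([string]$reader['CreatedBy'])
            [pscustomobject]@{
                CreationTime  = $reader['CreationTime']
                Runbook       = $reader['RunbookName']
                StartedBy     = $startedBy
                # True means "someone used the web console": go to the IIS logs
                # for that timestamp to find the interactive user (comment 2).
                ViaWebConsole = ($startedBy -eq $WebServiceAccount)
                Status        = $reader['Status']
                Parameters    = $reader['Parameters']
            }
        }
        $reader.Close()
    } finally {
        $conn.Close()
    }
}

# Typical use:
Get-OrchJobStarts -SqlServer 'SCORCHSQL01' -Since (Get-Date).AddDays(-7) |
    Format-Table CreationTime, Runbook, StartedBy, ViaWebConsole -AutoSize
```

Run it under an account that has read access to the Orchestrator database and can resolve SIDs in the domain; SIDs that no longer map to an account are printed raw so they are not silently dropped from the report.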
