United Kingdom Endpoint Management User Group


DS 6.9 auditing

  • 1.  DS 6.9 auditing

    Posted Jun 02, 2015 04:37 AM

    Hello all,

    Has anyone developed a query that audits DS Console actions, so that you know who created, moved, deleted items within the DS Console? 

    SK



  • 2.  RE: DS 6.9 auditing

    Posted Jun 02, 2015 07:55 AM

    I do not know if this is tracked. I know you can see who has run a certain job. Here is an example:

    https://www-secure.symantec.com/connect/blogs/sql-query-display-jobs-run-user

    So that you can see who has run the jobs, security must be activated in the console.



  • 3.  RE: DS 6.9 auditing

    Posted Jun 03, 2015 04:26 AM

    Hi Scott,

    Select complete_time, status, user_log from dbo.status_log order by Complete_time desc

    There's not that much logged in DS 6.9 and there's really only 4 tables that I know of that are to do with it, 2 of them are archive ones. Status_log and history tables contain all the information recorded relating to task executions, they differ slightly, you may wish to combine columns on both tables. It is probably suitable information for auditing as there are usernames mentioned against task executions with task details. Please note, keeping records of the details of the tasks is more tricky since these can be overwritten.

    A stored procedure runs on a schedule that is not publicly documented. The SPs are ins_archive_history and ins_archive_status_log. These SPs move the data to the archives of each table around every 24 hours. If you make a change to the Options, you can restart the services to trigger them manually.

    The default setting for governing the truncation of data from these tables is in Tools > Options > Global tab > “Delete history entries older than X days” and is ‘undefined’ on a fresh product install.

    So as long as you haven’t defined that setting you will have unlimited history in Status_log_archive and History_archive.

    HTH, take care buddy!

    Mike



  • 4.  RE: DS 6.9 auditing

    Posted Jun 03, 2015 06:11 AM

    Hi Mike,

    I already tried your query via LinkedIn but it only tracks event runs and not actual console item creation, moving and deletion.  :-(

    SK



  • 5.  RE: DS 6.9 auditing

    Posted Jun 03, 2015 09:15 AM

    If you remove all the rights apart from the "run job" you don't need much of an audit option :-)



  • 6.  RE: DS 6.9 auditing

    Posted Jun 03, 2015 09:25 AM

    Hmm, I don't think the product was really geared up for this, perhaps I can suggest to David to get it into GSS. I did wonder how the same query popped up twice recently via PB!!



  • 7.  RE: DS 6.9 auditing

    Posted Jun 03, 2015 09:30 AM

    I did have one for 5.5 back in the day; however, I cannot find it anymore. 

    I have been tasked to find out who did something within the DS Console, so if someone's got any ideas please share them. 



  • 8.  RE: DS 6.9 auditing

    Broadcom Employee
    Posted Jun 03, 2015 11:14 AM

    Hi Scott,

    I see there is a SQL table .[dbo].[changeitems] but don't have any thoughts where to JOIN it to see account names, who did this action...



  • 9.  RE: DS 6.9 auditing

    Posted Jun 03, 2015 11:22 AM

    Hi Igor,

    It looks promising, but unfortunately the server only has these change types: 

    inserted
    updated
    deleted

     

    No move change type  :-(



  • 10.  RE: DS 6.9 auditing

    Broadcom Employee
    Posted Jun 03, 2015 11:40 AM

    Seems like the existing "Stored procedures" also don't help to create an audit report to see the user name for a performed action



  • 11.  RE: DS 6.9 auditing

    Trusted Advisor
    Posted Jun 03, 2015 02:13 PM

    Hi All,

    I've tried grappling with this too; and failed. The options as I saw them were,

    • Have a nightly script that runs which exports all the DS jobs (with full paths) to a text file. On completion the script would then also compare this to the previous night's dump to alert on differences.

      This doesn't give the smoking gun, but it does let you know very well the window where something changed, and exactly what that was. 
       
    • Implement DS Console security with a 'gold' area that only sysadmins can touch

    I got as far as creating the nightly text dumps, but then abandoned the delta emails as I realised I'd have to implement a more draconian DS Console security model anyhow ;-)
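
The nightly dump comparison described in the post above, as an added example that is not part of the original thread and not code from any poster. It assumes each dump is a text file with one full job path per line and a backslash as the folder separator; the sample dumps and the leaf-name rule for spotting moves are constructed for illustration.

```python
from collections import defaultdict

SEP = "\\"  # assumption: folder separator used in the exported job paths

def load_dump(text):
    """Return the set of non-empty job paths found in one nightly dump."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def leaf(path):
    """Job name without its folder."""
    return path.rsplit(SEP, 1)[-1]

def compare_dumps(previous, current):
    """Classify the differences between two dumps as created, deleted or moved.

    Heuristic: a path that vanished and whose job name reappears exactly once
    under another folder is reported as moved. The dump carries no job id, so
    ambiguous names stay listed as deleted plus created.
    """
    gone, new = previous - current, current - previous
    gone_by_leaf, new_by_leaf = defaultdict(list), defaultdict(list)
    for path in gone:
        gone_by_leaf[leaf(path)].append(path)
    for path in new:
        new_by_leaf[leaf(path)].append(path)
    moved = [
        (old[0], new_by_leaf[name][0])
        for name, old in gone_by_leaf.items()
        if len(old) == 1 and len(new_by_leaf.get(name, [])) == 1
    ]
    moved_old = {old for old, _ in moved}
    moved_new = {dest for _, dest in moved}
    return {
        "created": sorted(new - moved_new),
        "deleted": sorted(gone - moved_old),
        "moved": sorted(moved),
    }

# Constructed sample dumps (previous night and tonight)
YESTERDAY = r"""
Jobs\Gold\Deploy Win7 Image
Jobs\Gold\Install Office
Jobs\Test\Old Cleanup
"""
TODAY = r"""
Jobs\Gold\Deploy Win7 Image
Jobs\Test\Install Office
Jobs\Test\New Inventory
"""

if __name__ == "__main__":
    for kind, items in compare_dumps(load_dump(YESTERDAY), load_dump(TODAY)).items():
        print(kind, items)
```

A job renamed in place shows up as one deleted and one created entry, since only the leaf name links the two nights.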