
Missing Audit Events?

Hello all,

We have a resource on our landing page that shows what nodes have been unmanaged, from when, till when, and by whom.

Well, recently it's been noticed that the "by whom" is sometimes empty.

Looking into the report, I found that this is provided by the Orion.AuditingEvents table. When I use SWQL to look at this table there is no audit event for unmanaging these nodes. They are obviously unmanaged, but somehow it was not logged at all.

Anyone have an idea as to why/how this could happen?

aLTeReGo / cobrien - Any past experience with this?

Turns out it's difficult to hold others responsible if I don't know who they are.

  • When I've changed settings directly in the database (via RDP session), I've seen the audit trail empty as you've described.  Makes sense if you think about it.

  • That does make sense. Scary though, 'cause NO ONE except myself and one other should be messing around in the DB. Definitely not some person unmanaging stuff. Even a SWQL session leaves those with its SWIS calls.

    I'm a relative noob on DBs, is there a way myself or a DBA might be able to track if that's been done?


  • Is it possible that these objects were unmanaged using the Scheduled Unmanage Utility or via SWIS using the Orion SDK?

  • I just got off the phone with SW Support. Turns out one of the users had disabled the Audit Trail. *Facepalm*

    Just in case anyone else needed this,

    You can check if Audit Trail is enabled by going to All Settings -> Web Console Settings -> Check the Box.

    Thanks for everyone's help!

  • rfackrell, the resource you mention and its functionality caught my eye as something that would be helpful in our environment.  But I have not been able to figure out what resource you are referring to.  Is this something custom for your environment or a canned resource that SolarWinds provides?  Would love to hear more details on this.

    THANKS

    Mike

  • Thanks aLTeReGo...

    That was what I thought at first.  Except he states that the resource he is using also shows the schedule times and the Audit Log does not show those.  It should, IMHO, but doesn't.

    Here is what I get selecting the "Node managed" and "Node unmanage" types:

    [Image: Unmanaged Nodes.png]

    But wait...  If I use the "Node edited" type it does show the times but now also shows all other Node edits which is not what I would want:

    [Image: Node Edits.png]

    I guess what would be helpful in this resource would be to allow for filtering.  Then I could filter on the keyword "UnManageFrom" and get what rfackrell is talking about.  This would also come in handy

    This does seem to be handled much better for Alert Muting Audit Events.  With those there are types for "Alerts muted", which shows the schedule, "Schedule for muting alerts changed", which shows the new schedule, and "Alerts unmuted".

    [Image: Alert Muting.png]

    Adjusting the Unmanage types to work the same would also provide the desired result.  However I still think the ability to filter would better cover all scenarios across all Audit Types.

    Still wondering if he is doing something different to only get the unmanage audit events.

    Mike

  • Mike, yeah, we created a custom report that shows us the Currently Unmanaged Devices. I think someone else modified some code they found in the community in order to accomplish our goals. I just shared it in the content exchange:

    https://thwack.solarwinds.com/docs/DOC-192739

    It’s just a SQL Query so it’s possible to edit it however you need. For example, we have a Site Code and a Tech Group Custom Property that we group it by. I took these out of the uploaded version.
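
Added example, not part of the original thread or of the report shared above: a SWQL query that lists currently unmanaged nodes next to their most recent unmanage audit event, so nodes with an empty "by whom" stand out as audit gaps. The entity and column names and the `Orion.NodeUnmanaged` action type are assumptions based on the Orion SDK schema; confirm them in SWQL Studio for your version.

```sql
-- Added example (SWQL). Schema names below are assumptions; verify them
-- against your Orion version before relying on the result.
SELECT n.NodeID,
       n.Caption,
       n.UnManageFrom,
       n.UnManageUntil,
       ae.AccountID     AS UnmanagedBy,    -- NULL = no audit record found
       ae.TimeLoggedUtc AS AuditLoggedUtc
FROM Orion.Nodes n
-- Most recent "node unmanaged" audit event per node, if one exists
LEFT JOIN (
    SELECT e.NetObjectID,
           MAX(e.AuditEventID) AS LastEventID
    FROM Orion.AuditingEvents e
    JOIN Orion.AuditingActionTypes t
      ON t.ActionTypeID = e.ActionTypeID
    WHERE t.ActionType = 'Orion.NodeUnmanaged'   -- assumed action type name
    GROUP BY e.NetObjectID
) last ON last.NetObjectID = n.NodeID
LEFT JOIN Orion.AuditingEvents ae
  ON ae.AuditEventID = last.LastEventID
-- Only nodes that are unmanaged right now
WHERE n.UnManaged = TRUE
ORDER BY n.UnManageFrom DESC
```

A NULL `UnmanagedBy` means no unmanage audit event exists for that node, which is what a disabled Audit Trail or a direct database edit, both mentioned in the thread, would leave behind.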