8 Replies Latest reply on Dec 13, 2017 2:16 PM by rfackrell

    Missing Audit Events?

    rfackrell

      Hello all,

      We have a resource on our landing page that shows what nodes have been unmanaged, from when, till when, and by whom.

       

      Well, recently it's been noticed that the "by whom" is sometimes empty.

      Looking into the report, I found that this is provided by the Orion.AuditingEvents table. When I use SWQL to look at this table there is no audit event for unmanaging these nodes. They are obviously unmanaged, but somehow it was not logged at all.

      Anyone have an idea as to why/how this could happen?

      aLTeReGo / cobrien - any past experience with this?

      Turns out it's difficult to hold others responsible if I don't know who they are.

        • Re: Missing Audit Events?
          d09h

          When I've changed settings directly in the database (via RDP session), I've seen the audit trail empty as you've described.  Makes sense if you think about it.

            • Re: Missing Audit Events?
              rfackrell

              That does make sense. Scary though, 'cause NO ONE except myself or one other should be messing around in the DB. Definitely not some person unmanaging stuff. Even a SWQL session leaves those with its SWIS calls.

              I'm a relative noob on DBs, is there a way myself or a DBA might be able to track if that's been done?


            • Re: Missing Audit Events?
              Mike Lomax

              rfackrell the resource you mention and its functionality caught my eye as something that would be helpful in our environment.  But I have not been able to figure out what resource you are referring to.  Is this something custom for your environment or a canned resource that SolarWinds provides?  Would love to hear more details on this.

               

              THANKS

               

              Mike

                • Re: Missing Audit Events?
                  aLTeReGo

                  rfackrell is referring to the Last XX Audit Events resource.

                   

                    • Re: Missing Audit Events?
                      Mike Lomax

                      Thanks aLTeReGo...

                       

                      That was what I thought at first.  Except he states that the resource he is using also shows the schedule times and the Audit Log does not show those.  It should, IMHO, but doesn't.

                      Here is what I get selecting the "Node managed" and "Node unmanage" types:

                       

                      But wait...  If I use the "Node edited" type it does show the times but now also shows all other Node edits which is not what I would want:

                       

                       

                      I guess what would be helpful in this resource would be to allow for filtering.  Then I could filter on the keyword "UnManageFrom" and get what rfackrell is talking about.  This would also come in handy

                       

                      This does seem to be handled much better for Alert Muting Audit Events.  With those there are types for "Alerts muted", which shows the schedule, "Schedule for muting alerts changed", which shows the new schedule, and "Alerts unmuted".

                      Adjusting the Unmanage types to work the same would also provide the desired result.  However I still think the ability to filter would better cover all scenarios across all Audit Types.

                       

                       

                      Still wondering if he is doing something different to only get the unmanage audit events.

                      Mike
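
Added example, not part of the original thread and not SolarWinds code: a reconciliation check for the gap discussed above, where a node is unmanaged but no audit event explains it. It uses the "Node unmanage" and "Node edited" types and the "UnManageFrom" keyword mentioned in the thread; the row layout, field names, accounts and message text are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data. The field names are assumptions about how rows
# exported from the node and audit tables might be shaped.
UNMANAGED_NODES = [
    {"NodeID": 101, "Caption": "core-sw-01", "UnManageFrom": "2017-12-11T08:00:00"},
    {"NodeID": 102, "Caption": "edge-rtr-07", "UnManageFrom": "2017-12-12T22:00:00"},
    {"NodeID": 103, "Caption": "db-host-03", "UnManageFrom": "2017-12-13T01:30:00"},
]
AUDIT_EVENTS = [
    {"TimeLoggedUtc": "2017-12-11T07:55:12", "AccountID": "jdoe", "NetObjectID": 101,
     "ActionType": "Node unmanage", "Message": "User jdoe unmanaged core-sw-01"},
    {"TimeLoggedUtc": "2017-12-12T21:40:03", "AccountID": "asmith", "NetObjectID": 102,
     "ActionType": "Node edited", "Message": "Node edited: UnManageFrom changed"},
    {"TimeLoggedUtc": "2017-12-12T09:00:00", "AccountID": "asmith", "NetObjectID": 103,
     "ActionType": "Node edited", "Message": "Node edited: Caption changed"},
    {"TimeLoggedUtc": "2016-01-05T10:00:00", "AccountID": "old.admin", "NetObjectID": 103,
     "ActionType": "Node unmanage", "Message": "User old.admin unmanaged db-host-03"},
]

def is_unmanage_event(event):
    """True for an unmanage event or a node edit that touched UnManageFrom."""
    if event["ActionType"] == "Node unmanage":
        return True
    return event["ActionType"] == "Node edited" and "UnManageFrom" in event["Message"]

def attribute_unmanages(nodes, events, max_lead=timedelta(days=30)):
    """Map each unmanaged NodeID to the account that audited it, or None."""
    result = {}
    for node in nodes:
        start = datetime.fromisoformat(node["UnManageFrom"])
        candidates = [
            e for e in events
            if e["NetObjectID"] == node["NodeID"] and is_unmanage_event(e)
            # Ignore stale events left over from an earlier, unrelated unmanage.
            and datetime.fromisoformat(e["TimeLoggedUtc"]) >= start - max_lead
        ]
        latest = max(candidates, key=lambda e: e["TimeLoggedUtc"], default=None)
        result[node["NodeID"]] = latest["AccountID"] if latest else None
    return result

def unattributed(nodes, events):
    """Captions of nodes that are unmanaged with no audit event explaining it."""
    who = attribute_unmanages(nodes, events)
    return [n["Caption"] for n in nodes if who[n["NodeID"]] is None]

if __name__ == "__main__":
    for caption in unattributed(UNMANAGED_NODES, AUDIT_EVENTS):
        print("no audit event for unmanaged node:", caption)
```

Nodes it reports are the ones worth following up on the database side, since the thread's explanation for an empty audit trail is a change made directly in the DB.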