8 Replies Latest reply on Dec 13, 2017 2:16 PM by rfackrell

Missing Audit Events?

rfackrell Nov 8, 2017 12:47 PM

Hello all,

We have a resource on our landing page that shows what nodes have been unmanaged, from when, till when, and by whom.

Well Recently its been noticed that the by whom is sometimes empty.

Looking into the report, I found that this is provided by the Orion.AuditingEvents table. When I use SWQL to look at this table there is no audit event for unmanaging these nodes. They are obviously unmanaged, but somehow it was not logged at all.

Anyone have an Idea as to why/how this could happen?

aLTeReGo/ cobrien - Any Past experience with this?

Turns out its difficult to hold others responsible if I don't know who they are.

Re: Missing Audit Events?

d09h Nov 8, 2017 12:53 PM (in response to rfackrell)

When I've changed settings directly in the database (via RDP session), I've seen the audit trail empty as you've described. Makes sense if you think about it.
Like (1)

Actions
- Re: Missing Audit Events?
  
  rfackrell Nov 8, 2017 1:00 PM (in response to d09h)
  
  That does make sense, Scary though, cause NO ONE except myself on one other should be messing around in the DB. Definitely not some person unmanaging stuff. Even a SWQL session leave those with its SWIS Calls.
  
  I'm a relative noob on DBs, is there a way myself or a DBA might be able to track if someone track if that's been done?
  
  Like (0)
  
  Actions
  - Re: Missing Audit Events?
    
    aLTeReGo Nov 8, 2017 1:05 PM (in response to rfackrell)
    
    Is it possible that these objects were unmanaged using the Scheduled Unmanage Utility or via SWIS using the Orion SDK?
    
    Like (0)
    
    Actions
    - Re: Missing Audit Events?
      
      rfackrell Nov 27, 2017 11:58 AM (in response to aLTeReGo)
      
      I just got off the phone with SW Support. Turns out one of the users had disabled the Audit Trail. *Facepalm*
      Just in case anyone else needed this,
      You can check if Audit Tail is enabled by going to All Settings -> Web Console Settings -> Check the Box.
      Thanks for everyone's help!
      1 of 1 people found this helpful
      
      Like (1)
      
      Actions
Re: Missing Audit Events?

Mike Lomax Dec 13, 2017 8:25 AM (in response to rfackrell)

rfackrell the resource you mention and its functionality caught my eye as something that would be helpful in our environment. But I have not been able to figure out what resource you are referring to. Is this something custom for your environment or a canned resource that SolarWinds provides? Would love to hear more details on this.

THANKS

Mike
Like (0)

Actions
- Re: Missing Audit Events?
  
  aLTeReGo Dec 13, 2017 8:31 AM (in response to Mike Lomax)
  
  rfackrell is referring to the Last XX Audit Events resource.
  
  Like (0)
  
  Actions
  - Re: Missing Audit Events?
    
    Mike Lomax Dec 13, 2017 9:13 AM (in response to aLTeReGo)
    
    Thanks aLTeReGo...
    
    That was what I thought at first. Except he states that the resource he is using also show the schedule times and the Audit Log does not show those. It should, IMHO, but doesn't.
    
    Here is what I get selecting the "Node managed" and "Node unmanage" types:
    
    But wait... If I use the "Node edited" type it does show the times but now also shows all other Node edits which is not what I would want:
    
    I guess what would be helpful in this resource would be to allow for filtering. Then I could filter on the keyword "UnManageFrom" and get what rfackrell is talking about. This would also come in handy
    
    This does seem to be handled much better for Alert Muting Audit Events. With those their are types for "Alerts muted", which shows the schedule, "Schedule for muting alerts changed", which shows the new schedule, and "Alerts unmuted".
    
    Adjusting the Unmanage types to work the same would also provide the desired result. However I still think the ability to filter would better cover all scenarios across all Audit Types.
    
    Still wondering if he is doing something different to only get the unmnage audit events.
    
    Mike
    
    Like (0)
    
    Actions
    - Re: Missing Audit Events?
      
      rfackrell Dec 13, 2017 2:16 PM (in response to Mike Lomax)
      
      Mike, Yeah we created custom report that shows us the Currently Unmanaged Devices. I think someone else modified some code they found in the community in order to accomplish our goals. I just shared it in the content exchange:
      https://thwack.solarwinds.com/docs/DOC-192739
      
      It’s just a SQL Query so it’s possible to edit it however you need. For example, we have a Site Code and a Tech Group Custom Property that we group it by. I took these out of the uploaded version.
      
      Like (0)
      
      Actions

Go to original post