Audit Trail
Updated: May 13, 2016
Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator
The Audit Trail is a collection of text log files that contain information about the interaction of a runbook with external tools and systems. By using the Audit Trail, you can report on configuration and change compliance of processes and identify changes made to a non-Microsoft system for audit purposes or to remediate a change that causes service interruption.
Depending on how many runbooks you invoke and how many activities those runbooks contain, the Audit Trail can consume a large amount of disk space on the computer that runs the management server and runbook server. If you enable auditing, you should implement an archiving procedure to move the files generated by the Audit Trail to another computer on a regular basis.
Activating and Deactivating the Audit Trail
By default, the Audit Trail is not activated when you install Orchestrator. You can use the following procedure to activate it.
To activate or deactivate the Audit Trail
Open a command prompt with administrative credentials.
Navigate to System Drive:\Program Files (x86)\Microsoft System Center 2012\Orchestrator\Management Server.
To activate the Audit Trail, type
atlc /enable
, and to deactivate the Audit Trail, typeatlc /disable
.
Audit Trail Files
Audit Trail files are stored in comma-separated value file (.csv) format. The following table shows the details.
Log Type | File name | Contents | Computer | Location |
---|---|---|---|---|
Runbook Publisher | Computer Name_ RunbookPublisher_Timestamp.csv | - Date and time that the runbook was started - User name and domain that started the runbook - Name of the computer where the runbook ran |
Management Server | System Drive:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit\ManagementService |
Runbook Publisher | Computer Name_ RunbookPublisher_Timestamp.csv | - Date and time that the runbook was started - User name and domain that started the runbook - Name of the computer where the runbook ran |
Runbook Server | System Drive:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit\RunbookService |
Activity Runtime Information | Computer Name_ ObjectRuntimeInfo_Timestamp.csv | - Date and time that activity ran - Name of runbook server that ran the activity - ID of the job process that ran the activity - Object XML code that activity received as input data |
Runbook Server | System Drive:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit\PolicyModule |
When a file reaches 200 megabytes (MB) in size, a new file is created. The time stamp is included in the file name to ensure that each file name is unique. Passwords and other encrypted text fields are represented by five asterisks (*****) in the Audit Trail files.
Note
The ProgramData folder holding the audit files is often a hidden system folder.
See Also