SCOM Auditing?

Hello, I am working with SCOM 2012.   I want to know if there is any records kept when a person with the property security access changes a monitor/rule in the SCOM management server.  So if I, for example, override and change the disk space threshold for a specific server, is that logged somewhere?   I saw there is such a thing as Audit Collection Services (ACS):
http://technet.microsoft.com/en-us/library/hh212908.aspx

But I am not clear what specifcally this does.  Does it log authoring events in SCOM?  The article above says it logs "audit policy" but I dont really understand what that is, or what that means specifically.  I just want to know if when I make a change to a monitoring rule, does it get logged somewhere?

Thanks

-Mark

July 15th, 2013 11:09am

Hi Mark,

>So if I, for example, override and change the disk space threshold for a specific server, is that logged somewhere?

Unfortunately, no, OpsMgr doesn't have any 'self-auditing' features.

Free Windows Admin Tool Kit Click here and download it now
July 15th, 2013 11:24am

Ok, that is good to know.  Thanks for your response.  Can you give me a better idea of what ACS actually does, or an example or something, so that I understand what that is at least?  Any idea?
July 15th, 2013 11:27am

Ok, that is good to know.  Thanks for your response.  Can you give me a better idea of what ACS actually does, or an example or something, so that I understand what that is at least?  Any idea?

http://technet.microsoft.com/en-us/library/bb381258.aspx

it's for collecting events that are presented in Event View -> Security

like this - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Free Windows Admin Tool Kit Click here and download it now
July 15th, 2013 11:41am

Thanks!
July 15th, 2013 11:42am

  I just want to know if when I make a change to a monitoring rule, does it get logged somewhere?


it get logged in DB if there is a new override but there is no mention who has changed that override. So if there is only few scom admins you can identify who has changed overrides with a great likelihood.

check this - http://social.technet.microsoft.com/Forums/systemcenter/en-US/e9dc1224-914d-4751-a242-c0268e9c39bb/how-can-i-see-when-a-monitor-override-was-created-and-by-whom

Free Windows Admin Tool Kit Click here and download it now
July 15th, 2013 11:55am

Gotcha.  Thanks for the info.
July 15th, 2013 1:08pm

I really don't see how hard this would be to achieve. I mean, you log into SCOM so it knows you who are, and whenever you commit an override, it should log that to an auditing table. This feature should be able to be turned off or on. This just seems like a no brainer that maybe Product Management should put in their backlog for the next release.
Free Windows Admin Tool Kit Click here and download it now
October 31st, 2013 6:12pm

Sorry for digging that up, but what @SFBarbarino said, I cannot agree more. Audit options for various purposes should be available. There are many rather redundant things in SCOM for most times while the data I would need to acquire should be available... I'm kind of disappointed and I hope it gets included in the next release.
June 23rd, 2014 8:37am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics