How to Manage the Audit Log for AMT-Based Computers in Configuration Manager

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

If you have configured System Center 2012 Configuration Manager for AMT auditing, you can enable and disable auditing on selected Intel AMT-based computers, update existing audit settings, export the auditing entries to a file, and clear the audit log. You might have to clear the audit log on AMT-based computers to make more space in the log for new entries. All the auditing features that you can select by using Configuration Manager are categorized as noncritical. Depending on your AMT version, these features might stop writing to the audit log when it is 85 percent full or might start overwriting old entries. You can save the current audit log entries and delete them from an AMT-based computer by using the out of band management console.

Use the following procedures to manage the audit log for AMT-based computers:

  • To enable auditing and update audit settings on AMT-based computers

  • To disable auditing on AMT-based computers

  • To export the audit log for AMT-based computers

  • To clear the audit log on AMT-based computers

  • To monitor auditing activities by using status messages

Before you perform these procedures, you must configure Configuration Manager for AMT auditing as described in Step 5: Configuring the Out of Band Management Component.

To enable auditing and update audit settings on AMT-based computers

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, click Devices or Device Collections.

  3. Select one or multiple AMT-based computers for which you want to enable auditing or update the audit settings, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Enable Auditing and Apply Audit Log Settings.

  4. Click OK in the confirmation dialog box.

To disable auditing on AMT-based computers

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, click Devices or Device Collections.

  3. Select one or multiple AMT-based computers for which you want to disable auditing, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Disable Audit Log.

  4. Click OK in the confirmation dialog box.

To export the audit log for AMT-based computers

  1. Connect to the AMT-based computer by using the out of band management console.

  2. Click System Audit Log, click Export All, specify the path and file name to contain the auditing entries, and then click OK.

To clear the audit log on AMT-based computers

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, click Device Collections.

  3. From one of the collections, perform one of the following actions:

    - To clear the audit log for all AMT-based computers in a collection, select the collection, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Clear Audit Log.

    - To clear the audit log for selected AMT-based computers, select one or multiple computers within a collection, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Clear Audit Log.

  4. Click OK in the confirmation dialog box.

To monitor auditing activities by using status messages

  1. In the Configuration Manager console, click Monitoring.

  2. In the Monitoring workspace, expand System Status, click Status Message Queries, and then in the results pane, click All Status Messages.

  3. On the Home tab, in the Status Message Queries group, click Show Messages.

  4. In the All Status Messages dialog box, you are prompted for the time period for which you want to check status messages. Enter the time period or date and time, and then click OK.

  5. All status messages are displayed in the Configuration Manager Status Message Viewer. Click the Component column, and locate the status messages with a component named Microsoft.ConfigurationManagement.exe.

  6. For more information about any of the status messages, right-click a status message, and then select Detail.

  7. View the information in the Status Message Details dialog box, and then click OK to close this dialog box, or click Previous or Next to view the details of other status messages.

  8. Click OK to close the Status Message Details dialog box, and close the Configuration Manager Status Message Viewer.