Audit Trail

 

Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator

The Audit Trail is a collection of text log files that contain information about the interaction of a runbook with external tools and systems. By using the Audit Trail, you can report on configuration and change compliance of processes and identify changes made to a non-Microsoft system for audit purposes or to remediate a change that causes service interruption.

Depending on how many runbooks you invoke and how many activities those runbooks contain, the Audit Trail can consume a large amount of disk space on the computer that runs the management server and runbook server. If you enable auditing, you should implement an archiving procedure to move the files generated by the Audit Trail to another computer on a regular basis.

Activating and Deactivating the Audit Trail

By default, the Audit Trail is not activated when you install Orchestrator. You can use the following procedure to activate it.

To activate or deactivate the Audit Trail

  1. Open a command prompt with administrative credentials.

  2. Navigate to System Drive:\Program Files (x86)\Microsoft System Center 2012\Orchestrator\Management Server.

  3. To activate the Audit Trail, type atlc /enable, and to deactivate the Audit Trail, type atlc /disable.

Audit Trail Files

Audit Trail files are stored in comma-separated value file (.csv) format. The following table shows the details.

Log Type File name Contents Computer Location
Runbook Publisher Computer Name_ RunbookPublisher_Timestamp.csv - Date and time that the runbook was started
- User name and domain that started the runbook
- Name of the computer where the runbook ran
Management Server System Drive:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit\ManagementService
Runbook Publisher Computer Name_ RunbookPublisher_Timestamp.csv - Date and time that the runbook was started
- User name and domain that started the runbook
- Name of the computer where the runbook ran
Runbook Server System Drive:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit\RunbookService
Activity Runtime Information Computer Name_ ObjectRuntimeInfo_Timestamp.csv - Date and time that activity ran
- Name of runbook server that ran the activity
- ID of the job process that ran the activity
- Object XML code that activity received as input data
Runbook Server System Drive:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit\PolicyModule

When a file reaches 200 megabytes (MB) in size, a new file is created. The time stamp is included in the file name to ensure that each file name is unique. Passwords and other encrypted text fields are represented by five asterisks (*****) in the Audit Trail files.

Note

The ProgramData folder holding the audit files is often a hidden system folder.

See Also

Orchestrator Logs