Audit Trail

The Audit Trail is a collection of text log files that contain information about the interaction of a runbook with external tools and systems. By using the Audit Trail, you can report on configuration and change compliance of processes and identify changes made to a non-Microsoft system for audit purposes or to remediate a change that causes service interruption.

Depending on how many runbooks you invoke and how many activities those runbooks contain, the Audit Trail can consume a large amount of disk space on the computer that runs the management server and runbook server. If you enable auditing, you should implement an archiving procedure to move the files generated by the Audit Trail to another computer regularly.

Activate or Deactivate the Audit Trail

By default, the Audit Trail isn't activated when you install Orchestrator. You can use the following procedure to activate or deactivate it:

  1. Open a command prompt with administrative credentials.
  1. Navigate to C:\Program Files (x86)\Microsoft System Center\Orchestrator\Management Server.
  1. Navigate to C:\Program Files\Microsoft System Center\Orchestrator\Management Server.
  1. To activate the Audit Trail, enter atlc /enable.

  2. To deactivate the Audit Trail, enter atlc /disable.

Audit Trail Files

Audit Trail files are stored in comma-separated value file (.csv) format. The following table shows the details:

Log Type: Runbook Publisher

File Name: Computer Name_ RunbookPublisher_Timestamp.csv

Contents:

  • Date and time that the runbook was started

  • User name and domain that started the runbook

  • Name of the computer where the runbook ran

Computer Location
Management Server C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit\ManagementService
Runbook Server C:\ProgramData\Microsoft System Center 2012 \Orchestrator\Audit\RunbookService

Log Type: Activity Runtime Information

File Name: Computer Name_ ObjectRuntimeInfo_Timestamp.csv

Contents:

  • Date and time that activity ran

  • Name of runbook server that ran the activity

  • ID of the job process that ran the activity

  • Object XML code that activity received as input data

Computer Location
Runbook Server C:\ProgramData\Microsoft System Center 2012 \Orchestrator\Audit\PolicyModule

When a file reaches 200 megabytes (MB) in size, a new file is created. The time stamp is included in the file name to ensure that each file name is unique. Passwords and other encrypted text fields are represented by five asterisks (*****) in the Audit Trail files.

Note

The ProgramData folder holding the audit files is often a hidden system folder.

Next steps

Orchestrator Logs