Audit Trail
The Audit Trail is a collection of text log files that contain information about the interaction of a runbook with external tools and systems. By using the Audit Trail, you can report on configuration and change compliance of processes and identify changes made to a non-Microsoft system for audit purposes or to remediate a change that causes service interruption.
Depending on how many runbooks you invoke and how many activities those runbooks contain, the Audit Trail can consume a large amount of disk space on the computer that runs the management server and runbook server. If you enable auditing, you should implement an archiving procedure to move the files generated by the Audit Trail to another computer regularly.
Activate or Deactivate the Audit Trail
By default, the Audit Trail isn't activated when you install Orchestrator. You can use the following procedure to activate or deactivate it:
- Open a command prompt with administrative credentials.
- Navigate to
C:\Program Files (x86)\Microsoft System Center\Orchestrator\Management Server.
- Navigate to
C:\Program Files\Microsoft System Center\Orchestrator\Management Server.
To activate the Audit Trail, enter atlc /enable.
To deactivate the Audit Trail, enter atlc /disable.
Audit Trail Files
Audit Trail files are stored in comma-separated value file (.csv) format. The following table shows the details:
Log Type: Runbook Publisher
File Name: Computer Name_ RunbookPublisher_Timestamp.csv
Contents:
Date and time that the runbook was started
User name and domain that started the runbook
Name of the computer where the runbook ran
| Computer | Location |
|---|---|
| Management Server | C:\ProgramData\Microsoft System Center 2012\Orchestrator\Audit\ManagementService |
| Runbook Server | C:\ProgramData\Microsoft System Center 2012 \Orchestrator\Audit\RunbookService |
Log Type: Activity Runtime Information
File Name: Computer Name_ ObjectRuntimeInfo_Timestamp.csv
Contents:
Date and time that activity ran
Name of runbook server that ran the activity
ID of the job process that ran the activity
Object XML code that activity received as input data
| Computer | Location |
|---|---|
| Runbook Server | C:\ProgramData\Microsoft System Center 2012 \Orchestrator\Audit\PolicyModule |
When a file reaches 200 megabytes (MB) in size, a new file is created. The time stamp is included in the file name to ensure that each file name is unique. Passwords and other encrypted text fields are represented by five asterisks (*****) in the Audit Trail files.
Note
The ProgramData folder holding the audit files is often a hidden system folder.