Channel: THWACK: Discussion List - All Communities

How to create an Event from Audit Event when Services or Process stopped


We have:-


Orion Platform 2014.2.1, SAM 6.1.1, QoE 1.0, NCM 7.2.2, NPM 11.0.1, NTA 3.11.0, UDT 3.0.2, IVIM 1.11.0, VNQM 4.1


Not sure if this should be in the SAM section or NPM section.


What we want to do:-


Track which users are stopping/starting Services or stopping Processes on Windows servers by having those actions appear in the Event Summary panel for the Node.


We want to enable access to Management options for Windows Servers to our Server Admins but have requirements to be able to log and report on actions they take using these tools.


Audit reports serve as one way for auditing usage - we also need to be able to see the usage against the specific Node when viewing the Node details panels.


Short description of problem:-


Audit events that record the account that issued the cmd cannot be seen as an Event against the Node, and the relevant AuditActionTypes do not appear to be accessible in the Report Tool or in the Advance Manager tool. So we are unable to (for example) create an Alert whose Trigger Condition is to pick up the relevant AuditActionTypes and from this create a Trigger Action to Log the Alert to the NetPerfMon Event Log (and therefore appear in the Event list for the node).


The relevant AuditActionTypes are:


Orion.APM.ProcessTerminated

Orion.APM.ServiceStateChanged


The Report issue I can get around (to some degree) - I created a dummy report using other AuditActionTypes available in the Report Designer, converted that to SQL and then used that SQL with the "dummy" types replaced by the missing options - this appears to work and at least produces a report with the relevant info that we can run daily/weekly and provide for reference/security/auditing purposes. Once again though - there is no way (that I can see) to order these by the Node the actions were performed on.


Creating an Event that can be seen in the Event Summary panel for a Node has me beat though.


Longer description:-


Referring to Windows Nodes.


In the Management section for Nodes there are 2 options - Service Control Manager and Real-Time Process Explorer.


These options are available to Admin users but can also be turned on for non-admin accounts with a View Only option or a Control option.


When turning on the Control option for either widget, a user can then (for Service Control Manager) stop and start Windows Services and (for Real-Time Process Explorer) stop (kill) individual processes.


When a Stop/Start of a Service or termination of a process is issued, an Audit entry is created listing the Account that the request came from (the actual cmd is sent to the target server via a WMI connection using whatever Account credential was configured for that Node, if any - if none, a window pops up requesting a valid account). We use an AD Account with Domain Admin rights (as per doc) for all our Windows boxes.


So (for example) I log on with my AD account to Solarwinds, view a Windows Node and click Service Control Manager - another window opens to display the Services on the Node (populated by Solarwinds issuing WMI (or something) to the server using the stored AD Account with Domain Admin rights). I then select a Service and click the Stop button and Solarwinds performs the Stop - again using the stored AD Account with Domain Admin Rights stored against the server definition in Solarwinds.


From the Windows end it appears that the Solarwinds AD Account is the one managing (stopping) the Service (which is correct). There is no correlation (on the Server) to the actual user (account) that is performing the stop.


The only place I have found where we can see which user has issued a Stop/Start for a Service or Stop for a process is in the Audit log.


The Audit log entries do not appear to be related to the Node the options were issued on - i.e. if I go to Message Center and select "All Network Objects" and tick "Show Audit Events" I will see the event:-


User ddddddd\nnnn stopped service SNMP Service (SNMP) on node abcd1234


If I select the specific Node rather than All Network Objects then I do not see these Audit Events.


Also - in the Node Details page, with the Last XX Audit Events panel, these events do not appear either.


So - there appears to be no correlation that can be used to tag the Event to the Node.


In an effort to have the actions visible in the Event Summary panel I created an Alert with the intent of having the Trigger Action set to log an event against the node - but I cannot access the relevant AuditActionTypes when selecting "Auditing Events" in the "Type of Property to Monitor" selection box for the Trigger Condition.


When I select "Auditing Events" and create a Trigger Condition with other AuditActionTypes (using these as "dummies"), view the SQL for that and then use that SQL to create a "Custom SQL Alert" in the "Type of Property to Monitor", changing the "dummy" AuditActionTypes to Orion.APM.ProcessTerminated and Orion.APM.ServiceStateChanged, the subsequent SQL tests OK but doesn't appear to actually work from what I can see. When selecting "Custom SQL Alert" and then Auditing Events in the "Set up your Trigger Query" box, it creates some non-editable SQL that appears to be similar (but slightly different) to the SQL that starts the copied SQL from the "dummy" attempt. Not being an SQL guru, I do not really know what is going on or where to go from here.


Anyone have any ideas how I can achieve what is required?
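A report query of the kind the post works towards (the two audit action types listed per node), added here as an example and not code from the original post or from SolarWinds. It assumes a SQL Server Orion database with the AuditingEvents, AuditingActionTypes and Nodes tables and column names as published in the Orion SDK schema, and that the audit message keeps the "... on node <name>" wording quoted above; check the column names against your own database before relying on it.

```sql
-- Added example (not from the original post). Assumes SQL Server and the
-- Orion schema tables AuditingEvents, AuditingActionTypes and Nodes as in
-- the Orion SDK; verify column names against your own database.
-- The audit rows carry no node reference for these action types, so the
-- node name is recovered from the message text ("... on node <name>").
WITH ServiceAndProcessAudit AS (
    SELECT
        ae.AuditEventID,
        ae.TimeLoggedUtc,
        ae.AccountID,                       -- Orion login that issued the cmd
        aat.ActionType,
        ae.AuditEventMessage,
        -- Text after ' on node ' is the node caption; the literal is 9 chars
        -- (LEN() would drop the trailing space, so the length is hard-coded)
        LTRIM(RTRIM(
            SUBSTRING(ae.AuditEventMessage,
                      CHARINDEX(' on node ', ae.AuditEventMessage) + 9,
                      LEN(ae.AuditEventMessage))
        )) AS NodeCaption
    FROM AuditingEvents ae
    JOIN AuditingActionTypes aat ON aat.ActionTypeID = ae.ActionTypeID
    WHERE aat.ActionType IN ('Orion.APM.ProcessTerminated',
                             'Orion.APM.ServiceStateChanged')
      AND CHARINDEX(' on node ', ae.AuditEventMessage) > 0
)
SELECT
    a.NodeCaption        AS NodeName,
    n.NodeID,                               -- NULL if the caption no longer matches a node
    a.TimeLoggedUtc      AS TimeUtc,
    a.AccountID,
    a.ActionType,
    a.AuditEventMessage
FROM ServiceAndProcessAudit a
LEFT JOIN Nodes n ON n.Caption = a.NodeCaption
WHERE a.TimeLoggedUtc >= DATEADD(DAY, -7, GETUTCDATE())   -- last 7 days
ORDER BY NodeName, a.TimeLoggedUtc DESC;
```

Because the node is only parsed out of free text, a renamed node will still be listed under the name that was current when the action was taken (NodeID then comes back NULL), which is worth keeping in mind when the output is used for auditing.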
