
Important: This documentation space contains information about the on-premises version of BMC Helix Discovery. If you are using the SaaS version of BMC Helix Discovery, see BMC Helix Discovery (SaaS).

Auditing the system


Users with sufficient privileges can modify the system configuration in ways which could affect it or the customer environment. The audit feature enables you to track changes to the system configuration. All user-initiated events that modify the state or the behavior of the system are logged.

To use the audit feature, you must be logged in as a system user. If you are not a member of this group, you are shown the message You do not have permission to run audit reports.


Reporting on audit events

To search for and report on audit events, open the Audit page:
From the main menu, click the Administration icon. The Administration page opens. In the Security section, click Audit.

To search for events, enter search criteria in all or some of the following fields:

  • From—The start date and time of the search. The default for this field is 24 hours before the page was loaded.
  • To—The end date and time of the search. By default the To fields show the placeholder text Day Month Year hh mm, which means that the logs are searched up to the current time.
  • User ID—A filter to search only for events logged to a particular user, for example, the reporter user.
  • Event group—A drop-down filter to search only for events belonging to a particular event group or category. The event group provides a means for viewing related event types. See event groups for a list of event groups.

When you have entered the search criteria, click Run to start the search. The page is refreshed to show a results table below the search panel.

You can only search the logs through the user interface (UI) using the fields in the Search audit records page. However, if you export the Results List by clicking Export as CSV, you can use a spreadsheet or text editor to perform detailed searches on the data. For example, you can search for events on a specific host.

Click Export as CSV and choose a location to save the file.
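The exported CSV can be searched far more precisely than the UI allows, for example for every event whose summary names a particular host, or for all events in one event group within a time window. The following Python script is an added example and not BMC's code: it assumes the export's column headers match the standard detail names (Event, Event Group, User, Full Name, User Groups, When, Summary) and that the When column uses a `YYYY-MM-DD HH:MM:SS` timestamp; both are assumptions to adjust against your own export. The sample rows embedded in the script are constructed, not real audit data.

```python
"""Filter an exported BMC Helix Discovery audit CSV offline.

Added example, not BMC's code. Column names and the timestamp format are
assumptions; check them against the header row of your actual export.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed timestamp layout of the "When" column.
WHEN_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not real audit data). Headers follow the
# standard details recorded for every event.
SAMPLE_CSV = """Event,Event Group,User,Full Name,User Groups,When,Summary
Windows proxy pinged,Windows proxy,reporter,Report User,readonly,2024-05-01 09:12:03,Pinged Windows proxy winproxy01 at 10.0.0.5:4321
Login,UI Access,system,System User,system,2024-05-01 09:15:44,User logged in from 10.0.0.20
Audit purged,Audit Log,system,System User,system,2024-05-02 17:02:10,Purged audit records older than 3 months ago
Credential added,Discovery Config,discoadmin,Discovery Admin,"system,admin",2024-05-03 11:40:00,Added credential for host db01.example.com
"""


def load_audit_csv(text: str) -> list:
    """Parse CSV text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_when(value: str) -> datetime:
    """Turn the 'When' column into a datetime using the assumed format."""
    return datetime.strptime(value, WHEN_FORMAT)


def filter_events(rows, *, user=None, group=None, since=None, until=None, text=None):
    """Return rows matching every criterion that is not None.

    user/group are exact matches on 'User' and 'Event Group'; since/until
    bound the 'When' timestamp (inclusive); text is a case-insensitive
    substring search on 'Summary', e.g. a host name.
    """
    matched = []
    for row in rows:
        when = parse_when(row["When"])
        if user is not None and row["User"] != user:
            continue
        if group is not None and row["Event Group"] != group:
            continue
        if since is not None and when < since:
            continue
        if until is not None and when > until:
            continue
        if text is not None and text.lower() not in row["Summary"].lower():
            continue
        matched.append(row)
    return matched


def summarize_by_group(rows) -> dict:
    """Count events per event group, useful for spotting unusual activity."""
    return dict(Counter(row["Event Group"] for row in rows))


if __name__ == "__main__":
    rows = load_audit_csv(SAMPLE_CSV)
    for row in filter_events(rows, text="db01"):
        print(row["When"], row["User"], row["Summary"])
    print(summarize_by_group(rows))
```

To run against a real export, replace `SAMPLE_CSV` with the contents of the saved file and correct `WHEN_FORMAT` and the column names if your header row differs.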

Each item in the result row is a hyperlink to the detailed record of the event.

The record data is divided into two sections:

Standard details

The standard details that are recorded for every event are described below:

  • Event: The type of event.
  • Event Group: The event group to which this event belongs. The purpose of the event group is to provide a filter for viewing related event types.
  • User: The user ID of the user who initiated the event.
  • Full Name: The full name of the user who initiated the event.
  • User Groups: The groups to which the user who initiated the event belongs.
  • When: When the event was logged.
  • Summary: A summary description of the event.

Additional details

The details shown in the Additional Details section vary from event to event. For example, the following information is provided for a Windows proxy that has been pinged:

  • IP address
  • Port
  • Windows proxy name
  • Windows proxy type

When logging in to the user interface over an IPv6 connection, the client might use a temporary IPv6 address. It is this temporary IP address that is reported in the appliance audit log. Where temporary addresses are shown, tracing the particular computer from which the login came is difficult. To avoid this, you can disable temporary IPv6 addresses on client computers.

Event groups 

Audited events are collected into the following groups:

  • Appliance Config
  • Audit Log
  • Consolidation
  • DIP
  • Datastore Edit
  • Discovery Config
  • Discovery Ruleset
  • ECA Reasoning
  • Search
  • Security
  • Windows proxy
  • UI Access
  • cmdb-export

The events that belong to these groups are shown on the Audit page in the user interface.

Purging the audit log

You can purge the audit log of all events that are over one month old. Events less than one month old cannot be deleted. You can purge events using the Audit Purge page. To access the Audit Purge page, from the Audit section of the Administration tab, select Purge.

On the Audit Purge page, the log name, number of events, and the date and time of the oldest record is displayed. A selection drop-down list is displayed which enables you to select the purge until date. The following options are available:

  • 1 month ago
  • 3 months ago
  • 6 months ago
  • 12 months ago
  • 24 months ago

This ensures that there is a minimum retention period of one month. Click Purge to purge the archive up to the Purge until date selected. When you click Purge, the operation commences immediately. You can navigate away from the page and continue with other tasks.

Purging archive information is also an auditable event. Therefore, after a purge, the newest event is a record of that purge.

Warning

There is no automatic purge of the audit information. When the audit information on the appliance becomes very large, you can use the appliance backup feature to create an archive.

A typical number of auditable events is approximately 1,000 per day. This equates to approximately 90,000 events in three months.

When deleting events, you can typically remove 500 events per second. Deleting 60,000 or more events causes the browser to time out; however, the purge continues on the appliance.

BMC Helix Discovery 24.2 (On-Premises)