none
SCOM Audit Reports contain no data RRS feed

  • Question

  • Hi,

    I deployed SCOM Audit Reports, and then run any audit report.

    None of audit reports contains any data.

    Example: report "Usage_User_Logon"

    How can solve this issue?

    How can I check in Audit database if it contains any data?

    Best regards

    Birdal


    • Edited by _Birdal Friday, October 18, 2019 7:43 AM
    Friday, October 18, 2019 7:43 AM

Answers

All replies

  • Hi Birdal,

    Have you actually enabled the Audit Collection in the Operations Console for the computers you want to audit?

    If you open the Operations Manager console, does it say anything about the ACS collectors or the ACS database?

    Make sure the ACS service running on your ACS collectors and that the database services are running.

    Anything in the Operations Manager event viewer on your ACS collectors?

    Here's a few links that takes you through everything:

    Installing Audit Collection Services (ACS) for SCOM 2016

    How to Deploy Audit Collection Services (ACS) in SCOM 2012

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:

    • Marked as answer by _Birdal Monday, October 21, 2019 6:32 AM
    Friday, October 18, 2019 8:07 AM
  • Hi Leon,

    yes, I missed an important step: I cid not enable Audit Collection on an Agent.

    I tried to do it following Installing Audit Collection Services (ACS) for SCOM 2016, and set all in Task:

    But the issue is with credentials. The article tells:

    "8. In the Task credentials section, click Other. In the User Name box, type the name of a user account that belongs to the local Administrators group on the agent computers. In the Password box, type the password for this user account. Click to expand the Domain list to view the available domains, and then click the domain of the user account."

    I used a local administrator credentials and run afterwards the process "Enable Audit Collection". But I get always following error:

    Enable Audit Collection Failed

    Logon failure: the user has not been granted the requested logon type at this computer. Error Code: -2147023511 (Logon failure: the user has not been granted the requested logon type at this computer).

    What is the issue here?

    Bet regards

    Birdal


    Friday, October 18, 2019 9:52 AM
  • Hi Leon,

    OK, I know why this error occured.

    I tried first to enable Audit on a Domain Controller. It failed, because I used the not correct account.

    Then I enabled it successful wit the correct account.

    How long should be waited to get data in audit database?

    Best regards

    Birdal


    • Edited by _Birdal Friday, October 18, 2019 9:56 AM
    Friday, October 18, 2019 9:56 AM
  • Ok great, it should start showing up pretty quickly depending on how many audit events are created, I don't have a specific time estimate unfortunately.

    By default, not much gets audited on a Windows computer; that is not so many events will appear in the Security log of the computer.

    The way you get more auditing on a computer is with security policies, in an Active Directory domain environment, this is done with group policies.


    Blog: https://thesystemcenterblog.com LinkedIn:

    Friday, October 18, 2019 10:09 AM
  • Hi Birdal

     

    How's everything going? Is it working now? If there's any update, please let us know.

     

    Best regards.

    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 21, 2019 1:58 AM