How to audit collection changes in SCCM?

    Question

  • Hi all,

    I want to be able to audit changes to collections in SCCM (such as when a helpdesk person adds a PC to a collection for software deployment). I have looked in the Colleval.log file and used the Status Message Queries, but these only seem to say who made a change and when. I also want to be able to see what the change was, but how do I get that info out of SCCM? Without knowing what the change was, the audit seems pointless.

    Any help greatly appreciated
    James
    Thursday, March 11, 2010 2:36 PM

Answers

  • I don't think that's possible.  Because if a collection was changed, the collection query could be a small change, like from "all os type 5.0 to 5.2".  That's 1 small character, 0 vs. 2, but the collection query results are drastic.

    You'd almost have to take snapshots in time of the results of every possible combination of v_fullcollectionmembership, and keep those around for days/weeks, just so you could compare from 10 am to 10:05am.
    Standardize. Simplify. Automate.
    Thursday, March 11, 2010 4:20 PM
    Moderator
  • This kind of detail is not recorded anywhere that I can think of.  The server knows and makes the change, but it doesn't keep track of what that change was.  You would need a snapshot before and after to know what computer was added or what query was modified.

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Friday, March 12, 2010 1:20 AM
    Moderator

All replies

  • Hi,

    Navigate to Status Messages, Status Message Queries. Here you will find two Audit status message queries: one for the site and one for a specific user. Those will tell you who did what and when.
    Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
    Thursday, March 11, 2010 3:00 PM
    Moderator
  • The problem is, I think James wants to know which computer, not just that a collection change was made by person x.  Is this correct, James?
    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Thursday, March 11, 2010 3:50 PM
    Moderator
  • Matthew is right - I have seen the output of what Kent mentioned, but it is simply not enough - with the current output of status message queries I could make a change, and all anyone would know is that a change was made to "Collection A" by "James" - If I want to use auditing to catch who added a specific computer/query rule to a collection, how can I do that?

    How does the change get flagged/amended in the database? Is it possible to pull this level of detail from the logs, or somewhere in the inboxes folder - SCCM must record what the change is in order to make the update, since the Colleval.log seems to tell us how many changes have occurred to a collection?

    James
    Thursday, March 11, 2010 6:38 PM
  • The SMSPROV.log does record exactly what happened to which collection and when, however you only get approx 24 hours worth of data even if you set the log files to 50MB as they roll over.
    Friday, October 18, 2013 11:13 AM
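
The snapshot-and-compare approach suggested in the answers above, combined with the who/when data from the audit status message queries, as an added example that is not part of the original thread. It assumes each snapshot is a CSV export of the CollectionID, ResourceID and Name columns of v_FullCollectionMembership; the sample rows, collection IDs, user names and the (time, user, CollectionID) audit tuple layout are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

def load_snapshot(csv_text):
    """Parse one exported snapshot into {CollectionID: {ResourceID: Name}}."""
    members = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        members[row["CollectionID"]][row["ResourceID"]] = row["Name"]
    return members

def diff_snapshots(before, after):
    """Return {CollectionID: {"added": [...], "removed": [...]}} for changed collections only."""
    changes = {}
    for coll in sorted(set(before) | set(after)):
        old, new = before.get(coll, {}), after.get(coll, {})
        added = sorted(new[r] for r in new.keys() - old.keys())
        removed = sorted(old[r] for r in old.keys() - new.keys())
        if added or removed:
            changes[coll] = {"added": added, "removed": removed}
    return changes

def attribute(changes, audit, start, end):
    """Attach the audit entries (who, when) logged for each changed collection between the snapshots."""
    return [{"collection": coll, **delta,
             "modified_by": [(user, ts) for ts, user, c in audit if c == coll and start <= ts <= end]}
            for coll, delta in changes.items()]

# Constructed sample data: two snapshots taken five minutes apart.
BEFORE = """CollectionID,ResourceID,Name
LAB00012,101,PC-ALPHA
LAB00012,102,PC-BRAVO
LAB00015,201,SRV-ONE
"""
AFTER = """CollectionID,ResourceID,Name
LAB00012,101,PC-ALPHA
LAB00012,103,PC-CHARLIE
LAB00015,201,SRV-ONE
"""
T0, T1 = datetime(2010, 3, 11, 10, 0), datetime(2010, 3, 11, 10, 5)
# Constructed stand-in for audit status message output: (time, user, CollectionID).
AUDIT = [(datetime(2010, 3, 11, 10, 2), "CONTOSO\\helpdesk1", "LAB00012"),
         (datetime(2010, 3, 11, 9, 30), "CONTOSO\\helpdesk2", "LAB00012")]

if __name__ == "__main__":
    found = diff_snapshots(load_snapshot(BEFORE), load_snapshot(AFTER))
    for entry in attribute(found, AUDIT, T0, T1):
        print(entry)
```

The diff shows resulting membership, so a query-rule edit appears as the machines it added or removed, not as the rule text. If several users modified the same collection between two snapshots, the change cannot be pinned to one of them, so shorter snapshot intervals give better attribution.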