SCCM- Audit logs

Question

Hi

Someone did modify and remove patches from a SUG sometime before.

Me ,Without noticing this and reporting to my mgr I added some patches to this SUG coz of which now my id is displayed in LAST MODIFIED.
Now, im being blamed..

I wanna know who removed and modified the SUG ..

Which log can i use to identify and where this log will be present in sccm site server?

solved 0
Santhosh P 2020-05-15T19:14:48+05:30 17 Answers 895 views Beginner
0

Answers ( 17 )

  2. Anoop C Nair
    1
    2020-05-23T16:42:06+05:30
    Reply

    Stay tuned more blog posts are coming on your way next week

  4. Santhosh P
    0
    2020-05-23T16:21:23+05:30
    Reply

    All the answers were helpful to me.
    Thank you so much HTMD .

    And HTMD,
    From SCCM console I could not get the audit log as there is no option to get for one month because it gives only for specific date (please correct me if im wrong).

    From SQL query ,I tried and it gives lot of info but I could still not find what im looking for ,may be because of my Infrastructure.

    So Sql method should help ppl who have issues like mine.

    Thanks again

  6. Santhosh P
    0
    2020-05-22T13:14:19+05:30
    Reply

    Tq all.

    Please have this thread closed.

    Best answer
  8. karthikeyan
    0
    2020-05-16T18:04:32+05:30
    Reply

    Hi,

    Try this below SQL query:
    ———————————————————————————
    Select
    rsm.Severity,
    rsm.MessageTypeString as ‘Type’,
    rsm.SiteCode,
    rsm.Timestamp as ‘Date/Time’,
    rsm.System,
    rsm.Component,
    rsm.MessageID,
    ‘User “‘ + rsm.InsStrValue1 + ‘”‘ +
    CASE
    when rsm.MessageID = 30196 Then ‘ created updates assignment ‘
    when rsm.MessageID = 30197 Then ‘ modified updates assignment ‘
    when rsm.MessageID = 30198 Then ‘ deleted updates assignment ‘
    when rsm.MessageID = 30219 Then ‘ created authorization list ‘
    when rsm.MessageID = 30220 Then ‘ modified authorization list ‘
    when rsm.MessageID = 30221 Then ‘ deleted authorization list ‘
    End
    + rsm.InsStrValue2 + ‘ ‘ + rsm.InsStrValue3 + ‘ ‘ + rsm.InsStrValue4 as ‘Description’,
    cia.CollectionID,
    cia.CollectionName
    from v_Report_StatusMessageDetail rsm
    left join v_CIAssignment cia on rsm.InsStrValue2 = cia.AssignmentID
    where rsm.MessageID >= 30196 and rsm.MessageID = 30218 and rsm.MessageID <= 30221
    order by 4 desc
    ———————————————————-

    Regards,
    Karthikeyan

  10. karthikeyan
    0
    2020-05-16T18:01:38+05:30
    Reply

    Hi Santhosh,

    You can get the information sccm console under status message queries node:
    \Monitoring\Overview\System Status\Status Message Queries

    1. All Status Messages
    2. All Status Messages from a Specific Site

    If that information is deleted from audit log then more difficult to find the information.

    Regards,
    Karthikeyan

  12. Deepak Rai
    0
    2020-05-16T15:08:03+05:30
    Reply

    Can you please go through this one? Written 2 years before by Anoop Nair. Full detailed blog.

    https://www.anoopcnair.com/track-deleted-modified-changed-sccm-settings/

    Let us know if questions/doubts.

  14. Kayyum
    0
    2020-05-16T14:55:01+05:30
    Reply

    Strange I was not able to see my earlier response, so updated again… please ignore this duplicate 🙂

  16. Anoop C Nair
    1
    2020-05-16T14:53:12+05:30
    Reply

    SQL mgmt studio is the place you should look for

  18. Santhosh P
    0
    2020-05-16T14:51:50+05:30
    Reply

    1.May I know where vSMS_Audit can be found..

    2.Sir, I went through your link ,in which i followed steps in SCCM ,Monitoring node and I chose Audit for a specific site but the problem is I dont know when the modification was made in that SUG and this prevents me from choosing the date and time…Any way to sort this out…Because I need to find logs for atleast a month ago from now

  20. Kayyum
    2
    2020-05-16T13:24:38+05:30
    Reply

    In addition to Anoop C Nair’s suggestion, maybe you can check the Monitoring tab | System Status Messages | All Status Messages | select time duration and you can go through the details.

    Also worth having a look at the below article :
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/enhanced-audit-status-message-queries/ba-p/884897

    • Santhosh P
      0
      2020-05-16T14:54:07+05:30
      Reply

      I did that too ,but since im not aware of date and time of the modification i cannot choose date..

      So i need to find log for the whole current month atleast

  22. Anoop C Nair
    1
    2020-05-15T19:42:12+05:30
    Reply

    I understand the critical situation

    select * from SCCM_Audit
    Select * from SCCM_Audit_UserInfo
    Select * from Audit_Users
    Select * from Audit_RecoveryAuditEvents
    Select * from Audit_RecoveryInfoType
    Select * from vSMS_Audit

    I would check Select * from vSMS_Audit to get the details

    Also try to check

    https://howtomanagedevices.com/sccm/41/sccm-audit-reports/

Leave an answer

Sorry, you do not have permission to answer to this question .