
Auditing changes in SCOM

I have no way to know who made what changes in the SCOM environment. There are multiple admins and they change settings such as Install MPs/ Remove MPs/ Change Overrides/ Author new rules/ Change Admin settings/ Create new users/etc. There is never a way to know who did what.

This is a feature request to Audit all major changes to the SCOM environment.

365 votes
SCOM PMs shared this idea

14 comments

  • Wayne commented

    Please add this feature. This is helpful in an environment where everyone needs to have access to everything. In the current security-focused world, the lack of auditing makes SCOM look very outdated.

  • Anonymous commented

    I agree, auditing on SCOM is a must. With multiple hands on a single SCOM solution, it is impossible to see who made what changes.

  • Anonymous commented

    It is strange that you cannot audit admins' work on a system, as it can have detrimental effects on the clients' environments.

  • RG commented

    I would give this 100+ votes. It is really important to know who actually closed or changed the status of an alert. I know SCOM has covered this issue partially, but there is a special case where a user resets a monitor status, hence the related alert(s) appear to be closed by "System". If this alert is "Failed to Connect to Computer", the monitor will never run again.

  • Noah commented

    Ideally this should be written to a log, which we could use our log aggregation and analytics tool (ours is Splunk) to ingest and store, so we have this data for trending, history, security, etc.

  • Wayne commented

    Can we have another column in every view, table, or list that indicates who made changes and when?

  • Wayne commented

    There should be a log of every change made: by whom, when, where, before and after changes.

  • Niki commented

    I agree, not only see what changes have been made but also have the function to delete the "change" and have the settings restored.

  • Sergey Mukhin commented

    Who/When added/changed/removed
    a) profiles
    b) subscriptions
    c) subscribers
    d) channels
    e) access rights to views
    f) group members
    g) resource pool members
    h) User roles
    i) discovery rules for network devices
    j) approved agents

    Who/When
    f) switched instance(s) to maintenance mode?

  • Wilson Wong commented

    There should also be a way to track and audit SCOM console/web console usage. My management has often asked for a way to validate that IT Staff is actually looking at SCOM data so they want to see how often and for how long people are on the SCOM consoles.
