14 Replies Latest reply: Mar 27, 2012 8:53 AM by Bill Robinson RSS

Auditing the changes.

Sachin Dhale

Hi All,

 

Is there any way to track all the changes to Every server on daily basis? , I tried with Audit report and it only allow me to Compare with single server/ Snapshot of a single server. I am looking for taking Master snapshot for multiple servers and cmpairing it with multiple servers. Is this possible?

 

 

Regards,

 

Sachin Dhale

  • 1. Auditing the changes.
    Nimrod NameToUpdate

    If I understand you correctly, you want to have audit job with 5 master (for example) and compare it with rest of servers. If it is the case you can do it:

    1. Create a component template for each of the master servers you want (it can be exactly the same component template, but each master should have a component template of its own).
    2. Run discovery job with each of the component temlate on the required server. At teh end of this process you shoud have a component for each master server, and each component is of different component template.
    3. Create audit job of type 'Audit component'. Add all the component templates of step 1 above to the component template for filtering. In the masters selection, you will be able to select different master for each component template. There you go - an audit job with several masters (assuming this is what you are looking for).
  • 2. Auditing the changes.
    Sachin Dhale

    what I want to achive is comparision of a master Snapshot(Older one) with multiple target servers with the Live objetcs or a New snapshot with Multiple targerts. and check for the Hardware changes, Do you mean to say Component of  Master snapshot here? also is it fine i i discover it on multiple targets?

  • 3. Re: Auditing the changes.
    Nimrod NameToUpdate

    I probably didn't understood your first question, so please ignore my last post.

    In case you want to have an with single master and compare to it several targets, all you need to do is to add whatever objects (snapshots or live objects to the targets list of the audit job). Can you please elaborate why the audit job "only allow me to Compare with single server/ Snapshot of a single server"? Does the list in which you select the targets doesn't display all the object that you want to add as targets to the audit job?

     

    BTW - some tips when creating the snapshot job and the audit jobs:

    • When you create the snapshot job the object can be the Hardware Information entry in the server (you can select the root and no need to select specific object in the tree of HW info).
    • On the object selection (same step as above), make sure you select the relevant snapshot options for you (by default not all is marked)
    • Same thing for the audit - amke sure you select teh relevant audit options
  • 4. Auditing the changes.
    Sachin Dhale

    Thanks Nimod for your help.

     

    I ransnapshot job on multiple servers (single instance) , and now i am taking this as Mastar for comparision,  When I try to create a Audit job It will allow me to just take a single server snapshot out of all the servers or else i will have to click individual server snapshot and select it, I am targetting around 700 servers, and to select each server snapshot would not be feasible, Can we select all the results at a time from the Master snapshot?. Please check the below snapshot

     

     

     

     

    1.bmp

     

    2.bmp

  • 5. Auditing the changes.
    Nimrod NameToUpdate

    If you want to select the whole 700 snapshot as masters then my first answer is the way, meaning you have to create component for each machine, but this is not feasible as well, as in that way you have to create 700 component templates.

     

    In general, the audit job should have a single master (which is the "golden master") and all the rest of targets are compared to this one. if you'll have 700 masters and say 50 targets, you'll have 700 caparisons,each against 50 targets, which means 35,000 results. IMHO, this is not the way to use audit.

     

    In case you still want to have audit with 700 masters this is the option as I see it:

    1. Use looped BLCLI script which will create the 700 component templates (for each server)
      1. Use Template createEmptyTemplate to create the template
      2. Use Template addSystemInfoPart to add part (I don't know if there is a way to add hardware information part)
    2. Group all the component templates and set the group as target for the component discovery job. In this way you can create a component discovery job which will run against all the component templates.
    3. Group all the generated components under single group (you can use component smart group)
    4. Open the Group explorer (Ctrl+G) and select the component smart group. You'll see all the components under the group.
      1. Multi select all of them (click on the first one, hold shift key board button and click on the last one).
      2. Right click and audit. This will create an audit job with 700 masters (but I still don't recommend it)
  • 6. Auditing the changes.
    Sachin Dhale

    Thanks, Apart from this is there any way to track the changes to the Hardware of a Multiple servers?

  • 7. Auditing the changes.
    Nimrod NameToUpdate

    Can you please provide exactly the scenario? Do you want to make sure that all your servers doesn't deviate from a predefined setup? Do you want to make sure that no one tampered the server configuration? any other use case?

  • 8. Auditing the changes.
    Sachin Dhale

    Thats correct, Want to run audit and make sure if the servers are deviate from the predefined Setup and configuration.

  • 9. Re: Auditing the changes.
    Nimrod NameToUpdate

    In that case you need to define a single server with the expected configuration and take snapshot of the HW info of this server. The snapshot is a static data of the object and it will be your golden master. Now use this snapshot in the audit job and set all the rest of the server as targets. Any server which is not the same as the snapshot will be indicated in the audit job as non-compliant. Can this be useful for your case?

  • 10. Auditing the changes.
    Sachin Dhale

    Though its helpful, but the configurations arent similar in my case. Also if run I Run audit on the Master, It wont allow me to see the changes like if a network card was removed or any hardware not matching like Disc and all.

  • 11. Auditing the changes.
    Bill Robinson

    basically you define a single master, that is typically as snapshot of the 'good' state, and run an audit job w/ that master and your targets.

     

    you cannot have a multiple master audit.  if you are trying to capture a known good state and see if anything deviates, you may want to use compliance instead.

  • 12. Re: Auditing the changes.
    Nimrod NameToUpdate

    In case the configurations are not similar you should use snapshot job which tells you for each server the changes it had from the last snapshot run (it compares each server with its own last snapshot), or use audit but only with attributes which you know that should be identical. It means that you will not add the NIC to the audit job but may use the BIOS (in case all the servers should have the same BIOS). another option is to use compliance, like Bill suggested, in which you define rules and not specific configuration (which gives you more flexibility in the comparison).

  • 13. Auditing the changes.
    Sachin Dhale

    Thanks Nimrod and Bill, I am not too sure about compliance, Checked the user and admin guide, but could not find much information, can you provide any link for the documentation so that i can refer?

  • 14. Re: Auditing the changes.
    Bill Robinson

    It’s a rules based system.  you run a conditional check on the ‘part’ and pass or fail based on that.

     

    If you install the BMC provided content for DISA STIG, CIS, PCI, etc you will have some examples.  You can also look here:

    http://documents.bmc.com/supportu/documents/99/58/199958/199958.pdf