What reports offer a historical view of asset changes or deletions?
Last Updated February 12, 2015
Question: What reports offer a historical view of asset changes, such as when the Status is changed, or when assets are deleted? Answer: There are no out of box reports that display historical changes to assets or list which ones have been deleted. It's beyond the scope of Altiris to record such changes system-wide. There is, however, several ways to find some of this information. The following are some examples of how to do this. For the SQL script methods, these can be run directly on the SQL Server or added to a custom report (which is not otherwise documented on how to do in this article). Note: It is beyond the scope of Altiris and the Symantec Management Platform to monitor, keep track of, document and otherwise determine which user deleted what record or made what change. While some of this data can be incidentally found in the database, its purpose in being there is not to monitor user's actions or to provide this data to an administrator looking to find who deleted or changed what. If the customer need such a level of security, they are encouraged to procure a third-party Microsoft SQL Server security product, as Altiris does not offer this.
On a report showing the asset (such as Home > Service and Asset Management > Manage Configuration Items > Computers and Peripherals > Computer), right click on it and then click on Resource Manager. From there, click on the View menu > Resource Change History. Many historical changes to the asset are documented here (but not all). Note: Not all historical changes are necessarily documented. Also, the absence of a change is not usually recorded. For example, a computer that doesn't have an asset owner isn't listed historically as having "no" owner; there just simply isn't any record for that as there was never a database value committed. When the first asset owner for it is committed, then that becomes the first actual historical record. It is implied therefore, that before that, it didn't have any asset owner. In other cases, a historical table may indicate that a value was removed, such as the ResourceAssociationHistoryDelta table. The removal of an Asset Owner would be reflected with which user's GUID was removed (which was therefore the previously assigned user) by the ChangeType value of "D". The user, when evaluating SQL changes to records, must take all of this into account in the best meaningful way to them, which may involve a lot of implying to fully understand the history of an asset or data class.
Many historical changes can also be found in various history tables in SQL. The following are two example SQL scripts that demonstrate how to use history tables. Common tables to check for historical changes include:
InvHist_<table name>, such as InvHist_Serial_Number.
ResourceAssociationHistoryDelta, ResourceAssociationHist and ResourceAssociationHistDelta for ResourceAssociation changes such as an asset's status or owner.
Note: For more information about history tables and Resource Change History, refer to the following article:
Evt_NS_Item_Management, which is similar to the Resource Change History's display.
Note: Evaluating some tables may not be productive, as some add more than one record, making a "clean" history not possible to directly ascertain from them.
The following are two example scripts that demonstrate how to use a history delta table, and an InvHist table, respectively.
USE Symantec_CMDB SELECT vc.Name 'Computer Name', vi.Name 'Status was Changed To', vi.ModifiedDate 'Modified On', vi.ModifiedBy 'By User or Process' FROM vComputer vc LEFT JOIN ResourceAssociationHistDelta rahd ON vc.Guid = rahd.ParentResourceGuid LEFT JOIN vItem vi ON rahd.ChildResourceGuid = vi.Guid LEFT JOIN vItem vi2 ON rahd.ResourceAssociationTypeGuid = vi2.Guid WHERE vi.Name <> '' AND rahd.ResourceAssociationTypeGuid = '3028166F-C0D6-41D8-9CB7-F64852E0FD01' ORDER BY 3, 1
USE Symantec_CMDB SELECT vc.Name 'Computer', ISNULL(ihm.Manufacturer, '') 'Manufactuer was Changed To', ISNULL(ihm.Model, '') 'Model was Changed To', ihm.CreatedDate 'Modified On' FROM InvHist_Manufacturer ihm LEFT JOIN vComputer vc ON vc.Guid = ihm._ResourceGuid ORDER BY 4, 1
Run a SQL script to view the contents of the ItemDeleted table. This records assets deleted through the Symantec Management Platform Console. The following example script demonstrates how to do this.
USE Symantec_CMDB SELECT * FROM ItemDeleted ORDER BY 4 DESC, 3
Another way is to review the Evt_NS_Item_Management table. The following SQL script example demonstrates how to do this.
Use Symantec_CMDB SELECT [User], Action, ItemName AS [Resource Name], Name AS [Resource Type], _eventTime as [Time Modified] FROM Evt_NS_Item_Management JOIN ResourceType ON ClassGuid = ItemClassGuid WHERE Name = 'computer' -- Change this to what resource name is to be checked, such as Computer, Furniture and Fixtures, Network Printer, etc. and Action = 'Delete' ORDER BY 1