Track if auditing was turned off
I want the ability to track if auditing was turned off for the PI System (PI Data Archive and AF) so that I can determine if there was the risk of potential changes that were not captured by PI System audit functions.
How would you like to track this information? For example, is it sufficient to be a message in a log file, a performance counter? Do you want to maintain the history of all the changes you want on this flag? This will help us understand how to implement it.
Hello, has there been any progress on this item? We are also needing a method to detect if the Audit Trail was turned off or a way to prevent admins from turning it off. Thank you!
David Tayler (CSE APAC OSIsoft) commented
I have another customer wanting changes to the enableAudit parameter logged by auditing.
Note: I believe this used to be tracked as PLI 9591osi8 but this is hard to find and has status: "removed".
In response to David Hearn, "Changes to auditing in the AF Server are..."
We are more concerned with changes in the PI Data Archive at this time. We set the 'EnableAudit' tuning parameter to -1 on all our systems which means all changes made by administrators are logged.
Currently an admin could change this setting to 0 which would disable auditing and then freely change other settings in the system without maintaining a history.
Changes to auditing in the AF Server are recorded in the Windows System Event Log along with the user who made the change. Is this the type of tracking you are looking for or are you wanting something in addition to this?
Yes, maintaining a history of all changes to this flag is critical. Without this, there is potential that someone could turn off auditing, make changes to the system without generating any records, and enable auditing again. A message in a log file is acceptable so long as it can be easily found during audit trail review.
The first step of our typical audit review process is to confirm that auditing is enabled and has not been turned off since the time of the last audit.