Question: What reports offer a historical view of asset changes, such as when the Status is changed, or when assets are deleted?
Answer: There are no out of box reports that display historical changes to assets or list which ones have been deleted. It's beyond the scope of Altiris to record such changes system-wide. There is, however, several ways to find some of this information. The following are some examples of how to do this. For the SQL script methods, these can be run directly on the SQL Server or added to a custom report (which is not otherwise documented on how to do in this article). Note: It is beyond the scope of Altiris and the Symantec Management Platform to monitor, keep track of, document and otherwise determine which user deleted what record or made what change. While some of this data can be incidentally found in the database, its purpose in being there is not to monitor user's actions or to provide this data to an administrator looking to find who deleted or changed what. If the customer need such a level of security, they are encouraged to procure a third-party Microsoft SQL Server security product, as Altiris does not offer this.
On a report showing the asset (such as Home > Service and Asset Management > Manage Configuration Items > Computers and Peripherals > Computer), right click on it and then click on Resource Manager. From there, click on the View menu > Resource Change History. Many historical changes to the asset are documented here (but not all). Note: Not all historical changes are necessarily documented. Also, the absence of a change is not usually recorded. For example, a computer that doesn't have an asset owner isn't listed historically as having "no" owner; there just simply isn't any record for that as there was never a database value committed. When the first asset owner for it is committed, then that becomes the first actual historical record. It is implied therefore, that before that, it didn't have any asset owner. In other cases, a historical table may indicate that a value was removed, such as the ResourceAssociationHistoryDelta table. The removal of an Asset Owner would be reflected with which user's GUID was removed (which was therefore the previously assigned user) by the ChangeType value of "D". The user, when evaluating SQL changes to records, must take all of this into account in the best meaningful way to them, which may involve a lot of implying to fully understand the history of an asset or data class.
Many historical changes can also be found in various history tables in SQL. The following are two example SQL scripts that demonstrate how to use history tables. Common tables to check for historical changes include:
Note: Evaluating some tables may not be productive, as some add more than one record, making a "clean" history not possible to directly ascertain from them.
The following are two example scripts that demonstrate how to use a history delta table, and an InvHist table, respectively.
SELECT vc.Name 'Computer Name', vi.Name 'Status was Changed To', vi.ModifiedDate 'Modified On', vi.ModifiedBy 'By User or Process'
FROM vComputer vc
LEFT JOIN ResourceAssociationHistDelta rahd
ON vc.Guid = rahd.ParentResourceGuid
LEFT JOIN vItem vi
ON rahd.ChildResourceGuid = vi.Guid
LEFT JOIN vItem vi2
ON rahd.ResourceAssociationTypeGuid = vi2.Guid
WHERE vi.Name <> ''
AND rahd.ResourceAssociationTypeGuid = '3028166F-C0D6-41D8-9CB7-F64852E0FD01'
ORDER BY 3, 1
SELECT vc.Name 'Computer', ISNULL(ihm.Manufacturer, '') 'Manufactuer was Changed To', ISNULL(ihm.Model, '') 'Model was Changed To', ihm.CreatedDate 'Modified On'
FROM InvHist_Manufacturer ihm
LEFT JOIN vComputer vc
ON vc.Guid = ihm._ResourceGuid
ORDER BY 4, 1
Run a SQL script to view the contents of the ItemDeleted table. This records assets deleted through the Symantec Management Platform Console. The following example script demonstrates how to do this.
ORDER BY 4 DESC, 3
Another way is to review the Evt_NS_Item_Management table. The following SQL script example demonstrates how to do this.
SELECT [User], Action, ItemName AS [Resource Name], Name AS [Resource Type], _eventTime as [Time Modified]
ON ClassGuid = ItemClassGuid
WHERE Name = 'computer' -- Change this to what resource name is to be checked, such as Computer, Furniture and Fixtures, Network Printer, etc.
and Action = 'Delete'
ORDER BY 1
Computer's Manufacturer, Model, Serial Number or System Number are incorrect
Computer Barcode field value disappears later after being set
Random assets suddenly disappear from the Symantec Management Platform Console