What reports offer a historical view of asset changes or deletions?
search cancel

What reports offer a historical view of asset changes or deletions?

book

Article ID: 181588

calendar_today

Updated On:

Products

Asset Management Solution IT Management Suite

Issue/Introduction

What reports offer a historical view of asset changes, such as when the Status is changed, or when assets are deleted?

Environment

8.x

Resolution

There are no out of box reports that display historical changes to assets or list which ones have been deleted. It's beyond the scope of Altiris to record such changes system-wide. There is, however, several ways to find some of this information. The following are some examples of how to do this. For the SQL script methods, these can be run directly on the SQL Server or added to a custom report (which is not otherwise documented on how to do in this article).

Note: It is beyond the scope of Altiris and the Symantec Management Platform to monitor, keep track of, document and otherwise determine which user deleted what record or made what change. While some of this data can be incidentally found in the database, its purpose in being there is not to monitor user's actions or to provide this data to an administrator looking to find who deleted or changed what. If the customer need such a level of security, they are encouraged to procure a third-party Microsoft SQL Server security product, as Altiris does not offer this.

Historical Changes

On a report showing the asset (such as Home > Service and Asset Management > Manage Configuration Items > Computers and Peripherals > Computer), right-click on it and then click on Resource Manager. From there, click on the View menu > Resource Change History. Many historical changes to the asset are documented here (but not all). 

Note: Not all historical changes are necessarily documented. Also, the absence of a change is not usually recorded. For example, a computer that doesn't have an asset owner isn't listed historically as having "no" owner; there just simply isn't any record for that as there was never a database value committed. When the first asset owner for it is committed, then that becomes the first actual historical record. It is implied therefore, that before that, it didn't have any asset owner. In other cases, a historical table may indicate that a value was removed, such as the ResourceAssociationHistoryDelta table. The removal of an Asset Owner would be reflected with which user's GUID was removed (which was therefore the previously assigned user) by the ChangeType value of "D". The user, when evaluating SQL changes to records, must take all of this into account in the best meaningful way to them, which may involve a lot of implying to fully understand the history of an asset or data class.

Many historical changes can also be found in various history tables in SQL. The following are two example SQL scripts that demonstrate how to use history tables. Common tables to check for historical changes include:

  • InvHist_<table name>, such as InvHist_Serial_Number.
  • ResourceAssociationHistoryDelta, ResourceAssociationHist and ResourceAssociationHistDelta for ResourceAssociation changes such as an asset's status or owner.
  •  Evt_NS_Item_Management, which is similar to the Resource Change History's display.
     

Note: Evaluating some tables may not be productive, as some add more than one record, making a "clean" history not possible to directly ascertain from them.

The following are two example scripts that demonstrate how to use a history delta table, and an InvHist table, respectively.

USE Symantec_CMDB
SELECT vc.Name 'Computer Name', vi.Name 'Status was Changed To', vi.ModifiedDate 'Modified On', vi.ModifiedBy 'By User or Process'
FROM vComputer vc
LEFT JOIN ResourceAssociationHistDelta rahd
ON vc.Guid = rahd.ParentResourceGuid
LEFT JOIN vItem vi
ON rahd.ChildResourceGuid = vi.Guid
LEFT JOIN vItem vi2
ON rahd.ResourceAssociationTypeGuid = vi2.Guid
WHERE vi.Name <> ''
AND rahd.ResourceAssociationTypeGuid = '3028166F-C0D6-41D8-9CB7-F64852E0FD01'
ORDER BY 3, 1


USE Symantec_CMDB
SELECT vc.Name 'Computer', ISNULL(ihm.Manufacturer, '') 'Manufactuer was Changed To', ISNULL(ihm.Model, '') 'Model was Changed To', ihm.CreatedDate 'Modified On'
FROM InvHist_Manufacturer ihm
LEFT JOIN vComputer vc
ON vc.Guid = ihm._ResourceGuid
ORDER BY 4, 1

Asset Deletions

Run a SQL script to view the contents of the ItemDeleted table. This records assets deleted through the Symantec Management Platform Console. The following example script demonstrates how to do this.

USE Symantec_CMDB
SELECT *
FROM ItemDeleted
ORDER BY 4 DESC, 3

Another way is to review the Evt_NS_Item_Management table. The following SQL script example demonstrates how to do this.

Use Symantec_CMDB
SELECT  [User], Action, ItemName AS [Resource Name], Name AS [Resource Type], _eventTime as [Time Modified]
FROM Evt_NS_Item_Management
JOIN ResourceType
ON ClassGuid = ItemClassGuid
WHERE Name = 'computer' -- Change this to what resource name is to be checked, such as Computer, Furniture and Fixtures, Network Printer, etc.
and Action = 'Delete'
ORDER BY 1

Related Articles

Computer's Manufacturer, Model, Serial Number or System Number are incorrect