=========================================================================
e-Policy Orchestrator Auditing
=========================================================================


This document describes the Auditing feature for ePO 3.5. By default, this feature is not activated, but can be activated by installing the Auditing component on the computer that runs the SQL Server for ePO.  On local database installations of ePO, this computer is the same computer as your ePO Server.


INSTALLATION:
-------------------------------------------------------------------------

1) Copy the file ePOAuditInstall.exe to the computer that runs the SQL Server used for ePO (on local database installs, this is your ePO Server computer).

2) Log on to the computer that runs the SQL Server used for ePO (on local database installs, this is your ePO Server computer) with an account that has local administrator privileges.

3) Execute "ePOAuditInstall.exe" and follow the wizard to completion.

4) Perform ONE of the following actions:

	* Restart the server.
	* Stop and restart the SQL Server service. 
	   (Note: all dependent services will need to be restarted)



READING LOG FILES:
--------------------------------------------------------------------------

All logs will be saved in "c:\ePOAudit\". A SQL job is scheduled to run just before midnight each day, which produces a log file for the entire day. The format of the log file name is "ePO yyyy-mm-dd HHMMSS.csv", where "yyyy-mm-dd" is the date the log file was created, and HHMMSS is the time it was created.  Log files can be viewed using MS Excel or Notepad.



UNINSTALL:
--------------------------------------------------------------------------
To uninstall this Add-on, simply remove "McAfee ePO Audit Logs for SQL" using "Add/Remove Programs".



WHAT WILL BE INCLUDED IN THE AUDIT LOGS?
--------------------------------------------------------------------------
The following administrative actions will be logged (Note: Any action involving deletion will not provide specific details on what was actually deleted, since it no longer exists in the database):

	-User login
	-Adding/deleting a user
	-User role change
	-User password change
	-Adding/deleting a site
	-Adding/deleting a group
	-Adding/deleting a computer
	-Uninstalling agent when deleting
	-Renaming sites, groups, or computers
	-Policy changes


The resultant log file has the following fields:

EventType: Could be User Login, User Created, User Deleted, User Modified, Inherit policy enabled, Inherit policy disabled, Policy change, Group/Site Added, Computer Added, Node Uninstalled, Site/Group Deleted, Computer Deleted, Node Renamed, Node Moved.

Event: The specific event that took place.

ePOServer: The local-host ePO server name.

ePOConsole: The local or remote ePO console server name from which changes are made.

DatabaseID: Internal SQL Server ID for the ePO database.

ProcessID: Process ID of the logged-in user. Using this ID, you can map all the subsequent changes back to the user when they first logged in.

DateTime: Time stamp of the event.
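
The ProcessID mapping described above can be done with a short script. The following is an added example, not part of the original McAfee document or product. It assumes the CSV has a header row naming the seven fields above and that rows appear in chronological order; the sample rows, event text and DateTime format are constructed for illustration.

```python
import csv
import io

# Constructed sample (not real ePO output). Assumed: a header row naming the
# seven fields above, rows in chronological order, and this DateTime format.
SAMPLE = """\
EventType,Event,ePOServer,ePOConsole,DatabaseID,ProcessID,DateTime
User Login,User admin logged in,EPO01,EPO01,7,61,2005-03-14 09:02:11
Policy change,Policy changed on node LAB,EPO01,EPO01,7,61,2005-03-14 09:05:40
User Login,User jsmith logged in,EPO01,WKS22,7,64,2005-03-14 10:15:03
User Created,User temp1 created,EPO01,WKS22,7,64,2005-03-14 10:16:47
Computer Deleted,Computer deleted,EPO01,WKS22,7,64,2005-03-14 10:20:19
User Login,User admin logged in,EPO01,EPO01,7,64,2005-03-14 15:30:00
Node Renamed,Node renamed,EPO01,EPO01,7,64,2005-03-14 15:31:12
Policy change,Policy changed,EPO01,WKS30,7,70,2005-03-14 16:00:00
"""


def attribute_events(csv_text):
    """Pair each logged change with the latest User Login on its ProcessID.

    Returns (attributed, orphans). Orphans are changes with no earlier login
    in this file, e.g. the login is recorded in the previous day's file.
    """
    sessions = {}  # (ePOServer, DatabaseID, ProcessID) -> login row
    attributed, orphans = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["ePOServer"], row["DatabaseID"], row["ProcessID"])
        if row["EventType"] == "User Login":
            # A new login on the same ProcessID replaces the old session, so
            # later changes are not credited to the earlier user.
            sessions[key] = row
        elif key in sessions:
            login = sessions[key]
            attributed.append({**row, "Login": login["Event"],
                               "LoginConsole": login["ePOConsole"]})
        else:
            orphans.append(row)
    return attributed, orphans


if __name__ == "__main__":
    done, unknown = attribute_events(SAMPLE)
    for r in done:
        print(r["DateTime"], r["EventType"], "<-", r["Login"], "@", r["LoginConsole"])
    for r in unknown:
        print(r["DateTime"], r["EventType"], "<- no login in this file, ProcessID", r["ProcessID"])
```

To run it on a real log, pass the text of one "ePO yyyy-mm-dd HHMMSS.csv" file from "c:\ePOAudit\" to attribute_events. Changes returned as orphans need the previous day's file to find the matching login.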




TROUBLESHOOTING TIPS
--------------------------------------------------------------------------

1) On your computer with SQL Server, make sure the SQL Agent service (SQLSERVERAGENT) is running and is set to start automatically.



-Network Associates, Inc.-
