Audit Server can collect a variety of data from audited systems. It can then present this data to you in different ways to help monitor the health of your network time,
interface with other systems, and for regulatory compliance purposes.
Audit Data Types
Audit Server collects two main types of data from audited systems:
Audit Results Records - a snapshot record of information about the audited system taken at the time of the audit.
It contains information such as current time on the target, it's last time source, etc.
Audit Results records can be gathered from both Domain Time systems on Windows, domtimed daemons running on 'nix systems, and from machines running NTP daemons that respond to time request packets. Domain Time machines
will provide more complete statistics on their operation than do NTP sources, but both contain enough data for auditing/alerting purposes.
Daily Reports can be generated based on the Audit Result Records during each audit run to summarize and/or export data.
Synchronization logs - a running log of the results of each successful synchronization of the Domain Time Server or Client.
Synchronization logs are only kept by Domain Time Client or Server running on Windows systems.
Synchronization Log data is used to create the Drift Graph display, which is a graphical representation of the accuracy of the
clock on your machine sampled at the time it synchronized with its time source. You may scroll through the entire drift data to see
how your clock has been performing over time, or you may view the actual log data to get more statistical information.
You can view either type of data collected by Audit Server by clicking on the "Audit Server" category in the left-hand column of Manager's interface.
Audit Results Records
Audit Results Records are highly compact collections of data collected from audited systems during an audit run.
The data from all audited machines during an audit run are collected into audit results files kept in the Audit Data Cache folder.
The folder location is specified on the Audit Server -> Advanced -> Data Folders... menu (by default, C:\Program Files\Domain Time II\Audit Data Cache).
Each audit run results in a new file.
You may configure Audit Server to limit the growth of the Audit Data Cache by deleting all Audit Results Records over a certain age.
This setting is found on the Audit Server -> Audit Tasks menu item.
Audit Results Records are viewed using a utility program called Audit Data Viewer (DTREADER.EXE-launched automatically when you view results through Manager).
The DTReader utility is associated with files having the extension .dtad (DT Audit Data) during the installation of Audit Server. However, it can be used to view Audit Record Results files on other systems.
Simply copy the program to any machine from which you'd like to view audit records.
Note: DTREADER.EXE does not function on Windows Server Core systems.
To view sync logs collected by Audit Server on Server Core systems, you must copy the DTREADER.EXE utility to a non-Core system and use it from there to view the .dtad audit records through a network share on the Core machine.
Although each individual audit record file is highly compact, the
The size of each individual audit results file depends on how many machines are included. If unattended (and unlimited by the Audit Tasks setting described above), the folder can grow to contain a very large amount of data.
You should plan to regularly archive this data off to your normal archival storage.
Daily Reports are summary results files using a user-specified format, created during each audit run from audit record data.
They are particularly useful for exporting audit data to external programs.
You set up Daily Reports using the Audit Server -> Daily Reports -> Configure menu item.
When enabled, Audit Server will create a special summary log of audit records each day in the folder specified for Daily Reports on the
Audit Server -> Advanced -> Data Folders... menu item. Click the Audit Server -> Daily Reports -> View menu item
to browse through the existing reports.
Daily Audit Summary Logs only include information from audit records; they do not include information from the Synchronization Logs.
The View Logs button displays the contents of the Daily Report Summary collection folder using the Explorer shell which does not function
on Windows Server Core systems. Use Notepad to view the files manually or view them from a remote machine using any text reader.
A new summary log file will be created each day. Any audits performed during that day will be appended to the log.
Daily Reports are particularly useful if you are using your own log file collection and analysis program and need the audit record information to appear in a particular
format to be imported correctly.
The Daily Report Format section is where you specify how data will appear in the log. You can specify the format of the header used
before the records as well as the format of the records themselves.
The format string entered in the text field indicates the
order of data variables (keywords surrounded by the % character) which represent specific data collected from the audited machine,
special characters (such as \r representing
a carriage return), and delimiters (if any) used to create each line of the log file. You can preview the effect of your settings by clicking the Show Example
For example the format string:
results in a log file entry with this format:
# Audit results from audit performed at 17:00:00 UTC
OK,DC_2,126.96.36.199,Y,Central Daylight Time
OK,PDC,188.8.131.52,Y,Central Daylight Time
Note that the entry for the NTP server in the example above shows ? in the DST and Unknown in the TimeZone fields. This information
is only available from Domain Time II components.
These are the items that can be included in the format string:
You may specify any text you want to use between variables in the format string.
percent sign character
Whether or not the machine was audited successfully Returns OK or Err
Audit stamp version number
Number of consecutive contact failures
Number of seconds since time was last set
Variance from reference at time of audit
Time this machine was last contacted
Machine's serial number
Name of last time protocol used to set the time
Local time (adjusted for timezone and dst) at time of audit
UTC time at time of audit
Variance last time machine corrected its time
Number of time corrections since last startup
Number of time checks (whether or not correction made) since startup
Number of times machine encountered an error while checking the time
Time this machine's client was installed
Time (in seconds) at time of audit (usually matches LocalTime)
Time machine last corrected its time
Time machine last started the time service
Most recently-used time source
Time zone (for example, "Eastern Standard Time")
Version number of time software on machine
Machine's NetBIOS name
Machine's DNS name (if available)
Machine's last-known IP address
Y if machine is known to be applying Daylight Savings Time correction N if machine is known to NOT be applying DST correction ? if machine's treatment of Daylight Savings Time is unknown
Machine's Domain Time II role (client, server, etc)
Y if software is registered N if software is an evaluation copy (or not a Domain Time component)
Name of architecture, operating system, and OS version
List of servers used for averaging (if available)
Audit Server can collect synchronization (drift) logs from audited machines into a central location. Synchronization logs contain a record of every successful synchronization of
Server of Client and can be displayed as either a drift graph or as text records.
Windows Server and Clients (version 3.1 or later) maintain internal drift logs that includes information such as the time of synchronization,
the time source used, the reason for the check, and the amount of clock correction (if any). These logs are limited in size and older data scrolls off
over time. Using Audit Server to collect this information allows you to preserve this data for audit trail and archival purposes.
Synchronization Logs can only be retrieved from Windows Domain Time II Server and Clients version 3.1 and later.
The Audit Server must use credentials with sufficient rights to connect to the administrative shares on the remote systems
The utility used to view binary sync logs (DTDRIFT.EXE) does not function on Windows Server Core systems. To view sync logs collected by Audit Server on Server Core systems,
you must copy the DTDRIFT.EXE utility from the /System32 folder to a non-Core system and use it from there to view the sync log data files through a network share on the Core machine.
Synchronization logs are collected in the folder specified for them on the Audit Server -> Advanced -> Data Folders... menu item.
Enable Synchronization Log collection by choosing Audit Server -> Synchronization Logs -> Enable from the menu.
View the collected logs in graphical format by choosing Audit Server -> Synchronization Logs -> View Drift Graphs... from the menu.
Synchronization Logs are viewed using a utility program called DTDRIFT.EXE (launched automatically when you view results through Manager).
The DTDrift utility is associated with files having the extension .dt during the installation of Domain Time Server, Client, and/or Audit Server.
However, it can be used to view Synchronization Log files on other systems. Simply copy the program to any machine from which you'd like to view audit records.
Note: The DTDRIFT.EXE program does not function on Windows Server Core systems. To view sync logs collected by Audit Server on Server Core systems,
you must copy the DTDRIFT.EXE utility to a non-Core system and use it from there to view the .dt synchronization logs through a network share on the Core machine.
Foreground - collection must finish before audit completes Background - collection finishes independent of scheduled audits Run background collection periodically, not just at audit time
These choices determine whether Audit Server will collect the sync logs in a separate thread from the audit run itself.
Collecting sync logs from each audited machine can take an extended amount of time, particularly if you have a large
number of machines to audit. Choosing Background allows collection of the basic audit data very quickly,
and then the collection of the sync logs can complete in the background. Running the collection in the background periodically can make
collection even more efficient.
Limit size of collected Synchronization Logs
You may restrict log size by limiting the number of records kept per machine (older records are rolled off to make room for new entries), and/or
by deleting all records over a certain age.
Estimate your disk requirements
The collected synchronization (Drift) logs can grow to very large sizes. The size depends on how many machines are included and how often each one of them is synchronizing.
Each time an audit scan is performed, Audit Server appends the new drift data collected to the existing log file. Care needs to be taken to ensure that sufficient disk space to contain these logs is always available.
We recommend regular archival and cleanup of this data if the retention settings are not set to limit the log sizes.
Expand binary sync log database file to text files
Enabling this function will cause Audit Server to create a text file version of the binary sync log collection file(s). The text files will be named
and formatted according to the settings indicated. You should only use this option if you require a text file be kept for a specific purpose, since the text files are
dramatically larger than the binary files. Normally, you would use the View Logs function described below to view the binary files in a more
friendly graphical format and generate a text file only if necessary by clicking the Raw Data button on the Drift Graph display.