Domain Time II Configuration - Audit Server/Data Collection

Domain Time II Audit Server
Version 5.1

Data Collection

Audit Server can collect a variety of data from audited systems. It can then present this data to you in different ways to help monitor the health of your network time, interface with other systems, and for regulatory compliance purposes.

Daily Reports

Audit Server -> Daily Reports -> Configure

Audit Server Daily Report Configuration Dialog [Click for larger size]

When enabled, Audit Server will create a special summary log of audit records each day in the folder specified for Daily Reports on the Audit Server -> Advanced -> Data Folders... menu item. Click the Audit Server -> Daily Reports -> View menu item to browse through the existing reports.

Notes:
Daily Audit Summary Logs only include information from audit records; they do not include information from the Synchronization Logs.
The View Logs button displays the contents of the Daily Report Summary collection folder using the Explorer shell which does not function on Windows Server Core systems. Use Notepad to view the files manually or view them from a remote machine using any text reader.

A new summary log file will be created each day. Any audits performed during that day will be appended to the log.

Daily Reports are particularly useful if you are using your own log file collection and analysis program and need the audit record information to appear in a particular format to be imported correctly.

The Daily Report Format section is where you specify how data will appear in the log. You can specify the format of the header used before the records as well as the format of the records themselves.

The format string entered in the text field indicates the order of data variables (keywords surrounded by the % character) which represent specific data collected from the audited machine, special characters (such as \r representing a carriage return), and delimiters (if any) used to create each line of the log file. You can preview the effect of your settings by clicking the Show Example button.

For example the format string:

%Status%,%MachineName%,%IP%,%DST%,%TimeZone%\r\n

results in a log file entry with this format:

#
# Audit results from audit performed at 17:00:00 UTC
#
# Status,MachineName,IP,DST,TimeZone\r\n
OK,DC_2,172.10.1.12,Y,Central Daylight Time
OK,PDC,172.10.1.10,Y,Central Daylight Time
OK,NTP Server,192.43.244.18,?,Unknown

Note that the entry for the NTP server in the example above shows ? in the DST and Unknown in the TimeZone fields. This information is only available from Domain Time II components.

These are the items that can be included in the format string:

Delimiters
You may specify any text you want to use between variables in the format string.

Special Characters

\n	line feed
\r	carriage return
\t	tab character
\\	backslash character
%%	percent sign character

Data Variables

%Status%	Whether or not the machine was audited successfully Returns OK or Err
%AuditStampVersion%	Audit stamp version number
%ContactFailures%	Number of consecutive contact failures
%SecsSinceLastSet%	Number of seconds since time was last set
%Variance%	Variance from reference at time of audit
%LastContact%	Time this machine was last contacted
%SerialNumber%	Machine's serial number
%LastProtocol%	Name of last time protocol used to set the time
%LocalTime%	Local time (adjusted for timezone and dst) at time of audit
%UTC%	UTC time at time of audit
%LastVariance%	Variance last time machine corrected its time
%Corrections%	Number of time corrections since last startup
%Checks%	Number of time checks (whether or not correction made) since startup
%Errors%	Number of times machine encountered an error while checking the time
%InstallDate%	Time this machine's client was installed
%UnixTime%	Time (in seconds) at time of audit (usually matches LocalTime)
%LastSet%	Time machine last corrected its time
%LastStartup%	Time machine last started the time service
%LastSource%	Most recently-used time source
%TimeZone%	Time zone (for example, "Eastern Standard Time")
%Version%	Version number of time software on machine
%MachineName%	Machine's NetBIOS name
%DNSName%	Machine's DNS name (if available)
%IP%	Machine's last-known IP address
%DST%	Y if machine is known to be applying Daylight Savings Time correction N if machine is known to NOT be applying DST correction ? if machine's treatment of Daylight Savings Time is unknown
%Role%	Machine's Domain Time II role (client, server, etc)
%Registered%	Y if software is registered N if software is an evaluation copy (or not a Domain Time component)
%OS%	Name of architecture, operating system, and OS version
%AverageInfo%	List of servers used for averaging (if available)

Synchronization Logs
Audit Server can collect synchronization (drift) logs from audited machines into a central location. Synchronization logs contain a record of every successful synchronization of Server of Client and can be displayed as either a drift graph or as text records.

Notes:
Synchronization Logs can only be retrieved from Windows Domain Time II Server and Clients version 3.1 and later.
The Audit Server must use credentials with sufficient rights to connect to the administrative shares on the remote systems
The utility used to view binary sync logs (DTDRIFT.EXE) does not function on Windows Server Core systems. To view sync logs collected by Audit Server on Server Core systems, you must copy the DTDRIFT.EXE utility from the /System32 folder to a non-Core system and use it from there to view the sync log data files through a network share on the Core machine.

Synchronization logs are collected in the folder specified for them on the Audit Server -> Advanced -> Data Folders... menu item.
Enable Synchronization Log collection by choosing Audit Server -> Synchronization Logs -> Enable from the menu.
View the collected logs in graphical format by choosing Audit Server -> Synchronization Logs -> View Drift Graphs... from the menu.
If you have chosen to expand the binary logs to text files (see below), you can view the text versions by choosing Audit Server -> Synchronization Logs -> View Text Reports... from the menu.
Synchronization Log Collection Settings
Use the Audit Server -> Synchronization Logs -> Configure menu item to bring up the Synchronization Configuration Dialog.

Synchronization Configuration Dialog [Click for larger size]

Foreground - collection must finish before audit completes
Background - collection finishes independent of scheduled audits
Run background collection periodically, not just at audit time
These choices determine whether Audit Server will collect the sync logs in a separate thread from the audit run itself. Collecting sync logs from each audited machine can take an extended amount of time, particularly if you have a large number of machines to audit. Choosing Background allows collection of the basic audit data very quickly, and then the collection of the sync logs can complete in the background. Running the collection in the background periodically can make collection even more efficient.
Limit size of collected Synchronization Logs
You may restrict log size by limiting the number of records kept per machine (older records are rolled off to make room for new entries), and/or by deleting all records over a certain age.
Expand binary sync log database file to text files
Enabling this function will cause Audit Server to create a text file version of the binary sync log collection file(s). The text files will be named and formatted according to the settings indicated. You should only use this option if you require a text file be kept for a specific purpose, since the text files are dramatically larger than the binary files. Normally, you would use the View Logs function described below to view the binary files in a more friendly graphical format and generate a text file only if necessary by clicking the Raw Data button on the Log Viewer.

Proceed to the Advanced page

Back to the Configure Alerts page