Audit and snapshot sources

There are several options for choosing a source for an audit or a snapshot specification.

The source of an audit determines the rules you are able to select from and configure in your audit or snapshot specification. Choosing a source depends on the purpose of your audit or snapshot specification.

Source: Server

A managed server can be a source for an audit or a snapshot specification.

If you know that a certain server contains the server objects that you want to add to the audit or snapshot specification, choose that server as the source of the audit. For example, if you are interested in auditing or taking a snapshot of application configuration files for an Apache Web Server (such as httpd.conf) on certain target servers, choose as the source of your audit a server that you know has Apache installed on it and configured correctly.

You can choose several different source servers when you create your audit or snapshot specification rules. You can also choose a different source for each server object rule.

Note
ESXi servers can only use another ESXi server as a target.

VMware ESXi servers cannot be the source of an audit or snapshot.

The following figure shows the content pane that is displayed in an Audit window or in a Snapshot Specification window when you choose a server as the source for an audit.

Server as source of audit: Creating audit rules

See Common scope cases for more information about Directory Options.

Source: Snapshot

A snapshot can be a source for an audit or a snapshot specification.

If you have a snapshot of a managed server that is in a known good state (a golden server configuration) and you would like to compare that snapshot with other servers in an audit, choose that snapshot as the source for an audit or a snapshot specification. Or, choose this option to use the captured server values to take a snapshot of another server. Using a snapshot as the source for an audit or snapshot specification allows you to choose both the results and the rules of the original snapshot specification that the snapshot was based on.

The following figure shows the options for creating audit or snapshot specification rules when you use a snapshot as the source. You can choose from the snapshot’s results and the snapshot’s rules.

Snapshot as source of audit: Available server objects to create audit rules

Source: Snapshot specification

A snapshot specification can be a source for an audit. This is commonly known as reflexive auditing. When you run an audit from a snapshot specification, the audit uses all the information defined in the specification, then applies any filters that you have defined.

Choose this option if you want to keep track of a server’s configuration over time and monitor any changes that occur. For example, you might want to keep track of an application to make sure that its configuration remains correct over a period of time. If this application runs on several servers, you can create a snapshot specification that defines a desired state of server configuration and then run the snapshot.

Next, you can create an audit and use the snapshot specification as the source for your audit. Each server that was targeted by the snapshot is now also included as a target of the audit. When you run the audit, either on-demand or on a scheduled basis, each server’s current configuration will be compared with the state originally captured from the snapshot. If the snapshot specification that serves as the source of the audit is set to run on a recurring basis, the audit will compare against the most recently run snapshot. Any changes are displayed in the audit results window.
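The comparison described above can be modelled in a few lines. This is an added example, not the product's code or API: the names Snapshot, latest_per_server and reflexive_audit, the file paths, and the hash-like values are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:              # hypothetical model of one snapshot result
    server: str
    taken_at: int            # time the snapshot ran (epoch seconds)
    values: dict             # captured object -> value, e.g. file path -> hash

def latest_per_server(snapshots):
    """Return the most recently run snapshot for each targeted server."""
    latest = {}
    for snap in snapshots:
        seen = latest.get(snap.server)
        if seen is None or snap.taken_at > seen.taken_at:
            latest[snap.server] = snap
    return latest

def reflexive_audit(snapshots, current_state):
    """Compare each server's current values with its own latest snapshot.

    Audit targets are inherited from the snapshots, so a server that only
    appears in current_state is never audited.
    """
    results = {}
    for server, snap in latest_per_server(snapshots).items():
        current = current_state.get(server)
        if current is None:  # target produced no data: report it, do not pass it
            results[server] = [("no-data", None, None, None)]
            continue
        diffs = []
        for key in sorted(set(snap.values) | set(current)):
            old, new = snap.values.get(key), current.get(key)
            if old != new:
                kind = "added" if old is None else "removed" if new is None else "changed"
                diffs.append((kind, key, old, new))
        results[server] = diffs
    return results

# Constructed sample data: two runs of a recurring snapshot, then current state.
CONF, EXTRA = "/etc/httpd/conf/httpd.conf", "/etc/httpd/conf.d/extra.conf"
SNAPSHOTS = [
    Snapshot("web01", 100, {CONF: "h-aaa"}),
    Snapshot("web01", 200, {CONF: "h-bbb"}),   # later run replaces the baseline
    Snapshot("web02", 200, {CONF: "h-bbb"}),
]
CURRENT = {
    "web01": {CONF: "h-bbb"},                  # matches the latest snapshot
    "web02": {CONF: "h-ccc", EXTRA: "h-ddd"},  # drifted since the snapshot
    "web03": {CONF: "h-zzz"},                  # never a snapshot target
}

if __name__ == "__main__":
    for server, diffs in reflexive_audit(SNAPSHOTS, CURRENT).items():
        print(server, diffs or "compliant")
```

Because web01 is compared against its second snapshot run rather than the first, a change that was captured by a later recurring snapshot no longer appears as a difference.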

Source: Rules

Rules that use a source value from a source server can be used as a source for an audit.

Most rules require a source in order to define them, except the following rules:

  • Any pre-configured rule whose value you do not set to derive from a source (server, snapshot, or snapshot specification)
  • Custom Scripts rules whose compare value you do not set to derive from a source (server, snapshot, or snapshot specification)

You cannot save an audit that contains rules that require a source if no source has been specified. You must select a source for all comparison checks and for rules that compare against a source value.