Documentation for Server Configuration Monitor
Monitoring server configurations is a key capability of SolarWinds Observability Self-Hosted (formerly Hybrid Cloud Observability) and is available in the Advanced edition.

Monitor who made server configuration changes

Server Configuration Monitor (SCM) comes with 'who made the change' detection capability to monitor who made Windows file and registry configuration changes. For file elements on both Windows and Linux operating systems, SCM can capture ownership and various other attributes. This detection feature enables you to view when a file's ownership or content changes so you can take appropriate action.

To use this feature, you must turn on near real-time file monitoring, which enables 'who made the change' monitoring. See the topic "Enable near real-time file monitoring and 'who made the change' detection" for instructions.

There are some limitations to the 'who made the change' functionality, which are described below, along with the messages a user may encounter in SCM when the 'who' value cannot be detected.

When is 'who made the change' detection available?

Consult the following table to determine when 'who made the change' detection is available.

| Feature | Agent-less | Via agent | Supports 'Who made the change' detection |
|---|---|---|---|
| Hardware | Yes | Yes | No |
| Software | Yes | Yes | No |
| Registry (Windows only) | No | Yes | Yes |
| Windows files | No | Yes | Yes |
| Linux files | No | Yes | No |
| PowerShell | No | Yes | No |
| Linux script | No | Yes | No |
| Database | Yes | Yes | No |

In addition, the following conditions affect 'who made the change' data:

  • Historical data is lost if you switch the collection of hardware and software data between remote and agent.
  • When looking at the profile, the 'who' value is displayed only when the most recent change is from an element that supports collecting 'who' information.

Messages displayed when the 'who' value is not available

Message Displayed in SCM

Explanation

The 'who' value is not available because this change event was not captured in time. Learn more.

SCM cannot determine 'who' made the change, as this change was not detected at the exact time it occurred. For example, the change was detected:

  • After the node was remanaged.
  • After the agent was restarted.
  • When 'Poll Now' was triggered.

The 'who' value is not available because real-time change detection was disabled. Learn more.

The SCM polling method does not allow capture of 'who' made the change when real-time change detection is disabled.

The 'who' value is not available because more than one change was detected at the same time. Learn more.

When more than one change event is detected at the same time, SCM cannot determine the usernames associated with each change.

The 'who' value is not available because the changes were aggregated according to data retention settings. Learn more.

SCM cannot determine which username to associate with this change after changes are aggregated according to data retention settings.

The 'who' value is not available because this node is explicitly excluded from enhanced change detection. Learn more.

Even though global real-time polling is enabled, the selected node was specifically excluded from real-time polling in enhanced change detection settings. SCM does not collect the usernames associated with changes when real-time polling is not enabled.