Query SQL database for deleted computers and who deleted them

We recently had someone delete old systems that weren’t reporting out of BigFix. We have a process to verify that we should remove them (to make sure, for example, the server really IS down), so this causes a bit of a problem for us.

Is there any way to query what was deleted (I have a list of Names if not), and who did it?

1 Like

It is possible to query the MSSQL db to see which computers are deleted from the console and to undelete them. This is only if they haven’t been removed from the database using the Audit Trail Cleaner, but that is something you would have to specifically run.

I’m not certain if it is possible to tell when they were deleted, but I think it is. I’m even less certain if it is possible to tell who deleted them.

As @jgstew suggests, there are methods to query the database for computers that have been marked as deleted, but we don’t currently keep track within the database of who deleted them, or when. Here’s a sample query that might be leveraged (though this may not work with all versions):

-- computers marked as deleted, with the reserved "computer name" property from the action site
select c.ComputerID, c.IsDeleted, c.LastReportTime, c.Isrelay, q.resultstext as 'Computer Name'
from computers c
inner join questionresults q on q.computerid = c.computerid
where c.isdeleted = 1
  and q.siteid = (select siteid from sitenamemap where sitename like '%actionsite%')
  and q.analysisid = (select id from LOCAL_OBJECT_DEFS where name = 'computer name' and dbo.fn_extractfield('IsReserved', 0, fields) = 'yes')
  and q.propertyid = (1)

3 Likes

Note: When a computer is deleted from the console, it is simply marked as “deleted” in the database so that it does not appear in the console. No computer or property data gets deleted or goes missing during this marking as deleted. And as soon as the next report from the computer endpoint is received, the computer gets marked again as “not deleted” and becomes visible in the console. If there is an operator who is acting with malicious intent in this area, they can’t really do it via the console, as you just can’t keep a good computer down: the next report received from the endpoint reactivates the visibility of the computer in the console.

However, if the computer has been offline for a while or has 0 probability of reporting again, then the computer would never become visible in the console again, as a report from it would never be received again. This is a good reason why you should not rely on BigFix to keep a full inventory of all your network assets.

1 Like
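An added example, not from any poster in the thread: because the database does not record when a computer was marked deleted, saving the sample query's output on a schedule and diffing consecutive snapshots bounds the deletion time and flags removals that skipped the verification process. The CSV exports, snapshot timestamps, computer names and approved list below are constructed, and the scheduled export job is an assumption.

```python
import csv
import io

# Constructed exports of the thread's query (only the columns used here),
# saved by a hypothetical scheduled job at two points in time.
SNAP_PREV = """ComputerID,LastReportTime,Computer Name
1001,2024-01-02 08:15:00,SRV-OLD-01
"""
SNAP_CURR = """ComputerID,LastReportTime,Computer Name
1002,2024-03-01 11:00:00,SRV-APP-07
1003,2024-03-04 23:40:00,WS-FIN-22
"""
APPROVED = {"SRV-APP-07"}  # hypothetical output of the removal-verification process


def load(snapshot_csv):
    """Map ComputerID -> row for every computer marked deleted in one export."""
    return {r["ComputerID"]: r for r in csv.DictReader(io.StringIO(snapshot_csv))}


def diff_deleted(prev_csv, prev_taken, curr_csv, curr_taken, approved):
    """Return (newly deleted computers, names no longer marked deleted)."""
    prev, curr = load(prev_csv), load(curr_csv)
    findings = []
    for cid in sorted(curr.keys() - prev.keys()):
        row = curr[cid]
        findings.append({
            "ComputerID": cid,
            "name": row["Computer Name"],
            "last_report": row["LastReportTime"],
            # No deletion timestamp exists in the database; the snapshots bound it.
            "deleted_between": (prev_taken, curr_taken),
            "approved": row["Computer Name"] in approved,
        })
    # Gone from the deleted set: per the thread, a new report from the endpoint
    # clears the flag; a database cleanup would also remove the row.
    cleared = sorted(prev[c]["Computer Name"] for c in prev.keys() - curr.keys())
    return findings, cleared


if __name__ == "__main__":
    new, cleared = diff_deleted(SNAP_PREV, "2024-03-04T09:00",
                                SNAP_CURR, "2024-03-05T09:00", APPROVED)
    for f in new:
        status = "approved" if f["approved"] else "NOT APPROVED"
        print(f["name"], f["deleted_between"], "last report", f["last_report"], status)
    print("no longer marked deleted:", cleared)
```

The shorter the interval between snapshots, the tighter the window that can be matched against console operator activity from other sources.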