How to Deploy Audit Collection Services (ACS) in SCOM 2012

 

This article is a step by step tutorial how to deploy the SCOM 2012 Audit Collection Service (ACS).

The deployment has 3 parts:

  1. How to Install an ACS Collector and Database
  2. How to Enable ACS Forwarders
  3. How to Deploy ACS Reporting

Audit Collection Service (ACS) is used to collect records generated by an audit policy and store them in a centralized database. Using ACS, organizations can consolidate individual Security logs into a centrally managed database and can filter and analyze events using the data analysis and reporting tools provided.

ACS has the following components:

· ACS Forwarders

The service that runs on ACS forwarders is included in the Operations Manager agent. By default, this service is installed but not enabled when the Operations Manager agent is installed. After you enable this service, all security events are sent to the ACS collector in addition to the local Security log.

· ACS Collector

The ACS collector receives and processes events from ACS forwarders and then sends this data to the ACS database.

· ACS Database

The ACS database is the central repository for events that are generated by an audit policy within an ACS deployment.

This looks like the following:

clip_image001

For details have a look at:

Collecting Security Events Using Audit Collection Services in Operations Manager
https://technet.microsoft.com/en-us/library/hh212908.aspx

 

Prerequisites

Following prerequisites:

· Collector:

MDAC (latest version), see:

HOW TO: Determine Whether MDAC Is Installed
https://support.microsoft.com/kb/292627

And / or

Learning Microsoft Data Access Components (MDAC)
https://msdn.microsoft.com/en-us/data/aa937703.aspx

· ACS Database

Microsoft SQL Server 2005 or SQL Server 2008 (R2)

· ACS Reporting

SQL Reporting, check if https://YourReportServerName/ReportServer works:

clip_image003

Note: You can deploy Audit Collection Services (ACS) Reporting on a supported version of Microsoft SQL Server Reporting Services (SSRS) instance. If System Center 2012 – Operations Manager Reporting has also been installed on the same SSRS instance, you can view the ACS Reports in the Operations console.

I have installed SQL/RS/Collector all on OR-OM12-1.

See for the details:

Collecting Security Events Using Audit Collection Services in Operations Manager
https://technet.microsoft.com/en-us/library/hh212908.aspx

 

Deployment steps

Step 1 How to Install an ACS Collector and Database

The TechNet deployment guide you can find here:

How to Install an Audit Collection Services (ACS) Collector and Database
https://technet.microsoft.com/en-us/library/hh284670.aspx

The following steps describe how to install the ACS Collector and database on the computer that is designated as your ACS collector.

On the Operations Manager installation media, run Setup.exe , and then click Audit collection services :

clip_image005

On the Welcome page, click Next :

clip_image006

On the License Agreement page, read the licensing terms, click I accept the agreement :

clip_image007

On the Database Installation Options page, click Create a new database , and then click Next :

clip_image008

On the Data Source page, in the Data source name box, type a name that you want to use as the Open Database Connectivity (ODBC) data source name for your ACS database. By default, this name is OpsMgrAC :

clip_image009

On the Database page, if the database is on a separate server than the ACS collector, click Remote Database Server and change or leave the database name OperationsManagerAC :

clip_image010

On the Database Authentication page, select one of the authentication methods. If the ACS collector and the ACS database are members of the same domain, you can select Windows authentication , otherwise select SQL authentication :

clip_image011

On the Database Creation Options page, click Use SQL Server's default data and log file directories to use SQL Server's default folders, otherwise, click Specify directories :

clip_image012

On the Event Retention Schedule page, click Local hour of day to perform daily database maintenance, and in Number of days to retain events box type the number of days ACS should keep :

clip_image013

On the ACS Stored Timestamp Format page, choose Local or Universal Coordinated Time , formerly known to as Greenwich Mean Time :

clip_image014

Check if the summary is correct:

clip_image015

And install the collector:

clip_image016

Choose the server to login to SQL:

clip_image017

Let the wizard finish:

clip_image018

Click Finish when ready:

clip_image019

Check if the database is installed:

clip_image020

The collector is deployed now and the AdtServer Service is started:

clip_image022

Now we can enable the ACS Forwarders.

 

Step 2 How to Enable ACS Forwarders

The TechNet deployment guide you can find here:

How to Enable Audit Collection Services (ACS) Forwarders
https://technet.microsoft.com//library/hh272397.aspx

The following steps describe how enable the ACS forwarders.

In the Operations console, click Monitoring, Operations Manager , expand Agent Details , and then click Agent Health State :

clip_image024

In the details pane, click all agents that you want to enable as ACS forwarders. You can make multiple selections by pressing CTRL or SHIFT, and in the Actions pane, under Health Service Tasks , click Enable Audit Collection to open the Run Task - Enable Audit Collection dialog box:

clip_image026

Set task credentials or override for collector server if needed:

clip_image027

Run the Task:

clip_image028

And wait until success:

clip_image029

See if the AdtAgent services is started on the agent:

clip_image031

It is forwarding the security events now.

Step 3 How to Deploy ACS Reporting

The TechNet deployment guide you can find here:

How to Deploy ACS Reporting
https://technet.microsoft.com/en-us/library/hh299397.aspx

The following steps describe how to install the ACS Collector and database.

On the server that will be used to host ACS reporting create a (temp) folder C:\ACS:

clip_image033

On your installation media, go to \ReportModels :

 clip_image035

acs and copy the directory contents to the temporary installation folder:

clip_image037

On your installation media, go to \SupportTools :

clip_image039

and copy the file ReportingConfig.exe into the temporary acs folder if not already there:

clip_image040

Open a Command Prompt window by using the Run as Administrator option, and then change directories to the temporary acs folder:

clip_image042

Run the following command:

UploadAuditReports “<AuditDBServer\Instance>” “<Reporting Server URL>” “<path of the copied acs folder>”

For example:

UploadAuditReports “myAuditDbServer\Instance1” “https://myReportServer/ReportServer$instance1” “C:\acs”

In my case:

UploadAuditReports OR-OM12-1 https://OR-OM12-1/ReportServer C:\ACS

clip_image044

This example creates a new data source called Db Audit , uploads the reporting models Audit.smdl and Audit5.smdl , and uploads all reports in the acs\reports directory :

clip_image046

Open Internet Explorer and enter the following address to view the SQL Reporting Services Home page. https://<yourReportingServerName>/Reports_<InstanceName>

In my case:

clip_image048

Click Audit Reports in the body of the page and then click Details View in the upper right part of the page:

clip_image050

Go to Audit Reports:

clip_image052

And choose Manage for the Db Audit data source :

clip_image054

In the Connect Using section, select Windows Integrated Security and click Apply:

clip_image056

Check if the Audit Reports are in the console:

clip_image058

And see if the reports work :

clip_image060

Now you can start configuring ACS using AdtAdmin.exe, see:

Audit Collection Services Administration (AdtAdmin.exe)
https://technet.microsoft.com/en-us/library/hh212727.aspx

You have installed ACS now!!

 

 

 

Thanks to Dirk van Coeverden (dirkv(at)microsoft.com)