How to Deploy Audit Collection Services (ACS) in SCOM 2012
This article is a step-by-step tutorial on how to deploy the SCOM 2012 Audit Collection Service (ACS).
The deployment has 3 parts:
- How to Install an ACS Collector and Database
- How to Enable ACS Forwarders
- How to Deploy ACS Reporting
Audit Collection Service (ACS) is used to collect records generated by an audit policy and store them in a centralized database. Using ACS, organizations can consolidate individual Security logs into a centrally managed database and can filter and analyze events using the data analysis and reporting tools provided.
ACS has the following components:
· ACS Forwarders
The service that runs on ACS forwarders is included in the Operations Manager agent. By default, this service is installed but not enabled when the Operations Manager agent is installed. After you enable this service, all security events are sent to the ACS collector in addition to the local Security log.
· ACS Collector
The ACS collector receives and processes events from ACS forwarders and then sends this data to the ACS database.
· ACS Database
The ACS database is the central repository for events that are generated by an audit policy within an ACS deployment.
This looks like the following:
For details have a look at:
Collecting Security Events Using Audit Collection Services in Operations Manager
https://technet.microsoft.com/en-us/library/hh212908.aspx
Prerequisites
The following prerequisites apply:
· Collector:
MDAC (latest version), see:
HOW TO: Determine Whether MDAC Is Installed
https://support.microsoft.com/kb/292627
and/or
Learning Microsoft Data Access Components (MDAC)
https://msdn.microsoft.com/en-us/data/aa937703.aspx
· ACS Database
Microsoft SQL Server 2005 or SQL Server 2008 (R2)
· ACS Reporting
SQL Reporting, check if https://YourReportServerName/ReportServer works:
Note: You can deploy Audit Collection Services (ACS) Reporting on a supported version of Microsoft SQL Server Reporting Services (SSRS) instance. If System Center 2012 – Operations Manager Reporting has also been installed on the same SSRS instance, you can view the ACS Reports in the Operations console.
I have installed SQL/RS/Collector all on OR-OM12-1.
For details, see:
Collecting Security Events Using Audit Collection Services in Operations Manager
https://technet.microsoft.com/en-us/library/hh212908.aspx
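The three prerequisites above can be checked from the future collector before running Setup. The following PowerShell script is an added example and is not part of the original post or the ACS product; the server name OR-OM12-1, the report server URL and the assumption that the caller's Windows account may query SQL Server and SSRS are placeholders for your own environment. It reads the MDAC version from the registry key that KB 292627 describes, asks the SQL instance for its product version, and requests the ReportServer URL with integrated authentication.

```powershell
# Added example (not from the original post): pre-flight check of the ACS prerequisites
# from the machine that will become the ACS collector. Requires Windows PowerShell 3.0+.
$SqlServer = 'OR-OM12-1'                        # assumed: SQL instance that will hold the ACS database
$ReportUrl = 'https://OR-OM12-1/ReportServer'   # assumed: SSRS web service URL
$MinMdac   = [version]'2.8'                     # last standalone MDAC release; newer versions ship with the OS

# 1. MDAC: the installed version is recorded under HKLM\SOFTWARE\Microsoft\DataAccess (KB 292627)
$mdac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\DataAccess' -ErrorAction SilentlyContinue
if ($mdac -and [version]$mdac.FullInstallVer -ge $MinMdac) {
    "MDAC {0} present" -f $mdac.FullInstallVer
} else {
    Write-Warning "MDAC not found or older than $MinMdac"
}

# 2. SQL Server: major version 9 = SQL Server 2005, 10 = SQL Server 2008 / 2008 R2
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Integrated Security=True"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128))"
    $ver = [version]$cmd.ExecuteScalar()
    if ($ver.Major -in 9, 10) { "SQL Server $ver is one of the versions listed in the prerequisites" }
    else { Write-Warning "SQL Server $ver is not one of the versions listed in the prerequisites" }
} catch {
    Write-Warning "Could not query ${SqlServer}: $($_.Exception.Message)"
} finally {
    $conn.Close()
}

# 3. SSRS: the ReportServer endpoint must answer when called with the current Windows credentials
try {
    $r = Invoke-WebRequest -Uri $ReportUrl -UseDefaultCredentials -UseBasicParsing
    "Report server answered HTTP $($r.StatusCode) at $ReportUrl"
} catch {
    Write-Warning "Report server not reachable at ${ReportUrl}: $($_.Exception.Message)"
}
```

If the report server uses a certificate the collector does not trust, the third check fails on the TLS handshake rather than on SSRS itself; fix the trust first rather than disabling certificate validation, because the same trust is needed later when the reports are uploaded.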
Deployment steps
Step 1 How to Install an ACS Collector and Database
The TechNet deployment guide can be found here:
How to Install an Audit Collection Services (ACS) Collector and Database
https://technet.microsoft.com/en-us/library/hh284670.aspx
The following steps describe how to install the ACS Collector and database on the computer that is designated as your ACS collector.
On the Operations Manager installation media, run Setup.exe, and then click Audit collection services:
On the Welcome page, click Next:
On the License Agreement page, read the licensing terms and click I accept the agreement:
On the Database Installation Options page, click Create a new database, and then click Next:
On the Data Source page, in the Data source name box, type the name that you want to use as the Open Database Connectivity (ODBC) data source name for your ACS database. By default, this name is OpsMgrAC:
On the Database page, if the database is on a separate server from the ACS collector, click Remote Database Server, and change or leave the database name OperationsManagerAC:
On the Database Authentication page, select one of the authentication methods. If the ACS collector and the ACS database are members of the same domain, you can select Windows authentication; otherwise select SQL authentication:
On the Database Creation Options page, click Use SQL Server's default data and log file directories to use SQL Server's default folders; otherwise, click Specify directories:
On the Event Retention Schedule page, click Local hour of day to perform daily database maintenance, and in the Number of days to retain events box type the number of days ACS should keep events:
On the ACS Stored Timestamp Format page, choose Local or Universal Coordinated Time (UTC), formerly known as Greenwich Mean Time:
Check if the summary is correct:
And install the collector:
Choose the server to log in to SQL:
Let the wizard finish:
Click Finish when ready:
Check if the database is installed:
The collector is deployed now and the AdtServer service is started:
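The two checks above (database present, AdtServer running) can be scripted on the collector. The following PowerShell is an added example, not code from the original post or from the product; it uses the wizard defaults shown above (DSN OpsMgrAC, database OperationsManagerAC) and assumes the account running it has the same SQL permissions the collector was given on the Database Authentication page. Connecting through the ODBC DSN rather than straight to SQL verifies the same path the AdtServer service will use.

```powershell
# Added example (not from the original post): post-install verification of Step 1 on the collector.
$Dsn    = 'OpsMgrAC'              # ODBC data source name entered on the Data Source page (wizard default)
$DbName = 'OperationsManagerAC'   # database name from the Database page (wizard default)

# AdtServer is the collector service; it should be running and start automatically
$svc  = Get-Service -Name AdtServer -ErrorAction Stop
$mode = (Get-WmiObject -Class Win32_Service -Filter "Name='AdtServer'").StartMode
"AdtServer service: {0} (start mode {1})" -f $svc.Status, $mode

# The wizard registers a system DSN; Get-OdbcDsn comes with the Wdac module on Windows Server 2012+
$dsn = Get-OdbcDsn -Name $Dsn -DsnType System -ErrorAction SilentlyContinue
if (-not $dsn) {
    Write-Warning "System DSN '$Dsn' not found"
} else {
    "DSN '{0}': driver '{1}', server '{2}'" -f $dsn.Name, $dsn.DriverName, $dsn.Attribute['Server']
}

# Open a connection through the DSN itself and confirm the database exists on that instance
$conn = New-Object System.Data.Odbc.OdbcConnection "DSN=$Dsn;Trusted_Connection=Yes"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT COUNT(*) FROM master.sys.databases WHERE name = ?"
    [void]$cmd.Parameters.Add('name', [System.Data.Odbc.OdbcType]::NVarChar).Value = $DbName
    if ([int]$cmd.ExecuteScalar() -eq 1) { "Database '$DbName' exists on the server behind DSN '$Dsn'" }
    else { Write-Warning "Database '$DbName' not found behind DSN '$Dsn'" }
} catch {
    Write-Warning "ODBC connection through '$Dsn' failed: $($_.Exception.Message)"
} finally {
    $conn.Close()
}
```

If you chose SQL authentication in the wizard, replace Trusted_Connection=Yes with the SQL login the collector was configured with; an ODBC failure here with a running AdtServer service usually means the DSN was created for a different platform (32-bit versus 64-bit) than the one you are testing from.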
Now we can enable the ACS Forwarders.
Step 2 How to Enable ACS Forwarders
The TechNet deployment guide can be found here:
How to Enable Audit Collection Services (ACS) Forwarders
https://technet.microsoft.com//library/hh272397.aspx
The following steps describe how to enable the ACS forwarders.
In the Operations console, click Monitoring, Operations Manager, expand Agent Details, and then click Agent Health State:
In the details pane, click all agents that you want to enable as ACS forwarders. You can make multiple selections by pressing CTRL or SHIFT. In the Actions pane, under Health Service Tasks, click Enable Audit Collection to open the Run Task - Enable Audit Collection dialog box:
Set task credentials or override for collector server if needed:
Run the Task:
And wait until success:
See if the AdtAgent service is started on the agent:
It is forwarding the security events now.
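The console task above can also be run from the OperationsManager PowerShell module, which is useful when many agents must become forwarders at once, and the result can be checked on both the agent and the collector. The following script is an added example and not part of the original post or the product: the management server, agent names and collector name are placeholders, the task override name CollectorServer is taken from the override shown in the Run Task dialog and is treated here as an assumption, and the AdtAgent registry value AdtServers and the path of AdtAdmin.exe under System32\Security\AdtServer are likewise assumptions you should confirm on your own systems.

```powershell
# Added example (not from the original post): enable ACS forwarders with the OperationsManager
# module and verify the result. Run on a management server or a machine with the SCOM console.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'OR-OM12-1'     # assumed: management server

$Agents    = 'srv01.contoso.local', 'srv02.contoso.local'       # assumed: agents to turn into forwarders (FQDNs)
$Collector = 'OR-OM12-1'                                        # assumed: ACS collector from Step 1

# The console runs this task against the Health Service instance of each selected agent
$task = Get-SCOMTask -DisplayName 'Enable Audit Collection'
$healthServices = Get-SCOMClass -Name 'Microsoft.SystemCenter.HealthService' |
    Get-SCOMClassInstance | Where-Object { $_.DisplayName -in $Agents }

foreach ($hs in $healthServices) {
    # 'CollectorServer' is assumed to be the task's override parameter (the "override for collector server" in the dialog)
    $result = Start-SCOMTask -Task $task -Instance $hs -Override @{ CollectorServer = $Collector }
    "{0}: task status {1}" -f $hs.DisplayName, $result.Status
}

# Agent side: AdtAgent must be running and must know which collector(s) to contact
foreach ($agent in $Agents) {
    $svc = Get-Service -ComputerName $agent -Name AdtAgent -ErrorAction SilentlyContinue
    $servers = Invoke-Command -ComputerName $agent -ScriptBlock {
        # assumed: the forwarder keeps its collector list in this REG_MULTI_SZ value
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters' `
            -ErrorAction SilentlyContinue).AdtServers
    }
    "{0}: AdtAgent {1}; collectors: {2}" -f $agent, $svc.Status, ($servers -join ', ')
}

# Collector side: AdtAdmin.exe reports which forwarders have actually connected
$adtAdmin = Join-Path $env:SystemRoot 'System32\Security\AdtServer\AdtAdmin.exe'   # assumed location
& $adtAdmin /listforwarders
```

A forwarder that shows AdtAgent running but never appears in the /listforwarders output is almost always a network or certificate problem between agent and collector (TCP 51909 by default), which the task result alone will not reveal.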
Step 3 How to Deploy ACS Reporting
The TechNet deployment guide can be found here:
How to Deploy ACS Reporting
https://technet.microsoft.com/en-us/library/hh299397.aspx
The following steps describe how to deploy ACS Reporting.
On the server that will be used to host ACS reporting create a (temp) folder C:\ACS:
On your installation media, go to \ReportModels\acs and copy the directory contents to the temporary installation folder:
On your installation media, go to \SupportTools :
and copy the file ReportingConfig.exe into the temporary acs folder if not already there:
Open a Command Prompt window by using the Run as Administrator option, and then change directories to the temporary acs folder:
Run the following command:
UploadAuditReports "<AuditDBServer\Instance>" "<Reporting Server URL>" "<path of the copied acs folder>"
For example:
UploadAuditReports "myAuditDbServer\Instance1" "https://myReportServer/ReportServer$instance1" "C:\acs"
In my case:
UploadAuditReports OR-OM12-1 https://OR-OM12-1/ReportServer C:\ACS
This example creates a new data source called Db Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the acs\reports directory:
Open Internet Explorer and enter the following address to view the SQL Reporting Services Home page: https://<yourReportingServerName>/Reports_<InstanceName>
In my case:
Click Audit Reports in the body of the page and then click Details View in the upper right part of the page:
Go to Audit Reports:
And choose Manage for the Db Audit data source:
In the Connect Using section, select Windows Integrated Security and click Apply:
Check if the Audit Reports are in the console:
And see if the reports work:
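The copy-and-upload part of Step 3 and the final check of the Db Audit data source can be done from PowerShell instead of by hand. The script below is an added example, not code from the original post or from the product. It assumes the installation media is mounted as D:, uses the C:\ACS folder and OR-OM12-1 server name from the post, and talks to the SSRS SOAP endpoint ReportService2010.asmx, which exists on SQL Server 2008 R2 and later (older instances expose ReportService2005.asmx instead). Whether the CredentialRetrieval value shown at the end reads Integrated depends on the Windows Integrated Security step above having been completed.

```powershell
# Added example (not from the original post): script the ACS Reporting upload and verify the result.
$Media      = 'D:'                                 # assumed: Operations Manager installation media
$AcsFolder  = 'C:\ACS'                             # temporary folder from the post
$AuditDb    = 'OR-OM12-1'                          # <AuditDBServer\Instance>
$ReportsUrl = 'https://OR-OM12-1/ReportServer'     # SSRS web service URL passed to the upload script

# 1. Stage the acs report models and ReportingConfig.exe in the temporary folder
New-Item -ItemType Directory -Path $AcsFolder -Force | Out-Null
Copy-Item -Path (Join-Path $Media 'ReportModels\acs\*') -Destination $AcsFolder -Recurse -Force
Copy-Item -Path (Join-Path $Media 'SupportTools\ReportingConfig.exe') -Destination $AcsFolder -Force

# 2. Run UploadAuditReports.cmd from inside the folder, from an elevated prompt
Push-Location $AcsFolder
try {
    & .\UploadAuditReports.cmd $AuditDb $ReportsUrl $AcsFolder
    if ($LASTEXITCODE -ne 0) { throw "UploadAuditReports exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# 3. Ask SSRS what was uploaded: the Audit Reports folder and the Db Audit data source inside it
$proxy = New-WebServiceProxy -Uri "$ReportsUrl/ReportService2010.asmx" -UseDefaultCredential
$items = $proxy.ListChildren('/Audit Reports', $true)
$items | Select-Object Name, TypeName, Path | Format-Table -AutoSize

$ds = $items | Where-Object { $_.TypeName -eq 'DataSource' -and $_.Name -eq 'Db Audit' }
if ($ds) {
    $def = $proxy.GetDataSourceContents($ds.Path)
    # After the "Windows Integrated Security" step, CredentialRetrieval reads Integrated
    "Db Audit: connect string '{0}', credential retrieval '{1}'" -f $def.ConnectString, $def.CredentialRetrieval
} else {
    Write-Warning "Db Audit data source not found under /Audit Reports"
}
```

The listing also shows whether all reports from acs\reports were uploaded; a missing report with a successful upload exit code usually points at the report models (Audit.smdl, Audit5.smdl) having been uploaded to a different folder than the reports expect.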
Now you can start configuring ACS using AdtAdmin.exe, see:
Audit Collection Services Administration (AdtAdmin.exe)
https://technet.microsoft.com/en-us/library/hh212727.aspx
You have installed ACS now!!
Thanks to Dirk van Coeverden (dirkv(at)microsoft.com)