Monday, January 16, 2012

How to Deploy or Install Audit Collection Services (ACS) in SCOM 2007 R2

Hi all,

Q: What is Audit Collection Services (ACS)?

Answer: In Operations Manager 2007, you can use Audit Collection Services (ACS) to collect records generated by an audit policy and store them in a centralized database. By default, auditing is configured on individual computers and all events generated from an audit policy are saved to the local Security log of the audited computer. {microsoft}

In simple language, ACS keeps a copy of the “Security Log” from the Event Log. It saves all these security logs into a database.

It consists of three things.

- ACS Forwarders: this is a service that is installed by default with SCOM agent installations, but it is disabled.

- ACS Collector: the collector receives data from the forwarders and then sends the data to the ACS database.

- ACS Database: the SQL database that stores all the security logs.

Enough theory, let’s start implementing it now.

I am installing ACS Service on my Root Management server.

PART-1

Install Audit Collection Services Server

Let’s start.

According to Microsoft, your ACS server should have the latest version of MDAC (http://go.microsoft.com/fwlink/?LinkId=74155). When I checked, the latest version of MDAC was 2.8 with SP1, and I already have this version because it was published in 2005.

Insert your SCOM installation media and run “SetupOm.exe”, or if autorun is enabled it will open automatically.

Click on “Install Audit Collection Server”.

A welcome wizard for the ACS installation will open. Click on “Next”.

Select “I accept the agreement” and click on “Next”.

I don’t have any previously created ACS database, so I choose “Create a new database” and click on “Next”.

Here it is using MDAC to connect to the SQL Server. Let’s choose the default data source name “OpsMgrAc” and click on “Next”.

For the database, I have a separate SQL Server for the SCOM databases. Select “Remote Database Server” and type the name of your remote SQL Server. For the database name I am choosing the default name, “OperationsManagerAC”. Now click on “Next”.

In “Database Authentication” I choose “Windows Authentication”. You can also choose “SQL Authentication”; it’s up to you. Click on “Next”.

In “Database Creation Option” I choose “Use SQL Server’s default data and log file directories”, because on my SQL Server I have already defined the file locations for data and log files. Click on “Next”.

In “Event Retention Schedule” I choose 3:00am, and I want to keep the security log data for at least 2 months, so I choose 60 days. Click on “Next”.

In “Timestamp” I want to use my local time. Click on “Next”.

It shows the “Summary of installation”. Now click on “Next”.

Now it tries to create the ACS database and asks for “SQL Server Login” credentials. I was using Windows authentication, so I just click on “Use Trusted Connection” and click on OK.

Yippee!!! It shows that our ACS server was successfully installed. Click on Finish.

I logged in to my SQL Server to check if the database is created or not. It is successfully created.

Cool.

That completes the installation of the ACS server. The next step is to enable auditing on the agents.

PART-2

Enable Auditing on Agent

Open SCOM console.

Click on the “Monitoring” tab, navigate to “Operations Manager”, then click on “Agents” and then on “Agent Health State”. Two panes will open, but we are concerned with the right-hand pane only.

Now select the agents in the right-hand pane, and in the Actions pane under “Health Service Tasks” click on “Enable Audit Collection”.

For credentials, I am using my “Administrator” account to run the task. Provide the credentials and click on “Run”.

When you click on “Run”, it shows you that the task has started.

Now the status is “Success”. All done :)
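A “Success” task status is worth confirming on the hosts themselves: the forwarder service should be running and set to start automatically on every agent, and the collector should be listening. The following PowerShell check is an added example, not part of the original post; the service names AdtAgent and AdtServer, the default collector port 51909 and the host names are assumptions about a default ACS installation.

```powershell
# Added example: confirm ACS forwarders and the collector after "Enable Audit Collection".
# Written for Windows PowerShell (uses Get-WmiObject).
# Assumptions (not from the original post): default service names AdtAgent (forwarder)
# and AdtServer (collector), default collector port 51909, placeholder host names.
$Collector = 'ACS-COLLECTOR01'        # placeholder: the ACS collector (the RMS in this post)
$Agents    = 'SERVER01', 'SERVER02'   # placeholder: agents the task was run against

function Test-TcpPort {
    # Returns $true if a TCP connection from THIS host to the port succeeds in time.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-AcsServiceState {
    # Queries one service over WMI; a missing service or unreachable host is reported, not thrown.
    param([string]$ComputerName, [string]$ServiceName)
    $svc = $null
    try {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                   -Filter "Name='$ServiceName'" -ErrorAction Stop
    } catch { Write-Warning "$ComputerName : $($_.Exception.Message)" }
    New-Object PSObject -Property @{
        Computer  = $ComputerName
        Service   = $ServiceName
        State     = if ($svc) { $svc.State } else { 'NotFoundOrUnreachable' }
        StartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
        # Running but not Auto means the service will not come back after a reboot.
        Healthy   = [bool]($svc -and $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    }
}

$report  = @(Get-AcsServiceState $Collector 'AdtServer')
$report += $Agents | ForEach-Object { Get-AcsServiceState $_ 'AdtAgent' }
$report | Format-Table Computer, Service, State, StartMode, Healthy -AutoSize
"Collector port 51909 reachable from this host: $(Test-TcpPort $Collector 51909)"
```

The port test runs from the machine executing the script, so run it from an agent's network segment if firewalls sit between the agents and the collector.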

How can I see the logs? That is the crucial part. We need to configure SQL Reporting Services to access these logs.

PART-3

Configure ACS Reporting Services to access these logs or view reports based on the Security logs

Make sure you have SQL Reporting Services installed to configure this, and make sure that you are able to access http://YourReportServerName/ReportServer .

It should look like this.

Now log in to your ACS server or any SCOM management server and create an ACS folder on its C drive: C:\ACS

Go to your SCOM installation media, navigate to ReportsModels\acs and copy all files to the C:\ACS folder.

Now open a command prompt, navigate to C:\ACS and type the command:

UploadauditReports.cmd <YourACSDatabaseServerName> http://YOURREPORTSERVER/ReportServer C:\ACS

After you run the command, it shows you that it uploaded a few files.

Now open your report server again at http://YourReportServerName/ReportServer and you will see that a new folder named “Audit Reports” has been added.

Cool. Now open this page: http://YourReportServerName/Reports (make sure this is Reports, not ReportServer).

A page will open like below.

Then click on “Audit Reports”.

Then click on “DB.Audit”. If you are not able to find “DB.Audit”, just sort the files by details.

I keep everything as it is, except that I choose “Windows integrated security”. Click on Apply.

All done… now let’s check it.

PART-4

Everything is done and set up now.

Now Open SCOM Console and click on Reporting tab.

You will see the “Audit Reports” option on the left-hand side. Click on it and you will see some predefined templates on the right-hand side.

Open any report and run it.

Voilà!!! Working now :)

I hope that it saves someone else time.

Thanks

aman dhally

8 comments:

  1. Hello Dude,

    The ACS collector receives and processes events from ACS forwarders and then sends this data to the ACS database. This processing includes disassembling the data so that it can be spread across several tables within the ACS database. Thanks a lot......

    Active Directory Services

    1. Yes, true, StealthBits.. :) I forgot to mention it ... Thanks for the comments...

  2. Thank you for your walk through.......

  3. Nice walk through, do you have one for 2012?

    1. Hi Ralph,

      Thanks for liking it.

      Sorry, I don't have one for 2012. :)

      thanks
      aman

  4. Wow, I can say that this is another great article, as expected of this blog.
    Audit Reporting
