ACS Part I : Introduction & Collector Installation

Hi everyone,

With Operations Manager 2007, Microsoft introduces Audit
Collection Services (ACS) as an optional but integrated component of an OpsMgr
management group. By deploying and using the ACS components of Operations
Manager, the administrator will be able to store and present security audit

What is the idea?

ACS Forwarder: These are the servers/workstations where you
installed an OpsMgr Agent and for which you want to collect the security event

ACS Collector: It’s an OpsMgr management server which will be
designated as an ACS collector.

ACS DB: ACS requires its own database. Depending on the
number of forwarders you have, the DB can grow really fast. Satya Vel, a System
Center Program Manager, published an Excel sheet to help you size the

ACS Reporting: ACS uses SQL Reporting Services, so you can
either install a fresh server or use the one that you already
use for OpsMgr reports. If you want to use your existing SQL Reporting server
and stay in a Microsoft-supported configuration, each time one
of your Security Administrators wants to generate an ACS report, he will have
to enter his credentials.

The best practice is to generate ACS reports directly from
the SQL Reporting web interface and not from the integrated reporting
pane available in the SCOM console. ACS reports can
contain sensitive information, and you don’t want all your SCOM Operators
to be able to see that information. The other advantage is that you just need to
provide the web URL to your Security Administrators; no need to install the SCOM

Security Administrator: The person in your company who will
be able to generate ACS reports through the web interface of SQL Reporting


I invite you to take a look at the Operations Manager Supported Configuration page available on TechNet:

What you need:

  • An OpsMgr infrastructure.
  • A service account (a simple domain user).
  • A database server (grant your service account the rights to interact with the DB server).
  • A dedicated management server that you will use as the ACS Collector (grant your service account Local Administrator rights on it).
  • An Active Directory group which contains your Security Administrators.
  • A reporting server (dedicated, or the one used for OpsMgr reporting).

Collector Installation

1. Log on to your dedicated management server with
your service account.

2. Launch the OpsMgr setup and click on Install
Audit Collection Server.


3. Choose Create a new database.


4. ACS uses an ODBC connection to SQL; here you can
modify the Data source name.


5. Select Remote database server


6. Select Windows authentication


7. I suggest keeping the default parameter, Use
SQL Server’s default data and logging file directories.


8. Number of days an event is retained in
, is the maximum age for which you’ll be able to generate ACS
reports. Keep in mind that the higher the number of days, the more space your DB will


9. In this case, we use only one ACS DB, so select Local.


10. Summary of the installation options


Click ok to confirm Authentication information


Installation of the ACS Collector finished

Now you have your first collector installed :)
The next post will be about the publication of the ACS reports on the reporting server.
Feel free to contact me if you have any remarks and/or comments.

Christopher KEYAERT

About Christopher Keyaert

Christopher Keyaert is a Consultant, focused on helping partners to leverage the System Center and Microsoft Azure cloud platform. He is also a Microsoft Most Valuable Professional (MVP) for Cloud and Data Center Management and a Microsoft Certified Trainer (MCT).

0 Responses to ACS Part I : Introduction & Collector Installation

  1. Edward says:

    Hi Christopher, great tutorial!
    Please, I want to know, how I can force to a forwarders sends his events to a Collector Server. I make all steps, but still not watch the events. Previously I configured the audit local policy on servers (forwarders).

    any idea? the “Windows Event Collector” service must be Started on ACS Collector?

    Thanks a lot

    sorry for my English, I from Peru 🙂

    • Hi Edward,

      In fact, to enable ACS on a forwarder, you have to start the service from the Console.

      For OpsMgr 2007 :
      For OpsMgr 2012 :

      Come back to me if you have any problem 😉


      • Edward says:

        Hi Christopher! thanks a lot for your rapid response!

        Look, I have to configured the agents, then enable ACS on them see plz:

        But I don't see the events 🙁, plz look the image:

        This is the log from AdtAgent:
        [20121029 151748,769][Info ]ReadEventLogLoggingLevel(): The eventlog logging level is 0x00000002
        [20121029 151807,468][Info ]AgentLdr: ServiceCtrlHandler(0x12BC): trying to exit…
        [20121029 151807,468][Warning]ReportCollectorEvent(): SendNotifyV3() returned 0x000004CD.
        [20121029 151807,468][Info ]AgentRun(): Wait: Stop event received.
        [20121029 151807,468][Info ]AgentRun(): Run(0xCB4) exits with 0x00000000.
        [20121029 151807,468][Info ]AgentLdr: ServiceMain(0xCB4): AdtLdrRun() returned 0x00000000.
        [20121029 151808,813][Info ]*** Agent starting up ***
        [20121029 151808,813][Info ]AgentLdr: ServiceMain(0xF98).
        [20121029 151808,813][Info ]ReadEventLogLoggingLevel(): The eventlog logging level is 0x00000002
        [20121029 151808,828][Error ]LoadCert: LoadHash() returned 0x00000002.
        [20121029 151808,828][Info ]IoServer::Run(0xC88): Worker thread starting up.
        [20121029 151808,828][Info ]LookupServersReg(): Found svrsc02.domain.local:51909.
        no more…

        What should I check to see which events are coming to the server?


  2. Edward says:

    Dear Christopher, I solved the problem, I don't created the DataSource on Reporting Services, after configuring, the events showing.

    Thanks a lot!
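
The AdtAgent log posted in the comment thread above can be triaged with a short script. This is an added example, not part of the original post, its comments or the product: it parses the `[date time,ms][Level]message` records, lists warnings, errors and non-zero return codes, and extracts the collector endpoint the forwarder resolved. Reading the return codes as Win32 error codes is an assumption, and the function and table names are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the AdtAgent log quoted in the comments (subset).
SAMPLE_LOG = """\
[20121029 151807,468][Warning]ReportCollectorEvent(): SendNotifyV3() returned 0x000004CD.
[20121029 151807,468][Info ]AgentRun(): Run(0xCB4) exits with 0x00000000.
[20121029 151808,813][Info ]*** Agent starting up ***
[20121029 151808,828][Error ]LoadCert: LoadHash() returned 0x00000002.
[20121029 151808,828][Info ]LookupServersReg(): Found svrsc02.domain.local:51909.
no more…
"""

# Record layout: [YYYYMMDD HHMMSS,mmm][Level ]message
LINE_RE = re.compile(r"^\[(\d{8} \d{6}),(\d{3})\]\[(\w+)\s*\](.*)$")
CODE_RE = re.compile(r"(?:returned|exits with) (0x[0-9A-Fa-f]{8})")
ENDPOINT_RE = re.compile(r"LookupServersReg\(\): Found ([\w.-]+):(\d+)")

# Assumption: return codes are Win32 error codes; only codes seen in the log are named.
WIN32_NAMES = {0x2: "ERROR_FILE_NOT_FOUND", 0x4CD: "ERROR_CONNECTION_INVALID"}


def parse_adtagent_log(text):
    """Return (findings, collectors, restarts) for an AdtAgent log."""
    findings, collectors, restarts = [], [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip free text that is not a log record
        stamp, millis, level, msg = m.groups()
        when = datetime.strptime(stamp, "%Y%m%d %H%M%S").replace(
            microsecond=int(millis) * 1000)
        if "*** Agent starting up ***" in msg:
            restarts += 1
        ep = ENDPOINT_RE.search(msg)
        if ep:  # collector host and port the forwarder is configured to use
            collectors.append((ep.group(1), int(ep.group(2))))
        code = CODE_RE.search(msg)
        value = int(code.group(1), 16) if code else None
        if level in ("Warning", "Error") or value not in (None, 0):
            findings.append({"time": when, "level": level, "code": value,
                             "name": WIN32_NAMES.get(value), "message": msg.strip()})
    return findings, collectors, restarts


if __name__ == "__main__":
    findings, collectors, restarts = parse_adtagent_log(SAMPLE_LOG)
    print("collectors:", collectors, "agent starts:", restarts)
    for f in findings:
        print(f["time"], f["level"], hex(f["code"] or 0), f["name"], f["message"])
```

The collector host and port it reports are the values to check for reachability from the forwarder before looking at the database or reporting side.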
