In our last post we installed SCOM and the Agent on several systems. Now we are going to install ACS to audit security events.
Install Audit Collection Services
Since Audit Collection Services (ACS) is not a part of the main SCOM installation, we have to install it separately.
NOTE: In a Production environment, ACS is normally implemented in a segregated space. The reason for this is because ACS is used to audit security and logons. Since the Administrator of SCOM will more than likely be a part of an Operations team, and have access to various Production/Non-Production servers, for security reasons, the ACS installation would be on a server that the Operations team would not have access to (since they would be among the logons being monitored/audited).
To start the installation, mount the SCOM ISO and run the setup.exe. From the splash screen, click the ‘Audit Collection Services’ link.
On the Welcome screen click Next.
Read the License Agreement, accept the agreement, and click Next.
On the Database Installation Options screen, choose whether you will create a new database or use an existing one. In our example, we will choose the ‘Create a new database’ option, and click Next.
On the Data Source screen, enter a new for the data source or accept the default, and then click Next.
On the Database screen, enter the database server name and instance name, and change the database name if you do not want to use the default. Since this is a lab environment, we will choose the ‘Database server running locally’ because we have SQL Server installed on the same server as SCOM. Make the appropriate choices, and then click Next.
For Database Authentication, we are going to choose the ‘Windows authentication’ option for our lab since it’s in its own domain. Read the information for each option, and make the applicable choice, and then click Next.
For the Database Creation Options, in a Production environment you would specify different disks for the database and log files, but since we are in a lab, we will chose the ‘Use SQL Server’s default data and log file directories’ and click Next.
NOTE: I believe, though am not 100% sure, that if when you first setup/install SQL Server and specify different disks for the database(s) and log(s), then choose the ‘use SQL default’ would be appropriate since the defaults would already be offloaded to appropriate separate disks.
On the Event Retention Schedule screen, you can specify the time for the database maintenance to occur, as well as the number of days to retain. This last option is very important, as in Production your organization may have some legal/security obligations to meet. However, just remember that the longer the retention, the more space the database will need. Usually, when planning ACS in a Production environment, most use the SCOM Sizing Helper Tool to know how large the database will be, and how much to plan for growth.
For our lab environment, we will accept the defaults and click Next.
Make the appropriate selection for the Timestamp Format, and click Next. In our lab example, we will use ‘Local’.
On the Summary screen, review the selections and input, and click Next.
Immediately after you click Next from the Summary screen, you will be prompted for the SQL Server Login. By default it will assume the login for the account that is currently logged in. If this is accurate, just click OK.
Wait for the Installation Wizard to complete, which didn’t take too long in our small scaled-down environment.
Finally, the installation will complete. Click Finish.
Congratulations, you have now installed ACS! But there is still more to do. We need to setup reporting, and the event forwarder.
ACS Reporting
For ACS Reporting, you first need an instance of SQL Server Reporting Services (SSRS). If you have been following these guided series, we will be using the same SSRS instance that we originally setup/configured for SCOM Reporting, since we are in a lab environment.
First, we need to log onto the server that we will use for hosting the ACS reports. In our example, this is the same server that we installed SCOM on. From within that server, we need to create a temporary folder. We’ll create one on the root of C:\ and call it ACS (i.e. C:\ACS).
Mount the SCOM ISO, and navigate to \ReportModels\ACS (in my example it is D:\ReportModels\ACS\) and copy everything from this location into the temporary folder that we created.
Next, still within the mounted ISO, navigate to \SupportTools\ (in my example it is D:\SupportTools\AMD64\ReportingConfig.exe) and copy the ReportingConfig.exe file into the temporary folder that we created.
Now we need to run a command through an elevated command prompt. In Windows Server 2012 to do this, mouse over to the bottom left corner, which will cause the Start ‘square’ (not sure what the official name is) to appear. Right-click on the Start square, and click on ‘Command Prompt (Admin)’ to launch an Administrative Command Prompt.
Next, you will need to change the directory to the temporary folder that we created. You will then have to run the following command: UploadAuditReports “<auditdbserver\instance>” “” “”. In our lab example the command line would be: UploadAuditReports "SCOM\SCOMSQL" "http://SCOM/Reports_SCOMSQL" "C:\ACS"
NOTE: The reporting server URL needs the reporting server virtual directory (ReportingServer_<InstanceName>) instead of the reporting manager directory (Reports_<InstanceName>).
This creates a new data source called DB Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the ACS\Reports directory.
IMPORTANT: In order for the import to function properly make sure you have the .NET Framework 3.5 installed. If you have been following these guides, this will already be installed from when we installed SQL Server 2012.
Now click on the ‘Audit Reports’ directory folder, and then click the ‘Details View’ button in the top right corner.
Now click the DB Audit data source to open it.
Finally, under the ‘Connect Using’ selections, ensure that ‘Windows Integrated Security’ is selected, and click Apply.
You can now go into the SCOM console, under Reporting, and view the Audit Reports.
REMINDER: It is acceptable to have the Audit Reports accessible via the SCOM console in a lab environment. But in a Production environment your organization may have strict security policies that you are required to follow, which would include auditing of IT to be handled by some security department.
Congratulations, you have finished configuring/deploying ACS Reporting. But, there is still one last step we need to complete, the Event Forwarder.
ACS Event Forwarder
Now that we have ACS installed, and the Reporting configured, we can now turn on the Event Forwarder to start collecting security events.
We are going to follow the TechNet article here: http://technet.microsoft.com/library/hh272397.aspx. As stated by this article: “By default, the service needed for an agent to be an Audit Collection Services (ACS) forwarder is installed but not enabled when the Operations Manager agent is installed.” Therefore, in order to audit security events, you need to have the SCOM Agent installed on the system(s) first.
Log onto the SCOM server and open the SCOM console and click on the Monitoring pane. From there, navigate to Operations Manager > Agent Details > Agent Health State.
In the details pane (the middle pane), in the Agent State area, select the system(s) that you want to enable Audit Collection on. When you select a system, in the right-hand Actions pane, under the Health Services Tasks, click the ‘Enable Audit Collection’ link.
This will launch the Enable Audit Collection task. From this window, you will need to enter the Collector Server for the Forwarder to report to. To do this, click the Override button.
On the Override dialog, enter the FQDN of the Collector Server. In our lab example, we will enter the only Management Server in our environment (i.e. SCOM.SC.LAB). Enter the appropriate information and then click the Override button.
The Enable Audit Collection dialog will now show the Collector Server that you just entered. At this point, you can also add a specific account to use within the Task Credentials section, or accept the defaults. Once you are ready to enable ACS, click the Run button.
Once the task runs and completes successfully, the dialog will appear similar to the following. You can click Close.
Congratulations, not only do you now have SCOM installed, along with Reporting; you additionally have setup ACS and enabled security auditing in your environment.
I haven't decided what to do next for the series, but I believe I have covered all installation elements. The next series extension will be more configuration vs. installation. If anyone has any requests or suggestions, let me know.
We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.
In our last post we installed SCOM and the Agent on several systems. Now we are going to install ACS to audit security events.
Install Audit Collection Services
Since Audit Collection Services (ACS) is not a part of the main SCOM installation, we have to install it separately.
NOTE: In a Production environment, ACS is normally implemented in a segregated space. The reason for this is because ACS is used to audit security and logons. Since the Administrator of SCOM will more than likely be a part of an Operations team, and have access to various Production/Non-Production servers, for security reasons, the ACS installation would be on a server that the Operations team would not have access to (since they would be among the logons being monitored/audited).
To start the installation, mount the SCOM ISO and run the setup.exe. From the splash screen, click the ‘Audit Collection Services’ link.
On the Welcome screen click Next.
Read the License Agreement, accept the agreement, and click Next.
On the Database Installation Options screen, choose whether you will create a new database or use an existing one. In our example, we will choose the ‘Create a new database’ option, and click Next.
On the Data Source screen, enter a new for the data source or accept the default, and then click Next.
On the Database screen, enter the database server name and instance name, and change the database name if you do not want to use the default. Since this is a lab environment, we will choose the ‘Database server running locally’ because we have SQL Server installed on the same server as SCOM. Make the appropriate choices, and then click Next.
For Database Authentication, we are going to choose the ‘Windows authentication’ option for our lab since it’s in its own domain. Read the information for each option, and make the applicable choice, and then click Next.
For the Database Creation Options, in a Production environment you would specify different disks for the database and log files, but since we are in a lab, we will chose the ‘Use SQL Server’s default data and log file directories’ and click Next.
NOTE: I believe, though am not 100% sure, that if when you first setup/install SQL Server and specify different disks for the database(s) and log(s), then choose the ‘use SQL default’ would be appropriate since the defaults would already be offloaded to appropriate separate disks.
On the Event Retention Schedule screen, you can specify the time for the database maintenance to occur, as well as the number of days to retain. This last option is very important, as in Production your organization may have some legal/security obligations to meet. However, just remember that the longer the retention, the more space the database will need. Usually, when planning ACS in a Production environment, most use the SCOM Sizing Helper Tool to know how large the database will be, and how much to plan for growth.
For our lab environment, we will accept the defaults and click Next.
Make the appropriate selection for the Timestamp Format, and click Next. In our lab example, we will use ‘Local’.
On the Summary screen, review the selections and input, and click Next.
Immediately after you click Next from the Summary screen, you will be prompted for the SQL Server Login. By default it will assume the login for the account that is currently logged in. If this is accurate, just click OK.
Wait for the Installation Wizard to complete, which didn’t take too long in our small scaled-down environment.
Finally, the installation will complete. Click Finish.
Congratulations, you have now installed ACS! But there is still more to do. We need to setup reporting, and the event forwarder.
ACS Reporting
For ACS Reporting, you first need an instance of SQL Server Reporting Services (SSRS). If you have been following these guided series, we will be using the same SSRS instance that we originally setup/configured for SCOM Reporting, since we are in a lab environment.
For our process, we are going to be following the steps outlined in this TechNet article: http://technet.microsoft.com/en-us/library/hh299397.aspx.
First, we need to log onto the server that we will use for hosting the ACS reports. In our example, this is the same server that we installed SCOM on. From within that server, we need to create a temporary folder. We’ll create one on the root of C:\ and call it ACS (i.e. C:\ACS).
Mount the SCOM ISO, and navigate to \ReportModels\ACS (in my example it is D:\ReportModels\ACS\) and copy everything from this location into the temporary folder that we created.
Next, still within the mounted ISO, navigate to \SupportTools\ (in my example it is D:\SupportTools\AMD64\ReportingConfig.exe) and copy the ReportingConfig.exe file into the temporary folder that we created.
Now we need to run a command through an elevated command prompt. In Windows Server 2012 to do this, mouse over to the bottom left corner, which will cause the Start ‘square’ (not sure what the official name is) to appear. Right-click on the Start square, and click on ‘Command Prompt (Admin)’ to launch an Administrative Command Prompt.
Next, you will need to change the directory to the temporary folder that we created. You will then have to run the following command: UploadAuditReports “<auditdbserver\instance>” “” “”. In our lab example the command line would be: UploadAuditReports "SCOM\SCOMSQL" "http://SCOM/Reports_SCOMSQL" "C:\ACS"
NOTE: The reporting server URL needs the reporting server virtual directory (ReportingServer_<InstanceName>) instead of the reporting manager directory (Reports_<InstanceName>).
This creates a new data source called DB Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the ACS\Reports directory.
IMPORTANT: In order for the import to function properly make sure you have the .NET Framework 3.5 installed. If you have been following these guides, this will already be installed from when we installed SQL Server 2012.
Next, open Internet Explorer and navigate to the following URL: http:///Reports_, in our example it will be http://SCOM/Reports_ SCOMSQL.
Now click on the ‘Audit Reports’ directory folder, and then click the ‘Details View’ button in the top right corner.
Now click the DB Audit data source to open it.
Finally, under the ‘Connect Using’ selections, ensure that ‘Windows Integrated Security’ is selected, and click Apply.
You can now go into the SCOM console, under Reporting, and view the Audit Reports.
REMINDER: It is acceptable to have the Audit Reports accessible via the SCOM console in a lab environment. But in a Production environment your organization may have strict security policies that you are required to follow, which would include auditing of IT to be handled by some security department.
Congratulations, you have finished configuring/deploying ACS Reporting. But, there is still one last step we need to complete, the Event Forwarder.
ACS Event Forwarder
Now that we have ACS installed, and the Reporting configured, we can now turn on the Event Forwarder to start collecting security events.
We are going to follow the TechNet article here: http://technet.microsoft.com/library/hh272397.aspx. As stated by this article: “By default, the service needed for an agent to be an Audit Collection Services (ACS) forwarder is installed but not enabled when the Operations Manager agent is installed.” Therefore, in order to audit security events, you need to have the SCOM Agent installed on the system(s) first.
Log onto the SCOM server and open the SCOM console and click on the Monitoring pane. From there, navigate to Operations Manager > Agent Details > Agent Health State.
In the details pane (the middle pane), in the Agent State area, select the system(s) that you want to enable Audit Collection on. When you select a system, in the right-hand Actions pane, under the Health Services Tasks, click the ‘Enable Audit Collection’ link.
This will launch the Enable Audit Collection task. From this window, you will need to enter the Collector Server for the Forwarder to report to. To do this, click the Override button.
On the Override dialog, enter the FQDN of the Collector Server. In our lab example, we will enter the only Management Server in our environment (i.e. SCOM.SC.LAB). Enter the appropriate information and then click the Override button.
The Enable Audit Collection dialog will now show the Collector Server that you just entered. At this point, you can also add a specific account to use within the Task Credentials section, or accept the defaults. Once you are ready to enable ACS, click the Run button.
Once the task runs and completes successfully, the dialog will appear similar to the following. You can click Close.
Congratulations, not only do you now have SCOM installed, along with Reporting; you additionally have setup ACS and enabled security auditing in your environment.
I haven't decided what to do next for the series, but I believe I have covered all installation elements. The next series extension will be more configuration vs. installation. If anyone has any requests or suggestions, let me know.
Share this post
Link to post
Share on other sites