Executive Summary:

Microsoft System Center Operations Manager 2007 includes a feature called Audit Collection Services (ACS). ACS is a reporting tool, based on SQL Server Reporting Services, which simplifies the task of collecting and auditing security event log events on multiple Windows systems by gathering events from systems in your network and consolidating them in one location for reporting. ACS provides a number of useful reports, accessible through a Web browser, on security event types including access violations, account management events, forensic reports, planning, system integrity, and usage.


Security event-log auditing is an important compliance tool for Windows administrators because the log contains an audit trail of security-related events that occurred on a system. Ordinarily, to seek proof of compliance, an auditor might need to search through the logs from multiple systems, which can be a time-consuming, error-prone job. Microsoft System Center Operations Manager 2007’s Audit Collection Services (ACS) feature simplifies the task of collecting and auditing security events on multiple Windows systems by gathering security-log events from systems in your network and consolidating them in a centralized location. We’ll look at how to plan for, set up, and configure ACS in Operations Manager 2007, then explore how to use it for security event-log auditing.

Planning Your ACS Deployment
Before you set up and configure ACS, you’ll need to spend some time planning for the deployment. ACS requires Operations Manager 2007 to be already deployed in your organization, and ACS can be installed only on a server running Operations Manager 2007. ACS uses Operations Manager to configure the audit-collection agent on managed servers and workstations. The client-side agent, called the ACS forwarder, is included in the Operations Manager agent but is disabled by default. The server component of ACS, called the ACS collector, is responsible for collecting events from ACS forwarders and storing them in a database. You can install more than one ACS collector for fault-tolerance and scalability. You can also configure ACS forwarders to send events to one collector and fail over to another, if required. Finally, you need an ACS database, which must be Microsoft SQL Server 2005 SP1 or later, and you’ll need SQL Server Reporting Services (SSRS).

You’ll need to ensure that each ACS server you use has plenty of memory and processing power, at minimum 2GB of RAM and a 2GHz processor. Each Operations Manager server with the ACS collector installed can support up to 150 domain controllers (DCs); 3,000 member servers; or 20,000 workstations, or a combination of DCs, member servers, and workstations, each with an ACS forwarder configured and enabled. For most enterprises, this means you’ll need to install ACS on more than one Operations Manager server.
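As an added planning aid (not from the article or from Microsoft), the sizing model below turns the per-collector limits above into a collector count for a mixed fleet. It assumes that a mixed fleet consumes collector capacity proportionally (one DC costs 1/150 of a collector, one member server 1/3000, one workstation 1/20000), which is an interpretation of the article’s "or combination" wording, and it adds one spare collector when forwarders are configured to fail over, so that losing a collector does not push the survivors past their limits.

```python
from math import ceil

# Per-collector maximums stated in the article.
MAX_PER_COLLECTOR = {"dc": 150, "member": 3000, "workstation": 20000}


def collector_load(fleet):
    """Fraction of one collector's capacity the fleet consumes.

    Assumption (not stated in the article): a mixed fleet is modelled as
    proportional load, e.g. 75 DCs use half of one collector's capacity.
    """
    unknown = set(fleet) - set(MAX_PER_COLLECTOR)
    if unknown:
        raise ValueError(f"unknown system kinds: {sorted(unknown)}")
    return sum(count / MAX_PER_COLLECTOR[kind] for kind, count in fleet.items())


def fits_single_collector(fleet):
    """True if one ACS collector can serve every forwarder in the fleet."""
    return collector_load(fleet) <= 1.0


def collectors_needed(fleet, failover=True, headroom=0.0):
    """Number of ACS collectors to deploy.

    headroom: extra capacity reserved for growth (0.2 = 20 %).
    failover: if True, size so that with any one collector down the
              remaining collectors can still absorb every forwarder
              (the article's primary/fail-over collector design).
    """
    load = collector_load(fleet) * (1.0 + headroom)
    n = max(1, ceil(load))          # collectors to carry the load
    if failover:
        n += 1                      # one spare so n-1 survivors still fit
    return n


def plan(fleet, failover=True, headroom=0.0):
    """Return a short sizing summary for a fleet, e.g. for a design document."""
    return {
        "load_fraction": round(collector_load(fleet), 3),
        "single_collector_ok": fits_single_collector(fleet),
        "collectors": collectors_needed(fleet, failover, headroom),
    }


if __name__ == "__main__":
    # Constructed sample fleet, not a real environment.
    print(plan({"dc": 75, "member": 1500, "workstation": 5000}, headroom=0.2))
```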

Installing ACS
The first step in installing ACS is to install the ACS collector. You can do so by running SetupOM.exe from your Operations Manager installation disk and selecting Install Audit Collection Server. You should be logged on, as a member of the local Administrators group, to the system on which you’re installing the collector component. If you’ll be using a database on a remote machine to store collected events, the account you’re using should be a member of the local Administrators group on that machine, too, and the Administrators group or the user account should have the sysadmin role on the database server.

The collector installation is wizard based and begins with the Welcome screen. Clicking Next takes you to the License Agreement. If you accept the agreement and click Next, you then see the Database Installation Options screen, where you must choose either Create a new database or Use an existing database. I strongly recommend that, for performance reasons, you choose to create a new database.

You should be aware of another consideration, which is described in the online ACS documentation. If you’re using SQL Server 2005 Standard Edition, SQL Server database transactions will be temporarily paused while ACS runs daily reports. (This doesn’t occur with SQL Server 2005 Enterprise Edition.) This causes events to queue up in the collector for delivery to the database once processing has finished. If the database is shared with Operations Manager, it, too, will be affected by the pause in transactions.

The next step in the wizard prompts you for a data source name, which the collector uses when connecting to the database. The default is OpsMgrAC, and unless you have a compelling technical need to change the data source, I recommend that you accept the default. The next wizard step asks you to select a local database server or remote database server (which is the default). A dedicated remote database is preferable for performance reasons. If you want to use a remote database server, you must specify the database server machine name. If you don’t want to use the default database instance, enter the instance name you want to use. You can also specify the name of the database to be created; the default is OperationsManagerAC.

The next wizard step asks you to specify the authentication mode the collector uses when connecting to the database. The options are Windows authentication (default) and SQL authentication. Whenever possible, you should use Windows authentication for security reasons. If you chose to create a new database, you’ll be asked where to store the database and log files in the next wizard step.
