Information related to Audit Collection Services, part of Operations Manager 2007, on the System Center WIKI.
Audit Collection Services (ACS)
Microsoft System Center Operations Manager 2007 provides the ability to centrally gather audit data from Windows security event logs through Audit Collection Services (ACS). ACS is designed to provide a secure, near real-time collection channel for Windows security event logs that is tamper resistant, lightweight on the network, and optimized for centralized security log collection. ACS follows three core principles to enable enterprise auditing:
- Compliance: Centrally collect, monitor, archive, and report security events.
- Auditing: Maintain an audit trail of internal security-related activities.
- Scalable and secure: Guarantee the collection and integrity of large volumes of security events.
The diagram below helps illustrate the principal concepts of audit collection and how Windows security events are forwarded to a secure and trusted environment for centralized audit and reporting.
ACS provides users many benefits out-of-box such as:
- Free add-on included with Operations Manager license
- Near real-time secure centralized collection of Windows security event logs
- Immutable collection policy on endpoints, filtering optional at central Collector
- Offers high scalability and performance in relation to collection points and event load
- Event data normalized for optimal forensics and reporting across Windows security events
- Includes generic audit reports with customizable report templates
- Supports regulatory compliance audit logging requirements
Why Audit?
The Windows security event log provides a comprehensive audit trail of Active Directory and local system activity as defined by audit policies. This enables users to track things like changes to users and groups, privilege use activity, authentications and logon/logoff, resource misuse and security threats. The security log becomes an essential tool for IT support staff, security teams and auditors.
Some reasons why the Windows Security Event Log is important:
- Change and privilege use is monitored
- Security threats can be identified, e.g. hacking and viral activity
- Misuse or Unauthorized use of resources can be tracked
- Administrators can track activity, e.g. account lockouts and privilege group changes
- Auditors and security officers can use for regulatory compliance activities
Unfortunately a security log is only as trustworthy as the administrator, can generate large volumes of events, is stored locally on each system, and often needs to be centralized for alerting, audit reporting and long-term storage of audited activity. This requires a solution that can support those needs while guaranteeing the integrity and usability of the data once collected. This is where Microsoft System Center Operations Manager 2007 can provide the ability to centrally gather audit data from Windows security event logs through Audit Collection Services (ACS), which enables users to alert on, report on and store that information. Learn more about the History of ACS.
Architecture Overview
ACS consists of three core components that form the foundation for enterprise auditing. The Forwarder is an agent service running on local Windows servers and clients that collects security events in near real-time and sends them over the network, using SDLC compression and 128-bit RC4 encryption, to a central Collector. The Collector receives and processes the security events and inserts them into the Audit Database, where they are stored, managed and used for audit reporting. As the Collector processes inbound events, the data is normalized for insertion into the Audit Database via an event schema that maps common attributes together and translates object IDs into meaningful text. While the data is being processed, users can apply noise filters to exclude events from being inserted into the database, and can query for specific audit scenarios to raise alerts via the ACS WMI channel. Once the data is in the Audit Database it can be used for audit reporting and retained as needed.
The ACS infrastructure is highly scalable: a single Collector can support an average event load of 2,500 events per second and sustain short bursts of up to 100,000 events per second. With a standard audit policy and reasonable resources, a Collector should support collection loads of up to 150 Domain Controllers, or 2,000 member servers, or 20,000 workstations, or 500 servers (a mix of DCs and member servers). Whether and when a second Collector is needed is usually decided by load capacity, secured DMZ environments, disaster recovery, or geographical or organizational reasons.
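The sizing figures above can be turned into a small planning model. The following is an added example, not code from the original page or from ACS: it encodes the per-Collector numbers the page quotes (2,500 events/s sustained, 100,000 events/s burst, 150 DCs or 2,000 member servers or 20,000 workstations per Collector) as an additive capacity model, and projects Audit Database growth from an assumed bytes-per-stored-event figure and retention period. The additive combination of role limits, the `headroom` factor, and every fleet size and byte figure are assumptions of this example, not figures from the page.

```python
"""ACS Collector sizing and Audit Database storage estimator.

Added example; not code from the original wiki page or from ACS.
The per-Collector constants are the figures the page quotes; the
additive mixing of roles, the headroom factor, and the bytes-per-event
and retention inputs are assumptions supplied by the caller.
"""
import math

SUSTAINED_EPS = 2_500      # average load one Collector sustains (page figure)
BURST_EPS = 100_000        # short-burst ceiling per Collector (page figure)

# Single-role maximums per Collector, as published on the page.
MAX_PER_COLLECTOR = {
    "domain_controllers": 150,
    "member_servers": 2_000,
    "workstations": 20_000,
}


def collector_load(domain_controllers=0, member_servers=0, workstations=0):
    """Fraction of one Collector's capacity a mixed fleet consumes.

    Modelling assumption: the three role limits combine additively, so
    75 DCs plus 1,000 member servers use 0.5 + 0.5 = 1.0 of a Collector.
    """
    return (domain_controllers / MAX_PER_COLLECTOR["domain_controllers"]
            + member_servers / MAX_PER_COLLECTOR["member_servers"]
            + workstations / MAX_PER_COLLECTOR["workstations"])


def collectors_needed(domain_controllers=0, member_servers=0, workstations=0,
                      headroom=1.0):
    """Collectors required so that none runs above `headroom` of its limit
    (headroom=0.8 leaves 20% spare for bursts and growth)."""
    load = collector_load(domain_controllers, member_servers, workstations)
    if load == 0:
        return 0
    return max(1, math.ceil(load / headroom))


def storage_gb(events_per_second, avg_event_bytes, retention_days):
    """Audit Database growth in GiB over the retention window at a steady
    event rate. Bytes per stored event is an assumption: measure it on your
    own database (data size / row count) and pass the result in."""
    total_bytes = events_per_second * avg_event_bytes * 86_400 * retention_days
    return total_bytes / 1024 ** 3


def sustained_rate_ok(observed_eps, collectors=1):
    """True when the observed average rate stays within the sustained
    per-Collector figure; bursts above it are acceptable only if short."""
    return observed_eps <= SUSTAINED_EPS * collectors


def plan(domain_controllers, member_servers, workstations,
         observed_eps, avg_event_bytes, retention_days):
    """Summarise a deployment: Collector count, load and storage projection."""
    n = collectors_needed(domain_controllers, member_servers, workstations,
                          headroom=0.8)
    load = collector_load(domain_controllers, member_servers, workstations)
    return {
        "collectors": n,
        "load_per_collector": round(load / n, 2),
        "sustained_rate_ok": sustained_rate_ok(observed_eps, n),
        "burst_rate_ok": observed_eps <= BURST_EPS * n,
        "storage_gib": round(storage_gb(observed_eps, avg_event_bytes,
                                        retention_days), 1),
    }


if __name__ == "__main__":
    # Constructed fleet: 40 DCs, 900 member servers, 5,000 workstations,
    # observed 1,800 events/s, assumed 600 bytes/event, 90-day retention.
    print(plan(40, 900, 5_000, observed_eps=1_800,
               avg_event_bytes=600, retention_days=90))
```

Run the file to see the summary for the constructed fleet; `storage_gb` is the figure to revisit after the first weeks of a progressive rollout, once a real bytes-per-event number is available from the database.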
The diagram below shows a basic overview of the ACS Forwarder, Collector and Audit Database components with a dedicated reporting server.
Best Practices
The following best practices for ACS have been shown to consistently relate to healthier infrastructures, faster reporting and more successful use of ACS to support audit requirements.
- Dedicated hardware with optimized SQL configuration
It is always recommended to have dedicated hardware for the ACS Collector and Audit Database roles where possible. Shared hardware for SCOM and ACS is supported, but users will not find any capacity or performance planning guidance from Microsoft for that layout. For the Audit Database it is always recommended to run SQL Enterprise 64-bit with 16-64 GB of RAM and to use SAN-attached storage or 15k RPM drives. ACS data insertion load and performance are bound by the storage subsystem and SQL resources.
- Capacity and Storage Planning
It is important to run through capacity and storage planning exercises before, during and after deploying ACS. Local disk and storage requirements for the ACS Audit Database will grow as the number of Forwarders and the events per second increase, and with the required retention periods.
- Implement Noise Filtering on Day 1
Implementing noise filters at the Collector stops unwanted and unnecessary events from being inserted into the database, which is the number one factor affecting ACS performance. Noise filters should align with audit requirements and will need to be tuned over time.
- Progressive Rollouts
As you enable Forwarders within an environment, start with a subset of target systems so you can progressively tune noise filters and watch the deployment to gather metrics for capacity and performance planning.
- Monitoring and Routine Tuning
Like any solution, the ACS infrastructure needs to be monitored for service availability, health and performance. Loss of service could lead to an undesired interruption of auditing or even loss of audit data. Additionally, as the environment changes over time with more Forwarders, audit policy changes and new control requirements, the infrastructure must be managed and tuned accordingly.
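The noise-filtering and progressive-rollout practices above are easier to follow when a candidate filter can be rehearsed against a sample of events before it is applied on the Collector. The following is an added example, not code from the original page or from ACS: it models the Collector's keep/drop decision in Python over a constructed batch of normalized events, refuses to drop the audit trail's own integrity events (security log cleared, audit policy changed), keeps logon noise for privileged accounts, and reports how much of the inbound load the filter removes. The event IDs are the well-known Windows security event IDs (Windows 2003-era and Windows 2008-era pairs); the sample events, the privileged-account list, and the `AgentMachine`/`HeaderUser` field names are constructed for this example. The `collector_wql` helper renders the ID-only part of the policy as a WQL expression over the `AdtsEvent` class, which to my knowledge is the form the Collector filter takes; verify it against your ACS version before use.

```python
"""Collector-side noise filter rehearsal over constructed ACS events.

Added example; not code from the original page or from ACS. Models the
keep/drop decision a Collector noise filter makes so a policy can be
tested and its volume reduction measured before it is applied.
"""

# Logon/logoff IDs that dominate volume on busy servers
# (Windows 2003 IDs and their Windows 2008+ equivalents).
NOISE_EVENT_IDS = {538, 540, 4624, 4634}

# Events no noise filter should ever drop: the audit trail's own integrity
# record (517/1102 security log cleared, 612/4719 audit policy changed).
NEVER_FILTER_IDS = {517, 1102, 612, 4719}

# Accounts whose logon activity is retained regardless of event ID
# (constructed list; align it with your audit requirements).
PRIVILEGED_ACCOUNTS = {"administrator", "da-backup"}

# Constructed sample batch of normalized events (field names assumed).
SAMPLE_EVENTS = [
    {"EventId": 540, "HeaderUser": "svc-backup", "AgentMachine": "FS01"},
    {"EventId": 538, "HeaderUser": "jdoe", "AgentMachine": "FS01"},
    {"EventId": 540, "HeaderUser": "Administrator", "AgentMachine": "DC01"},
    {"EventId": 517, "HeaderUser": "jdoe", "AgentMachine": "FS02"},
    {"EventId": 612, "HeaderUser": "SYSTEM", "AgentMachine": "DC01"},
    {"EventId": 4624, "HeaderUser": "jdoe", "AgentMachine": "WS-0042"},
    {"EventId": 4720, "HeaderUser": "jdoe", "AgentMachine": "DC02"},
    {"EventId": 4634, "HeaderUser": "da-backup", "AgentMachine": "FS03"},
]


def should_store(event):
    """Return True if the Collector should insert this event into the
    Audit Database under the policy above."""
    event_id = event["EventId"]
    user = event.get("HeaderUser", "").lower()
    if event_id in NEVER_FILTER_IDS:      # integrity events always survive
        return True
    if event_id in NOISE_EVENT_IDS and user not in PRIVILEGED_ACCOUNTS:
        return False                      # routine logon noise
    return True


def apply_filter(events):
    """Split a batch into (stored, dropped) lists."""
    stored, dropped = [], []
    for ev in events:
        (stored if should_store(ev) else dropped).append(ev)
    return stored, dropped


def filter_summary(events):
    """Volume statistics for capacity planning: how much of the inbound
    load the filter removes before it reaches SQL."""
    stored, dropped = apply_filter(events)
    return {
        "input": len(events),
        "stored": len(stored),
        "dropped": len(dropped),
        "reduction": len(dropped) / len(events) if events else 0.0,
    }


def collector_wql():
    """WQL expression for the ID-only part of the policy. The per-account
    exception is deliberately not rendered: it needs the AdtsEvent property
    name for the header user, which this example does not assume."""
    ids = " OR ".join(f"EventId={i}" for i in sorted(NOISE_EVENT_IDS))
    return f"SELECT * FROM AdtsEvent WHERE NOT ({ids})"


if __name__ == "__main__":
    print(filter_summary(SAMPLE_EVENTS))
    print(collector_wql())
```

Replay a day's worth of exported events from a pilot subset of Forwarders through `filter_summary` to estimate the reduction before the filter is set on the Collector, and re-run it whenever audit policy or the privileged-account list changes.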
Audit Reporting
While ACS provides the infrastructure to collect security event logs, users still need to leverage the data for audit reporting to support internal security requirements or regulatory controls. ACS includes several reports out-of-box as well as two report templates to help users build custom audit reports via SQL Reporting Services. The list below summarizes the audit reports available with ACS.
- Access Violation Account Locked
- Access Violation Unsuccessful Logon Attempts
- Account Management Domain and Built-In Administrator Changes
- Account Management Password Change Attempts by Non Owner
- Account Management User Accounts Created
- Account Management User Accounts Deleted
- Forensic All Events for Specified Computer
- Forensic All Events for Specified User
- Forensic All Events with Specific Event ID
- Planning Event Counts
- Planning Events Counts by Computer
- Planning Hourly Event Distribution
- Planning Logon Counts of Privileged Users
- Policy Account Policy Changed
- Policy Audit Policy Changed
- Policy Object Permission Changes
- Policy Privilege Added or Removed
- System Integrity Audit Failure
- System Integrity Security Log Cleared
- Usage Object Access
- Usage Privileged Logons
- Usage Sensitive Security Group Changes
- Usage User Logon

Important Links
Community Resources
There is a wealth of resources created by the community specifically for ACS and available to users for download. The list below summarizes these resources.