Microsoft Audit Connection Service (ACS) is a new function in SCOM 2007 that can collect logs from machines. All logs are saved in a special Audit Collection database. You can then run reports against the database to see trends and do security analysis. You can also, for example, trace a user's activity across many systems.
Operations Manager (Ops Mgr) comes with a number of ACS reports, but most of them only work with Windows Server 2003. I have customers who have upgraded to Windows Server 2008 and now find that ACS is no longer working. That is because the ACS reports are looking for Windows Server 2003 events. For example, the “Usage_-_User_Logon” report is looking for event IDs 540 and 528, but in Windows Server 2008 the logon events are IDs 4624 and 4648.
Another problem with ACS reports is that you can’t schedule them with relative dates, for example “last week first day” and “last week last day”.
To create a new report that shows all logons (event ID 4624) for a domain user over the last seven days, you can use the built-in SQL Report Builder. This presupposes that you have ACS installed correctly. You can read how to deploy ACS here.
- Start the Operations Manager 2007 console and navigate to the Reporting workspace, click “Design a new report”
- In “Microsoft Report Builder” select Audit as source of data for your report, select table report layout and click OK
- Click and add a title, for example “Contoso – Domain User Logon”
- From “Fields” drag and drop “Logon Time” to the table
- From “Fields” drag and drop “Target User” to the table
- From “Fields” drag and drop “Event Machine” to the table
- From “Fields” drag and drop “String 13” to the table
- From “Fields” drag and drop “String 02” to the table
- From “Fields” drag and drop “String 12” to the table
- From “Fields” drag and drop “String 03” to the table
- Click “Fields” in the tools menu
- In the “Filter Data” window, from “Fields” drag and drop “Event ID” to the “Dv Alls with” box. Select event ID 4624 in the drop-down menu
- In the “Filter Data” window, from “Fields” drag and drop “Logon Time” to the “Dv Alls with” box. Select “Logon Time on or after 7 days ago” and “Logon Time on or before today”
- In the “Filter Data” window, from “Fields” drag and drop “Target Domain” to the “Dv Alls with” box. Select “Target Domain equals ”
- In the “Filter Data” window, from “Fields” drag and drop “Target User” to the “Dv Alls with” box. Right-click “Target User” and select “Prompt”. If you don’t add a filter to this formula you will get a drop-down menu with all usernames to select from. (Right-click “Target User” and select “Edit As Formula”, double-click “Parameter: Target User”, expand, add a simple filter, for example an empty filter)
- Rename the table cells, for example:
Event Machine to “Computer (Logon on to)”
String13 = Auth Package
String02 = Logon Type
String12 = Logon Process
String03 = Computer (Logon on from)
- When you are happy with your new report you can test run it with the “Run Report” button. You can then save the report to your report server on the File menu.
It can also be nice to add an information box describing both what the report does and what the different logon types mean. Also insert a filter description into your report from the Insert menu.
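The report built in the steps above, written out as a query, with the Logon Type code decoded the way the information box would explain it. This is an added example, not part of the original post: it runs against an in-memory SQLite table, and the table name `audit`, its column names and the sample rows are constructed stand-ins for the ACS data, not the real ACS schema.

```python
import sqlite3
from datetime import datetime, timedelta

# Logon Type codes recorded in event 4624 (the "String 02" column above).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Same filters and column labels as the Report Builder steps. Assumption: the
# table "audit" and its column names are stand-ins, not the real ACS schema.
REPORT_SQL = """
SELECT LogonTime, TargetUser,
       EventMachine AS "Computer (Logon on to)",
       String13 AS "Auth Package", String02 AS "Logon Type",
       String12 AS "Logon Process", String03 AS "Computer (Logon on from)"
FROM audit
WHERE EventId = 4624
  AND LogonTime >= :start AND LogonTime < :end
  AND TargetDomain = :domain AND TargetUser = :user
ORDER BY LogonTime
"""

def logon_report(conn, domain, user, today):
    """Logons for one domain user from 7 days ago (00:00) to the end of today."""
    midnight = lambda d: datetime.combine(d, datetime.min.time()).isoformat(sep=" ")
    params = {"start": midnight(today - timedelta(days=7)),
              "end": midnight(today + timedelta(days=1)),
              "domain": domain, "user": user}
    cur = conn.execute(REPORT_SQL, params)
    cols = [c[0] for c in cur.description]
    rows = [dict(zip(cols, r)) for r in cur]
    for r in rows:  # decode the numeric logon type for the reader of the report
        code = int(r["Logon Type"])
        r["Logon Type"] = f"{code} ({LOGON_TYPES.get(code, 'Unknown')})"
    return rows

def sample_db():
    """In-memory table holding constructed rows (not real audit data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (EventId, LogonTime, TargetDomain, TargetUser,"
                 " EventMachine, String02, String03, String12, String13)")
    conn.executemany("INSERT INTO audit VALUES (?,?,?,?,?,?,?,?,?)", [
        (4624, "2010-03-10 08:15:00", "CONTOSO", "alice", "DC01", "3", "WS042", "Kerberos", "Kerberos"),
        (4624, "2010-03-11 23:59:30", "CONTOSO", "alice", "TS01", "10", "WS042", "User32", "Negotiate"),
        (4624, "2010-03-01 09:00:00", "CONTOSO", "alice", "DC01", "3", "WS042", "Kerberos", "Kerberos"),
        (4648, "2010-03-10 08:16:00", "CONTOSO", "alice", "DC01", "", "", "", ""),
        (4624, "2010-03-10 10:00:00", "CONTOSO", "bob", "FS01", "2", "FS01", "User32", "Negotiate"),
    ])
    return conn
```

Because the date window is computed from `today` on every run, the same query can be scheduled without editing fixed dates.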