Home » System Center Operations Manager 2007 » Audit Collection Services (ACS)

Contoso.se

Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Microsoft infrastructure and system management. I am a principal engineer in the FastTrack for Azure team, part of Azure CXP, at Microsoft. Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.

Anders Bengtsson

MVP
MVP awarded 2007,2008,2009,2010

My Books
Service Manager Unleashed
Service Manager Unleashed
Orchestrator Unleashed
Orchestrator 2012 Unleashed
OMS
Inside the Microsoft Operations Management Suite

Contoso.se

Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft.  Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.



MVP awarded 2007,2008,2009,2010

My Books

Service Manager Unleashed


Orchestrator 2012 Unleashed


Inside the Microsoft Operations Management Suite

Audit Collection Services (ACS)

Microsoft Audit Connection Service (ACS) is a new function in SCOM 2007 that can collect logs from machines. All logs are saved in a special Audit Collection database. You can then run reports against the database to see trends and do security analyzes. You can also for example trace a user activity over many systems. This is a general guide how to deploy ACS. The ACS collector is your management server that collects audit events from your agents, ACS forwarders.

COOPSMGR is my ACS server, you should replace that with your ACS server hostname.

The first step is to install Audit Collection Server. This can be done from the Ops Mgr 2007 Setup. On the last page of the wizard, before you click “Finish”, verify that the setup has been successfully.

The next step is to enable audit collection on an agent.  

  1. Start the console, click monitoring and then state view
  2. Right-click Monitoring and create a new state view, name ACS, choose to show data related to Agent. Then leave all default settings and click OK
  3. Click on you new state view, right-click on a agent and choose Health Service Tasks, Enable Audit Collection
  4. In the Run Task – Enable Audit Collection, verify your settings and click Run
  5. In the Task Status – Enable Audit Collection, verify that the task output is successfully and then click Close

Now you have enable audit collection on that machine, audit events are forwarded to your collector in realtime. You need to verify that the Operations Manager Audit Collection Service is running on your collector. Look in the services console to verify that.

The next set is to setup ACS reporting. It is in ACS reporting you will see the result of the collected data.

  1. Copy the X:\ReportModels\ACS directory from your installation source to a directory on your server, for example C:\ACS
  2. Copy the X:\SupportTools\ReportingConfig.exe from your installation source to the same directory
  3. Open a commando prompt and change to the C:\ACS directory
  4. Run the following commando: UploadAuditReports.cmd COOpsMgr http://coopsmgr/reportserver C:\ACS .COOpsMgr is my ACS db server and http://coopsmgr/reportserver is the URL to my reporting service and C:\ is where is saved the files. (There might be a couple of warnings… but you can verify the commando in the next step if you find all objects)
  5. Start Internet Explorer and open http://opsmgr/reports , click Audit Reports and then show details
  6. Click Db Audit
  7. Change “Connect using” to “Windows Integrated security”
  8. Verify that the connection string is pointing at your database after catalog and data source is pointing to your servername
  9. Click Apply and then go back to the Audit Reports folder (there is a link at the top of the page)
  10. Close Internet Explorer

You can now, or at least after a while, open ACS report in the Console and see collected data the ACS reports. The prefered way is to look at reports in the Console, not as in MOM 2005 where you used Internet Explorer and SQL Reporting Console (http://coopsmgr/Reports)

 

 


1 Comment

Comments are closed.