How to Deploy Audit Collection Services (ACS) in SCOM 2012
This article is a step by step tutorial how to deploy the SCOM 2012 Audit Collection Service (ACS).
The deployment has 3 parts:
- How to Install an ACS Collector and Database
- How to Enable ACS Forwarders
- How to Deploy ACS Reporting
Audit Collection Service (ACS) is used to collect records generated by an audit policy and store them in a centralized database. Using ACS, organizations can consolidate individual Security logs into a centrally managed database and can filter and analyze events using the data analysis and reporting tools provided.
ACS has the following components:
· ACS Forwarders
The service that runs on ACS forwarders is included in the Operations Manager agent. By default, this service is installed but not enabled when the Operations Manager agent is installed. After you enable this service, all security events are sent to the ACS collector in addition to the local Security log.
· ACS Collector
The ACS collector receives and processes events from ACS forwarders and then sends this data to the ACS database.
· ACS Database
The ACS database is the central repository for events that are generated by an audit policy within an ACS deployment.
This looks like the following:
For details have a look at:
Collecting Security Events Using Audit Collection Services in Operations Manager
https://technet.microsoft.com/en-us/library/hh212908.aspx
Prerequisites
Following prerequisites:
· Collector:
MDAC (latest version), see:
HOW TO: Determine Whether MDAC Is Installed
https://support.microsoft.com/kb/292627
And / or
Learning Microsoft Data Access Components (MDAC)
https://msdn.microsoft.com/en-us/data/aa937703.aspx
· ACS Database
Microsoft SQL Server 2005 or SQL Server 2008 (R2)
· ACS Reporting
SQL Reporting, check if https://YourReportServerName/ReportServer works:
Note: You can deploy Audit Collection Services (ACS) Reporting on a supported version of Microsoft SQL Server Reporting Services (SSRS) instance. If System Center 2012 – Operations Manager Reporting has also been installed on the same SSRS instance, you can view the ACS Reports in the Operations console.
I have installed SQL/RS/Collector all on OR-OM12-1.
See for the details:
Collecting Security Events Using Audit Collection Services in Operations Manager
https://technet.microsoft.com/en-us/library/hh212908.aspx
Deployment steps
Step 1 How to Install an ACS Collector and Database
The TechNet deployment guide you can find here:
How to Install an Audit Collection Services (ACS) Collector and Database
https://technet.microsoft.com/en-us/library/hh284670.aspx
The following steps describe how to install the ACS Collector and database on the computer that is designated as your ACS collector.
On the Operations Manager installation media, run Setup.exe , and then click Audit collection services :
On the Welcome page, click Next :
On the License Agreement page, read the licensing terms, click I accept the agreement :
On the Database Installation Options page, click Create a new database , and then click Next :
On the Data Source page, in the Data source name box, type a name that you want to use as the Open Database Connectivity (ODBC) data source name for your ACS database. By default, this name is OpsMgrAC :
On the Database page, if the database is on a separate server than the ACS collector, click Remote Database Server and change or leave the database name OperationsManagerAC :
On the Database Authentication page, select one of the authentication methods. If the ACS collector and the ACS database are members of the same domain, you can select Windows authentication , otherwise select SQL authentication :
On the Database Creation Options page, click Use SQL Server's default data and log file directories to use SQL Server's default folders, otherwise, click Specify directories :
On the Event Retention Schedule page, click Local hour of day to perform daily database maintenance, and in Number of days to retain events box type the number of days ACS should keep :
On the ACS Stored Timestamp Format page, choose Local or Universal Coordinated Time , formerly known to as Greenwich Mean Time :
Check if the summary is correct:
And install the collector:
Choose the server to login to SQL:
Let the wizard finish:
Click Finish when ready:
Check if the database is installed:
The collector is deployed now and the AdtServer Service is started:
Now we can enable the ACS Forwarders.
Step 2 How to Enable ACS Forwarders
The TechNet deployment guide you can find here:
How to Enable Audit Collection Services (ACS) Forwarders
https://technet.microsoft.com//library/hh272397.aspx
The following steps describe how enable the ACS forwarders.
In the Operations console, click Monitoring, Operations Manager , expand Agent Details , and then click Agent Health State :
In the details pane, click all agents that you want to enable as ACS forwarders. You can make multiple selections by pressing CTRL or SHIFT, and in the Actions pane, under Health Service Tasks , click Enable Audit Collection to open the Run Task - Enable Audit Collection dialog box:
Set task credentials or override for collector server if needed:
Run the Task:
And wait until success:
See if the AdtAgent services is started on the agent:
It is forwarding the security events now.
Step 3 How to Deploy ACS Reporting
The TechNet deployment guide you can find here:
How to Deploy ACS Reporting
https://technet.microsoft.com/en-us/library/hh299397.aspx
The following steps describe how to install the ACS Collector and database.
On the server that will be used to host ACS reporting create a (temp) folder C:\ACS:
On your installation media, go to \ReportModels :
acs and copy the directory contents to the temporary installation folder:
On your installation media, go to \SupportTools :
and copy the file ReportingConfig.exe into the temporary acs folder if not already there:
Open a Command Prompt window by using the Run as Administrator option, and then change directories to the temporary acs folder:
Run the following command:
UploadAuditReports “<AuditDBServer\Instance>” “<Reporting Server URL>” “<path of the copied acs folder>”
For example:
UploadAuditReports “myAuditDbServer\Instance1” “https://myReportServer/ReportServer$instance1” “C:\acs”
In my case:
UploadAuditReports OR-OM12-1 https://OR-OM12-1/ReportServer C:\ACS
This example creates a new data source called Db Audit , uploads the reporting models Audit.smdl and Audit5.smdl , and uploads all reports in the acs\reports directory :
Open Internet Explorer and enter the following address to view the SQL Reporting Services Home page. https://<yourReportingServerName>/Reports_<InstanceName>
In my case:
Click Audit Reports in the body of the page and then click Details View in the upper right part of the page:
Go to Audit Reports:
And choose Manage for the Db Audit data source :
In the Connect Using section, select Windows Integrated Security and click Apply:
Check if the Audit Reports are in the console:
And see if the reports work :
Now you can start configuring ACS using AdtAdmin.exe, see:
Audit Collection Services Administration (AdtAdmin.exe)
https://technet.microsoft.com/en-us/library/hh212727.aspx
You have installed ACS now!!
Thanks to Dirk van Coeverden (dirkv(at)microsoft.com)
Comments
Anonymous
January 01, 2003
Thank you.Anonymous
January 01, 2003
hi , tnx 4 this post. i have question : how can check forward event log work correctly ?Anonymous
January 08, 2013
So SQL 2012 is not supported for the ACS DB? The documentation is unclear in this regard, but does state that for the Configuration and DW DB's SQL 2012 is supported.Anonymous
January 09, 2013
According to: Collecting Security Events Using Audit Collection Services in Operations Manager technet.microsoft.com/.../hh212908.aspx It states: Microsoft SQL Server 2005 or SQL Server 2008. You can choose an existing or new installation of SQL Server. The Enterprise edition of SQL Server is recommended because of the stress of daily ACS database maintenance. It might have changed though since SP1 and this isn't updated according latest. Please keep eye on this article.Anonymous
January 09, 2013
For OM2012.SP1.RTM, ACS is supported on SQL 2012.Anonymous
January 10, 2013
The SQL requirements for ACS as listed here: Collecting Security Events Using Audit Collection Services in Operations Manager technet.microsoft.com/.../hh212908.aspx will be updated soon so it will comply with System Requirements: System Center 2012 SP1 - Operations Manager technet.microsoft.com/.../jj656654.aspxAnonymous
February 28, 2013
Thanks for this post. I have run into the following issues with my ACS reports. I am running Windows 2008 R2 for OS and SQL 2012 for my SQL server. My standard reports are working find however when I try to run a report for ACS I get the following error: An error has occurred during report processing. (rsProcessingAborte) Cannot create a connection to data source 'datasource1'. (rsErrorOpeningConnection) I have check and there are no firewalls blocking any ports.Anonymous
May 22, 2013
H I have an issue with MDAC. On the link you gave, the latest version of MDAC is 2.8 SP1, which won't install on Server 2008 R2. How do you get around that?Anonymous
July 25, 2013
Hi, its very help document, I am looking into trouble shooting ACS , like i am unable to get ACS reports, when i run ACS report, they are previously running. Now i am getting blanks reports. kindly share any link or steps to trouble shoot ACS. Thanks FaisalAnonymous
March 10, 2014
hi, tnx for this post,
i have question : how can check that forwarder working correctly ??Anonymous
June 06, 2014
Awesome writeup! Thankyou!Anonymous
August 26, 2014
Can we install the ACS collector in the Management server( SCOM Mgmt server)