SCOM 2012 SP1 – Part 1: Audit Collection Services (ACS) Setup

SCOM 2012 SP1 has been released and I was wondering how the setup behaves and what the look and feel is going to be. Therefore, I decided to play around with Audit Collection Services and write a 4 part blog series about it. Cool, huh?

This 4 part series discusses in part 1 how to install the ACS collector and reporting. In part 2 we are going to set up the ACS configuration for cross platform, in our case SUSE Linux Enterprise Server 11.2, and also the cross platform reports. Part 3 is more of a “do I see what I expect to see” thing and part 4 a collection of useful resources.

Part 1 – Basic ACS setup for Windows servers (forwarders) and reporting
Part 2 – ACS setup for Linux servers (forwarders) and cross platform reporting
Part 3 – Testing the cross platform event logging
Part 4 – ACS useful resources and tools

Before we can start we need to build a small environment consisting of 6 servers (!). Because I was somewhat limited in resources the roles couldn’t be assigned as they should be in a production environment. The role assignment was as follows:

  • 2 SUSE Linux Enterprise Server 11.2
    • Linux01.bigfirm.com
    • Linux02.bigfirm.com
  • 1 SCOM 2012 SP1 management server
    • MS01.bigfirm.com
    • SQL Server 2012 SP1
    • SQL Server Reporting Services
  • 1 SCOM 2012 SP1 management server
    • MS02.bigfirm.com
  • 1 SCOM 2012 SP1 management server
    • ACS01.bigfirm.com
    • ACS role installed
  • 1 Windows Server 2012 domain controller
    • DC01.bigfirm.com

To better visualize the role assignment and topology I drew the scenario in Visio…

Scenario

A few words about the scenario. Everything is installed on Windows Server 2012 and I used the latest SCOM 2012 SP1 release for testing. I installed SQL Server 2012 SP1 on the first management server (MS01) and also set up the databases in the default SQL instance. The reason was that I didn’t have many resources left in my lab to install a dedicated SQL server. Remember, this is just a test scenario; never do it this way in a production environment.

First I installed all the management servers, databases and reporting. Just a plain SCOM 2012 SP1 setup. I am not going to show how to install all this stuff because there are enough resources out on the internet. Next, I created a dedicated resource pool for the Linux monitoring (members MS01 and MS02) and deployed the SCOM agents to the Linux01 and Linux02 servers. How to do that, see one of my older posts. Verify that all event logs of the management servers MS01, MS02 and ACS01 are in good shape and that the health status of MS01, MS02, ACS01, Linux01 and Linux02 is healthy in the SCOM console. If everything looks OK you are ready to set up ACS.

ACS Collector Setup

Note: ACS01 is at this very moment a regular SCOM management server; the only difference to MS01 and MS02 is that it is not a member of the Linux resource pool.

To install the ACS role on ACS01.bigfirm.com, mount the SCOM 2012 SP1 ISO file on ACS01, run setup.exe and click Audit collection services…

Click Next…

Accept and click Next…

Create a new database, click Next…

Because there is no reason to change the DSN for the ODBC connection we leave the default…

As mentioned at the beginning, I installed SQL Server on my first management server MS01, therefore I set MS01.bigfirm.com as the database server name and leave the database name for the ACS database at its default, click Next…

Because we are in a single-domain forest we can use Windows authentication…

In a production environment you would put the ACS database files on separate disks, because they need very fast spindles and a lot of space for best performance, which you could specify here. Because I don’t have any special requirements or needs I put them into the default SQL Server directories, click Next…

Decide when the database maintenance should run. I leave the schedule at its default and specify to keep events for 30 days. It is best to choose a time when there is no or not much activity going on, click Next…

As I have all systems in the same time zone and don’t need UTC time, I am just going to use Local for my timestamps, click Next…

Check the Summary and, if everything is OK, click Next…

After you click Next you are going to be asked for the SQL Server login, click OK…

After a few moments you will be looking at this successful confirmation dialog…

You have just finished the basic ACS setup. Next we are going to install the ACS reports for Windows(!).

ACS Reporting (for Windows)

The prerequisite for ACS reporting is that you have SQL Server Reporting Services (SSRS) installed. This can be either a separate SSRS instance or the same SSRS instance you are using for the rest of the SQL reports. We are going to use the same instance for all reports.

First we need to copy all the necessary files locally to the C:\ drive. Create a folder called C:\acs on the C:\ drive of ACS01. Navigate on the SCOM 2012 SP1 installation media to the directory, e.g. D:\ReportModels\acs, and copy all the files from D:\ReportModels\acs to C:\acs…

On ACS01 open an elevated command prompt and change to the C:\acs directory and run the following command:

UploadAuditReports "<AuditDBServer\Instance>" "<Reporting Server URL>" "<path of the copied acs folder>"

In my example it looks like this…

UploadAuditReports "MS01" "http://ms01/ReportServer" "C:\ACS"

Note: In order for the import to function properly make sure you have .Net Framework 3.5 installed.

Next, open a web browser, go to e.g. http://ms01/Reports and verify that the Audit Reports folder has been created. Click Detailansicht (German) or Details View (English) in the upper right corner…

Go to DB Audit and look at the properties…

Verify that Windows integrated security is selected…

As a last check go into the SCOM console and check the reporting section if all the Audit Reports appear…
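As an added example that is not from the original post, the PowerShell below runs the report upload with the pre-flight checks and the verification the steps above describe: the .NET 3.5 prerequisite, a reachable Report Server URL, the Audit Reports folder and the DB Audit data source's Windows integrated security. It assumes the post's lab names (MS01, http://ms01/ReportServer, C:\acs), that the upload script is UploadAuditReports.cmd, and that the shared data source is published at /Audit Reports/DB Audit.

```powershell
# Added example (not the post's own script). Assumed lab values from the post:
$AuditDbServer   = "MS01"                      # ACS database server (default instance)
$ReportServerUrl = "http://ms01/ReportServer"  # SSRS web service URL, NOT http://ms01/Reports
$AcsFolder       = "C:\acs"                    # copy of <media>\ReportModels\acs

# 1. UploadAuditReports needs .NET Framework 3.5; on Windows Server 2012 it is the
#    NET-Framework-Core feature and is not installed by default.
$net35 = Get-WindowsFeature -Name NET-Framework-Core
if (-not $net35.Installed) {
    throw "Install .NET 3.5 first, e.g. Install-WindowsFeature NET-Framework-Core -Source D:\sources\sxs"
}

# 2. The upload creates folders and the data source through the SSRS web service below
#    this URL with the caller's Windows credentials; a wrong URL (Report Manager instead of
#    the web service, wrong host) typically surfaces as HTTP 404 in CreateSRSDataSource.
try {
    $r = Invoke-WebRequest -Uri $ReportServerUrl -UseDefaultCredentials -UseBasicParsing
    if ($r.StatusCode -ne 200) { throw "HTTP $($r.StatusCode)" }
} catch {
    throw "Report server URL '$ReportServerUrl' is not usable: $($_.Exception.Message)"
}

# 3. Run the upload exactly as in the post (UploadAuditReports.cmd is an assumed file name).
Push-Location $AcsFolder
cmd /c UploadAuditReports.cmd "$AuditDbServer" "$ReportServerUrl" "$AcsFolder"
$rc = $LASTEXITCODE
Pop-Location
if ($rc -ne 0) { throw "UploadAuditReports failed with exit code $rc" }

# 4. Verify through the ReportService2010 SOAP endpoint instead of clicking through the
#    Report Manager: the folder and its reports exist, and DB Audit uses integrated security.
$ssrs  = New-WebServiceProxy -Uri "$ReportServerUrl/ReportService2010.asmx" -UseDefaultCredential
$items = $ssrs.ListChildren("/Audit Reports", $true)
"{0} items under /Audit Reports, {1} of them reports" -f $items.Count,
    @($items | Where-Object TypeName -eq "Report").Count

$ds = $ssrs.GetDataSourceContents("/Audit Reports/DB Audit")   # assumed path of the data source
if ("$($ds.CredentialRetrieval)" -ne "Integrated") {
    Write-Warning "DB Audit data source uses '$($ds.CredentialRetrieval)' credentials, expected Integrated"
} else {
    "DB Audit data source: Windows integrated security (ConnectString: $($ds.ConnectString))"
}
```

Run it in an elevated PowerShell on ACS01 as an account that is a local administrator there and a content manager on the report server, which is what the manual steps require as well.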

You have just installed the basic ACS role and reports. Next, we just need to enable the forwarding service on one of the Windows computers…

Enabling Forwarding

Navigate to the Operations Manager view and select the Agent Health State dashboard. In the Agent State view select an agent, e.g. DC01, and in the Tasks pane on the right click Enable Audit Collection. This will configure the service on DC01 to forward all security related events to the ACS collector…

Override the Collector Server value to your collector server e.g. ACS01.bigfirm.com and hit OK…

Make sure the task ends successfully…

That’s it, you have finished the ACS installation for collecting Windows security events from DC01. Of course if you want more events collected from other servers, just go ahead and run the task again for the servers of your choice…

At this moment ALL security events get dumped into the ACS database. Of course we don’t want that in production, but stay tuned, we will fix that later…
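As an added example that is not part of the original post, this PowerShell checks on the forwarder (DC01) what the Enable Audit Collection task and the Collector Server override should have left behind: the Operations Manager Audit Forwarding service (AdtAgent) running, the collector name in the forwarder's AdtServers parameter, the collector reachable on the default ACS collector port TCP 51909, and fresh Security log events available to be forwarded. The host names are the post's lab names; the registry path and port are the documented ACS forwarder defaults, not values taken from the post.

```powershell
# Added example (not the post's own script). Run elevated on the forwarder, e.g. DC01.
$Collector = "ACS01.bigfirm.com"   # value given in the task override (assumed from the post)
$Port      = 51909                 # default TCP port the ACS collector listens on

# The task configures and starts the AdtAgent service on the forwarder.
$svc = Get-Service -Name AdtAgent -ErrorAction Stop
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='AdtAgent'"
"AdtAgent service: status={0}, start mode={1}" -f $svc.Status, $wmi.StartMode
if ($svc.Status -ne "Running") { Write-Warning "Forwarder service is not running" }

# The Collector Server override ends up in the AdtServers multi-string parameter.
$paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters"
$params   = Get-ItemProperty -Path $paramKey -ErrorAction Stop
"Configured collectors: {0}" -f (@($params.AdtServers) -join ", ")
if (@($params.AdtServers) -notcontains $Collector) {
    Write-Warning "Forwarder is not pointed at $Collector; re-run the task with the override"
}

# The forwarder opens a TCP session to the collector. Test-NetConnection does not exist on
# Windows Server 2012, so use a plain TcpClient for the reachability check.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Collector, $Port)
    "TCP $Port on $Collector reachable (firewall between forwarder and collector is open)"
} catch {
    Write-Warning "Cannot reach $Collector on TCP $Port : $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

# At this stage the forwarder ships the whole Security log; logon events (4624/4625) from the
# last hour are a quick sample of what should show up in the ACS database shortly after.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-1) } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName
```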

4 Comments

  1. Pingback: SCOM 2012: Overview link blog - SysManBlog

  2. Hi Stefan,

    I followed your steps – but I see no one has a solution when one gets the error:
    The application threw exception: CreateSRSDataSource: Exception The request failed with HTTP status 404: Not Found…

    Could you please advise on how to get this working.
