SCOM 2012 SP1 – Part 2: Audit Collection Services (ACS) Cross Platform Setup

In part 1 we installed the ACS collector, ACS reporting and enabled one Windows server to forward the events to the collector server ACS01. In this part we will install the cross platform part of ACS to collect the events from Linux systems.

Maybe we need to explain shortly how the cross platform ACS works. Because Linux has a different security logging behavior than Windows has, we need some sort of unifying the security events. Some sort of “transforming the information into the same format”. Ok, it works like that. A lot of security related events we are interested in are logged in /var/log/messages (e.g. for SUSE Linux computers). Rules from the SCOM 2012 SP1 management servers will pick these events up and write it into the Windows security event log of the management server which is currently responsible for monitoring the respective Linux server. In our scenario either MS01 or MS02 would have events from Linux01 or Linux02 in their security event log.

After those events are written to the Windows security event log they will be forwarded to the ACS collector server which is going to write those events into the ACS database.

In a flow chart it would look like this…


OK, how to configure this? Let’s have a look…

Enable Audit Collection

First we need to enable the forwarding service on the management servers which are in the Linux resource pool MS01 and MS02. Go to Operations Manager / Management Server / Management Server State dashboard. On the Management Server State view select both management servers and run Enable Audit Collection task on the right hand side…


Override the Collector Server value to and click Run…


Make sure the tasks run successfully…


This started the forwarder service on each management server…


Next we need to install the Audit Collection Services for UNIX/Linux on MS01 and MS02.

Setup Audit Collection Services for UNIX/Linux

Run setup.exe from your installation media SCOM2012SP1 on MS01 and select Audit Collection Services for UNIX/Linux…


Click Next…


Accept and click Next…


We will choose Current local time as a timestamp to store the events. There is no need to choose UTC in the scenario, click Next…


Hit Install…


Click Next to finish the installation…


Click Finish…


Since we have two management servers MS01 and MS02 which can receive data either from Linux01 or Linux02 we need to install Audit Collection Services for UNIX/Linux on both management servers.

Note: During the installation of Audit Collection Services for UNIX/Linux the local Group Policy gets modified in order to write to the Windows security event log. As you can see Audit object access is set to Success, Failure. This comes into play if you have domain policies set which could modify these settings.


Next, we need to import the management packs which contain all the discoveries and rules to collect the events from the Linux systems.

Install Cross Platform Management Packs

On your SCOM2012SP1 installation media there is a folder called ManagementPacks. In this folder there are 2 management packs we need for our scenario…



Go to the management pack import wizard and select both management packs and click install…


After we have successfully installed the MP, we need to enable the discoveries.

Enable ACS Endpoints

In your SCOM console go to Authoring / Object Discoveries and set the object scope to ACS Endpoint and SLES 11 ACS Endpoint…


Set the discovery Discover UNIX/Linux ACS Endpoint for the SUSE Linux Enterprise Server 11 Computer Group to Enabled = True. This will basically turn on the discovery. See the summary for this override…


It looks like that and saved it into a dedicated management pack…


Now we are going to configure how often the discovery should run. Because we are in a lab I set the discovery very low to 120 seconds instead 14400 (default) which would be fine in production…


The override looks like this and saved it into a dedicated management pack…


Cross Platform Rules SUSE Linux

Let’s resume what we did. We enabled the management server to forward events to the ACS collector. Then we installed the necessary management packs and enabled the ACS Endpoint discoveries. Now let’s have a look at the rules we have in the management pack. As I mentioned before these rules collect the events from the Linux server and write it into the management servers security event log…


Let’s pick one rule e.g. Deleting User rule. If we look at the properties we see some details about this rule…


On the Configuration tab we see some great details what this rule is going to do. E.g here it parses the /var/log/messages log for deleted account information…


If we look at the Override dialog we can see, that the rule will log an event 27005 if we delete a Linux account…


Pretty cool, huh? Well now we need just one more step, and this is to import the Cross Platform Audit Reports.

Import Cross Platform Audit Reports

Go to MS01 or MS02 and navigate to C:\Program Files\System Center Operations Manager Cross Platform ACS folder. This folder has been created during Audit Collection Services for UNIX/Linux installation…


Open an elevated command prompt and change into this C:\Program Files\System Center Operations Manager Cross Platform ACS directory. Next run the command:

UploadCrossPlatformAuditReports “<AuditDBServer\Instance>” “<Reporting Server URL>” “<path of the cross platform folder>”

In our example it will look like this…

UploadCrossPlatformAuditReports “MS01” “http://ms01/ReportServer&#8221; “C:\Program Files\System Center Operations Manager Cross Platform ACS”


You will be asked to confirm that you have ACS reports (2007 R2?!) previously installed before importing these cross platform reports. Confirm by typing “Y”.

Note: If you look close at the cmd output, it seems that the reports are still the same as in SCOM 2007 R2 Smiley.

Next go to the SCOM console and select the Reporting and verify that the Cross Platform Audit Reports node is available.


Now you have finished the cross platform installation and you are ready to test how things work.

I recommend after these installation steps checking at least the Application, Security and Operations Manager event log on each management server and see if there are any errors or warnings.

Let’s prepare for part 3…


  1. Pingback: SCOM 2012: Overview link blog - SysManBlog

  2. Pingback: SCOM ACS for Unix and Linux Servers - Working with System Center - Site Home - TechNet Blogs

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s