Install Audit Collection Services

Since Audit Collection Services (ACS) is not a part of the main SCOM installation, we have to install it separately.

NOTE: In a Production environment, ACS is normally implemented in a segregated space. The reason for this is because ACS is used to audit security and logons. Since the Administrator of SCOM will more than likely be a part of an Operations team, and have access to various Production/Non-Production servers, for security reasons, the ACS installation would be on a server that the Operations team would not have access to (since they would be among the logons being monitored/audited).

To start the installation, mount the SCOM ISO and run the setup.exe. From the splash screen, click the ‘Audit Collection Services’ link.

ACS Install 01

On the Welcome screen click Next.

ACS Install 02

Read the License Agreement, accept the agreement, and click Next.

ACS Install 03

On the Database Installation Options screen, choose whether you will create a new database or use an existing one. In our example, we will choose the ‘Create a new database’ option, and click Next.

ACS Install 04

 On the Data Source screen, enter a new for the data source or accept the default, and then click Next.

ACS Install 05

On the Database screen, enter the database server name and instance name, and change the database name if you do not want to use the default. Since this is a lab environment, we will choose the ‘Database server running locally’ because we have SQL Server installed on the same server as SCOM. Make the appropriate choices, and then click Next.

ACS Install 06

For Database Authentication, we are going to choose the ‘Windows authentication’ option for our lab since it’s in its own domain. Read the information for each option, and make the applicable choice, and then click Next.

ACS Install 07

For the Database Creation Options, in a Production environment you would specify different disks for the database and log files, but since we are in a lab, we will chose the ‘Use SQL Server’s default data and log file directories’ and click Next.

NOTE: I believe, though am not 100% sure, that if when you first setup/install SQL Server and specify different disks for the database(s) and log(s), then choose the ‘use SQL default’ would be appropriate since the defaults would already be offloaded to appropriate separate disks.

ACS Install 08

On the Event Retention Schedule screen, you can specify the time for the database maintenance to occur, as well as the number of days to retain. This last option is very important, as in Production your organization may have some legal/security obligations to meet. However, just remember that the longer the retention, the more space the database will need. Usually, when planning ACS in a Production environment, most use the SCOM Sizing Helper Tool to know how large the database will be, and how much to plan for growth.

For our lab environment, we will accept the defaults and click Next.

 ACS Install 09

Make the appropriate selection for the Timestamp Format, and click Next. In our lab example, we will use ‘Local’.

ACS Install 10

On the Summary screen, review the selections and input, and click Next.

ACS Install 11

Immediately after you click Next from the Summary screen, you will be prompted for the SQL Server Login. By default it will assume the login for the account that is currently logged in. If this is accurate, just click OK.

ACS Install 12

Wait for the Installation Wizard to complete, which didn’t take too long in our small scaled-down environment.

ACS Install 13

Finally, the installation will complete. Click Finish.

ACS Install 14

Congratulations, you have now installed ACS! But there is still more to do. We need to setup reporting, and the event forwarder.

Here is a video walk through of these steps:

ACS Reporting

For ACS Reporting, you first need an instance of SQL Server Reporting Services (SSRS). If you have been following these guided series, we will be using the same SSRS instance that we originally setup/configured for SCOM Reporting, since we are in a lab environment.

For our process, we are going to be following the steps outlined in this TechNet article:

First, we need to log onto the server that we will use for hosting the ACS reports. In our example, this is the same server that we installed SCOM on. From within that server, we need to create a temporary folder. We’ll create one on the root of C: and call it ACS (i.e. C:ACS).

ACS Reporting 01

Mount the SCOM ISO, and navigate to ReportModelsACS (in my example it is D:ReportModelsACS) and copy everything from this location into the temporary folder that we created.

ACS Reporting 02

Next, still within the mounted ISO, navigate to SupportTools (in my example it is D:SupportToolsAMD64ReportingConfig.exe) and copy the ReportingConfig.exe file into the temporary folder that we created.

 ACS Reporting 03

Now we need to run a command through an elevated command prompt. In Windows Server 2012 to do this, mouse over to the bottom left corner, which will cause the Start ‘square’ (not sure what the official name is) to appear. Right-click on the Start square, and click on ‘Command Prompt (Admin)’ to launch an Administrative Command Prompt.

ACS Reporting 04

ACS Reporting 05

Next, you will need to change the directory to the temporary folder that we created. You will then have to run the following command: UploadAuditReports “<auditdbserverinstance>” “” “”. In our lab example the command line would be: UploadAuditReports “SCOMSCOMSQL” “http://SCOM/Reports_SCOMSQL” “C:ACS”

NOTE: The reporting server URL needs the reporting server virtual directory (ReportingServer_<InstanceName>) instead of the reporting manager directory (Reports_<InstanceName>).

IMPORTANT: If you encounter the following error: “CreateSRSDataSource: Exception Invalid URI: The URI scheme is not valid“, the solution is simple (although it took some searching to find). Thanks goes to ThoughtsOnOpsMgr‘s blog for detailing the simple solution.

SOLUTION: Remove the quotes (” “) unless the path/file name has a space in it. So, my lab example would literally be: UploadAuditReports SCOMSCOMSQL http://SCOM/Reports_SCOMSQL C:ACS.

This creates a new data source called Db Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the acsreports directory.

IMPORTANT: In order for the import to function properly make sure you have the .NET Framework 3.5 installed. If you have been following these guides, this will already be installed from when we installed SQL Server 2012. ACS Reporting 06

Next, open Internet Explorer and navigate to the following URL: http:///Reports_, in our example it will be http://SCOM/Reports_ SCOMSQL.

ACS Reporting 07

Now click on the ‘Audit Reports’ directory folder, and then click the ‘Details View’ button in the top right corner.

ACS Reporting 08

Now click the DB Audit data source to open it.

ACS Reporting 09

Finally, under the ‘Connect Using’ selections, ensure that ‘Windows Integrated Security’ is selected, and click Apply.

 ACS Reporting 10

You can now go into the SCOM console, under Reporting, and view the Audit Reports.

REMINDER: It is acceptable to have the Audit Reports accessible via the SCOM console in a lab environment. But in a Production environment your organization may have strict security policies that you are required to follow, which would include auditing of IT to be handled by some security department.

ACS Reporting 11

Congratulations, you have finished configuring/deploying ACS Reporting. But, there is still one last step we need to complete, the Event Forwarder.

Here is a video walk through:

ACS Event Forwarder

Now that we have ACS installed, and the Reporting configured, we can now turn on the Event Forwarder to start collecting security events.

We are going to follow the TechNet article here: As stated by this article: “By default, the service needed for an agent to be an Audit Collection Services (ACS) forwarder is installed but not enabled when the Operations Manager agent is installed.” Therefore, in order to audit security events, you need to have the SCOM Agent installed on the system(s) first.

Log onto the SCOM server and open the SCOM console and click on the Monitoring pane. From there, navigate to Operations Manager > Agent Details > Agent Health State.

ACS Event Forwarder 01

In the details pane (the middle pane), in the Agent State area, select the system(s) that you want to enable Audit Collection on. When you select a system, in the right-hand Actions pane, under the Health Services Tasks, click the ‘Enable Audit Collection’ link.

 ACS Event Forwarder 02

This will launch the Enable Audit Collection task. From this window, you will need to enter the Collector Server for the Forwarder to report to. To do this, click the Override button.

 ACS Event Forwarder 03

On the Override dialog, enter the FQDN of the Collector Server. In our lab example, we will enter the only Management Server in our environment (i.e. SCOM.SC.LAB). Enter the appropriate information and then click the Override button.

 ACS Event Forwarder 04

The Enable Audit Collection dialog will now show the Collector Server that you just entered. At this point, you can also add a specific account to use within the Task Credentials section, or accept the defaults. Once you are ready to enable ACS, click the Run button.

ACS Event Forwarder 05

Once the task runs and completes successfully, the dialog will appear similar to the following. You can click Close.

ACS Event Forwarder 06

Congratulations, not only do you now have SCOM installed, along with Reporting; you additionally have setup ACS and enabled security auditing in your environment.

Here is a video walk through: