Friday, November 8, 2013

SCOM 2012 - Deploying ACS

You may find yourself on an engagement where the client is more security conscious and requests that you set up Audit Collection Services (ACS). ACS provides a means to collect records generated by an audit policy and store them in a centralized database. By default, when an audit policy is implemented on a Windows computer, that computer automatically saves all events generated by the audit policy to its local Security log. This is true for Windows workstations as well as servers. In organizations that have strict security requirements, audit policies can quickly generate large volumes of events, which is why collecting them centrally matters.

Installing ACS:
On the SCOM server you intend to install ACS on, run the System Center executable as an administrator. You will see the familiar install launch screen. Click Audit Collection Services.

Click Next

Accept the EULA and Click Next

Select Create a new database and Click Next

Leave this as the default and Click Next

For our purposes on this install we are going to use an existing database instance which is on a remote database server. Enter the machine name and instance. You can also change the name of the database if you wish. Click Next.

We used Windows Authentication. Click Next

If you have specific directories you can modify them here, otherwise Click Next

You can adjust this to fit your needs. Keep in mind the longer you store ACS data the larger the database will grow. Click Next

Dealer's choice. Click Next

Click Next

The wizard will configure the ACS Collector.

After a time you will be prompted to log in with credentials that have access to the database instance.

Success! Click Finish

You can log into your SQL server and validate that the database was created successfully.

On the SCOM server you will see the Operations Manager Audit Collection Service has been installed. It should be started at this point. If it is not, go ahead and start it.

Enable ACS Forwarders:
So now that the ACS install is finished we need to let our servers know that they should be forwarding security audit data to the ACS collector. Open up the Operations Manager console. In the Monitoring workspace expand Operations Manager, then Agent Details, then click on Agent Health State. In the Agent State pane in the upper right, select the server you want to enable ACS on (you can select multiple servers by holding CTRL or SHIFT). In the task pane under Health Service Tasks, click Enable Audit Collection.

You can modify the credentials used or just use the default Run-As account. Click Run

You can monitor the install progress. When the install is finished Click Close

You can validate that audit forwarding is running by logging into one of the client machines and checking that the forwarding service is present and started.
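Rather than logging into each client by hand, the check above can be run from one box against the collector and every forwarder you enabled. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 (Get-Service -ComputerName), remote admin rights, and the placeholder machine names shown.

```powershell
# Added example: verify the ACS collector and forwarder services after the steps above.
# Assumes Windows PowerShell 5.1 and remote admin rights; the machine names are placeholders.
$Collector  = 'SCOM01'                      # placeholder: server where the ACS collector was installed
$Forwarders = @('SRV01', 'SRV02', 'SRV03')  # placeholders: agents you ran Enable Audit Collection on

function Test-AcsService {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ServiceName,
        [string] $Role
    )
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name $ServiceName -ErrorAction Stop
        [pscustomobject]@{
            Computer = $ComputerName
            Role     = $Role
            Service  = $svc.DisplayName
            Status   = $svc.Status
            Healthy  = ($svc.Status -eq 'Running')
        }
    } catch {
        # Service missing or host unreachable: report it rather than silently skipping it.
        [pscustomobject]@{
            Computer = $ComputerName
            Role     = $Role
            Service  = $ServiceName
            Status   = "NotFound ($($_.Exception.Message))"
            Healthy  = $false
        }
    }
}

# AdtServer = Operations Manager Audit Collection Service (collector side)
# AdtAgent  = Operations Manager Audit Forwarding Service (forwarder side)
$results  = @(Test-AcsService -ComputerName $Collector -ServiceName 'AdtServer' -Role 'Collector')
$results += $Forwarders | ForEach-Object {
    Test-AcsService -ComputerName $_ -ServiceName 'AdtAgent' -Role 'Forwarder'
}

$results | Format-Table Computer, Role, Service, Status, Healthy -AutoSize

# Any forwarder not Running is a host whose security log is no longer reaching the collector.
$results | Where-Object { -not $_.Healthy } | ForEach-Object {
    Write-Warning "$($_.Role) $($_.Computer): $($_.Service) is $($_.Status)"
}
```

A stopped forwarder can be started with Start-Service against the returned service object; a missing one usually means the Enable Audit Collection task did not complete on that agent.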

In the next segment we will cover configuring ACS Reporting

More to come!
