

  • 0
AdinE

SCOM 2012 SP1 in a LAB – Installation (Part F – Install ACS)

Question

In our last post we installed SCOM and the Agent on several systems. Now we are going to install ACS to audit security events.




Install Audit Collection Services


Since Audit Collection Services (ACS) is not a part of the main SCOM installation, we have to install it separately.



NOTE: In a Production environment, ACS is normally implemented in a segregated space. The reason for this is because ACS is used to audit security and logons. Since the Administrator of SCOM will more than likely be a part of an Operations team, and have access to various Production/Non-Production servers, for security reasons, the ACS installation would be on a server that the Operations team would not have access to (since they would be among the logons being monitored/audited).



To start the installation, mount the SCOM ISO and run the setup.exe. From the splash screen, click the ‘Audit Collection Services’ link.



ACS Install 01.png



On the Welcome screen click Next.



ACS Install 02.png



Read the License Agreement, accept the agreement, and click Next.



ACS Install 03.png



On the Database Installation Options screen, choose whether you will create a new database or use an existing one. In our example, we will choose the ‘Create a new database’ option, and click Next.



ACS Install 04.png



On the Data Source screen, enter a name for the data source or accept the default, and then click Next.



ACS Install 05.png



On the Database screen, enter the database server name and instance name, and change the database name if you do not want to use the default. Since this is a lab environment, we will choose the ‘Database server running locally’ because we have SQL Server installed on the same server as SCOM. Make the appropriate choices, and then click Next.



ACS Install 06.png



For Database Authentication, we are going to choose the ‘Windows authentication’ option for our lab since it’s in its own domain. Read the information for each option, and make the applicable choice, and then click Next.



ACS Install 07.png



For the Database Creation Options, in a Production environment you would specify different disks for the database and log files, but since we are in a lab, we will choose the ‘Use SQL Server’s default data and log file directories’ and click Next.



NOTE: I believe, though am not 100% sure, that if, when you first set up/install SQL Server, you specify different disks for the database(s) and log(s), then choosing the ‘use SQL default’ option would be appropriate, since the defaults would already be offloaded to appropriate separate disks.



ACS Install 08.png



On the Event Retention Schedule screen, you can specify the time for the database maintenance to occur, as well as the number of days to retain. This last option is very important, as in Production your organization may have some legal/security obligations to meet. However, just remember that the longer the retention, the more space the database will need. Usually, when planning ACS in a Production environment, most use the SCOM Sizing Helper Tool to know how large the database will be, and how much to plan for growth.



For our lab environment, we will accept the defaults and click Next.



ACS Install 09.png



Make the appropriate selection for the Timestamp Format, and click Next. In our lab example, we will use ‘Local’.



ACS Install 10.png



On the Summary screen, review the selections and input, and click Next.



ACS Install 11.png



Immediately after you click Next from the Summary screen, you will be prompted for the SQL Server Login. By default it will assume the login for the account that is currently logged in. If this is accurate, just click OK.



ACS Install 12.png



Wait for the Installation Wizard to complete, which didn’t take too long in our small scaled-down environment.



ACS Install 13.png



Finally, the installation will complete. Click Finish.



ACS Install 14.png



Congratulations, you have now installed ACS! But there is still more to do. We need to set up reporting, and the event forwarder.




ACS Reporting

For ACS Reporting, you first need an instance of SQL Server Reporting Services (SSRS). If you have been following these guided series, we will be using the same SSRS instance that we originally set up/configured for SCOM Reporting, since we are in a lab environment.



For our process, we are going to be following the steps outlined in this TechNet article: http://technet.microsoft.com/en-us/library/hh299397.aspx.



First, we need to log onto the server that we will use for hosting the ACS reports. In our example, this is the same server that we installed SCOM on. From within that server, we need to create a temporary folder. We’ll create one on the root of C:\ and call it ACS (i.e. C:\ACS).



ACS Reporting 01.png



Mount the SCOM ISO, and navigate to \ReportModels\ACS (in my example it is D:\ReportModels\ACS\) and copy everything from this location into the temporary folder that we created.



ACS Reporting 02.png



Next, still within the mounted ISO, navigate to \SupportTools\ (in my example it is D:\SupportTools\AMD64\ReportingConfig.exe) and copy the ReportingConfig.exe file into the temporary folder that we created.



ACS Reporting 03.png



Now we need to run a command through an elevated command prompt. In Windows Server 2012 to do this, mouse over to the bottom left corner, which will cause the Start ‘square’ (not sure what the official name is) to appear. Right-click on the Start square, and click on ‘Command Prompt (Admin)’ to launch an Administrative Command Prompt.



ACS Reporting 04.png ACS Reporting 05.png



Next, you will need to change the directory to the temporary folder that we created. You will then have to run the following command: UploadAuditReports "<auditdbserver\instance>" "" "". In our lab example the command line would be: UploadAuditReports "SCOM\SCOMSQL" "http://SCOM/Reports_SCOMSQL" "C:\ACS"



NOTE: The reporting server URL needs the reporting server virtual directory (ReportingServer_<InstanceName>) instead of the reporting manager directory (Reports_<InstanceName>).



This creates a new data source called DB Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the ACS\Reports directory.



IMPORTANT: In order for the import to function properly make sure you have the .NET Framework 3.5 installed. If you have been following these guides, this will already be installed from when we installed SQL Server 2012.



ACS Reporting 06.png



Next, open Internet Explorer and navigate to the following URL: http:///Reports_, in our example it will be http://SCOM/Reports_SCOMSQL.



ACS Reporting 07.png



Now click on the ‘Audit Reports’ directory folder, and then click the ‘Details View’ button in the top right corner.



ACS Reporting 08.png



Now click the DB Audit data source to open it.



ACS Reporting 09.png



Finally, under the ‘Connect Using’ selections, ensure that ‘Windows Integrated Security’ is selected, and click Apply.



ACS Reporting 10.png



You can now go into the SCOM console, under Reporting, and view the Audit Reports.



REMINDER: It is acceptable to have the Audit Reports accessible via the SCOM console in a lab environment. But in a Production environment your organization may have strict security policies that you are required to follow, which would include auditing of IT to be handled by some security department.



ACS Reporting 11.png



Congratulations, you have finished configuring/deploying ACS Reporting. But, there is still one last step we need to complete, the Event Forwarder.




ACS Event Forwarder

Now that we have ACS installed, and the Reporting configured, we can now turn on the Event Forwarder to start collecting security events.



We are going to follow the TechNet article here: http://technet.microsoft.com/library/hh272397.aspx. As stated by this article: “By default, the service needed for an agent to be an Audit Collection Services (ACS) forwarder is installed but not enabled when the Operations Manager agent is installed.” Therefore, in order to audit security events, you need to have the SCOM Agent installed on the system(s) first.



Log onto the SCOM server and open the SCOM console and click on the Monitoring pane. From there, navigate to Operations Manager > Agent Details > Agent Health State.



ACS Event Forwarder 01.png



In the details pane (the middle pane), in the Agent State area, select the system(s) that you want to enable Audit Collection on. When you select a system, in the right-hand Actions pane, under the Health Services Tasks, click the ‘Enable Audit Collection’ link.



ACS Event Forwarder 02.png



This will launch the Enable Audit Collection task. From this window, you will need to enter the Collector Server for the Forwarder to report to. To do this, click the Override button.



ACS Event Forwarder 03.png



On the Override dialog, enter the FQDN of the Collector Server. In our lab example, we will enter the only Management Server in our environment (i.e. SCOM.SC.LAB). Enter the appropriate information and then click the Override button.



ACS Event Forwarder 04.png



The Enable Audit Collection dialog will now show the Collector Server that you just entered. At this point, you can also add a specific account to use within the Task Credentials section, or accept the defaults. Once you are ready to enable ACS, click the Run button.



ACS Event Forwarder 05.png



Once the task runs and completes successfully, the dialog will appear similar to the following. You can click Close.



ACS Event Forwarder 06.png



Congratulations, not only do you now have SCOM installed, along with Reporting; you additionally have set up ACS and enabled security auditing in your environment.



I haven't decided what to do next for the series, but I believe I have covered all installation elements. The next series extension will be more configuration vs. installation. If anyone has any requests or suggestions, let me know.


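As an added check that is not part of the original post: a PowerShell function to run on an agent after the Enable Audit Collection task, reporting whether the forwarder service has been switched on and whether the collector port answers. The service name AdtAgent and TCP port 51909 are assumed ACS defaults, SCOM.SC.LAB is the lab collector named in the post, and Get-AcsForwarderStatus is a hypothetical helper name.

```powershell
# Added example (not from the original post). Run locally on a system where the
# 'Enable Audit Collection' task was executed. Windows PowerShell 3.0 or later.
# Assumptions: forwarder service name 'AdtAgent' and collector port TCP 51909
# are the ACS defaults; SCOM.SC.LAB is the lab collector named in the post.

function Get-AcsForwarderStatus {
    param(
        [Parameter(Mandatory = $true)][string]$Collector,
        [int]$Port = 51909,
        [int]$TimeoutMs = 3000
    )

    # The forwarder service is installed with the agent but stays disabled
    # until the task enables it.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AdtAgent'"

    # Plain TCP connect to the collector; works on hosts without Test-NetConnection.
    $reachable = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Collector, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($pending)
            $reachable = $client.Connected
        }
    } catch {
        $reachable = $false   # refused, name resolution failure, or filtered
    } finally {
        $client.Close()
    }

    $running = ($svc -and $svc.StartMode -ne 'Disabled' -and $svc.State -eq 'Running')
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        ServiceInstalled   = [bool]$svc
        StartMode          = $svc.StartMode
        State              = $svc.State
        CollectorReachable = $reachable
        LooksHealthy       = ($running -and $reachable)
    }
}

Get-AcsForwarderStatus -Collector 'SCOM.SC.LAB' | Format-List
```

A running service and an open port do not prove that events are arriving; the audit reports on the collector side remain the final confirmation.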

7 answers to this question


  • 0

After completing this part none of my audit reports work, I get an error basically saying the database connection is failing.

 

I see the Audit and Audit5 reports in the audit reports from the SCOM console. I get this too from the report server URL, under audit reports when I test the connection.

 

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 25 - Connection string is not valid)


  • 0

Hi rrasco,

 

Can you check the Data Source Connection as shown in this picture: http://www.windows-noob.com/forums/uploads/monthly_07_2013/post-20464-0-77846500-1373853724.png

 

Check the authentication is set appropriately.

 

Let us know.


  • 0

Sorry, so does the error occur when you are testing it from the Data Source screen in SSRS, or does it apply without issue and then give you an error when trying to access/use the reports in the SCOM console?


  • 0

Can you check the options you chose during the install of ACS? Here's a screenshot of mine, which is working correctly.

 

SCOM_DBAudit.png

 

Remember that:

  • Data Source = SQL Server name (and if you're using a Named Instance, it would be ServerName\InstanceName)
  • Initial Catalog = ACS Database Name (supplied at time of ACS install)

Confirm the security settings as well, as you had 2 options during ACS install; "Windows Authentication" or "SQL Authentication".

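The Data Source / Initial Catalog check described in the reply above, as an added PowerShell example that is not part of the thread: it builds the same connection string the DB Audit data source would use with Windows Integrated Security and reports which part fails. SCOM\SCOMSQL is the lab instance from the first post; the database name OperationsManagerAC is an assumed default and Test-AcsDataSource is a hypothetical helper name.

```powershell
# Added example (not from the thread). Assumptions: SCOM\SCOMSQL is the lab
# instance from the first post; 'OperationsManagerAC' is the assumed default ACS
# database name and must be replaced if another name was entered at install.
Add-Type -AssemblyName System.Data

function Test-AcsDataSource {
    param(
        [Parameter(Mandatory = $true)][string]$DataSource,      # ServerName\InstanceName
        [Parameter(Mandatory = $true)][string]$InitialCatalog   # ACS database name
    )

    # Use the builder's keyword indexer so key names and quoting are valid.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']         = $DataSource
    $csb['Initial Catalog']     = $InitialCatalog
    $csb['Integrated Security'] = $true   # matches 'Windows Integrated Security'
    $csb['Connect Timeout']     = 5
    $connStr = $csb.ToString()

    $result = [pscustomobject]@{
        ConnectionString = $connStr
        Connected = $false; Database = $null; Login = $null; Error = $null
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connStr
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT DB_NAME(), SUSER_SNAME()'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.Database = $reader.GetString(0)
            $result.Login    = $reader.GetString(1)   # account the query ran as
        }
        $reader.Close()
        $result.Connected = $true
    } catch {
        # SQL Network Interfaces errors (such as error 25 in the thread) point at
        # the server or instance name; 4060 and 18456 point at the database
        # name or the login instead.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $conn.Dispose()
    }
    $result
}

Test-AcsDataSource -DataSource 'SCOM\SCOMSQL' -InitialCatalog 'OperationsManagerAC' | Format-List
```

Run it under the same account that opens the reports, since with Windows Integrated Security the query executes as that user.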

  • 0

Hi

After following your steps I'm getting this error while trying to run any audit report:

 

  • An error has occurred during report processing. (rsProcessingAborted)
    • Query execution failed for dataset 'dataSet'. (rsErrorExecutingCommand)
      • For more information about this error navigate to the report server on the local server machine, or enable remote errors
