

by alkin

Security Auditing & ACS Optimization Session recording

3:40 am in Uncategorized by alkin

On September 16th we had a session on Security Auditing & ACS Optimization by Jeremiah Beckett from Secure Vantage.

 

Jeremiah recorded the session for us so that you can watch it. It is condensed to about a third of the original time, roughly 30 minutes, but covers all the content and includes the demo. Jeremiah also added their ACS Resource Kit.

 


Many Many thanks to Jeremiah!

 

Grtz,

Alexandre Verkinderen

http://scug.be/blogs


Changing the ACS DataRetention Period for Opsmgr

1:23 pm in Uncategorized by alkin

Changing the Audit Collection Service data retention period (based on the information found on the TechNet site)

Operations Manager grooms, or removes, data from its various databases at regular configurable intervals. For the Operations database, this is done in the Operations console. For the ACS database, these settings are configured during setup with a default value of 14 days. This means that every day, all database partitions (and their data) that are older than 14 days are dropped or deleted. Because of the volume of data that ACS can accumulate, 14 days is not an unreasonable setting. However, some companies might need to retain data for longer periods and they must have already planned for that when making the sizing and performance calculations for their environment. You can change the retention period for the ACS data by following this procedure.

To change the ACS data retention period

1. Log on to the computer running SQL Server that hosts the ACS database with an account that has administrative rights to the ACS database.

2. Open SQL Server Management Studio and connect to the database engine.

3. Expand the Databases folder and select the OperationsManagerAC database.

4. Right-click to open the context menu and select New Query....

5. Run the following query to see what your current retention period is:

SELECT * FROM dtConfig

Look at the row with Id = 6. Its Value is the number of days to retain plus 1, so the default of 14 days shows up as 15. Go by the Id column rather than by counting rows: SELECT * without an ORDER BY gives no guaranteed row order.

6. In the Query pane, type the following, where <number of days to retain data + 1> is the number of days that must pass before data is deleted, plus one. For example, to retain data for 30 days, type 31:

USE OperationsManagerAC
UPDATE dtConfig SET Value = <number of days to retain data + 1> WHERE Id = 6

Click Execute on the toolbar. The Messages pane should read (1 row(s) affected).

7. To view the new setting, replace the query text with SELECT * FROM dtConfig and execute it again.

8. Look at the Value for Id = 6; it should now equal the number you entered.

9. Restart the Operations Manager Audit Collection Service (service name AdtServer) for the change to take effect. If you lower the value, every partition older than the new window is dropped at the next daily maintenance run, so export anything you still need first.
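As an added worked example (not from the original post or from TechNet), here is the same change as a single T-SQL script that reads the current value by key, updates it inside a transaction that rolls back unless exactly one row is touched, and reads the result back. It assumes the default database name OperationsManagerAC and the dtConfig row Id = 6 described above; the 30-day target is an arbitrary choice. The syntax is kept SQL Server 2005 compatible (separate DECLARE and SET).

```sql
-- Added example, not from the original post: set ACS retention to 30 days.
-- Assumes the default ACS database name and that the retention setting is
-- the dtConfig row with Id = 6, which stores "days to retain + 1".
USE OperationsManagerAC;
GO

DECLARE @DaysToRetain int;
DECLARE @NewValue     int;
DECLARE @OldValue     int;

SET @DaysToRetain = 30;                 -- days of audit data you want to keep
SET @NewValue     = @DaysToRetain + 1;  -- dtConfig stores days + 1

-- Read the current setting by key, not by row position: SELECT * without
-- ORDER BY has no guaranteed order, so "the sixth row" is not reliable.
SELECT @OldValue = CAST(Value AS int) FROM dtConfig WHERE Id = 6;
PRINT 'Current retention: ' + CAST(@OldValue - 1 AS varchar(10)) + ' day(s)';

BEGIN TRANSACTION;
UPDATE dtConfig SET Value = @NewValue WHERE Id = 6;
IF @@ROWCOUNT <> 1
BEGIN
    -- Either the row is missing or the key matched more than once:
    -- do not guess, undo and stop.
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one dtConfig row with Id = 6; nothing was changed.', 16, 1);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    -- Read back: Value should now be 31 for a 30-day retention.
    SELECT Id, Value FROM dtConfig WHERE Id = 6;
END
```

Run it in a New Query window against the ACS database and then restart the collector service (for example net stop AdtServer followed by net start AdtServer from an elevated prompt) so the collector picks up the new value. Lowering the value is destructive: the partitions that fall outside the new window are dropped at the next maintenance run.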

 

Greetz,

Alkin

http://scug.be/blogs

 


ACS noise filter

2:55 pm in Uncategorized by alkin

When you install ACS you will get a ton of events, and not all of them are relevant for your environment. Secure Vantage has written a nice noise-filter guide that introduces noise filters for Windows 2000 and Windows Server 2003 security events.

 

Also interesting is the Secure Vantage Security Auditing Reference List: over 1300 Windows security events and settings with interactive links to Randy Franklin Smith's online security wiki.

The Service Account Authentication Success filter is an example of how to filter specific user accounts, or patterns within a user account name such as admin or sys, on logon. These are commonly used to filter service accounts that log on to all systems frequently, such as antivirus or backup programs. Note that this is for 'Success' activity only; all logon failure activity should still be collected.

 

Run AdtAdmin on the collector to see the current query:

AdtAdmin.exe /getquery

Result: Current query: 'select * from AdtsEvent'

That is the default: no WHERE clause, so nothing is filtered.

 

Next, set the query to drop the "sys" and "adm" success logons:

AdtAdmin.exe /setquery /query:"Select * from AdtsEvent where NOT ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680))"

Use straight quotes on the command line; the curly quotes a word processor produces break the query. Check the result by running AdtAdmin.exe /getquery again; it should return:

Current query: "Select * from AdtsEvent where NOT ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680))"

All matching events are now dropped on the collector before they are written to the ACS database. Three things to keep in mind:

  • The filter is a WQL query and runs on the collector only. Forwarders still send every event, so the filter saves database space and grooming time, not network traffic.
  • In WQL LIKE, _ is a wildcard for exactly one character (as % is for any number), so '%ADM_%' matches any name containing ADM followed by at least one more character, including ADMINISTRATOR. If you only want names that contain a literal underscore, write it as a one-character set: '%ADM[_]%'.
  • Event IDs 528, 540 and 680 are the Windows 2000/2003 security event IDs. Windows Vista and Windows Server 2008 forwarders log logons as 4624 and credential validation as 4776, so the filter has to be extended for those systems.
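The following T-SQL is an added example, not part of the original post or of the Secure Vantage guide, for dry-running a collector filter before pushing it with AdtAdmin /setquery. T-SQL LIKE supports the same %, _ and [] wildcards as WQL, so the WHERE clause from the AdtAdmin command can be pasted verbatim against a table of constructed sample events (the account names and event IDs below are made up for the test). It assumes a case-insensitive collation, the SQL Server default, which matches WQL's case-insensitive string comparison; on a case-sensitive collation add a COLLATE clause to the column.

```sql
-- Added example, not from the original post: dry-run the collector filter.
-- Sample events are constructed; HeaderUser/EventId mirror the AdtsEvent
-- fields the WQL filter refers to. Assumes a case-insensitive collation.
DECLARE @Sample TABLE (HeaderUser nvarchar(64), EventId int, Note nvarchar(64));
INSERT INTO @Sample VALUES (N'SVC_ADM_BACKUP', 528, N'service account, success logon');
INSERT INTO @Sample VALUES (N'SYS_AV',         540, N'service account, network logon');
INSERT INTO @Sample VALUES (N'SYS_AV',         680, N'service account, credential validation');
INSERT INTO @Sample VALUES (N'SYS_AV',         529, N'failed logon: must be kept');
INSERT INTO @Sample VALUES (N'ADMINISTRATOR',  528, N'no underscore, but _ is a wildcard');
INSERT INTO @Sample VALUES (N'jdoe',           528, N'ordinary user: kept');
INSERT INTO @Sample VALUES (N'SVC_ADM_BACKUP', 538, N'logoff: not in the ID list, kept');

-- 1. Events that survive the filter exactly as written in the post.
--    ADMINISTRATOR's 528 is dropped here, because '%ADM_%' matches "ADMI".
SELECT HeaderUser, EventId, Note, 'kept by original filter' AS Outcome
FROM @Sample
WHERE NOT ((HeaderUser LIKE '%ADM_%' OR HeaderUser LIKE '%SYS_%')
           AND (EventId = 528 OR EventId = 540 OR EventId = 680));

-- 2. Same filter with the underscore escaped as a one-character set [_],
--    so only names that really contain ADM_ or SYS_ are dropped and the
--    ADMINISTRATOR logon is kept. Failures (529) and logoffs (538) are kept
--    by both variants, since only 528/540/680 are in the ID list.
SELECT HeaderUser, EventId, Note, 'kept by escaped filter' AS Outcome
FROM @Sample
WHERE NOT ((HeaderUser LIKE '%ADM[_]%' OR HeaderUser LIKE '%SYS[_]%')
           AND (EventId = 528 OR EventId = 540 OR EventId = 680));
```

Run it in any query window (it does not touch the ACS database). The first result set shows four rows (the 529, jdoe, 538 rows and nothing for ADMINISTRATOR); the second shows five, with the ADMINISTRATOR 528 back. Once the predicate does what you expect, paste it into the AdtAdmin /setquery command and confirm with /getquery; the bracket set is standard WQL, but verify it on your collector with a test forwarder before relying on it.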

 

Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom

 


How to Deploy Operations Manager 2007 ACS Reporting

7:11 pm in Uncategorized by alkin

Audit Collection Services (ACS) reporting can be installed in two configurations.

  • A Microsoft SQL Server 2005 Reporting Services (SRS) SP1 or SP2 instance with Operations Manager Reporting already installed. A benefit of this is the ability to view ACS Reports in the Operations Console.
  • A SRS instance without Operations Manager Reporting installed.

The installation procedures for ACS Reporting do not differ, but the application of access control is different. By deploying ACS Reporting on the same SQL Server 2005 Reporting Services instance as your Operations Manager 2007 Reporting, the same role-based security applies to all reports. This means that ACS Reporting users need to be assigned to the Operations Manager Report Operator Role to access the ACS reports.

In addition to membership in the Operations Manager Report Operator role, ACS report users must also be assigned the db_datareader role on the ACS database (OperationsManagerAC) in order to run ACS reports. This requirement is independent of whether Operations Manager Reporting is present.

If you choose to install ACS Reporting independently of Operations Manager Reporting, you can also use SRS security to secure the reports. See the SQL Server 2005 Books Online Reporting Services Tutorials, Setting Permissions in Reporting Services for more information.
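As an added example (not from the original post or the TechNet procedure), this is the T-SQL to give report users the db_datareader role on the ACS database and to verify it. Granting through a domain group rather than individual accounts keeps the membership manageable; the group name CONTOSO\ACS-Report-Readers is a placeholder, and the database name is the default OperationsManagerAC. It uses SQL Server 2005 syntax (sp_addrolemember), which also works on later versions.

```sql
-- Added example, not from the original post. Grant report users read-only
-- access to the ACS database via a domain group (placeholder name), then
-- verify the membership. Run as a sysadmin on the ACS database server.
USE master;
GO
-- Server-level login for the group (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\ACS-Report-Readers')
    CREATE LOGIN [CONTOSO\ACS-Report-Readers] FROM WINDOWS;
GO

USE OperationsManagerAC;
GO
-- Database user mapped to that login (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\ACS-Report-Readers')
    CREATE USER [CONTOSO\ACS-Report-Readers] FOR LOGIN [CONTOSO\ACS-Report-Readers];
GO
-- Read-only is all the ACS reports need: db_datareader, not db_owner.
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\ACS-Report-Readers';
GO

-- Verify: list every member of db_datareader in this database.
SELECT r.name AS RoleName, m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_datareader'
ORDER BY m.name;
```

The reason the grant has to go to the report users themselves is that the Db Audit data source is set to Windows Integrated Security (step 10 of the procedure below): each report runs against the ACS database under the identity of the person viewing it, not under a report server service account.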

 

I installed my ACS reporting on the same instance as my scom reports.

Before You Start

Deploy ACS as described in my previous post before setting up ACS reporting.

 

1. The Root Management Server for your management group must be installed and ACS must be configured, on either the RMS or a management server. For more information, see About Audit Collection Services (ACS) in Operations Manager 2007.

2. An instance of Microsoft SQL Server 2005 Reporting Services must be installed on the target computer.

3. During this procedure, you need to be logged on as a member of the Operations Manager Report Operator user role.

4. IIS must be installed on the hosting system. IIS will have already been installed if you are co-locating with a Reporting Server.

5. You need to have access to the ACS database.

6. You need the Operations Manager 2007 installation media.

Deploying ACS Reporting

 

1. Logon to the server that will be used to host ACS reporting as a user that is an administrator of the SRS instance.

2. Create a temporary folder, such as C:\acs.

3. On your installation media, go to \ReportModels\acs and copy the directory contents to the temporary installation folder.

There are two folders (Models and Reports) and a file named UploadAuditReports.cmd.

4. On your installation media, go to \SupportTools and copy the file ReportingConfig.exe into the temporary acs folder.


 

5. Launch a Command Prompt window and change directories to the temporary acs folder.

6. Run the following command (straight quotes, not the curly ones a word processor inserts):

UploadAuditReports "<AuditDBServer\Instance>" "<Reporting Server URL>" "<path of the copied acs folder>"

For example:

UploadAuditReports "myAuditDbServer\Instance1" "http://myReportServer/ReportServer$instance1" "C:\acs"

This example creates a new data source called Db Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the acs\reports directory.

Note

The reporting server URL needs the report server virtual directory (ReportServer$<InstanceName>), not the Report Manager directory (Reports$<InstanceName>).


7. Open Internet Explorer and enter the following address to view the SQL Reporting Services Home page. http://<yourReportingServerName>/Reports$<InstanceName>


8. Click Audit Reports in the body of the page and then click Show Details in the upper right part of the page.

9. Click the Db Audit data source.

10. In the Connect Using section, select Windows Integrated Security and click Apply. With this setting each report queries the ACS database as the user viewing it, which is why that user (or a group they belong to) needs db_datareader on OperationsManagerAC. If the report server and the ACS database are on different computers, that identity must be delegated to SQL Server (Kerberos constrained delegation); otherwise the connection arrives as an anonymous logon and the reports fail.

 

That’s it!

 

Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom


Installing Audit Collection Services ( ACS )

7:05 pm in Uncategorized by alkin

I'm going to write up some procedures for ACS. First I'll install the Audit Collection Services, after that deploy ACS reporting, and last but not least enable ACS forwarding on the agents. I'm using the info on the TechNet site as a basis.

 

The ACS database runs on Microsoft SQL Server 2005. The Audit Collection Services Collector Setup wizard creates the ACS database on an existing installation of Microsoft SQL Server 2005. To complete the installation procedure, you must be a member of the local Administrators group on both the ACS collector and the ACS database computers as well as a database administrator on the ACS database. As a best practice for security, consider using Run As to perform this procedure.

 

To install an ACS collector and an ACS database

1. Insert the Operations Manager 2007 CD into the management server that you selected to be the ACS collector.

2. On the root of the CD, double-click SetupOM.exe. In the Install section, click Install Audit Collection Server. The Audit Collection Services Collector Setup wizard starts.

3. On the Welcome page, click Next.


4. On the License Agreement page, read the licensing terms and then click I accept the agreement. Click Next.

5. On the Database Installation Options page, click Create a new database and then click Next.

6. On the Data Source page, type a name that you want to use as the Open Database Connectivity (ODBC) data source name for your ACS database in the Data Source Name box. By default, this name is OpsMgrAC. Click Next.


7. On the Database page, if the database is on a different server from the ACS collector, click Remote Database Server and type the computer name of the database server that will host the database for this installation of ACS. Otherwise, click Database server running locally.


8. In the Database server instance name field, type the name of the SQL Server instance that will host the ACS database. If you leave this field blank, the default instance is used. In the Database name field, the default database name OperationsManagerAC is entered automatically. You can select the text and type a different name or leave the default. Click Next.

Note

To display a list of SQL Server instances on the database computer, click Start, point to Programs and Microsoft SQL Server 2005, and then click SQL Server Management Studio. Under Server name, click Browse for more and then expand Database Engine. Instances are listed as server name\instance name.

9. On the Database Authentication page, select an authentication method. If the ACS collector and the ACS database are members of the same domain (or trusting domains), select Windows authentication; fall back to SQL authentication only when that is not possible, since the collector then has to store a SQL login and password. Click Next.

Note

If you select SQL authentication and click Next, the Database Credentials page displays. Enter the SQL login that has access to the SQL Server in the SQL login name box and its password in the SQL password box, and then click Next.

10. On the Database Creation Options page, click Use SQL Server’s default data and log file directories to use SQL Server’s default folders. Otherwise, click Specify directories and enter the full path, including drive letter, to the location you want for the ACS database and log file, for example C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data. Click Next.

11. On the Event Retention Schedule page, set Local hour of day to perform daily database maintenance. Choose a time of day when the expected volume of security events is low, because database performance is impacted during the maintenance window. In Number of days to retain events, type the number of days ACS should keep events in the ACS database before grooming removes them; the default is 14 days. Click Next.

12. On the ACS Stored Timestamp Format page, choose Local or Coordinated Universal Time (UTC), and then click Next. If forwarders will report from more than one time zone, UTC keeps the stored timestamps directly comparable.

13. The Summary page displays a list of actions that the installation program will perform to install ACS. Review the list, and then click Next to begin the installation.

Note

If a SQL Server login dialog box displays and the database authentication is set to Windows authentication, select the correct database and verify that the Use Trusted Connection check box is checked. Otherwise clear the check box and enter the SQL login name and password. Click OK.

14. When the installation is complete, click Finish.

In the Operations console, check that the new collector is healthy.

 

That’s it!

 

Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom


Join us for Security Auditing & ACS Optimization

9:16 am in Uncategorized by alkin


Join us for

Security Auditing & ACS Optimization

Learn how your organization can maximize their investment in System Center to support security and regulatory compliance auditing requirements using Operations Manager and the Audit Collection Service (ACS). This is a great opportunity to learn about the latest in partner solutions that extend ACS to provide centralized security event management featuring ACS administration, security alerting, data archiving, multi-collector reporting, syslog event collection and better support for regulatory compliance needs including EUDPD, ISO27000, SOX, PCI and many others.

Event Agenda:

  • 17h30: Registrations
  • 18h00: Pizzas !
  • 18h30: SCUG.be (Alexandre Verkinderen)
    • Welcome & Introductions
  • 18h45: SecureVantage (Jeremiah Beckett)
    • Audit Collection Service Overview
    • Security Management & Auditing with Secure Vantage Compliance Security Suite for System Center
    • Case Study Review – Information Services Firm Enhances Compliance & Optimizes Data Center
    • Open Q&A
    • Attendee Raffle
  • 20h30: Drink/networking @ The Pole

 

WHEN – September 16 2008

Time: 3hr

WHERE – Dolmen, Huizingen

Registration: via the registration link. PLACES ARE LIMITED.


So if YOU are involved with security, compliance or systems management in your organization, come hear the latest information about the solutions available to help you mitigate your IT risks while improving your audit and reporting capabilities to support regulatory compliance efforts with Microsoft System Center technologies.

About Secure Vantage Technologies
Move to the next generation of enterprise security management with the Secure Vantage Compliance Security Suite for Microsoft System Center.  Take advantage of hundreds of audit scenarios, advanced forensics and unmatched offline archiving capabilities for Windows security events, group policy, service and application configurations — even your Unix/Linux syslogs. Fully customizable, Secure Vantage solutions include extensive context-sensitive expertise & guidance providing System Center support for CoBITs, ISO, FISMA, HIPAA, PCI, SOX, and other regulations, natively.  www.securevantage.com
