After you’ve installed Reporting, you need to manually install the ACS reports. Create a folder called C:\Tools\Audit Reports. Copy the ACS folder and its contents from the ReportModels folder on the Operations Manager installation disk to C:\Tools\Audit Reports. Next, copy the ReportingConfig.exe file from the SupportTools folder on the installation disk to the ACS folder on the hard drive. Now, open a command prompt on your collector and change to the folder C:\Tools\Audit Reports\ACS. Run the following command:
UploadAuditReports.cmd
This command takes three arguments. The first is the name of the database server and database instance in the format server\instance. If you’re using the default instance, simply supply the server name. The second argument is the URL of the SSRS server. If you’re using a database instance, append a $ followed by the instance name to the URL. The third and last argument is the name of the ACS folder, for example, UploadAuditReports ACSDB http://ACSDB/ReportServer "C:\TOOLS\AUDIT REPORTS\acs".
You might receive some warnings when you run the command for two files in particular: audit.smdl and audit5.smdl. Ignore these warnings. Once the command has run, open your browser and navigate to http://reportserverurl/Reports. You should find a folder called Audit Reports, which contains several predefined reports. At this point, you need to perform some additional configuration steps.
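The staging and upload steps above, scripted in PowerShell as an added example (this is not from the article or the product; the install-disk letter, server names, instance name and the ReportServer/Reports URL layout are assumptions that you would replace with your own values):

```powershell
# Added example, not part of the article or of Operations Manager.
# Run on the collector. Assumptions (placeholders): D: is the Operations
# Manager installation disk, ACSDB hosts both the ACS database and SSRS,
# and $DbInstance is the named instance, if any (empty = default instance).
param(
    [string]$InstallDisk  = 'D:',
    [string]$DbServer     = 'ACSDB',
    [string]$DbInstance   = '',
    [string]$ReportServer = 'ACSDB',
    [string]$ToolsRoot    = 'C:\Tools\Audit Reports'
)

$acsFolder = Join-Path $ToolsRoot 'ACS'

# 1. Stage the report models and the configuration tool exactly as the
#    article lays them out: <ToolsRoot>\ACS\ plus ReportingConfig.exe inside it.
New-Item -ItemType Directory -Path $ToolsRoot -Force | Out-Null
Copy-Item -Path (Join-Path $InstallDisk 'ReportModels\ACS') -Destination $ToolsRoot -Recurse -Force
Copy-Item -Path (Join-Path $InstallDisk 'SupportTools\ReportingConfig.exe') -Destination $acsFolder -Force

# 2. Build the two server arguments. A named instance is written
#    server\instance for SQL Server but is appended as $instance to the URL.
$sqlTarget = if ($DbInstance) { "$DbServer\$DbInstance" } else { $DbServer }
$ssrsUrl   = if ($DbInstance) { "http://$ReportServer/ReportServer`$$DbInstance" }
             else             { "http://$ReportServer/ReportServer" }
$reportsUi = if ($DbInstance) { "http://$ReportServer/Reports`$$DbInstance" }
             else             { "http://$ReportServer/Reports" }

# 3. Run UploadAuditReports.cmd from its own folder with the three arguments.
Push-Location $acsFolder
try {
    $output = & cmd.exe /c "UploadAuditReports.cmd $sqlTarget $ssrsUrl `"$acsFolder`"" 2>&1
} finally {
    Pop-Location
}

# 4. Surface every warning except the two expected ones for audit.smdl and
#    audit5.smdl, so a genuine failure is not lost among the known noise.
$output |
    Where-Object { $_ -match 'warn' -and $_ -notmatch 'audit5?\.smdl' } |
    ForEach-Object { Write-Warning $_ }

# 5. Confirm the Audit Reports folder is now visible in Report Manager
#    (hypothetical check; assumes integrated Windows authentication on SSRS).
$page = Invoke-WebRequest -Uri $reportsUi -UseDefaultCredentials
if ($page.Content -notmatch 'Audit Reports') {
    throw "Audit Reports folder not found at $reportsUi; inspect the upload output."
}
```

The Db Audit data-source change to Windows integrated security is still done in the browser afterwards, as the next paragraph describes.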
When viewing the contents of Audit Reports, click the Show Details icon on the toolbar at the upper right of your screen. Scroll down the list of displayed items until you reach Db Audit, and click it. In the Connect using section, select Windows integrated security. At the bottom of the page, click Apply to make the change permanent.
Viewing ACS Reports for Event Log Auditing
Although the Operations Manager Operations Console has a Reporting button, which is used to configure Reporting and view limited information, you view all ACS reports in the browser. Open your browser and navigate to http://reportserverurl/Reports and click the Audit Reports folder.
Standard reports are organized by group and include access violations, account management events, forensic reports, planning, system integrity, and usage, as Figure 4 shows. Some reports will return all relevant data—for example, Access Violation - Unsuccessful Logon Attempts—whereas others require you to enter data such as a username (e.g., Usage - User Logon), as Figure 5 shows. You can specify the dates between which you want event details. Events in reports are generally shown in descending order, with more recent events displayed first. Remember that ACS will keep data for only 14 days by default, unless you changed that setting during installation. Remember also that the Date/Time timestamp for each entry is either the local time of the collector server or UTC, depending on the installation setting you selected.
Optimizing ACS
If you have several collectors (for scalability and fault tolerance), you might need to visit each one to generate reports when you’re looking for certain activity, such as failed logons and logoffs. You can minimize the number of collectors you have to visit by planning in advance which forwarders will connect to which collectors and by allocating a collector to each group of forwarders. One strategy is to group all forwarders in a geographic location or Active Directory site and have them use only collectors dedicated to that group, which reduces the likelihood that you’ll need to access reports on remote collectors.
One detail you should be aware of is that forwarders work in idempotent mode. If a forwarder doesn’t receive confirmation that its events have been recorded by a collector, it will resend the events to a failover collector, if one was configured. (Unfortunately, you can’t trace which events are resent; you need to manually inspect each and determine which are duplicates.) This means that the same event could be recorded by more than one collector. A forwarder might fail to receive confirmation for a number of reasons, such as collector failure or network problems. By locating your collectors near your forwarders, you can make it less likely that network issues will cause events to be recorded more than once, based on the assumption that local networks are more reliable than long-distance links.
Going Forward with ACS
ACS is extremely flexible, and you can configure it further to optimize it. Consult the Operations Manager online help for more information about ACS configuration settings. I also recommend you visit the Microsoft Management Team’s Blog at blogs.technet.com/smsandmom/archive/tags/ACS/default.aspx for the latest information about ACS, including sizing information. Once you start using ACS, you’ll appreciate how much easier it will make the task of managing and reporting Security event-log data.