SCOM 2012 SP1 – Install ACS

In our last post we installed SCOM and the Agent on several systems. Now we are going to install ACS to audit security events.

Install Audit Collection Services

Since Audit Collection Services (ACS) is not a part of the main SCOM installation, we have to install it separately.

NOTE: In a Production environment, ACS is normally implemented in a segregated space. This is because ACS is used to audit security events and logons. Since the SCOM Administrator will more than likely be part of an Operations team with access to various Production/Non-Production servers, for security reasons the ACS installation should be on a server that the Operations team cannot access (since their logons would be among those being monitored/audited).

To start the installation, mount the SCOM ISO and run the setup.exe. From the splash screen, click the ‘Audit Collection Services’ link.

ACS Install 01.png

On the Welcome screen click Next.

ACS Install 02.png

Read the License Agreement, accept the agreement, and click Next.

ACS Install 03.png

On the Database Installation Options screen, choose whether you will create a new database or use an existing one. In our example, we will choose the ‘Create a new database’ option, and click Next.

ACS Install 04.png

On the Data Source screen, enter a name for the data source or accept the default, and then click Next.

ACS Install 05.png

On the Database screen, enter the database server name and instance name, and change the database name if you do not want to use the default. Since this is a lab environment, we will choose the ‘Database server running locally’ because we have SQL Server installed on the same server as SCOM. Make the appropriate choices, and then click Next.

ACS Install 06.png

For Database Authentication, we are going to choose the ‘Windows authentication’ option for our lab since it’s in its own domain. Read the information for each option, and make the applicable choice, and then click Next.

ACS Install 07.png

For the Database Creation Options, in a Production environment you would specify different disks for the database and log files, but since we are in a lab, we will choose ‘Use SQL Server’s default data and log file directories’ and click Next.

NOTE: I believe, though I am not 100% sure, that if, when you first set up/install SQL Server, you specify different disks for the database(s) and log(s), then choosing ‘use SQL default’ would be appropriate, since the defaults would already be offloaded to the appropriate separate disks.

ACS Install 08.png

On the Event Retention Schedule screen, you can specify the time for the database maintenance to occur, as well as the number of days to retain. This last option is very important, as in Production your organization may have some legal/security obligations to meet. However, just remember that the longer the retention, the more space the database will need. Usually, when planning ACS in a Production environment, most use the SCOM Sizing Helper Tool to know how large the database will be, and how much to plan for growth.

For our lab environment, we will accept the defaults and click Next.

ACS Install 09.png  

Make the appropriate selection for the Timestamp Format, and click Next. In our lab example, we will use ‘Local’.

ACS Install 10.png

On the Summary screen, review the selections and input, and click Next.

ACS Install 11.png

Immediately after you click Next from the Summary screen, you will be prompted for the SQL Server Login. By default it will assume the login for the account that is currently logged in. If this is accurate, just click OK.

ACS Install 12.png

Wait for the Installation Wizard to complete, which didn’t take too long in our small scaled-down environment.

ACS Install 13.png

Finally, the installation will complete. Click Finish.

ACS Install 14.png

Congratulations, you have now installed ACS! But there is still more to do. We need to setup reporting, and the event forwarder.

ACS Reporting
For ACS Reporting, you first need an instance of SQL Server Reporting Services (SSRS). If you have been following these guided series, we will be using the same SSRS instance that we originally setup/configured for SCOM Reporting, since we are in a lab environment.

For our process, we are going to be following the steps outlined in this TechNet article: http://technet.micro...y/hh299397.aspx.

First, we need to log onto the server that we will use for hosting the ACS reports. In our example, this is the same server that we installed SCOM on. From within that server, we need to create a temporary folder. We’ll create one on the root of C:\ and call it ACS (i.e. C:\ACS).

ACS Reporting 01.png

Mount the SCOM ISO, and navigate to \ReportModels\ACS (in my example it is D:\ReportModels\ACS\) and copy everything from this location into the temporary folder that we created.

ACS Reporting 02.png

Next, still within the mounted ISO, navigate to \SupportTools\ (in my example it is D:\SupportTools\AMD64\ReportingConfig.exe) and copy the ReportingConfig.exe file into the temporary folder that we created.

ACS Reporting 03.png

Now we need to run a command through an elevated command prompt. In Windows Server 2012 to do this, mouse over to the bottom left corner, which will cause the Start ‘square’ (not sure what the official name is) to appear. Right-click on the Start square, and click on ‘Command Prompt (Admin)’ to launch an Administrative Command Prompt.

ACS Reporting 04.png ACS Reporting 05.png

Next, change the directory to the temporary folder that we created, and run the following command: UploadAuditReports "<auditdbserver\instance>" "<reporting server URL>" "<path to the temporary folder>". In our lab example the command line would be: UploadAuditReports "SCOM\SCOMSQL" "http://SCOM/Reports_SCOMSQL" "C:\ACS"

NOTE: The reporting server URL must point to the reporting server virtual directory (ReportingServer_<InstanceName>), not the Report Manager directory (Reports_<InstanceName>).

This creates a new data source called DB Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the ACS\Reports directory.

IMPORTANT: In order for the import to function properly make sure you have the .NET Framework 3.5 installed. If you have been following these guides, this will already be installed from when we installed SQL Server 2012.
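The staging and upload steps above (temporary folder, copy from the ISO, .NET 3.5 check, UploadAuditReports from an elevated prompt) can be run as one script. This is an added example, not code from the original post or from the SCOM media; the ISO drive letter, folder, database instance and SSRS URL are lab placeholders taken from the post or assumed, and the URL assumes the default SSRS web service virtual directory name for a named instance.

```powershell
# Added example (not from the original post): stage the ACS report files and run the upload.
# Run from an elevated PowerShell prompt on the server that will host the ACS reports.
# All names below are lab placeholders/assumptions; change them for your environment.

$IsoDrive   = 'D:'                               # mounted SCOM ISO (the post uses D:)
$TempFolder = 'C:\ACS'                           # temporary folder created in the post
$AuditDb    = 'SCOM\SCOMSQL'                     # <auditdbserver\instance>, the post's lab value
$ReportUrl  = 'http://SCOM/ReportServer_SCOMSQL' # assumption: SSRS web service (reporting server)
                                                 # virtual directory, not the Reports_ manager directory

# .NET Framework 3.5 must be present for the import to work (post's IMPORTANT note).
Import-Module ServerManager
$net35 = Get-WindowsFeature -Name NET-Framework-Core
if (-not $net35.Installed) {
    throw 'NET-Framework-Core (.NET Framework 3.5) is not installed; install it before running UploadAuditReports.'
}

# Create the temporary folder, then copy the report models and ReportingConfig.exe into it.
New-Item -ItemType Directory -Path $TempFolder -Force | Out-Null
Copy-Item -Path (Join-Path $IsoDrive 'ReportModels\ACS\*') -Destination $TempFolder -Recurse -Force
Copy-Item -Path (Join-Path $IsoDrive 'SupportTools\AMD64\ReportingConfig.exe') -Destination $TempFolder -Force

# Sanity check: everything UploadAuditReports needs must be in the folder before it runs.
foreach ($required in 'UploadAuditReports.cmd', 'ReportingConfig.exe', 'Reports') {
    if (-not (Test-Path (Join-Path $TempFolder $required))) {
        throw "Missing '$required' in $TempFolder; check the copy from the ISO."
    }
}

# Run the upload from inside the temporary folder, as the post does from the admin command prompt.
Push-Location $TempFolder
try {
    & .\UploadAuditReports.cmd $AuditDb $ReportUrl $TempFolder
    if ($LASTEXITCODE -ne 0) {
        throw "UploadAuditReports failed with exit code $LASTEXITCODE"
    }
    Write-Host "ACS reports uploaded to $ReportUrl; next, set the DB Audit data source to Windows Integrated Security."
}
finally {
    Pop-Location
}
```

The script stops before running the upload if .NET 3.5 or any of the copied files is missing, which are the two failure modes the post calls out; after it finishes, the data source still has to be switched to Windows Integrated Security in Report Manager as described in the following steps.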

ACS Reporting 06.png

Next, open Internet Explorer and navigate to http://<ServerName>/Reports_<InstanceName>; in our example it is http://SCOM/Reports_SCOMSQL.

ACS Reporting 07.png

Now click on the ‘Audit Reports’ directory folder, and then click the ‘Details View’ button in the top right corner.

ACS Reporting 08.png

Now click the DB Audit data source to open it.

ACS Reporting 09.png

Finally, under the ‘Connect Using’ selections, ensure that ‘Windows Integrated Security’ is selected, and click Apply.

ACS Reporting 10.png

You can now go into the SCOM console, under Reporting, and view the Audit Reports.

REMINDER: It is acceptable to have the Audit Reports accessible via the SCOM console in a lab environment. But in a Production environment your organization may have strict security policies that you are required to follow, which may require that auditing of IT staff be handled by a separate security department.

ACS Reporting 11.png

Congratulations, you have finished configuring/deploying ACS Reporting. But, there is still one last step we need to complete, the Event Forwarder.

ACS Event Forwarder
Now that we have ACS installed, and the Reporting configured, we can now turn on the Event Forwarder to start collecting security events.

We are going to follow the TechNet article here: http://technet.micro...y/hh272397.aspx. As stated by this article: “By default, the service needed for an agent to be an Audit Collection Services (ACS) forwarder is installed but not enabled when the Operations Manager agent is installed.” Therefore, in order to audit security events, you need to have the SCOM Agent installed on the system(s) first.

Log onto the SCOM server and open the SCOM console and click on the Monitoring pane. From there, navigate to Operations Manager > Agent Details > Agent Health State.

ACS Event Forwarder 01.png

In the details pane (the middle pane), in the Agent State area, select the system(s) that you want to enable Audit Collection on. When you select a system, in the right-hand Actions pane, under the Health Services Tasks, click the ‘Enable Audit Collection’ link.

ACS Event Forwarder 02.png  

This will launch the Enable Audit Collection task. From this window, you will need to enter the Collector Server for the Forwarder to report to. To do this, click the Override button.

ACS Event Forwarder 03.png

On the Override dialog, enter the FQDN of the Collector Server. In our lab example, we will enter the only Management Server in our environment (i.e. SCOM.SC.LAB). Enter the appropriate information and then click the Override button.

ACS Event Forwarder 04.png

The Enable Audit Collection dialog will now show the Collector Server that you just entered. At this point, you can also add a specific account to use within the Task Credentials section, or accept the defaults. Once you are ready to enable ACS, click the Run button.

ACS Event Forwarder 05.png

Once the task runs and completes successfully, the dialog will appear similar to the following. You can click Close.
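After the Enable Audit Collection task reports success, it is worth confirming from outside the console that the forwarder service on each agent and the collector service on the management server are actually running and set to start automatically. This is an added example, not part of the original post: the collector name is the post's lab management server, the forwarder list is constructed, and the service names AdtServer (collector) and AdtAgent (forwarder) are the ACS Windows service names rather than values given on the page.

```powershell
# Added example (not from the original post): verify ACS forwarder/collector state after the task.
# Assumptions: $Collector is the lab management server from the post; $Forwarders is a constructed
# list of agents the task was run against; AdtServer/AdtAgent are the ACS service names.
# Run with an account allowed to query services remotely on these hosts.

$Collector  = 'SCOM.SC.LAB'
$Forwarders = @('SERVER01.SC.LAB', 'SERVER02.SC.LAB')   # constructed sample list

function Test-AcsService {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName
    )
    # Win32_Service gives the start mode on every PowerShell version (Get-Service only does from 5.0).
    $wmi = Get-WmiObject -ComputerName $ComputerName -Class Win32_Service `
                         -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if (-not $wmi) {
        return [pscustomobject]@{ Computer = $ComputerName; Service = $ServiceName; State = 'NotFound'; StartMode = $null }
    }
    [pscustomobject]@{
        Computer  = $ComputerName
        Service   = $ServiceName
        State     = $wmi.State        # e.g. Running / Stopped
        StartMode = $wmi.StartMode    # e.g. Auto / Manual / Disabled
    }
}

$results = @()
$results += Test-AcsService -ComputerName $Collector -ServiceName 'AdtServer'
foreach ($f in $Forwarders) {
    $results += Test-AcsService -ComputerName $f -ServiceName 'AdtAgent'
}
$results | Format-Table -AutoSize

# Anything not Running + Auto means the task did not take effect on that host (or the agent is missing),
# and that host's security events are not being collected.
$problems = $results | Where-Object { $_.State -ne 'Running' -or $_.StartMode -ne 'Auto' }
if ($problems) {
    Write-Warning ("ACS is not fully enabled on: " + (($problems | ForEach-Object { $_.Computer }) -join ', '))
}
```

A forwarder whose service is stopped or set to Manual is the usual reason a system shows up in no audit report at all, so this check belongs right after enabling collection and again whenever an agent is reinstalled.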

ACS Event Forwarder 06.png

Congratulations: not only do you now have SCOM installed, along with Reporting, you have also set up ACS and enabled security auditing in your environment.

I haven't decided what to do next for the series, but I believe I have covered all installation elements. The next series extension will be more configuration vs. installation. If anyone has any requests or suggestions, let me know.

SCOM 2012 SP1 – Configuration (Enable Notification Channels)

In our last post we imported Management Packs. Now we need to work with the data being collected by SCOM.

OK, so we now have SCOM setup, have installed the Agent on systems to monitor, and imported Management Packs to help monitor at the technology platform level. But what do we do with the Alerts that are generated by SCOM? Well, if you are the SCOM Administrator (or you have granted other users access), you can look at the Alerts from the console. But, that means you’re assuming/relying on others to regularly check the console for Alerts. In my personal experience, that’s not really going to happen, thus we have Notification Channels.

Start by opening the SCOM console and navigate to the Administration space. You will notice a section called ‘Notifications’, and beneath that section, 3 other items: Channels, Subscribers, and Subscriptions.

Notifications 01.png

Channels
Start by right-clicking on ‘Channels’ and selecting ‘New Channel’. From there, select the type of channel you want to create. In this example we are going to create an ‘E-Mail (SMTP)’ channel.

Notifications 02.png

On the Description screen, you can accept the defaults for Channel Name and Description, unless you want to provide something specific. Make the applicable decision, and then click Next. 

Notifications 03.png

On the Settings screen, click the ‘+ Add’ button to enter an SMTP server. 

Notifications 04.png

Enter the server FQDN, Port Number, and the Authentication Method applicable to your environment, and then click OK.

Notifications 05.png

You will be returned to the Settings screen. On here you must enter a Return Address. Please note that this address does not need to be a real email address, so it literally can be anything (i.e. see my example). In a Production environment, you may want to enter a Distribution List for a specific team, but that is a decision you have to make for your implementation. Now click Next.

Notifications 06.png

On the Format screen, you can customize what the Email subject will display, along with the information provided in the email. Additionally, you can control the email Importance and Encoding.  
As an example, from my personal experience, for one SCOM implementation I created 4 different SMTP channels, one for each ‘zone’ (i.e. PROD, UAT, TST, DEV). For the DEV/TST zones, we set the Importance to Low, for UAT we left it at Normal, and for PROD we set it to High. This way when the various teams received the Alert emails (i.e. the SQL team), they could immediately identify which emails (and thus which Alerts) they needed to respond to immediately. Again, this is more of a design/configuration decision.

Make the applicable changes and click Finish.

Notifications 07.png

You will receive indication that the channel was successfully created. Click Close. 

Notifications 08.png

Back in the SCOM console your newly created channel will now appear. 

Notifications 09.png

Congratulations, now you have a channel setup. But, that still doesn’t get Alerts via email to your support team. For that, we need Subscribers. 


Subscribers
To send Alerts via email, SCOM needs email addresses to send to. So let’s now configure some Subscribers.

Start by right-clicking on Subscribers and selecting ‘New Subscriber’.

Subscribers 01.png

The Notification Subscriber Wizard will start. On the Description screen it asks for a name, and even gives you the ability to look a user up in Active Directory. Note, as per the sentence on the screen, this is just to make it easier to identify.

Side Note: Did you notice the typo/spelling mistake? It says “indentify” and not “identify”.

Enter a name and then click Next.

Subscribers 02.png

On the Schedule screen, you can choose either to ‘Always send notifications’ or ‘Notify only during the specified times’. If you choose the second option, click the Add button to create the required schedule. For our example we are going to accept the default, ‘Always send notifications’. Make your choice and click Next.

Subscribers 03.png

If you want to specify a schedule, make the applicable changes on the prompt provided and click OK.

Subscribers 04.png

Now you need to add the email address that will be used for this Subscriber. Click the Add button.

Subscribers 05.png

This will cause another wizard to launch, the Subscriber Address wizard. Again you are prompted for a name, but it is only used for identification later and does not factor into how the Notifications work. From my personal experience, on this screen I would add the user’s name so that I knew who it was for (i.e. in case it is not apparent from the email address). In my example, I used my own name, and entered “Ermie, Adin”. Make your decision and then click Next.

Subscribers 06.png

On the Channel screen, you need to specify the channel to use for Notifications for this individual. Click the down-arrow for the selection list.

Subscribers 07.png

In our example, since we only have an SMTP Channel setup/configured, we will choose ‘Email (SMTP)’. You will also be required to supply a Delivery Address for use with the selected channel. Make the appropriate selection and enter the required information and then click Next.

Subscribers 08.png

On the Schedule screen, you can create a schedule (exactly like the option we had before) but this is specific for the user that you are adding. This may seem confusing right now, because, aren’t we already adding a user as a subscriber? Yes, but you can use the Subscriber option like an email distribution list.

For example, the very first Subscriber ‘Name’ that you enter could be the name of a team, say “SQL Team”. You can then use the Subscriber Address wizard to add the individual team members’ email addresses.

You may have to try some different configurations to find the right combination that will work for you. Make applicable configurations and then click Finish.

Subscribers 09.png

Back on the Notification Subscriber Wizard, which is where you will be after clicking Finish on the Subscriber Address wizard, click Finish.

Subscribers 10.png

The wizard will then go off and create the Subscriber, and you will receive confirmation once it is complete. Click Close.

Subscribers 11.png

Returning to the SCOM console you will now see your Subscriber that you created.

Subscribers 12.png

You now have Channels setup, and Subscribers to send to, but you still need a trigger to send the Notifications. We are now going to configure the final piece, Subscriptions. 


Subscriptions
OK, we now need a way to trigger SCOM to send Alert notifications to our Subscribers. We do this through Subscriptions.

Start by right-clicking on Subscriptions and selecting ‘New Subscription’.

Subscriptions 01.png

On the Description screen, create a name for the Subscription. For example, from my personal experience, I would create a subscription based on zone and technology (i.e. PROD – SQL Alerts). Enter a name, and click Next.

Subscriptions 02.png

On the Criteria screen, you can modify the conditions that will trigger the Alert to be sent to the Subscribers via the Subscription.

NOTE: This guide does not cover the vast and complex options on Condition customization. I would recommend searching online if you need help, and best of all, try different options.

Make your customizations and then click Next.

Subscriptions 03.png

On the Subscribers screen, click the Add button.

Subscriptions 04.png

From here, you can search for any existing Subscribers you have already created. Select them (you can add more than one), press Add, and then click OK.

Subscriptions 05.png

Your added Subscribers will now appear in the list. Click Next.

Subscriptions 06.png

Now you can add the Channels to use for this Subscription. Click the Add button.

Subscriptions 07.png

Similar to the Subscribers search, you can search for Channels. Find the Channel(s) you want to add, click the Add button, and then click OK.

Subscriptions 08.png

Your Channel(s) will now be displayed in the list. Notice that on this screen you can also configure a delay before notifications are sent out. Why would you want a delay? Here’s an example from my personal experience.

Imagine that you are part of an Operations team that is on-call and paged when there are issues with Production servers. You have a Subscriber/Subscription setup specifically for paging. When a system that is being monitored by SCOM loses its ability to communicate with the Agent installed, it throws an Alert about the Agent being unreachable. SCOM also attempts to ping the system to confirm that there is an issue with either just the SCOM Agent, or if the system is in fact down. If ICMP is blocked in the environment, even if there is only an issue with the SCOM Agent, the “Server down” Alert will still be generated. This will then cause the individual to be paged to respond.

This sounds fine, and normally it is. However, sometimes SCOM can lose connectivity with the Agent for one reason or another, though it may only last a few minutes (i.e. network bandwidth, backups running, etc.). If there is no delay in sending notifications, then even if SCOM loses connectivity for a moment, someone will be paged. If there is a delay enabled, and SCOM loses connectivity to the Agent and that connection is re-established within the delay timeframe, then no notification/paging will occur.

I speak from personal experience, being paged multiple times in a night, just because SCOM lost connectivity to the Agent; not that the server(s) were actually down!

Make applicable changes, and click Next.

Subscriptions 09.png

Review the information on the Summary screen, and then click Finish.

Subscriptions 10.png

You will receive confirmation that the Subscription was created successfully, then click Close.

Subscriptions 11.png

Back in the SCOM console, your Subscription will now be present.

Subscriptions 12.png

Excellent, you now have SCOM setup to notify individuals of Alerts based on any customizations you need.
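The three wizards above (Channel, Subscriber, Subscription with a delay) can also be driven from the OperationsManager PowerShell module, which is useful when the same zone/technology subscriptions have to be recreated consistently. This is an added example, not from the original post: the SMTP server, addresses and names are placeholders, the management server is the post's lab server, and the cmdlet parameter usage follows the SCOM 2012 Add-SCOMNotification* cmdlets as I know them (confirm with Get-Help in your own environment). No criteria are set, so this subscription would match all alerts until you add the zone/technology conditions the post leaves to you.

```powershell
# Added example (not from the original post): create an E-Mail channel, a team subscriber and a
# delayed subscription with the OperationsManager module instead of the console wizards.
# Assumptions: all server names and addresses are placeholders; parameter names are from the
# SCOM 2012 Add-SCOMNotification* cmdlets and should be checked against Get-Help locally.

Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'SCOM.SC.LAB'   # lab management server from the post

# 1. Channel: E-Mail (SMTP). The From/return address does not have to be a real mailbox (post's note),
#    but using a team distribution list makes replies and bounces land somewhere useful.
$channelName = 'PROD - SMTP'
Add-SCOMNotificationChannel -Name $channelName `
    -Server 'smtp.sc.lab' -Port 25 `
    -From 'scom-alerts@sc.lab' -ReplyTo 'scom-alerts@sc.lab' | Out-Null
$channel = Get-SCOMNotificationChannel | Where-Object { $_.Name -eq $channelName }
if (-not $channel) { throw "Channel '$channelName' was not created" }

# 2. Subscriber: used like a distribution list (post's "SQL Team" suggestion), one address per member.
$subscriber = Add-SCOMNotificationSubscriber -Name 'SQL Team' `
    -DeviceList 'sql-oncall@sc.lab', 'dba1@sc.lab'

# 3. Subscription with a delay: notify only if the alert is still active after 15 minutes, so a
#    momentary loss of agent connectivity does not page anyone (post's on-call example).
#    No -Criteria here, so every alert matches; add the zone/technology criteria for real use.
$subscription = Add-SCOMNotificationSubscription -Name 'PROD - SQL Alerts' `
    -Description 'Production SQL alerts to the SQL team, 15 minute delay' `
    -Subscriber $subscriber -Channel $channel `
    -Delay (New-TimeSpan -Minutes 15)

# Show what was created so it can be compared with the Administration > Notifications view in the console.
Get-SCOMNotificationChannel      | Format-List Name, Description
Get-SCOMNotificationSubscriber   | Format-List Name
Get-SCOMNotificationSubscription | Format-List Name, DisplayName, Enabled
```

Keeping the channel, subscriber and subscription definitions in a script like this also gives you a record of which addresses receive alerts for which zone, which is the first thing to review when an alert email turns up in the wrong team's inbox.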


That concludes the Configuration Guides for System Center 2012 Operations Manager (at least for what I can think of for now).
If anyone has any questions or suggestions on what they need help with, or would like a guide on, please message me.