
Archive for the ‘Audit Collection Services’ Category

Audit Collection Services Reports only show the last 42 days' worth of data

January 11, 2011

There was a very interesting thread on the forums some time ago about ACS reports only ever displaying the last 42 days' worth of data. It transpires that you need to modify DbCreatePartition.sql and DeletePartition.sql, as there is a hard-coded select statement that returns only the “TOP 42” (last 42) partitions.

http://social.technet.microsoft.com/Forums/en-US/operationsmanagerreporting/thread/490c9c39-be73-4b92-aa25-0ccd3d66dc15/

ACS Forwarder Connects and Disconnects

November 8, 2010

I came across this problem on a customer site recently:
http://blogs.technet.com/b/operationsmgr/archive/2010/05/12/solution-the-acs-forwarder-in-operations-manager-2007-may-frequently-log-connection-and-disconnection-events.aspx

Thanks to the blog article all was resolved quickly and relatively painlessly!

ACS Collector (AdtServer) fails to start

September 8, 2010

This came up on the TechNet forums a couple of days ago. I’ll give the answer first and then the full error message. I hadn’t personally seen this problem before, and it doesn’t look like a permissions problem from the error, but the resolution was to:

  • Check that the ACS database had been created
  • And then also check that there was a login for NT Authority\Network Service that is the database owner for the ACS database.

In this case, there was no login to SQL for the service account used by the ACS Collector and this seemed to cause the error. Manually creating the login and assigning it to be the owner of the OperationsManagerAC database and then reinstalling ACS solved the problem.

Error Messages

While trying to install the Audit Collection Services on the Management Server the installation fails with the following output:
Find Source Folder: Success
Create Target Folder: Success
Install ACS: Success
Create AdtServer Service: Success
Write AdtServer Registry Parameters: Success
Write Password: Success
Register Application Log: Success
Register Performance DLL: Success
Register MOF File: Success
Create Data Source: Success
Create Database: Success
Create Database Tables: Success
Create Database Stored Procedures: Success
Create Database Login: Success
Configure Database Time Format: Success
Start AdtServer Service: Failure (0x00000002)

The service seems to start if I do it manually but immediately stops.

In the Operations Manager event log these events pop up in this order:

Event Type: Information
Event Source: AdtServer
Event Category: None
Event ID: 4609
Date: 9/2/2010
Time: 1:22:55 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: XXXXXXXXXX
Description:
AdtServer is starting up.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: AdtServer
Event Category: None
Event ID: 4660
Date: 9/2/2010
Time: 1:22:55 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: XXXXXXXXXX
Description:
AdtServer encountered the following problem during startup:
Task: Load Certificate
Failure: Certificate for SSL based authentication could not be found. SSL authentication will be disabled
Error: 0x00000002
Error Message:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: AdtServer
Event Category: None
Event ID: 4677
Date: 9/2/2010
Time: 1:22:55 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: XXXXXXXXXX
Description:
AdtServer encountered the following problem during startup:
Task: Open Admin Server
Failure: An error occured during creation of the RPC server for admin connections
Error: 0x00000002
Error Message:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: AdtServer
Event Category: None
Event ID: 4612
Date: 9/2/2010
Time: 1:22:55 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: XXXXXXXXXX
Description:
AdtServer shutdown complete.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

ACS Event Transformation Demystified

March 30, 2010

I came across this blog link via Layne on the TechNet forums. It is excellent information on ACS:
http://blogs.msdn.com/ericfitz/archive/2008/02/27/acs-event-transformation-demystified.aspx

Using OpsMgr to alert on security events

January 21, 2010

If you want to use Operations Manager to alert on Windows security events, then Secure Vantage offer some great value management packs. But if you are only interested in a couple of event IDs, then you can easily do this yourself:

First determine the Windows event ID you need:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Then create a rule or monitor to alert on the event ID. I actually prefer to use a rule rather than a monitor, as there is no “healthy” event ID to reset the monitor. You can use a timed reset monitor, but you risk missing alerts, as no new alerts will be generated while the monitor is in an “unhealthy” state.
http://blogs.technet.com/operationsmgr/archive/2009/05/12/opsmgr-2007-how-to-get-alert-for-domain-group-membership-changes.aspx

Update – Kevin Holman has also posted a blog article on this at http://blogs.technet.com/b/kevinholman/archive/2010/04/12/using-opsmgr-for-intrusion-detection-and-security-hardening.aspx
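
The rule versus timed reset monitor trade-off described above, as a small simulation. This is an added example, not code from the original post or from Operations Manager: the event list is constructed, 4728 is used as the sample group-membership event ID, and the model assumes the reset timer runs from the event that tripped the monitor.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int          # seconds since the start of the sample window
    event_id: int   # Windows security event ID
    detail: str


# Constructed sample: three group-membership changes and one unrelated logon.
SAMPLE = [
    Event(0, 4728, "user1 added to Domain Admins"),
    Event(300, 4728, "user2 added to Domain Admins"),
    Event(400, 4624, "logon"),
    Event(1200, 4728, "user3 added to Backup Operators"),
]


def rule_alerts(events, event_id):
    """Alert rule: stateless, so every matching event raises an alert."""
    return [e for e in events if e.event_id == event_id]


def timed_reset_monitor_alerts(events, event_id, reset_after):
    """Timed reset monitor: alerts only on a healthy -> unhealthy transition.

    Assumption: the monitor returns to healthy reset_after seconds after the
    event that tripped it; matching events seen before then raise nothing.
    """
    alerts, unhealthy_until = [], None
    for e in sorted(events, key=lambda ev: ev.t):
        if e.event_id != event_id:
            continue
        if unhealthy_until is not None and e.t < unhealthy_until:
            continue  # monitor is still unhealthy, so no new alert
        alerts.append(e)
        unhealthy_until = e.t + reset_after
    return alerts


def missed_by_monitor(events, event_id, reset_after):
    """Events the rule alerts on that the timed reset monitor stays silent on."""
    seen = set(timed_reset_monitor_alerts(events, event_id, reset_after))
    return [e for e in rule_alerts(events, event_id) if e not in seen]


if __name__ == "__main__":
    for e in missed_by_monitor(SAMPLE, 4728, reset_after=900):
        print(f"missed at t={e.t}s: {e.detail}")
```

With a 15-minute reset the second change, five minutes after the first, produces no alert; shortening the reset interval narrows that blind window but never removes it.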

Audit Collection Services – unusual problems

August 2, 2009

The ACS Forwarder seems to have a dependency on the DNS Service – it did cause problems in one environment I was working in.

Additionally, Joseph Chan of Microsoft has stated that “At a minimum, Adtagent needs to be running as Network Service (to communicate with the collector) with SeAuditPrivilege right (to read the security event log)”

Audit Collection Services on Windows 2008 – Report Problem

July 9, 2009

Daniele Grandini has found that the “Usage_-_User_Logon” ACS report doesn’t seem to work for Windows 2008 DCs and has posted a fix:
http://nocentdocent.wordpress.com/2009/06/11/are-opsmgr-2007-r2-acs-reports-broken/