Tuesday, December 8, 2009

Audit Collection Services (ACS), ‘some’ searching and some useful links

Found myself digging deep in order to refresh/update my knowledge on this topic. Many good things are to be found on the internet. However, some less good or contradictory stuff as well. For instance, ‘old’ news like an article stating that ACS Reporting doesn’t support Windows Server 2008 (R2). But that is NOT true. With OpsMgr R2 it is supported out of the box, for OpsMgr SP1 additional reports need to be loaded.

Another shiny example is the calculating sheet for ACS DB sizing. Even though some sheets do look the same, the outcome is totally different, even though the same numbers (amount of servers and the time the data needs to be kept within the database) are being used in both sheets. As it turned out, the sheet with the highest outcome had the Events Per Second doubled, which is the result of a calculation.
image

For this calculation the number being used for Event Data (Target Environment) Machine Type Domain Controller turned out to be doubled:
image 

So I was a bit at a loss here. What to trust? Also, the servers (DCs) to be hit by an Audit Policy are going to be Windows Server 2008 (R2) based. And these servers do log a LOT more compared to Windows 2003 DCs. Of course, the script being referred to in the OpsMgr 2007 Performance and Scalability Guide can be run on a domain controller in the test environment. But then, no way 6000+ users are using the test environment. Nor do any LOBs run there, some of which are AD integrated. So the outcome of that script won’t be very useful either.

Hmm. Creating a script simulating 6000+ users where 4000+ log on/off 6 times a day? (The users here are very mobile and log on and off many times a day on different workstations through out the locations.) Could be done. But the time it takes to create it, test it, correct it and run it again takes a bit too much time.

The recently released OpsMgr R2 Sizing Helper sheet (has helped me on many occasions) didn’t help either. Not a single thing about ACS to be found in it. So I am still on a quest in order to get a clearer sight at the needed ACS DB size. However, during my search on the internet (and through my archives) I found some useful links about ACS. For instance:

  1. Auditing and Compliance in Windows Server 2008
    An online TechNet Magazine article about how Windows Server 2008 handles auditing with Windows Eventing 6.0. Very interesting article but the information about the size of the ACS DB is doubted by me. I mean, 150 DCs generating aprox. 140 events per second per DC with default retention settings of 14 days on the ACS DB, results in a DB size of 150 GBs in 14 days? When using these numbers in one of the mentioned sheets (the modest one!) I get a DB size of 1384 GBs… :
    image 
    And I even haven’t changed the Event Count /sec. It is still 20, not 140

  2. ACS Reporting and Windows 2008 (R2)
    An article about OpsMgr R2 ACS Reporting in conjunction with Windows 2008 (R2) and how to make OpsMgr SP1 ACS Reporting support Windows 2008 (R2). Special thanks to Graham Davies for this link.

  3. ACS Sizing Sheets
    Excel sheets to have a rough estimate about how big the size of the ACS DB must be. Found here and here, contained within the ACS Resource Kit offered by Secure Vantage.

  4. Online ACS Documentation
    Microsoft’s online TechNet Library about ACS. Updated on May 2009.

  5. System Center Central
    A good resource on OpsMgr. Also an article about the tools present in the ACS Resource Kit. Good posting! Special thanks to Pete Zerger.

  6. Security Audit Events for Windows 7 and Windows Server 2008 R2
    An Excel sheet with a list of all security audit events for Windows Server 2008 R2 and Windows 7.

  7. Video’s on ACS (and more)
    Secure Vantage has very useful information about ACS, also some video’s. Referred to as ACS Master Class Series.

The search to run a good trustworthy calculation on the needed size for the ACS DB continues. When I have found it, I’ll post about it.

Good advise:
when diving too deep into matters like these take a look at this old commercial
where John Cleese compares an portable computer with a dead fish… Helps to put the focus back. :)

No comments: