Thursday, September 8, 2016

OMS Solution ‘Security & Audit’ vs SCOM ACS: And The Winner Is OMS! (Thanks To Wei Hao Lim)

Some history of ACS
For as long as SCOM has been available, ACS (Audit Collection Services) has been bundled with it as a side solution, enabling organizations to collect the security event logs of their Windows systems centrally and produce audit reports. By default this solution is disabled when SCOM is installed, but it can be enabled and, after some additional configuration and the installation of additional components (the ACS collector and its database), put to use.

On paper it's awesome. But in real life ACS misses out on a lot of things, like (but not limited to):

  • No high availability. It can be achieved, but only through workarounds with the possibility of duplicate or, even worse, lost data (I've done some pretty deep research when I wrote the chapter 'Complex Configurations' for the System Center 2012 – Operations Manager Unleashed book, so I am pretty sure here);
  • Monster-sized ACS databases when the retention is set higher than the default of 14 days, which isn't enough for most customers I know. I've seen ACS databases of 4 TB!;
  • ACS Reports timing out because of those monster-sized databases;
  • No archiving solution out of the box. For some time a third party (Secure Vantage Technologies, SVT) delivered one, but at such outrageous prices that I never had a customer using it. And now SVT is no more.

As such, ACS never really took off and (sadly) became an obscure feature: interesting in its own way, but never functioning well enough for enterprise environments, out of the box that is. One customer I know got it working, but only with many additional customizations and custom programming, resulting in an unsupported custom solution…

And today ACS is still available, and it will still be available when SCOM 2016 sees the light. And yes, over the past years support for UNIX/Linux systems has been added, as well as support for Windows Server 2008/2012, which use different Event ID numbers for all their events, the security ones included (for example, a successful logon is event 4624 instead of the old 528).

But still, I don't recommend it to any organization looking for a serious IT auditing solution. Period.

Back to the future and today
However, as we all know, Microsoft has focused itself on cloud and hybrid workloads. Its offering of cloud-based services is huge: IaaS, PaaS and SaaS alike, and many other forms as well.

One of those offerings is OMS (Operations Management Suite), which is growing in functionality, capability and supportability by the month. Each piece of functionality in OMS is available as a Solution, and one of them is Security and Audit.

And this Solution is very good AND very fast, simply because the backend that runs the queries is huge, far bigger than anything an enterprise organization will ever have for itself.

Yes, this Solution collects a HUGE amount of data (depending on which servers upload their data AND what kind of audit policies you've got in place; auditing object access or the Filtering Platform on a busy server generates far more events than logon and account management auditing alone). And the more data you upload, the more money you pay. But you know, security is key to many organizations, which should be reflected in the available budgets. And don't underestimate the on-premises auditing solutions, requiring lots of hardware, maintenance, energy and so on. Also not very cheap.

OMS solution ‘Security & Audit’ vs SCOM ACS
So here we are. We can choose SCOM ACS with all its limitations, or OMS (pay as you go) with the Security and Audit Solution, where the latter can unleash enormous computing power, helping you drill through a mountain of data like it's nothing!

But wait! How about those queries? Because ACS ships with 20+ pre-canned Reports. Just click on one, fill out some fields and you've got yourself a nice audit report (when the ACS database isn't too big, that is…).

In OMS, however, even with the Security & Audit Solution enabled, you still need to build some challenging search queries in order to get valid auditing information back. Ouch! For sure, the same Solution contains some pre-canned search queries as well, but additional effort is still required when you need more detailed information, like the pre-canned SCOM ACS Reports deliver…
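To give an idea of what such queries look like, here is an added example (mine, not code from this post and not Wei Hao Lim's mapping) that runs three ACS-report-style questions as OMS search queries from PowerShell. It uses the 2016 OMS search language (not the later Kusto syntax) and the Get-AzureRmOperationalInsightsSearchResults cmdlet from the AzureRM.OperationalInsights module; the resource group and workspace names are placeholders, and the assumption that each result row comes back as a JSON string in the Value property should be checked against the cmdlet's output in your own session.

```powershell
# Added example, not from the original post nor from Wei Hao Lim's query mapping:
# ACS-report-style questions expressed as OMS search queries, run from PowerShell.
# Requires the AzureRM.OperationalInsights module and a logged-in session
# (Login-AzureRmAccount). Query syntax is the 2016 OMS search language, not KQL.

$ResourceGroup = 'rg-oms'          # assumed resource group name
$Workspace     = 'oms-workspace'   # assumed OMS workspace name

# 'SecurityEvent' is the type the Security & Audit solution populates.
# Event IDs are the Windows Server 2008+ security event IDs:
#   4625 failed logon, 4720 user created, 4726 user deleted,
#   4722 user enabled, 4725 user disabled, 1102 audit log cleared.
$AcsStyleQueries = [ordered]@{
    # ACS 'logon failures' style: failed logons per account, last 24 hours
    'LogonFailures'     = 'Type=SecurityEvent EventID=4625 TimeGenerated>NOW-24HOURS | measure count() by Account'
    # ACS 'account management' style: user account lifecycle events, last 7 days
    'AccountManagement' = 'Type=SecurityEvent (EventID=4720 OR EventID=4726 OR EventID=4722 OR EventID=4725) TimeGenerated>NOW-7DAYS | measure count() by EventID'
    # ACS 'audit log cleared' style: the one event every auditor wants to see
    'AuditLogCleared'   = 'Type=SecurityEvent EventID=1102 TimeGenerated>NOW-30DAYS'
}

foreach ($name in $AcsStyleQueries.Keys) {
    Write-Host "==== $name ===="
    $result = Get-AzureRmOperationalInsightsSearchResults `
        -ResourceGroupName $ResourceGroup `
        -WorkspaceName $Workspace `
        -Query $AcsStyleQueries[$name] `
        -Top 100

    # Assumption: each row in .Value is a JSON string describing one result record
    $result.Value | ForEach-Object { $_ | ConvertFrom-Json } | Format-Table -AutoSize
}
```

Save the queries you end up using in the OMS portal as saved searches; that is what makes them reusable in the same way the ACS Reports were.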

This is where Wei Hao Lim comes in
Some years ago I met Wei Hao Lim. His knowledge and skills amazed me, since he's just a beast (in a positive way, that is). Soon after I met him he joined Microsoft (they recognized his skills as well, I guess) in the role of Senior PFE. In that role he started blogging, and each posting is of very high quality. I've learned a lot from him.

In one of his latest postings he shares OMS search queries mapped to the pre-canned SCOM ACS Reports! Which is awesome, since these OMS search queries can be saved, making them far easier to reuse another time.

So now all is complete!

Still using SCOM ACS? Time to move to OMS solution ‘Security & Audit’
So you're using SCOM ACS and frustrated because of its limitations? Why not try OMS with a free data plan and enable the Security & Audit Solution in order to experience the difference. And yes, visit Wei's blog for the matching OMS search queries.

Please know this: with the OMS free data plan, the daily upload of data is capped at 500 MB. When the Security and Audit Solution is enabled and some servers are connected to OMS, their upload will exceed those 500 MB. So start small, and when adding more servers, change to a paid data plan; otherwise the collected data will have gaps, because data exceeding the daily 500 MB limit of the free plan is dropped.
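Rather than finding out about the cap after the fact, measure a server's Security log volume before connecting it. The script below is an added example (not part of the original post) that estimates the daily volume from the last 24 hours of the local Security log, compares it with the 500 MB free-plan cap mentioned above, and lists the event IDs that produce most of the volume. The byte count is based on the XML form of each event, which is only a rough proxy for what the OMS agent actually uploads; treat the result as an estimate.

```powershell
# Added example, not from the original post: estimate how much Security event
# data a server would send to OMS per day, before connecting it to the free plan.
# Run on the server in an elevated PowerShell session (reading the Security log
# needs administrative rights). The size estimate uses the XML form of each
# event, which is a rough proxy for the agent's upload size (assumption).

$FreePlanCapMB = 500      # OMS free data plan daily cap, as stated in the post
$Hours         = 24       # sample window

$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No Security events found in the last $Hours hours (empty log or insufficient rights)."
    return
}

# If the oldest event is much newer than $since, the log has rolled over and
# the window is not fully covered: the estimate is then a lower bound.
$oldest = ($events | Measure-Object -Property TimeCreated -Minimum).Minimum
if ($oldest -gt $since.AddMinutes(5)) {
    Write-Warning "Security log only reaches back to $oldest; the estimate is a lower bound."
}

$bytes = 0
foreach ($e in $events) {
    $bytes += [System.Text.Encoding]::UTF8.GetByteCount($e.ToXml())
}
$dailyMB = [math]::Round(($bytes / 1MB) * (24 / $Hours), 1)

# Which events produce the volume? Top event IDs by count: this is where audit
# policy tuning (e.g. object access, Filtering Platform) pays off if the number is too high.
$topIds = $events | Group-Object Id | Sort-Object Count -Descending |
          Select-Object -First 10 @{ n = 'EventID'; e = { $_.Name } }, Count

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    EventsInWindow   = $events.Count
    EstimatedDailyMB = $dailyMB
    PercentOfFreeCap = [math]::Round(100 * $dailyMB / $FreePlanCapMB, 1)
} | Format-List

'Top event IDs in the sample window:'
$topIds | Format-Table -AutoSize
```

Run it on each server you plan to connect and add up the EstimatedDailyMB values: once the total approaches the cap, either tighten the audit policy on the noisiest servers or move to a paid data plan before connecting them.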

Credits
A big thanks goes out to Wei Hao Lim for sharing.

3 comments:

Unknown said...

Don't forget to account for bandwidth costs in your calculation. OMS is a better experience than ACS for sure, but OMS is far more expensive. ACS probably could have been fixed but Microsoft's mantra of "cloud first" got in the way. I don't see either taking off for many customers due to the high cost. It's a shame.

Unknown said...

To be fair, ACS is pretty much a 10-year-old solution; it really should have seen a revamp by now with SysCtr 2016 on the way.

Anonymous said...

It's too bad, because the amount of work that goes into setting up a reliable ACS solution is a lot less than for a lot of other server products, but the complexity is high. Writing a sensible filtering query solves the large DB and bloat problem right there. HA is one of the biggest problems, but again, with good filtering the cache can handle short outages (less than a couple of days) with no data loss. Better and more SSRS reports would have made it really great.

OMS suffers the same problem of huge amounts of data without filtering, so it's the same problem as ACS. However, the query performance is better in that case because of the Azure infrastructure being beefy. Otherwise it's a solid solution.

From what I've seen, though, it's just deceptively expensive. If you are putting in the work to clamp down on data to reduce your OMS costs, you could have done the same for ACS in the same amount of time.

But as "Unknown" said above, the "cloud first" mantra gets in the way of customers. If ACS were developed into a more mature solution, it would be a great out of the box solution for a lot of shops. Heck, ideally, they'd have a way to collect into ACS, then push that directly into OMS for better reporting, archival, and more, if you wanted it. But Microsoft won't do that because it's all Cloud Only now, even if you have an on-prem or hybrid environment.