I went to TechEd for the first time in Amsterdam in 2004. One of the cool things I heard about was a product in the works called Audit Collection Services. This was going to be a free download from Microsoft (like WSUS) that would be an intelligent version of Syslog for Microsoft products. Intelligent? Have a look at the security logs on a Windows box when auditing is enabled and tell me if you can figure things out. MS’s developers identified the important messages that allowed you to track those events and would gather them into a dedicated and centralised SQL database in near real time.
We waited and waited but nothing got released. Nobody was talking. Then the news came out: it was going to be in the next version of Microsoft Operations Manager (we were still at MOM 2005 at the time) and not a free download. I first got to play with System Center Operations Manager 2007 while it was in beta back in 2006. ACS was one of the components I was most interested in. I listened to an MS webcast and immediately got scared. They had no way to calculate how big the database for ACS would be. It’s still a dedicated database, allowing auditors and security officers to have sole access.
Think about this for a moment. Every network is different. Some networks have normal amounts of user activity. Some more and some less. Some networks are Internet facing and are attacked a lot and some are quietly isolated. There was no real way to calculate the disk requirements without significant empirical data. All MS could say was that they used terabytes of disk every month, 8 I think (I could be wrong with that number – it was 2 years ago).
I’ve just read that a SCOM MVP called Pete Zerger has built an ACS requirements calculator using guesstimates. According to the MOM Team blog, it looks pretty accurate compared to customer data that they are familiar with.
ACS is a really cool tool. If you’re using SCOM 2005 and need some sort of central security logging or auditing solution then it just makes so much sense to enable it. Have a read about Audit Collection Services and see what you think.
Credit: Pete Zerger.