How to Deploy Audit Collection Services for UNIX/Linux


Updated: May 13, 2016

Applies To: System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager

This procedure describes the steps to deploy Audit Collection Services for UNIX/Linux to enable security event collection and reporting for monitored UNIX and Linux computers.

In this Topic

  • Prerequisite Configuration

  • Installing Audit Collection Services for UNIX/Linux

  • Importing UNIX and Linux ACS Management Packs

  • Installing ACS Reports for UNIX/Linux

  • How to Enable Audit Collection Services for UNIX/Linux

Prerequisite Configuration

Before deploying Audit Collection Services for UNIX/Linux, ACS and ACS Reporting must be deployed and configured. See the following topic for information on deploying and configuring Audit Collection Services.

Installing Audit Collection Services for UNIX/Linux

ACS for UNIX and Linux must be installed on each Management Server that manages UNIX or Linux computers. Complete this procedure for each required management server.

  1. From a command prompt or the Run menu, launch Services.msc. Find the System Center Audit Forwarding service, set its Startup type to Automatic, and start the service.

  2. From the Operations Manager setup splash screen, select Audit Collection Services for UNIX/Linux from the Optional Installations section.

  3. On the first page of the ACS for UNIX/Linux setup wizard, click Next.

  4. Accept the terms of service, and then click Next.

  5. Select Audit Data Time Zone, and then click Next.

  6. On the Ready page, click Install.

  7. On the ACS Audit Events page, click Next.

  8. Click Finish.

    Note

    By default, events cannot be written directly to the Windows Security event log. During installation, the local security policy is modified so that the Cross Platform Audit Collection Services module can write to the Windows Security event log.

    The policy is found at Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit object access {Success, Failure}. If a domain Group Policy Object overrides the local policy, it may be necessary to set this policy on the domain instead.
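The following PowerShell is an added verification example for step 1 and the note above; it is not part of the original procedure. It assumes an elevated PowerShell session on the management server where ACS for UNIX/Linux was just installed. The forwarder service is located by the display-name fragment "Audit Forwarding" rather than by an assumed short name, the effective audit policy is read with auditpol.exe, and gpresult.exe is used only to list which GPOs apply when the policy is not what setup should have left behind.

```powershell
# Added example (not from the original page): post-install checks.
# Run elevated on the management server that hosts the ACS forwarder.

# Step 1: the audit forwarding service must start automatically and be running.
# Matched by display name so the exact service name is not assumed.
$fwd = Get-Service | Where-Object { $_.DisplayName -like '*Audit Forwarding*' }
if (-not $fwd) { throw 'Audit Forwarding service not found; is ACS installed on this server?' }
Set-Service -Name $fwd.Name -StartupType Automatic
if ($fwd.Status -ne 'Running') { Start-Service -Name $fwd.Name }
# WMI is used for StartMode so this also works on PowerShell 2.0 hosts.
Get-WmiObject Win32_Service -Filter "Name='$($fwd.Name)'" |
    Format-Table Name, DisplayName, StartMode, State -AutoSize

# The Note: setup enables "Audit object access" for Success and Failure.
# auditpol reports the effective policy per subcategory of Object Access;
# every row should read "Success and Failure".
$rows = auditpol.exe /get /category:"Object Access" /r |
    Where-Object { $_ -match ',' } |      # drop blank lines before CSV parsing
    ConvertFrom-Csv
$weak = $rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
if ($weak) {
    Write-Warning 'Object Access auditing is not fully enabled for:'
    $weak | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
    # A domain GPO may be overriding the local policy: list what applies
    # to this computer so the right GPO can be adjusted.
    gpresult.exe /scope computer /r
} else {
    Write-Host 'Audit object access is effective: Success and Failure.'
}
```

If auditpol shows weaker settings than setup configured, the local change is being overwritten at the next policy refresh, which is exactly the case the note describes; fix the domain policy rather than re-running setup.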

Importing UNIX and Linux ACS Management Packs

Audit Collection Services Management Packs for each required UNIX or Linux operating system must be imported for UNIX/Linux ACS event collection. To import UNIX and Linux ACS Management Packs, follow this procedure:

  1. In the Operations console, click the Administration node.

  2. Right-click Management Packs, and then click Import Management Packs.

  3. In the Import Management Packs Wizard, select Add.

  4. Select Add from Disk.

  5. Browse to the \ManagementPacks folder of the Operations Manager installation media.

  6. Select ACS management packs appropriate for the UNIX-based and Linux-based computers you are monitoring. The ACS management packs have file names that begin with: Microsoft.ACS.

  7. Select Open.

  8. Select Install to start the import process.

  9. When the import is complete, click Close.
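The same import done with the OperationsManager PowerShell module, as an added example rather than part of the original procedure. It assumes the installation media is available at D:\ (so the packs are under D:\ManagementPacks) and that the platforms in use are RHEL and SLES; the keyword list is an assumption to adjust, and the function first lists every Microsoft.ACS.* pack it finds so the right keywords can be chosen.

```powershell
# Added example (not from the original page): import the UNIX/Linux ACS
# management packs from the installation media without the console wizard.
# Assumptions: media mounted at D:\, PowerShell module available (run on a
# management server or a computer with the Operations console installed).
Import-Module OperationsManager

function Import-AcsManagementPacks {
    param(
        [string]$MediaRoot = 'D:\ManagementPacks',   # assumed media path
        [string[]]$Platform = @('RHEL', 'SLES')      # assumed keywords from the file names
    )
    # Step 6: every ACS pack on the media starts with Microsoft.ACS.
    $all = Get-ChildItem -Path $MediaRoot -Filter 'Microsoft.ACS.*.mp'
    if (-not $all) { throw "No Microsoft.ACS.*.mp files under $MediaRoot" }
    Write-Host "ACS packs on the media:"
    $all | ForEach-Object { Write-Host "  $($_.Name)" }

    # Keep only packs whose file name contains one of the platform keywords.
    $pick = $all | Where-Object {
        $name = $_.Name
        ($Platform | Where-Object { $name -like "*$_*" }) -ne $null
    }
    if (-not $pick) { throw "No pack matched keywords: $($Platform -join ', ')" }

    # One call for the whole set so dependencies between the selected packs
    # resolve. If the import reports a missing dependency, add that pack's
    # keyword to -Platform and run again.
    $paths = $pick | ForEach-Object { $_.FullName }
    Import-SCOMManagementPack -Fullname $paths

    # Step 9 equivalent: confirm what the management group now holds.
    Get-SCOMManagementPack | Where-Object { $_.Name -like 'Microsoft.ACS.*' } |
        Sort-Object Name | Format-Table Name, Version, Sealed -AutoSize
}

Import-AcsManagementPacks
```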

Installing ACS Reports for UNIX/Linux

  1. Log on to the server that will be used to host ACS reporting as a user that is an administrator of the SSRS instance.

  2. Create a temporary folder, such as C:\acs.

  3. From a server with Audit Collection Services for UNIX/Linux installed, copy the ACS reports to your temporary folder. The ACS reports can be found in the Program Files directory. For example: C:\Program Files\System Center Operations Manager Cross Platform ACS\Cross Platform Audit Reports.

  4. Open a Command Prompt window by using the Run as Administrator option, and then change directories to the temporary acs folder.

  5. Run the following command.

    UploadCrossPlatformAuditReports "<AuditDBServer\Instance>" "<Reporting Server URL>" "<path of the copied ACS folder>"
    

    For example:

    UploadCrossPlatformAuditReports "myAuditDbServer\Instance1" "http://myReportServer/ReportServer$instance1" "C:\acs"
    

How to Enable Audit Collection Services for UNIX/Linux

After Audit Collection Services for UNIX/Linux has been installed, it must be enabled in order for events to be collected.

  1. In the Operations Console, click Authoring.

  2. Click Object Discoveries.

  3. Search for ACS.

  4. Right-click Discover UNIX/Linux ACS Endpoint.

  5. Select Overrides -> Override the Object Discovery -> For all objects of class -> UNIX/Linux Computer.

    Note

    As an alternative to enabling for all UNIX/Linux Computers, you can select individual computers and groups.

  6. Select the Enabled check box.

  7. In the Enabled Value list, select True.

  8. In the Management Pack list, select the custom (unsealed) management pack you use for overrides, not the Default Management Pack.

  9. Click OK.
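The override from steps 1 through 9 created with the OperationsManager PowerShell module, as an added example that is not part of the original page. It assumes an unsealed override management pack named ACS.UnixLinux.Overrides already exists (create one in the Operations console under Administration -> Management Packs if it does not), and uses the hypothetical host name lnx01.example.com to show the per-computer variant mentioned in the note; the discovery and class display names are the ones the procedure above uses.

```powershell
# Added example (not from the original page): enable the
# "Discover UNIX/Linux ACS Endpoint" discovery by override.
# Assumptions: override MP 'ACS.UnixLinux.Overrides' exists and is unsealed;
# 'lnx01.example.com' is a hypothetical monitored UNIX/Linux computer.
Import-Module OperationsManager

function Enable-UnixAcsDiscovery {
    param(
        [string]$OverrideMpName = 'ACS.UnixLinux.Overrides',  # assumed name
        [string[]]$ComputerName                               # omit to target all
    )
    $mp = Get-SCOMManagementPack -Name $OverrideMpName
    if (-not $mp)   { throw "'$OverrideMpName' not found; create an unsealed override MP first." }
    if ($mp.Sealed) { throw "'$OverrideMpName' is sealed; overrides need an unsealed MP." }
    # Deliberately never falls back to the Default Management Pack (step 8):
    # overrides stored there are hard to remove later.

    $discovery = Get-SCOMDiscovery -DisplayName 'Discover UNIX/Linux ACS Endpoint'
    if (-not $discovery) { throw 'Discovery not found; were the ACS management packs imported?' }
    $class = Get-SCOMClass -DisplayName 'UNIX/Linux Computer'

    if ($ComputerName) {
        # Note above: enable for selected computers only. Instances are taken
        # from the UNIX/Linux Computer class so other objects that share a
        # host's display name (OS, disks) are not picked up.
        $instances = Get-SCOMClassInstance -Class $class |
            Where-Object { $ComputerName -contains $_.DisplayName }
        if (-not $instances) { throw "None of $($ComputerName -join ', ') is a monitored UNIX/Linux computer." }
        Enable-SCOMDiscovery -Discovery $discovery -Instance $instances -ManagementPack $mp
    } else {
        # Steps 5-9: override for all objects of class UNIX/Linux Computer.
        Enable-SCOMDiscovery -Discovery $discovery -Class $class -ManagementPack $mp
    }

    # Verify: expect Property=Enabled, Value=true, stored in the override MP.
    Get-SCOMOverride -Discovery $discovery |
        Select-Object Name, Property, Value,
            @{ n = 'StoredIn'; e = { $_.GetManagementPack().Name } }
}

Enable-UnixAcsDiscovery                                      # all UNIX/Linux computers
# Enable-UnixAcsDiscovery -ComputerName 'lnx01.example.com'  # selected computers instead
```

Enable-SCOMDiscovery writes the same Enabled = True override the wizard produces in steps 6 and 7; the final Get-SCOMOverride call is the check to run before expecting security events from the UNIX/Linux agents, and a StoredIn value of Microsoft.SystemCenter.OperationsManager.DefaultUser means the override landed in the Default Management Pack and should be recreated in the custom one.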