ACS - A Potential Logging Solution?

OK, this is one of those posts for me - so you can stop reading this entry.

In an internal thread the other day, someone asked for potential logging options for a custom .NET app. I'm thinking about the typical answers like:

  • .NET options
    • System.Diagnostics
      • Trace
      • TraceListener
    • My.Application.Log for VB
  • Logging Blocks

I usually tell folks to go with Enterprise Library since I know it works, will keep up with the latest .NET features, has a good set of features, and I know that that team cares about success (not saying other don't, but I know these folks exist).

But, in this thread on logging solutions, a new answer was given that I had not heard of. ACS.

What? What is that?

Good questions. It's an acronym for "Audit Collection Service", a component of Microsoft System Center Operations Manager 2007, one of the Microsoft System Center family.  From an early TechNet article (SEPT 2006), "the audit collection service can collect and consolidate Windows® Security Log entries from across the entire enterprise. This should prove to make compliance and security solutions easier to implement."

One description I found dated July 2006 (ie. in the beta days for Operations Manager) says the following about ACS: Audit Collection, as the feature is called in Operations Manager, has the ability to extract and collect security logs from Windows operating systems and store them for later analysis and reporting. The extracted logs are stored in a separate Audit Collection database. Operations Manager will ship with several basic reports that can be used for the Audit Collection data, but the real power of Audit Collection is what it will provide partners in terms of an infrastructure to extend Operations Manager. Audit Collection can be used to produce various compliance reports, such as Sarbanes-Oxley. Audit Collection can also be used for security analysis, such as intrusion detection and unauthorized access attempts. Unlike security monitoring of individual systems, Audit Collection will allow administrators to see trends across many systems.

I did look to see if partners were utilizing this capability, and in fact they are.  Here is just one example - from Secure Vantage Technologies, pushing the "Audit Collection IT Auditors Pack":

Harness the wealth of security event data in Microsoft System Center. The new Audit Collection Service for System Center Operations Manager delivers the most powerful Windows security event collection system in the world, now it’s time to use it. Discover how you can identify any security scenario and monitor trends using System Center Operations Manager. Secure Vantage security solutions provide comprehensive operations and reporting, leveraging embedded knowledge guidance and usage scenarios to support your regulatory requirements for CoBITs, FISMA, HIPAA, ISO, OCC, PCI, SOX and others.

The IT Auditors Pack for ACS introduces Active Directory security scenario reporting designed by Microsoft Security MVP, Randy Franklin Smith. These reports provide direct visibility into audit control scenarios to support security investigations, auditing and risk management.

Then I saw that they have other products like the Audit Collection Forensic Analyzer, which "provides in-depth forensic analysis services for windows security events introducing advance analytics and investigative reporting capabilities".

Sounds good. I've not investigated the product myself. So, I'll ask Beth Patton, my local Infrastructure Architect Evangelist, for more help on this topic.

Side note - the System Center family is now comprised of: