In Italy we have a new law that imposes auditing of administrative logons. ACS is the right solution, and it can be integrated with logs from heterogeneous systems directly (H2 2009 on the xplat supported platforms) or via the Secure Vantage syslog gateway (if the target platform is able to deliver security logs through syslog).

We have several customers that are using ACS, but every one of them developed custom reports, so they’re not using the out-of-the-box reports. Since we had no issue reports, we assumed everything worked fine.

One of the out-of-the-box reports in ACS addresses one of the law's requirements: “Usage_-_User_Logon”. Alas, when I tried to use the report for Windows Server 2008 servers it didn’t return any data, even though event ID 4624 (logon in Windows 2008) is included in the report filter. It turned out the developer added event ID 4624 but completely missed the fact that the logging-in user is registered in the TargetUser property rather than the Primary User property, as it was in 2003.
Once again, guys: if it is not tested it doesn’t work. :-)
I don’t know if other reports are affected by the same issue; I am just attaching the corrected report in case anyone has hit the same issue. Usage%7C_-%7C_User%7C_Logon.rdl
September 2010 update – repro steps for the team
- Turn on logon user auditing on a Windows 2008 / 2008 R2 server
- Install the ACS agent
- Log on to the server and check the security event log for event ID 4624
- Run the Usage_-_User_Logon report
- No data is returned even if the event has been collected
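
The failure mode above can be reproduced offline. The following is an added example, not the report's actual query or the ACS schema: the `events` table, its column names and the sample rows are constructed for illustration, and 528/540 are the Windows 2003 logon event IDs. It runs a filter that reads the user from `PrimaryUser` next to one that picks the field per event ID, and lists servers whose logon events were collected but never show up in the report.

```python
import sqlite3

# Constructed sample rows; table and column names are assumptions for this
# example, not the ACS database schema.
ROWS = [
    # (EventId, Computer, PrimaryUser, TargetUser)
    (528,  "SRV2003",   "alice",    None),     # Windows 2003 logon
    (540,  "SRV2003",   "bob",      None),     # Windows 2003 network logon
    (4624, "SRV2008",   "SRV2008$", "alice"),  # Windows 2008 logon
    (4624, "SRV2008R2", "-",        "carol"),
]

# Illustrative "before" filter: 4624 is listed, but the user is read
# from PrimaryUser for every event ID.
PRIMARY_ONLY = """
SELECT Computer, EventId FROM events
WHERE EventId IN (528, 540, 4624) AND PrimaryUser = :user
ORDER BY Computer"""

# Illustrative "after" filter: choose the field that holds the
# logging-on account for each event ID.
PER_EVENT_FIELD = """
SELECT Computer, EventId FROM events
WHERE EventId IN (528, 540, 4624)
  AND CASE WHEN EventId = 4624 THEN TargetUser ELSE PrimaryUser END = :user
ORDER BY Computer"""

def load(rows=ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events "
                 "(EventId INT, Computer TEXT, PrimaryUser TEXT, TargetUser TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    return conn

def report(conn, query, user):
    """Rows the report would show for one user."""
    return conn.execute(query, {"user": user}).fetchall()

def silent_servers(conn, query, users):
    """Servers that collected logon events but appear in no report row."""
    collected = {r[0] for r in conn.execute(
        "SELECT DISTINCT Computer FROM events WHERE EventId IN (528, 540, 4624)")}
    reported = {c for u in users for c, _ in report(conn, query, u)}
    return sorted(collected - reported)

if __name__ == "__main__":
    conn, users = load(), ["alice", "bob", "carol"]
    print("primary only:", silent_servers(conn, PRIMARY_ONLY, users))
    print("per event id:", silent_servers(conn, PER_EVENT_FIELD, users))
```

Comparing collected events per server against report rows, as `silent_servers` does, is the kind of check that catches an empty report before an auditor does.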