Are OpsMgr 2007 R2 ACS reports broken?


In Italy we have a new law that imposes auditing of administrative logons. ACS is the right solution, and it can be integrated with logs from heterogeneous systems either directly (H2 2009 on the xplat supported platforms) or via the Secure Vantage syslog gateway (if the target platform is able to deliver security logs through syslog). We have several customers that are using ACS, but every one of them developed custom reports, so they’re not using the out-of-the-box reports. Since we had no issue reports, we assumed everything worked fine.

One of the out-of-the-box reports in ACS addresses one of the law’s requirements: “Usage_-_User_Logon”. Alas, when I tried to use the report for Windows Server 2008 servers it didn’t return any data, even though event ID 4624 (logon in Windows 2008) is included in the report filter. It turned out the developer added event ID 4624 but completely missed the fact that the logging-in user is registered in the TargetUser property rather than the Primary User property, as it was in 2003.

Once again, guys: if it is not tested it doesn’t work. :-)

I don’t know if other reports are affected by the same issue; I am just attaching the corrected report in case anyone has hit the same issue: Usage%7C_-%7C_User%7C_Logon.rdl
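To see the effect of the field mismatch in isolation, here is an added example (not part of the original post and not the query from the shipped or corrected .rdl). It assumes a stand-in `events` table in SQLite with constructed rows and hypothetical column names, and uses 528/540 as the Windows 2003 logon event IDs next to 4624.

```python
import sqlite3

# Constructed sample rows. The table is a stand-in for the ACS event data and
# carries only the fields discussed in this post (column names are assumptions).
ROWS = [
    # EventId, CreationTime, EventMachine, PrimaryUser, TargetUser
    (528,  "2009-06-01 08:00", "SRV2003", "alice",    None),     # 2003 logon
    (540,  "2009-06-01 08:05", "SRV2003", "bob",      None),     # 2003 network logon
    (4624, "2009-06-01 09:00", "SRV2008", "SRV2008$", "alice"),  # 2008 logon
    (4624, "2009-06-01 09:10", "SRV2008", "-",        "carol"),  # 2008 logon
    (4634, "2009-06-01 09:30", "SRV2008", None,       "alice"),  # logoff, not a logon
]
LOGON_IDS = "(528, 540, 4624)"

# Models the behaviour described above: 4624 is in the filter, but the user is
# still matched against PrimaryUser only.
PRIMARY_ONLY = f"""
    SELECT EventId, EventMachine, CreationTime FROM events
    WHERE EventId IN {LOGON_IDS} AND PrimaryUser = ?
    ORDER BY CreationTime"""

# Picks the field that holds the logging-in user for each event ID.
PER_EVENT_FIELD = f"""
    SELECT EventId, EventMachine, CreationTime FROM events
    WHERE EventId IN {LOGON_IDS}
      AND CASE WHEN EventId = 4624 THEN TargetUser ELSE PrimaryUser END = ?
    ORDER BY CreationTime"""

def load(rows=ROWS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (EventId INT, CreationTime TEXT, "
               "EventMachine TEXT, PrimaryUser TEXT, TargetUser TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    return db

def logons_for(db, user, query):
    """Return (EventId, EventMachine, CreationTime) logon rows for one user."""
    return db.execute(query, (user,)).fetchall()

def missed_users(db):
    """Users with 4624 logons that the PrimaryUser-only filter under-reports."""
    users = [r[0] for r in db.execute(
        "SELECT DISTINCT TargetUser FROM events WHERE EventId = 4624 ORDER BY 1")]
    return [u for u in users if len(logons_for(db, u, PER_EVENT_FIELD))
            > len(logons_for(db, u, PRIMARY_ONLY))]

if __name__ == "__main__":
    db = load()
    print(logons_for(db, "carol", PRIMARY_ONLY), missed_users(db))
```

A check like `missed_users` can be run against any other report that filters on a user field, to find event IDs whose logon account lives in a different column.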

September 2010 update – repro steps for the team

  1. Turn on logon user auditing on a Windows 2008 / 2008 R2 server
  2. Install the ACS agent
  3. Log on to the server and check the security event log for event ID 4624
  4. Run the Usage_-_User_Logon report
  5. No data is returned even though the event has been collected


– Daniele

This posting is provided "AS IS" with no warranties, and confers no rights.

  1. #1 by Steve Burkett on June 11, 2009 - 4:12 pm

    Hi Daniele, have you got any links to information on this new Italian law? Wondering if our Milan office is now breaking the law! Gulp!

    • #2 by Daniele Grandini on June 11, 2009 - 4:55 pm

      Hi Steve,
      here is the link (http://www.garanteprivacy.it/garante/doc.jsp?ID=1577499). The deadline is June 30th; auditing must be collected for logons to systems that directly or indirectly are managing personal and sensitive data. The entire law is about privacy, but your Italian colleagues will find all the information they need at the link above. Not every business is affected by this law.
      Regards
      Daniele

      • #3 by Alex on June 17, 2009 - 10:46 am

        Hi,

        I read the law but I’m not sure what events really have to be collected. What reports did your customers develop? Do you have any (English) links which explain the law?

        Thanks Alex

      • #4 by Daniele Grandini on June 22, 2009 - 6:31 pm

        Hi Steve,
        since this is an Italian law I don’t have any English translation on hand. Regarding the administrators auditing, the law mandates the collection of only logon/logoff events to systems and DBMS used to process sensitive data. The law doesn’t mandate any report at all, but our customers developed reports to answer questions like: from where (workstation) and when this user accessed the protected systems, which administrative operations have been performed on this user, who was logged on at this Exchange 2003 mailbox (best effort), and so on. But again, the law doesn’t prescribe any report, it just asks for data.
