Extending ACS beyond security logs

As you may know, the Audit Collection Service (ACS) is an OpsMgr module aimed at collecting security events from the Windows Security Log. Everything written to the Security Log can be collected in near real time and consolidated in a central SQL repository. With the release of the cross-platform (xplat) modules for ACS last December, ACS is now also able to collect audit events from the xplat-supported platforms. This addition, together with a generic syslog solution from SecureVantage, promises to make ACS a building block for many compliance and auditing solutions, at least for Windows-centric shops. Alas, many Windows applications are not able to write their security records to the Security Log and use other event logs instead. A few examples: SQL Server writes to the Application log (only SQL Server 2008 Enterprise has an auditing module that can write to the Security Log), ASP.NET-based applications, IIS, IAS (which writes to the System log), Oracle audit trails, …

Understandably, without the ability to collect *all* security events the solution falls short as a comprehensive repository of auditing data. For this reason Progel (that is, Fabrizio, with a little help from me) has written a commercial product that is able to translate virtually any event in any event log into a security event. Once the security event is written to the Security Log, it is collected by ACS in the usual way. What started as a minor effort, or at least that is what we thought, turned out to be a little more complex. We had to write a service that is reliable and not resource intensive. We had to manage the event backlog on startup, be sure not to lose any event, manage event log wrapping, and so on.

The Progel Security Log Gateway (PSLG) is currently supported in the ENU and ITA locales for the following Windows applications:

  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2008
  • Oracle 10g
  • Microsoft Exchange 2003
  • Microsoft Exchange 2007
  • Microsoft IAS on Windows Server 2003
  • ASP.NET 2.0, 3.0, 3.5 based applications

Supported platforms start at Windows Server 2003 Service Pack 2.

Supported means we actually tested it, but PSLG can potentially handle other applications and other locales by modifying its XML configuration files, where all the parsing rules are listed.
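To make the backlog, no-loss and log-wrapping points from above concrete, and to show what "parsing rules in XML configuration files" means in practice, here is an added example; it is not PSLG's code and the post does not show the product's real rule format. It is a toy gateway that reads records from the Application and System logs, runs them through a constructed rule file (SQL Server login failed/succeeded messages 18456/18454, and an IAS access-denied record whose text is approximated), and keeps a per-log bookmark across restarts. The sample records and log contents are constructed, and the patterns are bound to ENU message text, which is exactly why a different locale needs a different rule set.

```python
"""Toy event-log gateway in the spirit of the post: pull audit-relevant records out of
the Application and System logs, normalise them through XML parsing rules, and keep a
restart-safe cursor so backlog and log wrap do not silently lose events.
Added example, not PSLG code; the rule format, event records and log contents are constructed."""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

Event = namedtuple("Event", "record_id log provider event_id time message")  # one record, as a reader returns it
Rule = namedtuple("Rule", "log provider event_id category outcome pattern")

# Constructed rule file. 18456/18454 are SQL Server's login failed/succeeded messages, IAS
# event 2 is an access-denied record (text approximated); the regexes are bound to the ENU
# message text, which is why each locale needs its own rule set.
RULES_XML = r"""<rules>
  <rule log="Application" provider="MSSQLSERVER" eventId="18456" category="Logon" outcome="failure">
    <pattern>Login failed for user '(?P&lt;user&gt;[^']+)'.*\[CLIENT: (?P&lt;client&gt;[^\]]+)\]</pattern>
  </rule>
  <rule log="Application" provider="MSSQLSERVER" eventId="18454" category="Logon" outcome="success">
    <pattern>Login succeeded for user '(?P&lt;user&gt;[^']+)'.*\[CLIENT: (?P&lt;client&gt;[^\]]+)\]</pattern>
  </rule>
  <rule log="System" provider="IAS" eventId="2" category="NetworkAccess" outcome="failure">
    <pattern>User (?P&lt;user&gt;\S+) was denied access</pattern>
  </rule>
</rules>"""

def load_rules(xml_text):
    return [Rule(r.get("log"), r.get("provider"), int(r.get("eventId")), r.get("category"),
                 r.get("outcome"), re.compile(r.findtext("pattern"), re.S))
            for r in ET.fromstring(xml_text).findall("rule")]

def translate(ev, rules):
    """Normalised audit record for the first matching rule, or None (noise or unknown text)."""
    for rule in rules:
        if (ev.log, ev.provider, ev.event_id) != (rule.log, rule.provider, rule.event_id):
            continue
        m = rule.pattern.search(ev.message)
        if m:   # same event ID but other message text (another locale/variant) falls through
            return {"category": rule.category, "outcome": rule.outcome, "time": ev.time,
                    "source": f"{ev.log}/{ev.provider}/{ev.event_id}#{ev.record_id}", **m.groupdict()}
    return None

class Gateway:
    """cursor[log] = last record number handled, advanced only after the record reached the
    sink: a crash mid-batch replays records (duplicates) rather than dropping them."""
    def __init__(self, rules, sink):
        self.rules, self.sink, self.cursor = rules, sink, {}

    def warn(self, log, detail):
        self.sink.append({"category": "Gateway", "outcome": "warning", "source": log, "detail": detail})

    def poll(self, log, records):
        """records: everything currently readable in `log`, oldest first. Returns the emit count."""
        if not records:
            return 0
        last = self.cursor.get(log)
        oldest, newest = records[0].record_id, records[-1].record_id
        if last is None:                 # first start: drain the whole backlog
            start = oldest
        elif newest < last:              # numbering restarted (assumed: the log was cleared)
            self.warn(log, "record numbering restarted; replaying log")
            start = oldest
        elif oldest > last + 1:          # the log wrapped past the bookmark: a real gap
            self.warn(log, f"{oldest - last - 1} records lost to log wrap")
            start = oldest
        else:
            start = last + 1
        emitted = 0
        for ev in records:
            if ev.record_id < start:
                continue
            out = translate(ev, self.rules)
            if out is not None:
                self.sink.append(out)    # the real service would write this to the Security Log
                emitted += 1
            self.cursor[log] = ev.record_id
        return emitted

# Constructed log contents.
APP_LOG = [
    Event(101, "Application", "MSSQLSERVER", 18456, "2009-03-02T10:00:01",
          "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]"),
    Event(102, "Application", "MSSQLSERVER", 17137, "2009-03-02T10:00:05", "Starting up database 'msdb'."),
    Event(103, "Application", "MSSQLSERVER", 18454, "2009-03-02T10:00:09",
          "Login succeeded for user 'CORP\\svc_report'. Connection made using Windows authentication. [CLIENT: 10.1.2.9]"),
]
SYS_LOG = [Event(7, "System", "IAS", 2, "2009-03-02T10:01:00", "User CORP\\jdoe was denied access. Reason = Authentication failure")]

def demo():
    sink = []
    gw = Gateway(load_rules(RULES_XML), sink)
    counts = [gw.poll("Application", APP_LOG),   # cold start: 2 audit records, 1 noise record skipped
              gw.poll("Application", APP_LOG),   # nothing new beyond the bookmark
              gw.poll("System", SYS_LOG)]
    # Before the next poll the log overwrote records 104..109; only 110 is left to read.
    wrapped = [Event(110, "Application", "MSSQLSERVER", 18456, "2009-03-02T11:30:00",
                     "Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.7]")]
    counts.append(gw.poll("Application", wrapped))
    return counts, sink, dict(gw.cursor)
```

The sink here is a plain list; on Windows the actual write into the Security Log is not an ordinary event-log write but goes through a registered security event source and the Authz reporting API (AuthzRegisterSecurityEventSource / AuthzReportSecurityEvent), which this example leaves out and which the post does not describe for PSLG. Two design points carry over to a real service: the bookmark is advanced only after the sink has accepted the record, so a crash costs you a duplicate rather than a lost event, and the one loss the gateway cannot prevent (records overwritten by log wrap before they were read) becomes a visible warning record instead of silence, which is also the signal to watch when sizing the source logs and the polling interval.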

– Daniele

This posting is provided "AS IS" with no warranties, and confers no rights.
