Audit Collector on a Windows 2008 server
When the System Center Operations Manager 2007 components are installed on a Windows 2008 server with Windows Firewall enabled, the setup creates inbound rules (Inbound Rules) for the basic communication, with one exception: there is no rule allowing inbound TCP on port 51909, so no ACS forwarder can connect to the collector. That rule, the last one in the rule list, has to be added by hand.
If we list the connection state on the SCOM server that hosts the ACS collector (server FIUTONE), in the best case only the local computer is connected:
netstat | findstr "51909"
  TCP    10.1.1.207:49291    FIUTONE:51909    ESTABLISHED
  TCP    10.1.1.207:51909    FIUTONE:49291    ESTABLISHED
On server DC2, where we enabled audit collection (the Enable Audit Collection task), events 4369 appear in the Operations Manager log. The forwarder tries the right address and port, but the connection never completes. Note the status code: 0x79 is Win32 error 121, ERROR_SEM_TIMEOUT, i.e. the TCP connect timed out rather than being actively refused, which is exactly what a firewall silently dropping the SYN looks like from the forwarder's side:
Date and Time: 3.4.2009 10:13:12
Log Name: Operations Manager
Source: AdtAgent
Generating Rule: Microsoft Audit Collection Services Forwarder Event Collection Rule
Event Number: 4369
Level: Warning
Logging Computer: DC2
User: NT AUTHORITY\NETWORK SERVICE
Description:
Forwarder unsuccessfully tried to connect to the following collector(s): fiutone.sin.cz:51909, status: 0x79 (TCP connect), source: registry
addresses tried: 10.1.1.207:51909
If the list of collectors is blank, then AdtAgent was unable to locate a collector.
Common reasons for this message are:
The machine(s) listed is not online
AdtServer is not running on the machine(s) listed
AdtServer on the machine(s) listed is not listening on the specified port
TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism
AdtServer on the machine(s) listed actively refused the connection (due to policy or current activity load)
The rule is best added through Server Manager:
Server Manager / Configuration / Windows Firewall with Advanced Security / Inbound Rules | New Rule
Rule Type: Port
Protocols and Ports | TCP | Specific local ports: 51909
Action: Allow the connection
Profile: Domain/Private/Public
Name: Operations Manager ACS (Forwarders)
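The same check and fix from the command line, as an added example that is not part of the original post, so it can be repeated on every collector and forwarder. It assumes Windows Server 2008 with PowerShell 2.0 and the built-in netsh advfirewall syntax (the New-NetFirewallRule cmdlet only exists from Windows Server 2012 on), that netsh prints "Rule Name:" for a matching rule (true on an English system), and that AdtServer is the process owning the port. The rule name and port come from the walkthrough above; the subnet 10.1.1.0/24 in the usage comment is an assumption. The added rule deliberately defaults to the Domain profile only and can be scoped to the forwarders' subnet with remoteip, which is narrower than the Domain/Private/Public choice in the console steps.

```powershell
# Added example, not code from the original post. Windows Server 2008 / PowerShell 2.0 syntax.

# Forwarder side: does a plain TCP connect to the collector port go through?
# A timeout (no SYN-ACK, no RST) is what a firewall dropping the packet looks like; it is
# also what AdtAgent reports in event 4369 as status 0x79 = 121 = ERROR_SEM_TIMEOUT.
# An active refusal (AdtServer not running) surfaces as a SocketException instead.
function Test-AcsCollectorPort {
    param(
        [Parameter(Mandatory=$true)][string]$Collector,
        [int]$Port = 51909,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Collector, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (packets dropped: firewall, IPsec or routing)'
        }
        $client.EndConnect($async)      # throws when the collector sends RST
        return 'Connected'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        return "Failed: $($ex.Message)"
    } finally {
        $client.Close()
    }
}

# Collector side: is anything listening on the ACS port, and which process owns it?
function Get-AcsListener {
    param([int]$Port = 51909)
    # netstat -ano adds the owning PID; -p TCP limits the table to TCP endpoints
    foreach ($line in (netstat -ano -p TCP)) {
        if ($line -match "^\s*TCP\s+(\S+):$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $ownerPid = [int]$Matches[2]
            $localAddress = $Matches[1]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = '?'
            if ($proc) { $name = $proc.Name }       # expected: AdtServer
            New-Object PSObject -Property @{
                LocalAddress = $localAddress; Port = $Port; OwnerPid = $ownerPid; Process = $name
            }
        }
    }
}

# Collector side: create the missing inbound rule if it is not there yet.
function Add-AcsInboundRule {
    param(
        [string]$Name = 'Operations Manager ACS (Forwarders)',
        [int]$Port = 51909,
        [string]$RemoteIp = 'any',           # e.g. '10.1.1.0/24' to accept only the forwarders' network
        [string]$FirewallProfile = 'domain'  # collectors live on the domain network; no need for private/public
    )
    # netsh prints "Rule Name: ..." per match and "No rules match the specified criteria." otherwise
    $existing = netsh advfirewall firewall show rule name="$Name"
    if ($existing -match '^Rule Name:') { return 'exists' }
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=TCP localport=$Port remoteip=$RemoteIp profile=$FirewallProfile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh add rule failed with exit code $LASTEXITCODE" }
    return 'created'
}

# Usage on the collector (FIUTONE), in an elevated PowerShell:
#   Get-AcsListener                              # empty result: AdtServer is not running, the firewall is not the problem
#   Add-AcsInboundRule -RemoteIp '10.1.1.0/24'   # returns 'created' or 'exists'
# Usage on a forwarder (DC2):
#   Test-AcsCollectorPort -Collector 'fiutone.sin.cz'
```

Run Get-AcsListener before touching the firewall: if nothing owns port 51909 the rule will not help, and the cause is one of the other reasons listed in event 4369. After the rule is in place, Test-AcsCollectorPort from the forwarder should move from the timeout text to 'Connected' without any restart of the collector.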
After restarting the AdtAgent service (i.e. the ACS forwarder) on the servers, collection of records from the Security log finally starts. Checking the connections (netstat | findstr "51909") now shows the connected servers on which collection is enabled. For a detailed view of the state of the ACS system I use, besides the view in the SCOM console (Monitoring / Microsoft Audit Collection Services), a simple script built around the adtadmin command-line tool. It consists of two files, ACS_Status.cmd and Parser_Stats.vbs:
@echo off
rem ACS_Status.cmd
echo.
echo WRITING ACTUAL STATUS (TXT FILE)
\windows\system32\security\adtserver\adtadmin -stats > Actual_Status.txt
cscript PARSER_STATS.VBS
echo.
echo CONNECTED FORWARDERS ARE:
type Connected_Forwarders.txt
echo.
echo -----------------------------------------------------
The output file Actual_Status.txt can be opened in Excel (it is CSV). A simple Visual Basic Script that turns the output into a readable form, Parser_Stats.vbs:
' Parser_Stats.vbs: print every row of adtadmin -stats and write the names of the
' connected forwarders to Connected_Forwarders.txt
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTxtFR = objFSO.OpenTextFile("Actual_Status.TXT", ForReading)
Set objTxtFW = objFSO.OpenTextFile("Connected_Forwarders.TXT", ForWriting, True)
'
' first line is the header
strHeader = objTxtFR.ReadLine
i = 1
Do While objTxtFR.AtEndOfStream <> True
    arrRecord = Split(objTxtFR.ReadLine, ",", -1)
    ' skip short or blank lines instead of failing with "Subscript out of range"
    If UBound(arrRecord) >= 16 Then
        WScript.Echo " "
        WScript.Echo "Value: " & arrRecord(0)
        WScript.Echo "SID: " & arrRecord(1)
        WScript.Echo "Name: " & arrRecord(2)
        WScript.Echo "GroupID: " & arrRecord(3)
        WScript.Echo "Version: " & arrRecord(4)
        WScript.Echo "Connected: " & arrRecord(5)
        WScript.Echo "Total Transmitted Events: " & arrRecord(6)
        WScript.Echo "Total Size of Transmitted Events: " & arrRecord(7)
        WScript.Echo "Recv Packet Count: " & arrRecord(8)
        WScript.Echo "Recv Packet Size: " & arrRecord(9)
        WScript.Echo "Seconds Since Connection: " & arrRecord(10)
        WScript.Echo "Average Event Rate: " & arrRecord(11)
        WScript.Echo "Current Event Rate: " & arrRecord(12)
        WScript.Echo "Average time to collector (in ms): " & arrRecord(13)
        WScript.Echo "Connect Time: " & arrRecord(14)
        WScript.Echo "Last Action: " & arrRecord(15)
        WScript.Echo "Disconnect Time: " & arrRecord(16)
        WScript.Echo "---------------------------------------------------- " & i
        ' Split returns strings, and in VBScript any string compares greater than
        ' any number ("0" > 0 is True), so convert before comparing or every
        ' forwarder, connected or not, ends up in the list.
        If IsNumeric(arrRecord(5)) Then
            If CLng(arrRecord(5)) > 0 Then
                objTxtFW.WriteLine arrRecord(2)
            End If
        End If
        i = i + 1
    End If
Loop
objTxtFR.Close
objTxtFW.Close
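The same parsing done in PowerShell, as an added example that is not code from the original post. The column order is taken from Parser_Stats.vbs; the header names in $AdtStatsHeader are my own, and adtadmin's own header line is skipped rather than relied on. The three sample rows are constructed (hostnames other than DC2 and the SIDs are placeholders). Beyond the list of connected names that the VBS produces, it adds one check the VBS does not have: a forwarder that is connected but currently sends no events is flagged as ConnectedButSilent, since a quiet audit source is as much of a gap in the collected Security log as a disconnected one.

```powershell
# Added example, not part of the original post. Windows Server 2008 / PowerShell 2.0 syntax.

# Field order follows Parser_Stats.vbs; these names are mine, not adtadmin's header wording.
$AdtStatsHeader = @(
    'Value', 'SID', 'Name', 'GroupID', 'Version', 'Connected',
    'TotalTransmittedEvents', 'TotalSizeOfTransmittedEvents',
    'RecvPacketCount', 'RecvPacketSize', 'SecondsSinceConnection',
    'AverageEventRate', 'CurrentEventRate', 'AverageTimeToCollectorMs',
    'ConnectTime', 'LastAction', 'DisconnectTime'
)

# Constructed sample of what adtadmin -stats writes: one header line, then 17
# comma-separated columns per forwarder. Hostnames other than DC2 and the SIDs are placeholders.
$SampleStats = @'
Value,SID,Name,GroupID,Version,Connected,TotalTransmittedEvents,TotalSizeOfTransmittedEvents,RecvPacketCount,RecvPacketSize,SecondsSinceConnection,AverageEventRate,CurrentEventRate,AverageTimeToCollectorMs,ConnectTime,LastAction,DisconnectTime
1,S-1-5-21-EXAMPLE-1,DC2.sin.cz,0,6.0.0.0,1,15320,4120000,812,4130000,3600,4.25,6.0,12,2009-04-03 10:20:11,2009-04-03 11:20:11,
2,S-1-5-21-EXAMPLE-2,FILE1.sin.cz,0,6.0.0.0,0,230,61000,20,62000,0,0.0,0.0,0,2009-04-03 09:00:00,2009-04-03 09:05:00,2009-04-03 09:05:00
3,S-1-5-21-EXAMPLE-3,WEB1.sin.cz,0,6.0.0.0,1,0,0,3,300,7200,0.0,0.0,0,2009-04-03 09:20:11,2009-04-03 11:20:11,
'@

# Turn the raw lines into typed objects with a health status per forwarder
function ConvertFrom-AdtStats {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $Lines |
        Where-Object { $_.Trim() -ne '' } |
        Select-Object -Skip 1 |                      # drop adtadmin's own header line
        ConvertFrom-Csv -Header $AdtStatsHeader |
        ForEach-Object {
            # adtadmin writes numbers as text; convert before comparing
            $connected = ([int]$_.Connected) -gt 0
            $rate = [double]$_.CurrentEventRate
            if (-not $connected)  { $status = 'Disconnected' }
            elseif ($rate -eq 0)  { $status = 'ConnectedButSilent' }
            else                  { $status = 'Healthy' }
            New-Object PSObject -Property @{
                Name             = $_.Name
                Connected        = $connected
                Version          = $_.Version
                CurrentEventRate = $rate
                AverageEventRate = [double]$_.AverageEventRate
                TotalEvents      = [long]$_.TotalTransmittedEvents
                LastAction       = $_.LastAction
                DisconnectTime   = $_.DisconnectTime
                Status           = $status
            }
        }
}

# Equivalent of Connected_Forwarders.txt: names of forwarders with Connected > 0
function Get-ConnectedAcsForwarders {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    ConvertFrom-AdtStats -Lines $Lines | Where-Object { $_.Connected } | ForEach-Object { $_.Name }
}

# Forwarders that need a look: not connected, or connected but sending nothing
function Get-AcsForwardersNeedingAttention {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    ConvertFrom-AdtStats -Lines $Lines | Where-Object { $_.Status -ne 'Healthy' }
}

# Demo on the constructed sample. On the collector, feed the live output instead:
#   $lines = & "$env:SystemRoot\System32\Security\AdtServer\adtadmin.exe" -stats
$lines = $SampleStats -split "`r?`n"
ConvertFrom-AdtStats -Lines $lines | Format-Table Name, Status, CurrentEventRate, LastAction -AutoSize
Get-ConnectedAcsForwarders -Lines $lines            # DC2.sin.cz and WEB1.sin.cz
Get-AcsForwardersNeedingAttention -Lines $lines | Format-Table Name, Status, DisconnectTime -AutoSize
```

On the sample, DC2.sin.cz is Healthy, FILE1.sin.cz is Disconnected and WEB1.sin.cz is ConnectedButSilent; the last case is invisible in the VBS output because it only tests the Connected column. Skipping the header line and supplying the names yourself keeps the parser working if the wording of adtadmin's header differs from what you expect; what must not change is the column order.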
Note: I describe the state that results from the installation and configuration process as described in the series here.
Technorati tags: SCOM 2007, Audit, Windows 2008, VBS script