Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

What is up with Audit Collection Services?

A lot of you have been asking me to write about Audit Collection Services (ACS, which some of you might know as MACS).

For those of you unfamiliar with ACS, it's a client-server application that collects, normalizes and stores large volumes of security event log data from large numbers of machines, and makes the normalized data easily available for near-real-time analysis via WMI or for after-the-fact analysis via SQL queries. (A single ACS collector was designed to collect in near-real-time from up to 20,000 concurrent machines and to handle volumes in excess of 2,000 events per second sustained.) We use 8 ACS collectors in production here at Microsoft, storing a quarter billion events per day, and often collecting and processing many times that number of events.

The project was started in 2001 in the Windows Core Security group here at Microsoft. We finished what we intended to build last year, but during the time it took us to build it there were a number of external changes that affected the project: changes in Windows management and organization, and the rise of web services.

It took us a while to sort out what to do with ACS in light of these changes.  In the end we decided that it fit better with our Operations Manager product (MOM) than with Windows where we originally developed it.  My team is working with them to include the ACS code in the next version of MOM, and to keep all of our ACS scenarios intact while gaining the advantages that MOM provides such as data warehousing and reporting.

We are also making a change to the ACS protocol to allow convergence of our different event collection technologies in the future.  The protocol is web-services based but is not textual XML over HTTP.  We'll retain the tight, stingy bandwidth use that you've come to expect from ACS, but all of our technologies will interoperate in the future.

So now the FAQ:
Q1: How can I get ACS?
A1: You can't.  Please don't ask.  The beta program is not accepting new testers at this time although we will continue to work with our existing testers.

Q2: When can I get ACS?
A2: When the next version of MOM ships, but I don't know the date.  ACS integration will be for the beta 2 release in the spring.

Q3: How much will it cost?
A3: Licensing terms haven't been set yet.

Please understand that I get a LOT of questions about ACS (sometimes a dozen or more per day) and that I don't have time to answer individual questions about the project at this time. I'm working closely with the MOM team and I promise that we'll publish new information when the time is right. ACS is not dead :-)

Best regards,
Eric
