Audit Logs on Exchange and AD

  • Question

  • Hi,

    I would like to ask about enabling audit logs on both AD and our Exchange system, given that we have SCOM 2012 R2:

    1. What is the impact on the performance of the servers/databases?
    2. What is the impact on storage consumption after enabling the audit logs on both systems? And what is the expected annual increase?
    3. What is expected after enabling the audit logs? And what is the main purpose of it?
    4. Can we get real-time alerts for certain changes in AD or Exchange after enabling the audit logs, e.g. changing the membership of a certain security group in AD?
    5. What tools or systems can be used to move those logs to a separate log server for future reference?
    Thanks in advance
    Tuesday, March 14, 2017 7:28 PM

Answers

  • The purpose of auditing is usually compliance or security investigations. After you have enabled auditing, if you want to collect the security events from your AD and Exchange servers, you will need SCOM ACS to be installed. Please refer to the following article for ACS capacity planning:

    https://technet.microsoft.com/en-us/library/hh212872(v=sc.12).aspx

    With ACS you can generate reports based on your security events.

    For real-time alerts you will need to create alert-generating rules, though. Please be careful in setting these, as lots of audit events can be generated and you don't want your SCOM to get overwhelmed with these events. So before setting up a monitor, see how many events are being generated.

    You can also use Windows Event Forwarding; you can read more about it at the blog below:

    https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/


    Thanks, Samer

    Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!


    • Edited by Samer87 Wednesday, March 15, 2017 6:17 AM
    • Proposed as answer by Elton_Ji Thursday, March 16, 2017 9:16 AM
    • Marked as answer by AhmadJY Friday, March 17, 2017 7:00 AM
    Wednesday, March 15, 2017 6:13 AM
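To put numbers behind the advice above to check the event rate before building SCOM alert rules, and to show which Security events a "group membership changed" alert would key on, here is an added PowerShell example. It is not from this thread or from Microsoft. It assumes it is run elevated on a domain controller where the Advanced Audit Policy setting "Audit Security Group Management" is enabled, and it relies on the standard Windows Security event IDs 4728/4732/4756 (member added to a global/local/universal security group) and 4729/4733/4757 (member removed). The measurement window and target host are parameters with assumed defaults.

```powershell
# Added example (not from the thread): gauge Security-log volume on a domain
# controller before feeding it into SCOM/ACS or WEF, then list the
# group-membership change events the original question asks about.
# Assumptions: run elevated on a DC; "Audit Security Group Management" is
# enabled; event IDs 4728/4732/4756 = member added, 4729/4733/4757 = removed.

param(
    [int]$Hours = 24,                  # measurement window (assumed default)
    [string]$ComputerName = 'localhost' # DC to query (assumed default)
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Event rate: how many Security events per event ID were written in the window.
#    Get-WinEvent throws when nothing matches, so errors are suppressed and the
#    result is wrapped in @() to make .Count safe.
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    StartTime = $since
} -ErrorAction SilentlyContinue)

$byId = $events | Group-Object Id | Sort-Object Count -Descending
"Top Security event IDs in the last $Hours h on ${ComputerName}:"
$byId | Select-Object -First 10 Name, Count | Format-Table -AutoSize

# 2. Rough storage estimate: current log file size divided by record count gives
#    average bytes per record; scale the observed rate to a per-year figure.
$log = Get-WinEvent -ComputerName $ComputerName -ListLog Security
$bytesPerRecord = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }
$perDay    = $events.Count * (24 / $Hours)
$gbPerYear = [math]::Round($perDay * 365 * $bytesPerRecord / 1GB, 2)
"~{0} events/day, ~{1} bytes/record => ~{2} GB/year on this host" -f $perDay, [int]$bytesPerRecord, $gbPerYear

# 3. Membership changes: the events a real-time alert rule would match on.
#    Fields are read by name from the event XML rather than by positional index.
$groupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757
$changes = $events | Where-Object { $groupChangeIds -contains $_.Id } | ForEach-Object {
    $field = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Action = if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
        Member = $field['MemberName']        # DN of the account added/removed
        Group  = $field['TargetUserName']    # sAMAccountName of the group
        By     = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
    }
}
"Security group membership changes in the last $Hours h:"
$changes | Format-Table -AutoSize
```

Run it on each DC (group membership events are logged only on the DC that processed the change), and repeat the measurement on a normal business day and on a quiet day before sizing ACS or WEF. Note that Exchange mailbox and admin audit logs are kept in Exchange itself rather than in the Windows Security log, so this measurement covers the AD side of the question only.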

All replies

  • Hi Sir,

    >>Can we get real-time alerts for certain changes in the AD or exchange after enabling the audit logs?

    Using ACS, organizations can consolidate individual Security logs into a centrally managed database and can filter and analyze events using the data analysis and reporting tools provided by Microsoft SQL Server. With ACS, only a user who has specifically been given the right to access the ACS database can run queries and create reports on the collected data.

    If your environment contains too many ACS forwarders for a single ACS collector, you can install more than one ACS collector. Each ACS collector must have its own ACS database.

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 16, 2017 9:16 AM