What's the comparison between SCOM Audit Collection Service and other logging solution?

If we already have SCOM 2012 R2 infrastructure without ACS implementation, do we need to consider any other logging solution like ELK (Elasticsearch, Logstash, and Kibana), or should we go for ACS? If yes, what are the plus points of ACS?

By the way, we want to collect our Security events like file server and AD object auditing.
A1opus asked:
btan (Exec Consultant) commented:
ACS is different from a SIEM such as ELK. ACS is limited to Windows Security events (though it can still read the host OS syslog on Solaris/AIX/Linux/Unix), while ELK or SIEMs achieve the ability to normalize multiple event streams so that data formats and time stamps conform to a standardized format before being stored in a database. That data is then correlated and analyzed further. ACS does not go to that depth compared with other SIEMs. ACS may be a good fit, especially if they already have SCOM deployed, though it does not collect data from network infrastructure devices. SCOM can monitor ACS performance too, which further leverages what you already have.

Some considerations for the use case, if a full-fledged SIEM is really wanted, will cover areas like:
>Data volume and throughput - How many devices and events per second are to be monitored?
>Storage requirements - How much data growth and expansion is expected on a regular basis, e.g. daily/weekly/monthly/yearly?
>Data retention - How long must the data be kept, especially for regulatory requirements?
>Device & application support - What other devices and applications will need to be supported in future?
>Forensic quality data - Is the data foreseen to be used for legal submission, with a chain-of-custody requirement?
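The normalization step btan describes (multiple event streams brought into one schema with standardized timestamps before storage and correlation) is the main thing ELK or a SIEM adds over ACS's Windows-only collection. The following Python is an added example, not code from the thread or from any product mentioned in it: it parses a constructed Windows Security event in the XML shape Windows event forwarding produces and a constructed Linux syslog line, and maps both onto the same record layout with UTC ISO-8601 timestamps. The keyword bits for Audit Success/Audit Failure and the Event XML namespace are the documented Windows values; the syslog year and timezone are assumptions passed in as parameters, since RFC 3164 lines carry neither.

```python
"""Normalize a Windows Security event and a syslog line into one schema.

Added illustration of the SIEM/ELK normalization step; the sample inputs are
constructed, not real captures.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import asdict, dataclass
from datetime import datetime, timezone, tzinfo

# Namespace used by Windows Event XML (documented Microsoft value).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard Windows auditing keyword bits (documented values).
KW_AUDIT_FAILURE = 0x0010000000000000
KW_AUDIT_SUCCESS = 0x0020000000000000


@dataclass
class NormalizedEvent:
    timestamp: str    # UTC, ISO-8601
    source_type: str  # "windows_security" or "syslog"
    host: str
    event_id: str     # Windows EventID, or the syslog program name
    outcome: str      # "success", "failure" or "unknown"
    user: str
    message: str


# Constructed sample: a failed network logon (EventID 4625) in Event XML form.
WINDOWS_SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-03-01T10:15:30.123456Z"/>
    <Computer>FS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>"""

# Constructed sample: RFC 3164-style line; note it has no year and no timezone.
SYSLOG_SAMPLE = ("Mar  1 10:16:02 web01 sshd[2231]: Failed password for invalid user "
                 "admin from 203.0.113.5 port 51234 ssh2")

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s(?P<time>\d\d:\d\d:\d\d)\s"
    r"(?P<host>\S+)\s(?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s(?P<msg>.*)$")


def parse_windows_event(xml_text: str) -> NormalizedEvent:
    """Map a Windows Security Event XML document onto the common schema."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = system.findtext("e:EventID", namespaces=NS)
    keywords = int(system.findtext("e:Keywords", default="0", namespaces=NS), 16)
    system_time = system.find("e:TimeCreated", NS).get("SystemTime")
    # SystemTime is already UTC ("Z"); convert to an aware datetime.
    ts = datetime.fromisoformat(system_time.replace("Z", "+00:00")).astimezone(timezone.utc)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    if keywords & KW_AUDIT_FAILURE:
        outcome = "failure"
    elif keywords & KW_AUDIT_SUCCESS:
        outcome = "success"
    else:
        outcome = "unknown"
    user = f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}".strip("\\")
    return NormalizedEvent(ts.isoformat(), "windows_security",
                           system.findtext("e:Computer", namespaces=NS), event_id,
                           outcome, user, f"EventID {event_id} LogonType {data.get('LogonType', '?')}")


def parse_syslog_line(line: str, year: int, tz: tzinfo = timezone.utc) -> NormalizedEvent:
    """Map an RFC 3164 syslog line onto the common schema.

    `year` and `tz` are assumptions supplied by the caller (the line has neither)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = local.replace(tzinfo=tz).astimezone(timezone.utc)
    msg = m["msg"]
    outcome = "failure" if msg.startswith("Failed") else "success" if msg.startswith("Accepted") else "unknown"
    user_match = re.search(r"\bfor (?:invalid user )?(\S+)", msg)
    user = user_match.group(1) if user_match else ""
    return NormalizedEvent(ts.isoformat(), "syslog", m["host"], m["prog"], outcome, user, msg)


def normalize_all() -> list[dict]:
    """Normalize both constructed samples and order them on the common timestamp."""
    events = [parse_windows_event(WINDOWS_SAMPLE), parse_syslog_line(SYSLOG_SAMPLE, year=2016)]
    return [asdict(e) for e in sorted(events, key=lambda e: e.timestamp)]


if __name__ == "__main__":
    for record in normalize_all():
        print(record)
```

Once both streams share `timestamp`, `host`, `user` and `outcome` fields, a correlation rule such as "failed logons for the same user across a Windows file server and a Linux host within one minute" is a simple query over one table, which is exactly what ACS's Windows-only store does not give you.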

A1opus (Author) commented:
@btan,

So, if we meet the following points, you are recommending ACS for the time being:

1. Windows infrastructure
2. We want to monitor Windows security events only
3. We already have a robust SCOM 2012 R2 environment.

Right?
btan (Exec Consultant) commented:
Yes, that is what ACS is supposed to do as its core function, with the necessary setup of collectors feeding into its central log for oversight. This is already spelled out in https://technet.microsoft.com/en-us/library/hh212908.aspx