Audit Collection Services

Audit Collection Services (ACS) is a feature of SCOM that provides collection and reporting of Windows security events.

Functioning
Several components dedicated to ACS are either installed or activated on the SCOM platform.

An ACS Forwarder is a service present by default on every SCOM agent. Once enabled, it collects the events of the Windows Security log and forwards them to an ACS Collector.

An ACS Collector is a server role that can optionally be installed on a Management Server. It receives the security events sent by the ACS Forwarders, processes them and stores them in the ACS Database.

The ACS Database is a dedicated database hosted on a SQL Server instance. It is completely distinct from the Operational Database and the Data Warehouse. Because of the massive size the database can reach (easily one terabyte or more), this component is usually installed on a dedicated server.

Usage
ACS is a valuable feature for organizations interested in auditing the security events generated in their IT environment. A few common scenarios are often envisioned by organizations:
 * Logon events generated on Active Directory Domain Controllers, to audit whether a security breach happened.
 * Security events generated on critical folders, to audit which users accessed, modified or deleted important files.
 * Any events written by a third-party application to the Windows Security event log.
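The first two scenarios above amount to questions an auditor asks over the events the forwarders have shipped to the ACS Database: which accounts show bursts of failed logons on the domain controllers (and whether a successful logon followed), and who did what to the files in a watched folder. The following example, added here and not part of SCOM or ACS, answers both questions over a constructed set of Windows Security events. The event IDs 4625 (failed logon), 4624 (successful logon) and 4663 (object access) are real Windows Security event IDs; the field names, the sample records, the threshold of five failures and the watched folder `C:\Finance` are assumptions of the example. The real ACS Database schema is not modelled here, so in practice the records would come from a query against that database rather than from an in-memory list.

```python
# Added example (not part of SCOM or ACS): an offline analysis of Windows
# Security events of the kind an ACS Forwarder ships to the ACS Collector.
# Event IDs 4625/4624/4663 are real Windows Security event IDs; the records
# below are constructed sample data, not output from a real collector, and
# their field names are an assumption of this example.
from collections import Counter, defaultdict

# Constructed sample, assumed to be in chronological order: six failed logons
# for "jdoe" from one address followed by a success, two stray failures for
# "asmith", and three object-access events on a finance spreadsheet plus one
# on an unwatched path.
SAMPLE_EVENTS = (
    [{"EventId": 4625, "Computer": "DC01", "TargetUser": "jdoe", "IpAddress": "10.0.0.55"}
     for _ in range(6)]
    + [{"EventId": 4625, "Computer": "DC01", "TargetUser": "asmith", "IpAddress": "10.0.0.77"}
       for _ in range(2)]
    + [{"EventId": 4624, "Computer": "DC01", "TargetUser": "jdoe", "IpAddress": "10.0.0.55"}]
    + [
        {"EventId": 4663, "Computer": "FS01", "SubjectUser": "alice",
         "ObjectName": r"C:\Finance\budget.xlsx", "Access": "ReadData"},
        {"EventId": 4663, "Computer": "FS01", "SubjectUser": "bob",
         "ObjectName": r"C:\Finance\budget.xlsx", "Access": "WriteData"},
        {"EventId": 4663, "Computer": "FS01", "SubjectUser": "bob",
         "ObjectName": r"C:\Finance\budget.xlsx", "Access": "DELETE"},
        {"EventId": 4663, "Computer": "FS01", "SubjectUser": "carol",
         "ObjectName": r"C:\Temp\scratch.txt", "Access": "ReadData"},
    ]
)

# Assumed threshold: this many failed logons from one (user, source) pair is a burst.
FAILED_LOGON_THRESHOLD = 5


def failed_logon_summary(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return {(user, source_ip): count} for every pair at or above the burst threshold."""
    counts = Counter()
    for e in events:
        if e["EventId"] == 4625:
            counts[(e["TargetUser"], e["IpAddress"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def burst_then_success(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return (user, source_ip) pairs whose failed-logon burst was followed by a
    successful logon (4624) from the same source; events must be in time order."""
    running = Counter()
    hits = []
    for e in events:
        key = (e.get("TargetUser"), e.get("IpAddress"))
        if e["EventId"] == 4625:
            running[key] += 1
        elif e["EventId"] == 4624 and running[key] >= threshold:
            hits.append(key)
            running[key] = 0  # reset so one burst is reported once
    return hits


def file_activity(events, watched_prefix):
    """Return {path: {user: sorted list of access types}} for object-access
    events (4663) whose ObjectName lies under watched_prefix."""
    activity = defaultdict(lambda: defaultdict(set))
    prefix = watched_prefix.lower()
    for e in events:
        if e["EventId"] != 4663:
            continue
        path = e["ObjectName"]
        if not path.lower().startswith(prefix):
            continue
        activity[path][e["SubjectUser"]].add(e["Access"])
    return {p: {u: sorted(a) for u, a in users.items()} for p, users in activity.items()}


if __name__ == "__main__":
    print("Failed-logon bursts:", failed_logon_summary(SAMPLE_EVENTS))
    print("Burst followed by success:", burst_then_success(SAMPLE_EVENTS))
    print("Activity under C:\\Finance:", file_activity(SAMPLE_EVENTS, r"C:\Finance"))
```

The two stray failures for `asmith` fall under the threshold and are not reported, which is the point of thresholding: a password typo should not page anyone, while six failures followed by a success from the same address should. The file view groups by object and user so the auditor sees at a glance that `bob` both modified and deleted the spreadsheet while `alice` only read it.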