In the past, I’ve talked about a forthcoming Microsoft tool called Audit Collection Services (ACS). It’s a useful tool that stores all the events from all your Windows Server 2003, Windows 2000 Server, and Windows XP Professional Security logs in one central Microsoft SQL Server database. It’s been in development since 2001 and in beta since about early 2003 (yes, you read that right), and Release Candidate 2 (RC2) has been out since December 2004 or January 2005, if I recall.
What's the hang-up? As far as I can see, ACS works pretty well. Unfortunately, Microsoft has had a change of plans. According to Microsoft's Eric Fitz's "What is up with Audit Collection Services?" blog entry, dated November 9, 2005, Redmond decided not to release ACS as a standalone tool after all. Instead, ACS is going into the next release of Microsoft Operations Manager (MOM). In other words, you have to pay for it.
This is terrible news on several levels. First, ACS was a good idea and a much-needed tool. Ever since Bill Gates had his early-2002 epiphany about the importance of Windows security, Microsoft has been talking a lot about making Windows easier to secure, and the company has lived up to some of that talk with Software Update Services (SUS), Windows Server Update Services (WSUS), and many of the security-oriented innovations built into XP Service Pack 2 (SP2) and 2003 SP1.
But this one was essential.
Every OS has some way of logging important events, messages, errors, and warnings. But these days, many computers are on networks, and the notion that someone should individually visit each networked system to collect and aggregate those logs is ludicrous. A quick perusal of Microsoft’s marketing material will turn up many feature-level comparisons between Windows and UNIX with—predictably—the apparent result that Windows clocks UNIX every time. Let us, then, take a moment to compare one particular feature: UNIX event logging versus Windows event logging, including the concept of syslog servers.
UNIX's counterpart to the Windows event viewer is its syslog data. And sure, left to itself, any UNIX or Linux system stores its events locally. But every UNIX or Linux variant that I know of offers the option to store those syslog entries on a centralized server. This isn't rocket science. Events are small pieces of data, and shooting events over the network from every Windows system in your network to some centralized SQL Server machine isn't going to degrade the network. Put simply, the lack of some kind of tool to centralize event logs in Windows has been one of the most obvious holes in Windows, an open sore that makes security audit event logging almost pointless.
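To make the syslog-server idea concrete, here is an added example (not code from the column or from any Microsoft or UNIX vendor tool) of what a minimal central collector does with the events that remote hosts forward to it: parse the classic BSD syslog line format, decode the priority into facility and severity, store every event in one central table, and then answer the questions a security audit actually asks across all hosts at once. The log lines are constructed for this example; the `CentralLogStore` class, its method names, and the hostnames `web01` and `db01` are assumptions of the example, not anything the column describes.

```python
import re
import sqlite3

# Classic BSD syslog line: <PRI>Mon DD hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity; return the two names."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError(f"invalid facility in PRI {pri}")
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog_line(line: str) -> dict:
    """Parse one forwarded syslog line; returns None if it is not well-formed."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "host": m["host"],
        "facility": facility,
        "severity": severity,
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


class CentralLogStore:
    """One table holding the events of every host that forwards to us (assumed design)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE events (host TEXT, facility TEXT, severity TEXT, "
            "tag TEXT, pid INTEGER, msg TEXT)"
        )

    def ingest(self, lines) -> tuple:
        """Store every parseable line; return (accepted_count, rejected_lines)."""
        accepted, rejected = 0, []
        for line in lines:
            ev = parse_syslog_line(line)
            if ev is None:
                rejected.append(line)
                continue
            self.db.execute("INSERT INTO events VALUES (?,?,?,?,?,?)",
                            (ev["host"], ev["facility"], ev["severity"],
                             ev["tag"], ev["pid"], ev["msg"]))
            accepted += 1
        return accepted, rejected

    def events_per_host(self) -> dict:
        rows = self.db.execute("SELECT host, COUNT(*) FROM events GROUP BY host")
        return dict(rows.fetchall())

    def failed_logins(self) -> list:
        """The cross-host question that per-machine log viewing makes painful."""
        rows = self.db.execute(
            "SELECT host, msg FROM events WHERE tag = 'sshd' AND msg LIKE 'Failed password%'"
        )
        return rows.fetchall()


# Constructed sample of lines as two hosts would forward them to the collector.
SAMPLE_LINES = [
    "<38>Nov  9 10:15:01 web01 sshd[2314]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2",
    "<86>Nov  9 10:15:03 db01 sshd[911]: Accepted publickey for alice from 10.0.0.7 port 40022 ssh2",
    "<85>Nov  9 10:15:05 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "this line has no priority and should be rejected",
]

if __name__ == "__main__":
    store = CentralLogStore()
    print(store.ingest(SAMPLE_LINES))
    print(store.events_per_host())
    print(store.failed_logins())
```

A real collector would listen on UDP/TCP 514 and write to a durable database, but the shape is the same: a tiny parser per event and one store that every host feeds, which is exactly the function Windows lacked without a tool like ACS.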
Do any third-party tools fill this gap? Sure, and I might use one if I didn't mind spending money on something that, by all rights, should be part of the OS. Similarly, after purchasing Windows, I probably wouldn't appreciate having to buy a program that copies files. But suppose I did want to spend money for an event-log aggregator. What options would I have? Imagine you're a software company looking to build that killer app, that must-have add-on that would put your kids through graduate school. Seems to me, a high-quality event-log aggregator—with the right feature set, fit and finish, UI, scripting functionality—would do fairly well. Would you build one?
Of course you wouldn’t! Who in their right mind would do all that work when it’s been common knowledge for 4 years that Microsoft has been working on a free Security log aggregator? I’m exaggerating, of course. You'll find several third-party aggregator tools out there, and some are probably quite good, although they’re a bit expensive. With more competition, that pricing would change, but with Microsoft depressing the market for aggregators for years, we haven't seen that competition, so who knows? Perhaps forcing someone to have MOM before he or she can get ACS might sell a few copies of MOM. Perhaps Microsoft has decided that security can be a profit center. That's just sad.
So, farewell, ACS. I’ll miss you. The bad guys won't miss you, that's for sure. They'll have an easier time probing users' systems. But I'll miss you.