ACS doesn't provide alerting.

However, the answer to your question is seconds to milliseconds, for a healthy
environment. Events are read and watermarked, and sent immediately over the
wire to an ACS collector, which inserts it in the queue in memory, then
compares it against a WMI filter, then either drops the event or inserts it in
the ACS DB.

If you wrote a SCOM rule against the security event log, the answer would be
similar... the event is read, an alert is generated on the agent, and sent
immediately from the agent to the management server, which writes the data to a
database, which is presented in the SCOM console. This process takes a few
seconds in most cases.



From: [email protected] [mailto:[email protected]] On 
Behalf Of Sarbjit Singh
Sent: Thursday, March 5, 2015 10:38 PM
To: [email protected]
Subject: [msmom] ACS real time update

Greetings folks,

I have a request for auditing and alerting on file and folder changes on an
application Windows server. Any changes (e.g. deletion of a file) need to be
alerted to a group of users via email.

I guess this can be achieved, but what should the "REAL TIME" expectation be?
What would the typical latency be from the moment an event is dropped into
the security log on the Windows Server and this event is picked up by ACS in
SCOM mgmt.?

Regards
Sarbjit Singh




