File Server Auditing
-
What's the best way to set up File Server Auditing? Our main file server is Server 2012.
I want to have an easy-to-read log that tells me every time the user makes a change (saves, deletes, renames, moves a folder, etc.).
-
Start by enabling file share auditing.
-
@DustinB3403 is right. I just filter by event ID. I'd be interested to see if anyone is doing it differently though.
-
@DustinB3403 @wirestyle22 Does that mean I have to read the whole log just to get information about 1 user, or 1 folder? I am looking for something easy, like PrintLogger by PaperCut
-
Readability is a big one for me
-
@aaronstuder said in File Server Auditing:
Readability is a big one for me
Zabbix might work for this.
-
@aaronstuder said in File Server Auditing:
@DustinB3403 @wirestyle22 Does that mean I have to read the whole log just to get information about 1 user, or 1 folder? I am looking for something easy, like PrintLogger by PaperCut
I just filter the results
-
@aaronstuder said in File Server Auditing:
@DustinB3403 @wirestyle22 Does that mean I have to read the whole log just to get information about 1 user, or 1 folder? I am looking for something easy, like PrintLogger by PaperCut
Send the logs to Loggly, ELK or Splunk.
-
@scottalanmiller This is Windows
-
Anyone have a good guide? I see a bunch, but I want a good one
-
@aaronstuder said in File Server Auditing:
@scottalanmiller This is Windows
I know. That's why I advised the above.
-
@scottalanmiller said in File Server Auditing:
@aaronstuder said in File Server Auditing:
@scottalanmiller This is Windows
I know. That's why I advised the above.
Technically, the below
-
@MattSpeller said in File Server Auditing:
@scottalanmiller said in File Server Auditing:
@aaronstuder said in File Server Auditing:
@scottalanmiller This is Windows
I know. That's why I advised the above.
Technically, the below
Above for the default view.
-
For enabling the audit settings, please refer to:
Configuring Audit Policies
http://technet.microsoft.com/en-us/library/dd277403.aspx
Apply or modify auditing policy settings for a local file or folder
https://technet.microsoft.com/en-us/library/cc771070(v=ws.11).aspx
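
As an added example (not part of the original post), the two steps those articles describe can be scripted from an elevated PowerShell session: enable the audit subcategories, then put an audit entry (SACL) on the folder. The folder path, the `Everyone` principal and the set of rights below are assumptions chosen for illustration.

```powershell
# Added example. Run elevated on the file server.
# $folder is a placeholder path; 'Everyone' and the rights list are assumptions.
$folder = 'D:\Shares\Finance'

# 1. Audit policy: "File System" yields 4663/4660, "File Share" yields 5140.
#    Subcategory names are localized on non-English systems.
auditpol /set /subcategory:"File System" /success:enable
auditpol /set /subcategory:"File Share"  /success:enable

# 2. SACL: audit successful changes only. Auditing reads as well makes the
#    Security log grow much faster.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $folder -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify both halves: without the policy the SACL logs nothing, and vice versa.
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"File Share"
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```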
-
I had enabled auditing on my server. I filter based on my notes:
- 4663 - An attempt was made to access an object.
- 4660 - An object was deleted.
- 5140 - A network share object was accessed.
- Filter using the code 4663, then in the results, find the file.
However, logs do tend to get big. Initially, I had configured it to a max of 13GB but have now adjusted it to 5.24GB for a week of logs.
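
An added example, not part of the original post: filtering on those three event IDs and reducing the result to one user and one folder, so the whole log does not have to be read. The user name, folder path and seven-day window are placeholder assumptions; field names such as `SubjectUserName`, `ObjectName`, `HandleId` and `AccessMask` are the ones Windows records in these events.

```powershell
# Added example. Run elevated; $user and $folder are placeholder values.
$user   = 'jsmith'
$folder = 'D:\Shares\Finance'
$since  = (Get-Date).AddDays(-7)

# File-object access bits that indicate a change (4663 AccessMask field).
$changeBits = @{ 0x2 = 'Write/AddFile'; 0x4 = 'Append/AddSubdir'; 0x40 = 'DeleteChild'
                 0x100 = 'WriteAttributes'; 0x10000 = 'Delete'; 0x40000 = 'ChangePermissions' }

# Let the event log service filter by ID and time instead of reading everything.
$filter = @{ LogName = 'Security'; Id = 4663, 4660, 5140; StartTime = $since }
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        User   = $d.SubjectUserName
        Path   = if ($d.ObjectName) { $d.ObjectName } else { $d.ShareLocalPath }
        Handle = $d.HandleId
        Mask   = if ($d.AccessMask) { [Convert]::ToInt32($d.AccessMask, 16) } else { 0 }
    }
}

# 4660 (deleted) carries no path: recover it from the 4663 event with the same handle.
$pathByHandle = @{}
$rows | Where-Object { $_.Id -eq 4663 } | ForEach-Object { $pathByHandle[$_.Handle] = $_.Path }
foreach ($r in $rows | Where-Object { $_.Id -eq 4660 }) { $r.Path = $pathByHandle[$r.Handle] }

$rows |
    Where-Object { $_.User -eq $user -and $_.Path -like "*$folder*" } |
    Sort-Object Time |
    Select-Object Time, Id, User, Path, @{ n = 'Access'; e = {
        $m = $_.Mask
        if ($_.Id -eq 4660) { 'Deleted' }
        else { ($changeBits.GetEnumerator() | Where-Object { $m -band $_.Key } |
                Sort-Object Key | ForEach-Object Value) -join ', ' }
    } } |
    Format-Table -AutoSize
```

Handle IDs are reused over time, so on a busy server the 4660-to-4663 pairing is more reliable when it also matches on process ID and a narrow time window.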
-
I've read about Netwrix as well, however I'm critical of those I install on my servers
Topic in SW:
https://community.spiceworks.com/topic/1967683-free-file-auditing-software
-
@vhinzsanchez said in File Server Auditing:
I've read about Netwrix as well, however I'm critical of those I install on my servers
Topic in SW:
https://community.spiceworks.com/topic/1967683-free-file-auditing-software
I've just started using Netwrix on my file servers, seems to work really well and doesn't have much overhead. It can email alert if there are a large number of changes. Fully searchable and can use SQL as a database backend if you have one already set up. If not it uses I believe an Access database (don't hold me to that).
It uses the Windows auditing log to get info about the changes which means it's trying to engineer anything new in and will set up the auditing for you on install.
Was really quick to set up and comes in fairly cheap
Goes back to lurking...
-
@akp982 said in File Server Auditing:
@vhinzsanchez said in File Server Auditing:
I've read about Netwrix as well, however I'm critical of those I install on my servers
Topic in SW:
https://community.spiceworks.com/topic/1967683-free-file-auditing-software
I've just started using Netwrix on my file servers, seems to work really well and doesn't have much overhead. It can email alert if there are a large number of changes. Fully searchable and can use SQL as a database backend if you have one already set up. If not it uses I believe an Access database (don't hold me to that).
It uses the Windows auditing log to get info about the changes which means it's trying to engineer anything new in and will set up the auditing for you on install.
Was really quick to set up and comes in fairly cheap
Goes back to lurking...
Whoa, we were just talking about you too!
-
@akp982 said in File Server Auditing:
@vhinzsanchez said in File Server Auditing:
I've read about Netwrix as well, however I'm critical of those I install on my servers
Topic in SW:
https://community.spiceworks.com/topic/1967683-free-file-auditing-software
I've just started using Netwrix on my file servers, seems to work really well and doesn't have much overhead. It can email alert if there are a large number of changes. Fully searchable and can use SQL as a database backend if you have one already set up. If not it uses I believe an Access database (don't hold me to that).
It uses the Windows auditing log to get info about the changes which means it's trying to engineer anything new in and will set up the auditing for you on install.
Was really quick to set up and comes in fairly cheap
Goes back to lurking...
Interesting. I should play around with that.
-
@akp982 said in File Server Auditing:
@vhinzsanchez said in File Server Auditing:
I've read about Netwrix as well, however I'm critical of those I install on my servers
Topic in SW:
https://community.spiceworks.com/topic/1967683-free-file-auditing-software
I've just started using Netwrix on my file servers, seems to work really well and doesn't have much overhead. It can email alert if there are a large number of changes. Fully searchable and can use SQL as a database backend if you have one already set up. If not it uses I believe an Access database (don't hold me to that).
It uses the Windows auditing log to get info about the changes which means it's trying to engineer anything new in and will set up the auditing for you on install.
Was really quick to set up and comes in fairly cheap
Goes back to lurking...
How much use is this without the "who" functionality?