Windows Server 2012 R2 File Auditing...thingy
-
@LAH3385 said:
How can I set up audit on a share drive? Just to see what has been deleted, moved, edited, created, etc. I am tasked to create a daily report on one specific folder where they suspect someone is messing with it.
In the security settings you can turn on auditing. In the same area that you give permissions to shared files and folders. You have to select what you want it to audit.
-
@scottalanmiller said:
Shared drive? Are you asking "how is this done" or are you asking "I'm used to this when it is not shared, but now it is shared, what changes?"
We have a folder where anyone can put anything in it. Think of it like a junk yard. I don't know why we have it but we have it.
@wirestyle22 said:
@LAH3385 said:
How can I set up audit on a share drive? Just to see what has been deleted, moved, edited, created, etc. I am tasked to create a daily report on one specific folder where they suspect someone is messing with it.
In the security settings you can turn on auditing. In the same area that you give permissions to shared files and folders. You have to select what you want it to audit.
What user or group do I add? How does it work?
-
@LAH3385 said:
@scottalanmiller said:
Shared drive? Are you asking "how is this done" or are you asking "I'm used to this when it is not shared, but now it is shared, what changes?"
We have a folder where anyone can put anything in it. Think of it like a junk yard. I don't know why we have it but we have it.
@wirestyle22 said:
@LAH3385 said:
How can I set up audit on a share drive? Just to see what has been deleted, moved, edited, created, etc. I am tasked to create a daily report on one specific folder where they suspect someone is messing with it.
In the security settings you can turn on auditing. In the same area that you give permissions to shared files and folders. You have to select what you want it to audit.
What user or group do I add? How does it work?
YOURDOMAIN\Domain Users
You basically go into Event Viewer and click on system. You will see those events there. Look up event IDs for what you specifically want to audit and you can filter just those events.
-
@wirestyle22
Is it wise to put Authenticated Users for auditing?
-
@LAH3385 said:
@wirestyle22
Is it wise to put Authenticated Users for auditing?
You're selecting what users you want to audit. You want to audit all of your users correct? @scottalanmiller can you hop in here and tell me if I'm missing something?
-
@wirestyle22
Yes. Everyone. So do I use domain/users?
-
@LAH3385 said:
@wirestyle22
Yes. Everyone. So do I use domain/users?
That is what I do, but let's see if Scott (or someone else that may know something I don't) has something to add before you make changes.
-
Calling for backup. Dirty Matt and the Boys (hoping you get this reference) @Dashrender @MattSpeller @dafyre
-
@wirestyle22 said:
Calling for backup. Dirty Matt and the Boys (hoping you get this reference) @Dashrender @MattSpeller @dafyre
I do not get the reference.
I haven't done auditing in close to a decade - so I'm not sure without trying.
-
@wirestyle22 For sure it'll be some screwy folder permissions thing at which point I'd rather poke myself in the eye. Wonder if there's FOS software for this yet.
-
@MattSpeller said:
@wirestyle22 For sure it'll be some screwy folder permissions thing at which point I'd rather poke myself in the eye. Wonder if there's FOS software for this yet.
I think what I said is accurate
-
@wirestyle22 said:
@MattSpeller said:
@wirestyle22 For sure it'll be some screwy folder permissions thing at which point I'd rather poke myself in the eye. Wonder if there's FOS software for this yet.
I think what I said is accurate
Easy enough to test - @LAH3385 I'd set up a small folder to try and see how it works
-
@LAH3385 Yeah. Test it and see. I'm 99% sure this will work.
-
Yea. What makes it bad is that it goes and creates a whole bunch of Windows Event Viewer logs. I'd not leave it enabled on many folders without a specific reason.
-
@dafyre said:
Yea. What makes it bad is that it goes and creates a whole bunch of Windows Event Viewer logs. I'd not leave it enabled on many folders without a specific reason.
Only over x amount of time right? A few days I believe.
-
Besides this kind of auditing, is there any other way to audit a folder using a third-party application? I tested it out and it generated way too many event logs.
-
@LAH3385 said:
Besides this kind of auditing, is there any other way to audit a folder using a third-party application? I tested it out and it generated way too many event logs.
If you only need it to run for a few days, then this should be fine...
I don't know of any other utilities that will work for this.
-
@LAH3385 said:
Besides this kind of auditing, is there any other way to audit a folder using a third-party application? I tested it out and it generated way too many event logs.
Not really. This is what I do.
-
@dafyre said:
@LAH3385 said:
Besides this kind of auditing, is there any other way to audit a folder using a third-party application? I tested it out and it generated way too many event logs.
If you only need it to run for a few days, then this should be fine...
I don't know of any other utilities that will work for this.
He wants to run it for months... or forever. Not much of an audit... more like a report. He wants to know EVERYTHING going on in the folder. I just don't know how to put the result into a report at this amount.
-
@LAH3385 said:
@dafyre said:
@LAH3385 said:
Besides this kind of auditing, is there any other way to audit a folder using a third-party application? I tested it out and it generated way too many event logs.
If you only need it to run for a few days, then this should be fine...
I don't know of any other utilities that will work for this.
He wants to run it for months... or forever. Not much of an audit... more like a report. He wants to know EVERYTHING going on in the folder. I just don't know how to put the result into a report at this amount.
Okay, but you mean have logs constantly being generated and then stored...forever? To be referenced forever?
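-
An added example, not part of the thread or any poster's code: the folder auditing discussed above, limited to successful writes and deletes to keep event volume down, followed by the daily report that was asked for, built from event ID 4663 in the Windows Security log. The folder path, report path and the `YOURDOMAIN\Domain Users` principal are assumptions; run it elevated on the file server.

```powershell
# Assumed values, not from the thread: adjust to your server.
$Folder = 'D:\Shares\Common'
$Group  = 'YOURDOMAIN\Domain Users'
$Report = "C:\Reports\folder-audit-$(Get-Date -Format yyyy-MM-dd).csv"

# 1. Enable the File System audit subcategory, success events only.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit (SACL) entry for writes and deletes. Reads are left out
#    because they account for most of the event volume.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group, $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Report: every 4663 event under $Folder since yesterday 00:00.
$masks = @{ 0x2 = 'Write/Create file'; 0x4 = 'Append/Create folder'; 0x40 = 'Delete child'; 0x10000 = 'Delete' }
$since = (Get-Date).Date.AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    # Flatten the event's named <Data> fields into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    # Skip events for objects outside the audited folder.
    if (-not ([string]$d['ObjectName']).StartsWith($Folder, [StringComparison]::OrdinalIgnoreCase)) { continue }
    $mask = [Convert]::ToInt32($d['AccessMask'], 16)
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Action  = ($masks.Keys | Sort-Object | Where-Object { $mask -band $_ } | ForEach-Object { $masks[$_] }) -join ', '
        Path    = $d['ObjectName']
        Process = $d['ProcessName']
    }
}
$rows | Sort-Object Time | Export-Csv -Path $Report -NoTypeInformation
```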