Auditing files


Erezp

Hi,

I want to audit some directories in my network. I only want
to monitor users' access to files. I enabled the
auditing policy and configured the audit on the directory
properties. After a week I got a giant log with a lot of
information in it (80MB). I saved it to a file and queried
it in EventcombMT.exe (from - RKT2003). The result was a
huge txt file that I opened in Excel. I noticed that only
the lines with the string "Object Type: File" refer
to a real file. I made a small tool that removes the lines
without the string "Object Type: File". The result was
very small. Should I search for another string since I
only want user access to files?

Thanks
 
Hi,

Well, the best thing I typically do is, on a test workstation, turn up some
auditing on a sample folder that I create. I then touch a file like what I
want to audit, and watch the logs to see what it throws.
This will show you exactly what is shown when different actions are taken.

I typically do this for many things, not just auditing like this. It's the
best way to know what sort of an event is thrown.

Hope this helps!
~Eric
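
An added example, not part of either post: a Python sketch of the filtering step discussed in the thread, keeping only records with "Object Type: File" and summarizing who touched which file and how. The other field labels (Object Name, Client User Name, Primary User Name, Accesses) are assumed from the Windows object-access audit event description, and the sample records are constructed.

```python
import re

# Field labels assumed from the Windows object-access audit event description;
# only "Object Type: File" itself appears in the thread.
LABELS = ["Object Server", "Object Type", "Object Name",
          "Primary User Name", "Client User Name", "Accesses"]
_ALT = "|".join(LABELS)
_FIELD = re.compile(r"(%s):\s*(.*?)\s*(?=(?:%s):|$)" % (_ALT, _ALT))

def parse_fields(record):
    """Split one flattened event description into {label: value}."""
    return dict(_FIELD.findall(record))

def acting_user(fields):
    """Prefer the client (remote) user; fall back to the primary user."""
    client = fields.get("Client User Name", "-")
    return client if client not in ("", "-") else fields.get("Primary User Name", "?")

def file_access_summary(records):
    """Map (user, file path) -> sorted access types, for file objects only."""
    summary = {}
    for record in records:
        fields = parse_fields(record)
        if fields.get("Object Type") != "File" or "Object Name" not in fields:
            continue  # registry keys, other object types, unrelated lines
        key = (acting_user(fields), fields["Object Name"])
        summary.setdefault(key, set()).add(fields.get("Accesses", ""))
    return {key: sorted(values) for key, values in summary.items()}

# Constructed sample records (not real log output).
SAMPLE = [
    r"Object Open: Object Server: Security Object Type: File Object Name: "
    r"D:\Data\Finance\budget.xls Primary User Name: FS01$ "
    r"Client User Name: alice Accesses: ReadData (or ListDirectory)",
    r"Object Open: Object Server: Security Object Type: Key Object Name: "
    r"\REGISTRY\MACHINE\SOFTWARE\Example Primary User Name: bob "
    r"Client User Name: - Accesses: Query key value",
    r"Object Open: Object Server: Security Object Type: File Object Name: "
    r"D:\Data\Finance\budget.xls Primary User Name: FS01$ "
    r"Client User Name: alice Accesses: WriteData (or AddFile)",
    r"Object Open: Object Server: Security Object Type: File Object Name: "
    r"D:\Data\HR\plan.doc Primary User Name: bob "
    r"Client User Name: - Accesses: ReadData (or ListDirectory)",
]

if __name__ == "__main__":
    for (user, path), accesses in sorted(file_access_summary(SAMPLE).items()):
        print(user, path, "; ".join(accesses))
```

Running it against events generated on a test folder, as Eric suggests, is a quick way to confirm that the assumed labels match what the audited system actually logs.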
 