TDM
I am completely confused on setting file auditing. I hope this does not
get too verbose. Logistics: Win2K Pro, SP4, all security updates applied
via Windows Update. Member of WORKGROUP, no domain account.

After googling till I am blue in the face, I came to the conclusion that
in order to audit file access, one needs to enable Object Access auditing,
so I did. No problems here. I then enabled file auditing on /temp for
testing purposes, did some stuff in /temp and then looked at the security
log. Sure enough, the auditing was there, but so was a ton of other useless
banter about basically access to EVERY object on the system, be it a DLL,
a .EXE, you name it, it was there. To put it in more detail, just the
simple creation of a folder in /temp created a whopping 1.2MB log file. At
this rate, the log file will fill up very fast, much faster than I would
like. Then turn back on real time virus protection and the log file goes
bonkers with object accesses from snortin Norton. I set the file size to
256MB and at this rate, I think it will fill up daily.

From what I read on Google, I was under the impression that you HAD to
enable Object Access auditing to get file auditing, which appears to be the
case from testing, but I don't want all the other useless information. Have
I missed something here, done something wrong?? I simply want to audit file
access on specific folders and forget all the other auditing. Any and all
help is greatly appreciated.

TIA
TDM