The Watcher
This sounds like a simple request but I can't get it to work...
I'd like to start auditing some files, so I decided to do a test audit on a
single file first. These are the steps I followed:
1. In Local Security Settings under Audit Policy I set Audit object access
to Success.
2. From the Security tab of the Properties dialog I went to Advanced -->
Auditing and added myself, successful, List Folder/Read Data.
After setting these I opened the file (Read Data) and then checked the event
log under Security, and what did I find...
Lots and lots of access events - none of which were for the file I
specified. Instead the events were for all the executables for the windows I
interacted with (Explorer, notepad, etc.)
So I figured there must be some default auditing set for these items but
there were none in the auditing tab for those files. Just to be sure I went
to the level of the drive, set the auditing to blank, and replaced them for
the entire drive. Then reset it for the one file I wanted to audit. When I
looked in the Event Viewer what did I find...
The same thing! The file I wanted to audit shows nothing and everything I
don't want to audit filling the log!
What gives? Did I goof somewhere?
db
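The same two steps the post describes (turn on object-access auditing for success, then add a Success / Read Data audit entry for one account on one file), followed by a read of the file and a query that pulls back only the Security-log events that name that file. This is an added example, not code from the original post; the path C:\Audit\test.txt and the five-minute lookback are assumptions, and it targets the current auditpol / Get-WinEvent tooling (event ID 4663) rather than the Local Security Settings console and event 560 of the era the post was written in. Run it from an elevated prompt, since reading and writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not from the original post. Assumed path; change to suit.
$Target  = 'C:\Audit\test.txt'
$Account = "$env:USERDOMAIN\$env:USERNAME"

# Step 1 of the post: "Audit object access" = Success. On current Windows this
# category is split into subcategories; file/folder SACLs fire under "File System".
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# Step 2 of the post: Advanced -> Auditing -> add the account, Success, Read Data.
# -Audit is required or Get-Acl returns the DACL only and Set-Acl will not touch the SACL.
$acl  = Get-Acl -Path $Target -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $Account, 'ReadData', 'None', 'None', 'Success'
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Generate the audited access (the post opened the file in Notepad).
$null = Get-Content -Path $Target

# Pull 4663 ("An attempt was made to access an object") events and keep only those
# whose ObjectName is the audited file. Filtering here is what removes the noise from
# every executable and DLL the shell opens, which the post saw flooding the log.
function Get-FileAccessEvents {
    param([string]$Path, [int]$Minutes = 5)   # lookback window is an assumption

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the EventData fields by name from the event XML instead of by index,
        # so the code does not depend on the field order of the 4663 template.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -eq $Path) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Access  = $data.AccessMask   # 0x1 = ReadData for a file
            }
        }
    }
}

Get-FileAccessEvents -Path $Target | Format-Table -AutoSize
```

If the query returns nothing, check `auditpol /get /subcategory:"File System"` and `(Get-Acl $Target -Audit).Audit` before anything else: the SACL entry and the policy both have to be in place, and a policy pushed from a domain GPO will silently override the local setting.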