Re: HELP - File Auditing

From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 03/01/03


From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com>
Date: Sat, 1 Mar 2003 09:19:22 -0500


This is a remote possibility if multiple computers are having this problem,
but the security event log could be corrupt... try clearing the log using
the Event Viewer GUI. I've had this problem myself. The log size might
also be set to be too big. More information:

http://securityadmin.info/faq.htm#auditing

"Cameron Frasnelly" <networkmanage@premierwestbank.com> wrote in message
news:#tcgyY33CHA.2404@TK2MSFTNGP09.phx.gbl...
> We have performed all of the below on many servers with no results... I am
> an MCSE and I have had several other seasoned technicians look at this...
> Any more ideas would be appreciated!
>
> "Todd Beebe" <todd@turillion.com> wrote in message
> news:05f501c2df75$2a773ba0$2f01280a@phx.gbl...
>
>
> Enabling either success or failure event auditing does
> not automatically trigger any new "object access" audit
> events to be logged. Auditing must be enabled on
> individual objects for audit events to be logged.
>
> To enable auditing on a file/directory do the following:
>
> 1. Start Explorer
> 2. Right click on the file/directory you want to audit,
> and from the context menu select properties
> 3. Select the Security tab and click Auditing
> 4. If you have selected a directory, check the "replace
> auditing on subdirectories"
> 5. Click the Add button and add the user(s) who you wish
> to audit by selecting and clicking Add. When finished
> adding users, click OK
> 6. Select the events you wish to audit and then click OK
>
> Once you enable auditing on specific objects (files,
> directories, registry keys) you should begin to see audit
> events logged to the Eventlog.
>
> Regards,
>
> Todd Beebe, CISSP
>
> >-----Original Message-----
> >We have "Audit Object Access" set to effective success
> and failure on all of
> >our servers. All servers are (and have been) part of
> our domain. The
> >servers have had these settings for many days now. We
> still are unable to
> >get file auditing to log anything at all... any help
> would be appreciated...
> >we received the below from MS support.... GPEDIT.msc
> shows the proper
> >effective settings and it has been many days now...
> >
> >Thanks for your time.
> >++++++++++++++++++++++++++++++++++
> >Hi Cameron,
> >
> >Did that server join a domain? If you open the
> GPEDIT.msc in that server,
> >what the effective setting is for the following:
> >Local Computer Policy\Computer Configuration\Windows
> Settings\Security
> >Settings\Local Policies\Audit Policy\Audit object access
> >
> >At the same time, because the changes that you make to
> your computer's
> >audit policy setting take effect only when the policy
> setting is propagated
> >(or applied) to your computer, complete one of the
> following steps to
> >initiate policy propagation:
> >
> >1. Type "secedit /refreshpolicy machine_policy"
> (without the quotation
> >marks) at the command prompt, press ENTER, and then
> restart the computer.
> >
> >2. Wait for automatic policy propagation, which occurs
> at regular
> >intervals that you can configure. By default, policy
> propagation occurs
> >every eight hours.
> >
> >Regards,
> >
> >Jeff Qiu
> >jefffqiu@online.microsoft.com
> >Online Support Professional
> >Microsoft Corporation
> >
> >This posting is provided "AS IS" with no warranties,
> and confers no
> >rights.
> >
> >--------------------
> >>Reply-To: "Cameron Frasnelly"
> <networkmanage@premierwestbank.com>
> >>From: "Cameron Frasnelly"
> <networkmanage@premierwestbank.com>
> >>Subject: Auditing File Deletion NOT WORKING
> >>Date: Wed, 26 Feb 2003 13:57:43 -0800
> >>microsoft.public.win2000.security
> >>
> >>Hi there,
> >>
> >>We have object access success / failure turned on at
> the group policy level
> >>and on a specific server. We then turn auditing for file
> deletion on for
> >>Everyone on a specific folder and apply to files and
> folders beneath it.
> >>Before deleting a file (just for testing) we check to
> make sure auditing is
> >>applied to it... it is. We then delete the file and
> receive no event in
> >any
> >>log for its deletion. We were expecting an event
> 564... but none.
> >>
> >>win2k server with sp3 and all the latest patches
> >>
> >>Any ideas would be greatly appreciated.
> >>
> >>Cameron
> >>
> >>
> >>
> >
> >
> >.
> >
>
>

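The three conditions raised in this thread (effective "Audit object access" policy, an audit entry on the object itself, and the state and size of the Security log) can be checked together; the script below is an added example and is not part of any poster's message. It assumes a current English-language Windows host with PowerShell and `auditpol` run elevated, not the Windows 2000 SP3 servers in the thread, and `D:\Shares\Finance` is a hypothetical path.

```powershell
# Added example; run from an elevated PowerShell prompt on a current Windows host.
param([string]$Path = 'D:\Shares\Finance')   # hypothetical audited folder

# 1. Effective "Audit object access" policy for files (File System subcategory).
#    The subcategory name is localized; this assumes an English-language system.
$policyLine = auditpol /get /subcategory:"File System" |
    Select-String -Pattern '^\s*File System\s+(.+)$'
$policy = if ($policyLine) { $policyLine.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }

# 2. Audit entries (SACL) on the object itself. Policy alone logs nothing:
#    the object needs an audit rule covering the Delete right.
$rights = [System.Security.AccessControl.FileSystemRights]
$deleteRules = @((Get-Acl -Path $Path -Audit).Audit |
    Where-Object { $_.FileSystemRights -band $rights::Delete })

# 3. Security log state: disabled, full, or non-overwriting logs drop new events.
$log = Get-WinEvent -ListLog Security

# 4. Recent delete-related events, host-wide (not filtered by path). 4660 is the
#    current ID of the "object deleted" event (564 on Windows 2000); 4663 records
#    the access request itself.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Path               = $Path
    FileSystemPolicy   = $policy                 # want: Success and/or Failure
    DeleteAuditRules   = $deleteRules.Count      # want: at least 1
    LogEnabled         = $log.IsEnabled
    LogMode            = $log.LogMode            # Retain = no overwrite when full
    LogFull            = $log.IsLogFull
    LogSizeMB          = [math]::Round($log.FileSize / 1MB, 1)
    LogMaxMB           = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    RecentDeleteEvents = $events.Count
} | Format-List

# Show who and what each delete-covering audit rule applies to.
$deleteRules | Select-Object IdentityReference, AuditFlags, FileSystemRights,
    IsInherited, InheritanceFlags | Format-Table -AutoSize
```

A policy of "No Auditing", zero delete-covering audit rules, or a Security log that is disabled, full, or in Retain mode each explains silence on its own, so read the summary top to bottom before deleting a test file.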

