Re: Object auditing: event log doesn't show which object is being audi

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 07/08/05

    Date: Thu, 7 Jul 2005 21:15:55 -0500
    
    

    Auditing folders is tedious at best with the volume of records that will be
    recorded, particularly if you are auditing read/list. Take a look at your
    Event ID number 560 to see if you see the folder name under "object name".
    Below is an example from my computer of me accessing a folder named pix. You
    also may find that the free utility Event Comb from Microsoft will help you
    sift through the security log. You can use it to search for text strings
    such as a folder/file or user name. --- Steve

    Event Type: Success Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 560
    Date: 7/7/2005
    Time: 9:10:20 PM
    User: STEVE-XP\Steve
    Computer: STEVE-XP
    Description:
    Object Open:
      Object Server: Security
      Object Type: File
      Object Name: D:\Pix
      Handle ID: 1820
      Operation ID: {0,3708171}
      Process ID: 1932
      Image File Name: D:\WINDOWS\explorer.exe
      Primary User Name: Steve
      Primary Domain: STEVE-XP
      Primary Logon ID: (0x0,0x1748E)
      Client User Name: -
      Client Domain: -
      Client Logon ID: -
      Accesses: SYNCHRONIZE
       ReadData (or ListDirectory)

      Privileges: -
      Restricted Sid Count: 0

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    "M. Ioco" <MIoco@discussions.microsoft.com> wrote in message
    news:56DF8B4C-9838-430F-9109-833E49C691F2@microsoft.com...
    > I'm attempting to set up auditing on my Windows 2000 server. I'd like to
    > know when users access specific folders. This is to have proof that users
    > viewed certain files or folders.
    > So I enabled object auditing in the local security settings first, and
    > then went to the specific folder and enabled auditing there to log
    > successful and unsuccessful attempts to access this folder. The auditing
    > is working, however it never indicates the folder name being audited. If
    > I set up multiple folders, which I need to.... I'll never know which
    > folder was accessed by which user. Am I using the wrong type of audit?
    > How can I resolve this?
    >
    > Here is how I set up auditing at the folder level, under the auditing tab:
    > - I selected the groups I set up to allow access
    > - Then for specific audits, I tried a few different things, including
    >   success and failures to list folder/read data, and a few other read
    >   options.
    > - I should also note that users are accessing these folders from the web.
    >   The folders are secured so that attempts to access files in that
    >   directory prompt users for authentication.
    >
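
The text search described in the reply can also be scripted. The following Python is an added example, not part of the original thread and not Event Comb's own code: it parses Event ID 560 records from a plain-text export of the Security log and reports which users touched each audited folder. The sample records, the function names, the folder `D:\Secure` and the account names in the second record are constructed for illustration, and the export layout is assumed to match the event quoted above.

```python
import re

# Constructed sample: record 1 mirrors the event quoted above, record 2 is invented.
SAMPLE = r"""
Event Type: Success Audit
Event ID: 560
  Object Name: D:\Pix
  Primary User Name: Steve
  Client User Name: -
  Accesses: SYNCHRONIZE
   ReadData (or ListDirectory)

  Privileges: -
Event Type: Failure Audit
Event ID: 560
  Object Name: D:\Secure\HR\plan.doc
  Primary User Name: SERVER1$
  Client User Name: alice
  Accesses: ReadData (or ListDirectory)
"""

def parse_560(text):
    """Return one dict per Event ID 560 record in a plain-text log export."""
    records = []
    for chunk in re.split(r"(?m)^(?=[ \t]*Event Type:)", text):
        fields, last = {}, None
        for line in chunk.splitlines():
            m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
            if m:
                last, fields[m.group(1)] = m.group(1), m.group(2).strip()
            elif line.strip() and last == "Accesses":
                fields[last] += ", " + line.strip()  # access list wraps onto next lines
            else:
                last = None  # a blank line ends the wrapped access list
        if fields.get("Event ID") != "560":
            continue
        client = fields.get("Client User Name", "-")
        # Assumption: a client other than "-" is the user the server process acted for.
        user = client if client != "-" else fields.get("Primary User Name")
        records.append({"result": fields.get("Event Type"), "user": user,
                        "object": fields.get("Object Name", ""),
                        "accesses": fields.get("Accesses", "").split(", ")})
    return records

def by_folder(records, folders):
    """Map each audited folder to the (user, result) pairs seen at or under it."""
    return {f: {(r["user"], r["result"]) for r in records
                if (r["object"] + "\\").lower().startswith(f.rstrip("\\").lower() + "\\")}
            for f in folders}
```

The trailing backslash in the prefix comparison keeps a folder such as `D:\Pix` from also matching a sibling like `D:\Pixels`.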

