Re: File Auditing Question



Thanks! I'll take a look at that!

Remember the days when Microsoft products behaved as expected? Wait! Did I
just dream that? :)

db

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1sidnRWdlcvpUTPYnZ2dnUVZ_qqrnZ2d@xxxxxxxxxxxxxx
What you see is normal when you enable auditing of object access and yes,
many, many seemingly unrelated events are recorded. What I do is use the
free Event Comb from Microsoft to search the security log and it can
search for text strings that could be a file name or action such as
delete. When auditing object access you want to audit the minimum needed
objects, for the minimum needed permissions you want to track, and for the
minimum users avoiding everyone, etc.

Steve

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8639 --- Event Comb


"The Watcher" <here@xxxxxxxx> wrote in message
news:umdRRhnOHHA.4244@xxxxxxxxxxxxxxxxxxxxxxx
This sounds like a simple request but I can't get it to work...

I'd like to start auditing some files so I decided to do a test audit on
a single file first. These are the steps I followed:
1. In Local Security Settings under Audit Policy I set Audit object
access to Success,
2. From the Security tab of the Properties dialog I went to Advanced -->
Auditing and added myself, successful, List Folder/Read Data.

After setting these I open the file (Read Data) and then checked the
event log under Security and what did I find...
Lots and lots of access events - none of which were for the file I
specified. Instead the events were for all the executables for the
windows I interacted with (Explorer, notepad, etc.)

So I figured there must be some default auditing set for these items but
there were none in the auditing tab for those files. Just to be sure I
went to the level of the drive, set the auditing to blank, and replaced
them for the entire drive. Then reset it for the one file I wanted to
audit. When I looked in the Event Viewer what did I find...

The same thing! The file I wanted to audit shows nothing and everything I
don't want to audit filling the log!

What gives? Did I goof somewhere?

db
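
The log search Steve describes (match on a file name and an action string, then see which objects produce the noise) can also be scripted. This is an added example, not part of the original thread; the function names, the sample path `C:\Test\audit-me.txt` and the sample event text are constructed for illustration, and it assumes records that expose a `Message` property, as Security-log entries returned by `Get-WinEvent` do.

```powershell
# Constructed sample records (not real log output).
$sample = @(
    [pscustomobject]@{ Message = "Object Open:`n Object Type: File`n Object Name: C:\WINDOWS\explorer.exe`n Accesses: ReadData (or ListDirectory)" }
    [pscustomobject]@{ Message = "Object Open:`n Object Type: File`n Object Name: C:\WINDOWS\system32\notepad.exe`n Accesses: ReadData (or ListDirectory)" }
    [pscustomobject]@{ Message = "Object Open:`n Object Type: File`n Object Name: C:\WINDOWS\explorer.exe`n Accesses: ReadData (or ListDirectory)" }
    [pscustomobject]@{ Message = "Object Open:`n Object Type: File`n Object Name: C:\Test\audit-me.txt`n Accesses: ReadData (or ListDirectory)" }
    [pscustomobject]@{ Message = "Object Open:`n Object Type: File`n Object Name: C:\Test\audit-me.txt`n Accesses: DELETE" }
)

# Keep only records whose text mentions the file and, optionally, an access string.
function Select-FileAuditEvent {
    param(
        [Parameter(ValueFromPipeline = $true)] $Record,
        [Parameter(Mandatory = $true)] [string] $FileName,
        [string] $Access
    )
    process {
        $msg = [string]$Record.Message
        # Literal, case-insensitive substring match: '\' and '.' in paths are not patterns.
        $cmp = [System.StringComparison]::OrdinalIgnoreCase
        if ($msg.IndexOf($FileName, $cmp) -lt 0) { return }
        if ($Access -and $msg.IndexOf($Access, $cmp) -lt 0) { return }
        $Record
    }
}

# Count events per audited object to show where the log volume comes from.
function Measure-AuditNoise {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    begin { $names = @() }
    process {
        if ([string]$Record.Message -match 'Object Name:\s*([^\r\n]+)') {
            $names += $Matches[1].Trim()
        }
    }
    end { $names | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name }
}

# One record matches: the DELETE on the audited test file.
$sample | Select-FileAuditEvent -FileName 'C:\Test\audit-me.txt' -Access 'DELETE'
# Per-object counts; explorer.exe leads in this constructed sample.
$sample | Measure-AuditNoise

# Against a live log (elevated prompt), pipe real entries in instead of $sample:
# Get-WinEvent -LogName Security -MaxEvents 5000 | Select-FileAuditEvent -FileName 'audit-me.txt'
```

Objects that dominate the `Measure-AuditNoise` output are the ones whose audit entries are worth narrowing, in line with the advice to audit the minimum objects, permissions and users.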




