
Enable File Auditing in Windows

Created by James Nielsen, last modified by Craig O’ Neill on Jul 04, 2016


Overview

File auditing in Windows allows monitoring of events related to users accessing, modifying, and deleting sensitive files and folders on your network. To maximize the value of this type of auditing, only enable file auditing on a file server where a LEM Agent is installed, and only for the specific files and folders you want to monitor. Enabling file auditing on a large number of files or folders will result in an unnecessary number of log events on the LEM appliance.

Environment

  • All LEM versions running on Windows

Steps

  1. Enable object auditing in Windows:
    1. Open Administrative Tools > Local Security Policy.
    2. Expand Local Policies and click Audit Policy in the left pane.
    3. Select Audit object access in the right pane, and then click Action > Properties.
    4. Select Success and Failure.
    5. Click OK.
    6. Close the Local Security Policy window.
  2. To enable file auditing on a file or folder in Windows:
    1. Locate the file or folder you want to audit in Windows Explorer.
    2. Right-click the file or folder and then click Properties.
    3. Click the Security tab.
    4. Click Advanced.
    5. Click the Auditing tab.
    6. If you are using Windows Server 2008, click Edit.
    7. Click Add.
    8. Enter the name of a user or group you want to audit for the selected file or folder, and click Check Names to validate your entry. For example, enter Everyone.
    9. Click OK.
    10. Select Success and Failure next to Full control to audit everything for the selected file or folder.
    11. Optionally, clear Success and Failure for unwanted events, such as:
      • Read attributes
      • Read extended attributes
      • Write extended attributes
      • Read permissions
    12. Click OK in each window until you are back at the Windows Explorer window.
    13. Repeat these steps for all files or folders you want to audit.
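The same two steps can be scripted when many folders need identical audit settings. This is an added example, not part of the original article or of LEM: `Enable-FolderAudit` is a hypothetical helper name, `D:\Shares\Finance` is a placeholder path, and `auditpol` is used here as the command-line counterpart of the Local Security Policy setting in step 1.

```powershell
# Run from an elevated PowerShell prompt; editing a SACL needs administrator rights.

# Step 1: enable success and failure auditing for the Object Access category.
# A domain Group Policy that defines audit settings will overwrite this on refresh.
auditpol /set /category:"Object Access" /success:enable /failure:enable

function Enable-FolderAudit {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [string] $Identity = 'Everyone'   # the example principal from step 2.8
    )

    # Steps 2.10-2.11: start from Full control, then clear the four noisy accesses.
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $noise = [System.Security.AccessControl.FileSystemRights]'ReadAttributes, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions'
    $rights = [System.Security.AccessControl.FileSystemRights]([int]$full -band (-bnot [int]$noise))

    # Folders pass the rule down to children; a single file takes no inheritance flags.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $rights,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')

    # -Audit loads the existing SACL so current audit entries are kept, not replaced.
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the SACL back so the caller can confirm what is now audited.
    (Get-Acl -LiteralPath $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

# Placeholder path: audit only the specific folders you need (step 2.13).
Enable-FolderAudit -Path 'D:\Shares\Finance'
```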

 

 
