File Auditing confusion


T

TDM

I am completely confused on setting file auditing. I hope this does not
get too verbose. Logistics, Win2K Pro, SP4, all security updates applied via
windows update. Member of WORKGROUP, no domain account.

After googling till I am blue in the face, I came to the conclusion that
in order to audit file access, one needs to enable Object Access auditing
so I did. No problems here. I then enabled file auditing on /temp for
testing purposes, did some stuff in /temp and then looked at the security
log. Sure enough, the auditing was there, but so what a ton of other useless
banter about basically access to EVERY object on the system, be it a DLL,
a .EXE, you name it, it was there. To put it in more detail, just the simple
creation of a folder in /temp created a whopping 1.2MB log file. At this
rate,
the log file will fill up very fast, much faster than I would like. Then
turn back
on real time virus protection and the log file goes bonkers with object
accesses
from snortin Norton. I set the file size to 256MB and at this rate, I think
it will
fill up daily.

From what I read on google, I was under the impression that you HAD to
enable Object Access auditing to get file auditing which appears to be the
case from testing, but I dont want all the other useless information. Have I
missed something
here, done something wrong ?? I simply want to audit file access on specific
folders and forget all the other auditing. Any and all help is greatly
appreciated.

TIA

TDM
 
Ad

Advertisements

S

Steven L Umbach

That is pretty much how auditing of folders/files works. You will get a LOT
of events. Try to audit the bare minimum of folders for bare minimum of
permissions from bare number of users - avoid auditing the everyone/users
group. If you want to see if an unathorized user is trying to delete a
folder for instance, just audit permission to delete instead of every
permission. If you want to see who has accessed a folder, just audit read,
etc. You still will have a lot of events, though you can use filter view or
dunp to a spreadshett for further analysis. --- Steve
 
Ad

Advertisements

T

TDM

Steven,

Thanks for the reply. Can you reccommend a third party solution that
will more closely match what I want ?? I have to wonder what M$ was
thinking when they developed thier auditing. It seems to me it would have
be much easier to develop a more usable solution.

Again, thanks.

TDM
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top