File auditing not working properly


Akula

I have a Windows 2000 Server. I have turned on Object Access auditing
for success and failure. For an entire disk drive I turned on success
and failure auditing for everyone for create files/write data, create
folders/append data, list folder/read data. I then go into a folder on
this drive, edit and save a file, check the security log, but nothing
shows up there. Some object access auditing is occurring, as I get a
lot of object access events 560 and 562, but nothing relating to the
editing and saving tests I performed. Any help would be appreciated.
 
Try auditing only a specific folder first so that you can see how it works
and then be sure to audit only folders you need to track. Auditing a whole
drive will generate a huge amount of events. To help find pertinent events
try using Event Comb and use its ability for text searches to search for a
file name, etc. Make sure your security log is large enough to keep the
events you need. Usually you will find the filename under object name in
Event ID 560 as shown in the example below.

Steve

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 9/21/2006
Time: 12:11:28 AM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\test\test.txt
Handle ID: 2092
Operation ID: {0,1841040}
Process ID: 1548
Image File Name: D:\WINDOWS\explorer.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0x2F2D9)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
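
The search Steve describes (find the file name under Object Name in Event ID 560) can be scripted once the events are exported as text. The following is an added example, not part of the original posts; it assumes an export in the same "Field: value" layout as the event above, and the function names and the set of write-type accesses are choices made for this illustration.

```python
import re

# Constructed sample in the text layout of the event shown above (not real log data).
SAMPLE = r"""
Event Type: Success Audit
Event ID: 560
Object Name: D:\test\test.txt
Image File Name: D:\WINDOWS\explorer.exe
Accesses: DELETE
READ_CONTROL
WriteData (or AddFile)

Privileges: -
Event Type: Success Audit
Event ID: 560
Object Name: D:\test\other.txt
Accesses: READ_CONTROL
ReadData (or ListDirectory)
Event Type: Success Audit
Event ID: 562
Handle ID: 2092
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
WRITE_ACCESSES = {"DELETE", "WriteData", "AppendData"}  # assumed set of interest

def parse_events(text):
    """Split a text export into one dict per event; 'Accesses' becomes a list."""
    events, in_accesses = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.match(line)
        key, value = m.groups() if m else (None, line)
        if key == "Event Type":          # every exported event starts with this field
            events.append({"Accesses": []})
        if not events:
            continue
        if key == "Accesses" or (key is None and line and in_accesses):
            events[-1]["Accesses"].append(value.split(" (")[0])
            in_accesses = True
        else:                            # another field or a blank line ends the list
            in_accesses = False
            if key:
                events[-1][key] = value
    return events

def write_opens(events, name_fragment):
    """Event 560 records for a matching Object Name that request write-type access."""
    return [e for e in events
            if e.get("Event ID") == "560"
            and name_fragment.lower() in e.get("Object Name", "").lower()
            and WRITE_ACCESSES & set(e["Accesses"])]
```

Calling `write_opens(parse_events(SAMPLE), r"D:\test")` returns only the record for `D:\test\test.txt`, because the other 560 event requests read access only and the 562 event is a handle close.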
 