How to understand file audit output

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have audit on a Windows 2000 TS filesystem on a public file share, i'd like
to see if a user delete or modify a file. How do I read the security log?

In security log Event ID: 560 contain the information, but is hard to
understand.
Is there an easy way to understand from this log if the user has
open/delete/ or modify the file??

Regards,
Jan

Example:
--------------------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: E:\gemensam\backuplogs\backup09.log
Handle ID: 928
Operation ID: {0,667228}
Process ID: 8
Image File Name: Server1$
Primary User Name: MyDomain
Primary Domain: (0x0,0x3E7)
Primary Logon ID: John
Client User Name: MyDomain
Client Domain: (0x0,0x56079)
Client Logon ID: DELETE
READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Accesses: -
Privileges: %16
Restricted Sid Count: %17
 
Back
Top