How to understand file audit output


Guest

I have audit on a Windows 2000 TS filesystem on a public file share. I'd like
to see if a user deletes or modifies a file. How do I read the security log?

In the security log, Event ID 560 contains the information, but it is hard to
understand.
Is there an easy way to understand from this log whether the user has
opened, deleted or modified the file?

Regards,
Jan

Example:
--------------------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: E:\gemensam\backuplogs\backup09.log
Handle ID: 928
Operation ID: {0,667228}
Process ID: 8
Image File Name: Server1$
Primary User Name: MyDomain
Primary Domain: (0x0,0x3E7)
Primary Logon ID: John
Client User Name: MyDomain
Client Domain: (0x0,0x56079)
Client Logon ID: DELETE
READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Accesses: -
Privileges: %16
Restricted Sid Count: %17
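As an added example (not part of the original post): a small Python parser that pulls the object name and the access-right names out of an Event ID 560 description and groups them into read, modify and delete. It matches on the access-right names rather than the field labels, because in the pasted sample the labels do not line up with their values; the grouping and the function name `summarize_560` are this example's own assumptions.

```python
import re

# Access-right names as they appear in the event text. The grouping is this
# example's own choice, not an official mapping.
CATEGORIES = {
    "delete": {"DELETE"},
    "modify": {"WriteData", "AppendData", "WriteEA", "WriteAttributes"},
    "read": {"ReadData", "ReadEA", "ReadAttributes", "READ_CONTROL"},
}
KNOWN = set().union(*CATEGORIES.values())

# Sample copied from the post above (subset of lines, labels left as posted).
SAMPLE = r"""Object Open:
Object Server: Security
Object Type: File
Object Name: E:\gemensam\backuplogs\backup09.log
Handle ID: 928
Client Domain: (0x0,0x56079)
Client Logon ID: DELETE
READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
"""

def summarize_560(text):
    """Return the object name, the access rights found, and their categories.

    Event 560 records the rights requested when the handle was opened; it does
    not prove that a delete or write was actually carried out.
    """
    name = re.search(r"^\s*Object Name:\s*(.+?)\s*$", text, re.M)
    rights = []
    for line in text.splitlines():
        # Take the first word of the value, skipping an optional "Label: " prefix.
        m = re.match(r"\s*(?:[A-Za-z ]+:\s+)?(\w+)", line)
        if m and m.group(1) in KNOWN and m.group(1) not in rights:
            rights.append(m.group(1))
    requested = sorted(c for c, names in CATEGORIES.items() if names & set(rights))
    return {"object": name.group(1) if name else None,
            "rights": rights, "requested": requested}

if __name__ == "__main__":
    print(summarize_560(SAMPLE))
```
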