Object access

[Gray]

I've configured auditing and for some reason I'm only
seeing 560 events. Has anyone seen this before?
Settings:

NTFS:
Properties>security>advanced>Auditing tab
Everyone & domain users configured to audit all access
(pass and fail) for the directory.
Local secuirty policy:audit object access set to audit
success and failure.
Domain GPO: set to audit success and failure for object
access.

The only events in the event log are the 560 events.
Other events such as
561:audited object opened
562:audited object closed
etc... are not reported even though I've accessed the
objects using accounts with (and without) permissions.

thanks

 

[MSFT]

--------------------

Content-Class: urn:content-classes:message
From: "Gray" <[email protected]>
Sender: "Gray" <[email protected]>
Subject: Object access
Date: Mon, 3 Nov 2003 12:29:35 -0800
Lines: 21
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcOiSTIdmx2/i8ViR8uWekZmohAv0g==
Newsgroups: microsoft.public.win2000.security
Path: cpmsftngxa06.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.security:14753
NNTP-Posting-Host: TK2MSFTNGXA13 10.40.1.165
X-Tomcat-NG: microsoft.public.win2000.security

I've configured auditing and for some reason I'm only
seeing 560 events. Has anyone seen this before?
Settings:

NTFS:
Properties>security>advanced>Auditing tab
Everyone & domain users configured to audit all access
(pass and fail) for the directory.
Local secuirty policy:audit object access set to audit
success and failure.
Domain GPO: set to audit success and failure for object
access.

The only events in the event log are the 560 events.
Other events such as
561:audited object opened
562:audited object closed
etc... are not reported even though I've accessed the
objects using accounts with (and without) permissions.

thanks

Hi Gray!

What exactly are you trying to find out via auditing? The lack of those events doesn't mean that something is wrong, but possibly, we may need to
reconfigure your audit settings.

Siddharth Sawkar
PSS Security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[gray]

The goal it to monitor access to sensitive files. The
audit settings should provide who accessed the files
configured for monitoring and the actions performed.
Unfortunatly all that is being reported is that they were
accessed (without any information regarding who or for
what purpose). When I access the files using both priv
and non-priv accounts I should have see those events in
the security logs. I'm working to find out why the events
are not being reported.

Thanks

-----Original Message-----

--------------------

Hi Gray!

What exactly are you trying to find out via auditing?

The lack of those events doesn't mean that something is
wrong, but possibly, we may need to