Object auditing: event log doesn't show which object is being audi

Guest

I'm attempting to set up auditing on my Windows 2000 server. I'd like to know
when users access specific folders. This is to have proof that users viewed
certain files or folders.
So I enabled object auditing in the local security settings first, and then
went to the specific folder and enabled auditing there to log successful and
unsuccessful attempts to access this folder. The auditing is working,
however it never indicates the folder name being audited. If I set up
multiple folders, which I need to.... I'll never know which folder was accessed
by which user. Am I using the wrong type of audit? How can I resolve this?

Here is how I set up auditing at the folder level, under the auditing tab:
- I selected the groups I set up to allow access
- Then for specific audits, I tried a few different things, including
success and failures to list folder/read data, and a few other read options.
- I should also note that users are accessing these folders from the web.
The folders are secured so that attempts to access files in that directory
prompt users for authentication.
 
Steven L Umbach

Auditing folders is tedious at best with the volume of records that will be
recorded particularly if you are auditing read/list. Take a look at your
Event ID number 560 to see if you see the folder name under "object name".
Below is an example from my computer of me accessing a folder named pix. You
also may find that the free utility Event Comb from Microsoft will help you
sift through the security log. You can use it to search for text strings
such as a folder/file or user name. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/7/2005
Time: 9:10:20 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Pix
Handle ID: 1820
Operation ID: {0,3708171}
Process ID: 1932
Image File Name: D:\WINDOWS\explorer.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0x1748E)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
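
An added example, not part of the original posts: a small Python script that reads Event ID 560 records saved as text in the layout shown above and groups them by audited folder, so each access is tied to a user and an Object Name. The function names and the sample records are constructed for illustration, and the script assumes that Client User Name, when filled in, is the account to report (otherwise Primary User Name).

```python
import re
# Constructed sample: record 1 is trimmed from the post, records 2-3 are made up.
SAMPLE = r"""Event Type: Success Audit
Event ID: 560
Object Name: D:\Pix
Primary User Name: Steve
Client User Name: -
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
Event Type: Success Audit
Event ID: 560
Object Name: D:\Pix\2005\a.jpg
Primary User Name: WEBSRV$
Client User Name: alice
Accesses: ReadData (or ListDirectory)
Event Type: Success Audit
Event ID: 560
Object Name: D:\Pixels\x.txt
Primary User Name: bob
"""

def parse_events(text):
    """Return a field dict for every Event ID 560 record in exported event text."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields, last = {}, None
        for line in chunk.splitlines():
            m = re.match(r"([A-Za-z ]+):\s*(.*)$", line)
            if m:
                last = m.group(1).strip()
                fields[last] = m.group(2).strip()
            elif line.strip() and last == "Accesses":
                fields[last] += ", " + line.strip()  # access list wraps onto more lines
        if fields.get("Event ID") == "560":
            events.append(fields)
    return events

def accesses_by_folder(text, watched):
    """Map each watched folder to the (user, object name, accesses) tuples under it."""
    report = {}
    for ev in parse_events(text):
        name = ev.get("Object Name", "")
        client = ev.get("Client User Name", "-")  # impersonated account, "-" if none
        user = client if client != "-" else ev.get("Primary User Name", "?")
        for folder in watched:
            f = folder.rstrip("\\").lower()  # Windows paths compare case-insensitively
            if name.lower() == f or name.lower().startswith(f + "\\"):
                report.setdefault(folder, set()).add((user, name, ev.get("Accesses", "")))
    return report
```

Calling accesses_by_folder(SAMPLE, ["D:\\Pix"]) reports Steve and alice under D:\Pix and leaves out D:\Pixels, which only shares the prefix.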
 
Roger Abell

So, you are saying the information in the Description in the
audit event records is not filled in? I've never seen that...
 
