Audit who has accessed and modified files

Discussion in 'Business & Enterprise Computing' started by millsy_c, Dec 1, 2011.

  1. millsy_c

    Hey all, looking for a solution for Windows Server which lets you log which users have accessed and modified files and directories.
    I'm aware you can do this through Windows, but I've been asked to look around for alternatives too, apparently the Windows one logs too much information (admittedly I am yet to have a play myself).
    So far I've found ChangeAuditor for Windows File Servers, but was wondering if anyone else here has done something similar and if so what they used? I'm still researching this so I'll update as I find programs.
     
  2. OP
    millsy_c
  3. NSanity

    Windows logs everything very well. That said, I'd only apply it to small folders, and not drive/share/server wide. It's very, very explicit and the logs are in standard Event Viewer form. You'd really want a log parser for this if you were going to use it at length.

    What exactly is the driver for this requirement?

    Almost every single damned time I've seen this requested it's because someone is editing shit they shouldn't be (or deleting files, or whatever) and can be solved with permissions, removing/educating the person or simply making things read-only.
     
  4. OP
    millsy_c
    It's a rarely used file (as in it's opened every few months), however when we tested logging the log was virtually impossible to read through or something (like I said I am purely doing the grunt work here :p)

    No wait apparently they want the drive now :lol:

    We can't lock it down any more unfortunately, I asked the same. I'm aware this seems kinda silly from the POV of someone who probably uses this Windows tool but yeah.
     
    Last edited: Dec 1, 2011
  5. NSanity

    Then I'd put the file in its own folder, and audit that folder only...
     
  6. OP
    millsy_c
    That makes perfect sense to me, I'd rather that option if it's my call, I'll see if it's possible.

    *edit*

    Apparently they want a whole HDD. I must have misheard.
     
    Last edited: Dec 1, 2011
  7. OP
    millsy_c
  8. NSanity

    Yeah, that's going to suck using NTFS Auditing without some form of log parser and pushing event logs into a better DB (because watch your event log get full, very very very quickly).
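
The two suggestions made so far in the thread (audit one folder rather than the drive, and run the Security log through a parser) can be combined as below. This is an added example, not part of any post; it assumes Windows Server 2008 or later, PowerShell 3.0 or later, an elevated session, and a hypothetical folder path.

```powershell
# Added example. $folder is a hypothetical path: the one folder worth auditing.
$folder = 'D:\Audited\Restricted'

# 1. Turn on the File System audit subcategory (successful accesses only).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit entry (SACL) for changes only, so plain reads are not logged.
$rights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Reduce event 4663 (object access) to who / what / when for that folder.
#    Keys are bits of the event's AccessMask field.
$maskNames = @{
    0x2     = 'Write'
    0x4     = 'Append'
    0x40    = 'DeleteChild'
    0x10000 = 'Delete'
    0x40000 = 'ChangePermissions'
    0x80000 = 'TakeOwnership'
}
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-7) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    # Flatten the <EventData><Data Name="..."> elements into a lookup table.
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [Convert]::ToInt32($data.AccessMask, 16)   # field is a hex string such as 0x2
    [pscustomobject]@{
        Time   = $evt.TimeCreated
        User   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Action = ($maskNames.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                  ForEach-Object { $maskNames[$_] }) -join ','
        Path   = $data.ObjectName
        Process = $data.ProcessName
    }
} | Where-Object { $_.Path -like "$folder\*" -and $_.Action } |
    Sort-Object Time | Format-Table -AutoSize
```

Because the audit entry covers write, delete and permission changes only, opening a file to read it generates no event, which is most of the volume that makes a drive-wide audit unreadable.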
     
  9. OP
    millsy_c
    Yeah that was the issue
     
  10. NSanity

    Who is going to audit, review and purge the logs?
     
  11. OP
    millsy_c
    Well that is why I'm chasing a software tool which will be able to automate a lot of this :)

    I'd imagine a lot of those tools simply hook into the existing reporting structure and do this for you
     
  12. abishop

  13. bugayev

    You could use Splunk too, lots of system admins I know love it.
     
  14. Ding.Chavez

    But be prepared for quite a full-on learning curve and LOTS of setup time.
     
  15. cvidler

    Still, what's the purpose of the auditing?

    - legal requirements? (there's probably a specific software tool to meet most legal reqs around)
    - tracking a malicious user/s? (permissions ARE the best way of dealing with this)
    - something else?
     
  16. SNip3D

    Blame game.

    Senior management needed file xyz team A was working on, file B has gone missing, someone shall have their ass kicked because I looked like a F not backing up my own file and not having a boring 45 minute keynote to bore investors.
     
  17. thetron

    Wouldn't it be better to have some wiki or SharePoint solution, where you can have "mod power" control over content?
     
  18. PodgeSSS

    Can any of these determine what files were copied from the server or client machine to a USB, CD, etc.?
     
  19. eyeLikeCarrots

    This - although our Snare consultancy costs us a packet :-\
     
  20. ewok85

    This usually crops up every time a senior/long-term staff member leaves the company.

    "Can we see everything this person has done for the last 6 months?"

    "Can you show me every email this person has read/sent in the last 6 years?"

    "Can you ABC the XYZ this person did?"

    Then I show them the same basic software packages, the prices and what it actually entails (ginormous amounts of data basically) and they go "oh, that's ok..."

    :rolleyes:
     
