Audit who has accessed and modified files

Hey all, looking for a solution for windows server which lets you log which users have accessed and modified files and directories.
I'm aware you can do this through windows, but I've been asked to look around for alternatives too, apparently the windows one logs too much information (admittedly I am yet to have a play myself.
So far I've found ChangeAuditor for Windows File Servers, but was wondering if anyone else here has done something similar and if so what they used? I'm still researching this so I'll update as I find programs.

 

Found this one here, AUAudit Plus, looks pretty good as well

 

Windows logs everything very well. That said, I'd only apply it to small folders, and not drive/share/server wide. Its very very explicit and the logs are in standard Event Viewer form. You'd really want a log parser for this if you were going to use it at length.

What exactly is the driver for this requirement?

Almost every single damned time i've seen this requested its because someone is editing shit they shouldn't be (or deleting files, or whatever) and can be solved with Permissions, removing/educating the person or simply making things read-only.

 

It's a rarely used file (as in it's opened every few months), however when we tested logging the log was virtually impossible to read through or something (like I said I am purely doing the grunt work here )

No wait apparently they want the drive now

We can't lock it down any more unfortunately, I asked the same. I'm aware this seems kinda silly from the POV of someone who probably uses this windows tool but yeah.

 

Then i'd put the file in its own folder, and Audit that folder only...

 

That makes perfect sense to me, I'd rather that option if it's my call, I'll see if it's possible.

*edit*

Apparently they want a whole HDD. I must have misheard

 

I have found these so far


*ChangeAuditor for Windows File Servers - Quest Software
http://www.quest.com/changeauditor-for-windows-file-servers/

*AUAudit Plus, this one looks pretty neat
http://www.manageengine.com/product...-file-server-auditing-access-permissions.html

*IS Decisions File Audit
http://www.isdecisions.com/products/fileaudit/features.htm

*Netwrix file server auditing
http://www.netwrix.com/file_server_auditing_change_reporting_freeware.html

 

Yeah, that's going to suck using NTFS Auditing without some form of log parser and pushing event logs into a better DB (because watch your event log get full, very very very quickly).

 

Yeah that was the issue

 

Who is going to audit, review and purge the logs?

 

Well that is why I'm chasing a software tool which will be able to automate a lot of this

I'd imagine a lot of those tools simply hook into the existing reporting structure and do this for you

 

We use File system Auditor here.

http://www.scriptlogic.com/products/filesystemauditor/

Quite useful and has some nice reports

 

You could use splunk too, lots of system admins I know love it.

 

But be prepared for a quite a full on learning curve and LOTS of setup time.

 

Still, what's the purpose of the auditing?

- legal requirements? (there's probably a specific software tool to meet most legal reqs around)
- tracking a malicious user/s? (permissions ARE the best way of dealing with this)
- something else?

 

blame game.

senior management needed file xyz team A was working on, file B has gone missing, someone shall have their ass kicked because i looked like a F not backing up my own file and not having a boring 45 minute keynote to bore investors.

 

Wouldn't bet better to have some wiki or sharepoint solution. Where you can have "mod power" control over content

 

Can any of these determine what files were copied from the server or client machine to a USB, CD etc ?

 

This - although our snare consultancy costs us a packet :-\

 

This usually crops up everytime a senior/longterm staff member leaves the company.

"Can we see everything this person has done for the last 6 months?"

"Can you show me every email this person has read/sent in the last 6 years?"

"Can you ABC the XYZ this person did?"

Then I show them the same basic software packages, the prices and what it actually entails (ginormous amounts of data basically) and they go "oh, that's ok..."