File auditing not working properly

I have a Windows 2000 Server. I have turned on Object Access auditing for success and failure. For an entire disk drive I turned on success and failure auditing for everyone for create files/write data, create folders/append data, list folder/read data. I then go into a folder on this drive, edit and save a file, check the security log, but nothing shows up there. Some object access auditing is occurring, as I get a lot of object access events 560 and 562, but nothing relating to the editing and saving tests I performed. Any help would be appreciated.

Try auditing only a specific folder first so that you can see how it works and then be sure to audit only folders you need to track. Auditing a whole drive will generate a huge amount of events. To help find pertinent events try using Event Comb and use its ability for text searches to search for a file name, etc. Make sure your security log is large enough to keep the events you need. Usually you will find the filename under object name in Event ID 560 as shown in the example below.

Steve

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 9/21/2006
Time: 12:11:28 AM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
    Object Server: Security
    Object Type: File
    Object Name: D:\test\test.txt
    Handle ID: 2092
    Operation ID: {0,1841040}
    Process ID: 1548
    Image File Name: D:\WINDOWS\explorer.exe
    Primary User Name: Steve
    Primary Domain: STEVE-XP
    Primary Logon ID: (0x0,0x2F2D9)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses: DELETE
        READ_CONTROL
        SYNCHRONIZE
        WriteData (or AddFile)
        AppendData (or AddSubdirectory or CreatePipeInstance)
        WriteEA
        ReadAttributes
        WriteAttributes
    Privileges: -
    Restricted Sid Count: 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

"Akula" <Edwin.Garr***@UTSouthwestern.edu> wrote in message news:1158768381.288685.270020@h48g2000cwc.googlegroups.com...
> I have a Windows 2000 Server. I have turned on Object Access auditing
> for success and failure. For an entire disk drive I turned on success
> and failure auditing for everyone for create files/write data, create
> folders/append data, list folder/read data. I then go into a folder on
> this drive, edit and save a file, check the security log, but nothing
> shows up there. Some object access auditing is occurring, as I get a
> lot of object access events 560 and 562, but nothing relating to the
> editing and saving tests I performed. Any help would be appreciated.
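Added example, not part of the original thread: a small Python filter that does the text search the reply describes, pulling Object Name and Accesses out of Event ID 560 descriptions and keeping only opens that requested write-type rights on a matching file. The one-field-per-line layout, the function names and the second (read-only) event are assumptions constructed for illustration.

```python
import re

# Constructed samples: SAMPLE_WRITE is an abridged copy of the Event ID 560
# description in the reply above; SAMPLE_READ is an invented read-only open.
SAMPLE_WRITE = r"""Object Open:
    Object Type: File
    Object Name: D:\test\test.txt
    Image File Name: D:\WINDOWS\explorer.exe
    Primary User Name: Steve
    Accesses: DELETE
        READ_CONTROL
        WriteData (or AddFile)
        AppendData (or AddSubdirectory or CreatePipeInstance)
        WriteAttributes
    Privileges: -
"""
SAMPLE_READ = r"""Object Open:
    Object Type: File
    Object Name: D:\test\other.txt
    Accesses: READ_CONTROL
        ReadData (or ListDirectory)
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")   # "Label: value" lines
WRITE_RIGHTS = ("WriteData", "AppendData", "DELETE")

def parse_560(description):
    """Return {field: [values]}; unlabelled lines continue the previous field."""
    fields, current = {}, None
    for line in description.splitlines():
        m = FIELD.match(line)
        if m:
            current = m.group(1).strip()
            value = m.group(2).strip()
            fields[current] = [value] if value else []
        elif current and line.strip():
            fields[current].append(line.strip())   # e.g. extra Accesses rows
    return fields

def write_opens(descriptions, name_part):
    """List (object name, write rights) for opens whose name contains name_part."""
    hits = []
    for d in descriptions:
        f = parse_560(d)
        name = " ".join(f.get("Object Name", []))
        rights = [a.split()[0] for a in f.get("Accesses", []) if a.startswith(WRITE_RIGHTS)]
        if name_part.lower() in name.lower() and rights:
            hits.append((name, rights))
    return hits
```

Event 560 records the access rights requested when the handle was opened, so a hit shows that a write-capable open happened, not that data was actually written.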