Geek Pop Quiz, Access Auditing on Server 2K8 edition.
I have a shared folder. Inside the shared folder are a number of folders, each with a separate access list.
I want to audit ONE of the folders. Only one. I want my auditing to be, basically, exactly the kind of information it *claims* I can get by opening Security -> Advanced -> Audit: Log WHO accesses which file, and when.
The catch is, I can't find a way for the Audit settings on the folder to make even the slightest bit of difference. If I just set those, it doesn't audit a damn thing, and that's by design for some stupid reason.
I need to set a Group Policy in order to turn on auditing, then the Audit lists on the folders will be listened to. Right? Well, wrong.
As soon as I set Object Access auditing, I get tens of thousands of irrelevant events being logged every minute. Audit successful Object Access? Well, gee, OF COURSE that means I need a log entry for every packet accepted by Windows Firewall!
So, turn that off. Go into Advanced Audit Control policy, and hey, that looks like what I want! Detailed File Auditing! That's EXACTLY what I need, right?
Well, kind of. It does log exactly what I want to log - who accessed which file and when, who made changes, who deleted, etc.
But it does so for *every file in the share*, regardless of the individual object settings.
And it does so for every single permission check - so if I open a folder, it logs separately that I tried to Read the folder, then that I tried to get permission to list directory contents, then I got permission to see each individual file, and...
Basically, it opens a couple of DOZEN log lines for looking at a single folder. And it COMPLETELY ignores the actual Auditing settings on the folder.
But that's Local Audit Policy - what happens when I turn on Directory Service Audit Policy instead? Well, I get *hundreds* of logon/logoff events as sysvol and Kerberos do their thing behind the scenes running the domain, and, regardless of the individual folder audit settings, I get no useful information about the folders.
So my problem is this: I want it to audit ONLY the files and folders where I have specifically set auditing rules. I want it to log ONLY those events that I have specified, in the Auditing tab of the Security menu of the specific folder.
I don't want it to record anything else.
There HAS to be a way to tell the Security log to listen to the folder audit settings (which I haven't managed - it's all folders or no folders, not specified folders) and there HAS to be a way to tell the Security log that I do want it to record object access, but only SOME KINDS of object access.
Terrifyingly, I've hit a "Samba would be WAY easier" stage, since Samba would be recording separate per-user access logs and those would be really simple to pull apart and recombine into a single "all access entries involving this folder" log. And, for bonus points, it wouldn't be generating roughly 250MB/hr of logs when it finally coughs up the bare minimum I want.
So:
1. How do you make Windows listen to the Audit settings for a shared folder?
2. If 1 is impossible, how do I audit access to the files in a specific shared folder? Third-party software? Which stuff?
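An added example, not part of the original post: one way to scope logging to a single folder is to enable only the File System audit subcategory, which records access only to objects that carry an audit entry (SACL), and then read event 4663 back for that path. The folder path and the audited principal are hypothetical, the subcategory names assume an English-language system, and the script assumes an elevated PowerShell prompt on the file server.

```powershell
# Added example. $Folder and $Who are hypothetical values.
$Folder = 'D:\Shares\Projects\Finance'
$Who    = 'Everyone'

# 1. Enable only the File System subcategory; it honours per-object SACLs.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
# These subcategories log without consulting any folder SACL, so turn them off.
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
# Present on Server 2008 R2 and later; auditpol reports an error where it is absent.
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable
# Note: a GPO that sets the legacy "Audit object access" category re-enables every
# subcategory unless "Audit: Force audit policy subcategory settings" is enabled.

# 2. Put the audit entry on the one folder, inherited by its files and subfolders.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Who, $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back event 4663 (an attempt was made to access an object) for that path.
#    ObjectName holds the server-local path, not the UNC share path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data.ObjectName -eq $Folder -or $data.ObjectName -like "$Folder\*") {
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                File       = $data.ObjectName
                AccessMask = $data.AccessMask
            }
        }
    } | Sort-Object Time | Format-Table Time, User, File, AccessMask -AutoSize
```

Other folders in the share log nothing under this policy unless they inherit or carry their own audit entries, which `(Get-Acl -Path <folder> -Audit).Audit` will show.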
(no subject)
Date: 2010-07-07 01:42 pm (UTC)
For bonus points do you have an opinion about SF and the Stack Overflow family?