Audit vault vs auditing of access

Similar Messages

• Auditing failed access to files and folders in Windows Storage Server 2008 R2

  Hello,
  I've been trying to figure out why I cannot audit the failed access to files and folders on my server.  I'm trying to replace a unix-based NAS with a Windows Storage Server 2008 R2 solution so I can use my current audit tools (the 'nix NAS
  has basically none).  I'm looking for a solution for a small remote office with 5-10 users and am looking at Windows Storage Server 2008 R2 (no props yet, but on a Buffalo appliance).  I specifically need to audit the failure of a user to access
  folders and files they are not supposed to view, but on this appliance it never shows.  I have:
  Enabled audit Object access for File system, File share and Detailed file share
  Set the security of the top-level share to everyone full control
  Used NTFS file permissions to set who can/cannot see particular folders
  On those folders (and letting those permissions flow down) I've set the auditing tab to "Fail - Everyone - Full Control - This folder, subfolders and files"
  On the audit log I only see "Audit Success" messages for items like "A network share object was checked to see whether client can be granted desired access (Event 5145) - but never a failure audit (because this user was not allowed access by NTFS permissions).
  I've done this successfully with Windows Server 2008 R2 x64 w/SP1 and am wondering if anybody has tried this with the Windows Storage Server version (with success of course).  My customer wants an inexpensive "appliance" and I thought this new
  variant of 2008 was the ticket, but I can't if it won't provide this audit.
  Any thoughts? Any of you have luck with this?  I am (due to the fact I bought this appliance out of my own pocket) using the WSS "Workgroup" flavor and am wondering if this feature has been stripped from the workgroup edition of WSS.
  TIA,
  --Jeffrey

  Hi Jeffrey,
  The steps to setup Audit on a WSS system should be the same as a standard version of Windows Server. So please redo the steps listed below to see if issue still exists:
  Enabling file auditing is a 2-step process.
  [1] Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing
  for "Audit object access."
  [2] Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit
  - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.
  A similar thread:
  http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/da689e43-d51d-4005-bc48-26d3c387e859
  TechNet Subscriber Support in forum |If you have any feedback on our support, please contact [email protected]

• Audit object access

  Hello,  I am trying to understand "Audit object access",  I have it turned on and I am capturing all Success and Failures of every file share I have on our File Server.  
  However,  that is my issue.  I am capturing everything.   Is there a way to only capture certain file shares. I noticed that under the auditing tab,   its has "include inheritable auditing........"
  Example:
  In this example,  I want to capture successes and failures for all users who access Events and Images folders. 
  \\Server1\Share1\Data1\Common\Reports\Events
  \\Server1\Share1\Data1\Common\Apps
  \\Server1\Share1\Data1\Images
  Thank you for your help. . 

  Simply disable the current auditing on the root of your folders. Once done, enable it only on the folders you would like to audit.
  Reading such logs is usually a difficult task and time consuming. For that, it is recommended to use a third party tool with a UI for auditing. The one I usually recommend is Lepide Auditor for File Server: http://www.lepide.com/file-server-audit/
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• How to audit database access by IP address?

  Hello,
  In SQL 2008 R2 Enterprise is there a built-in mechanism to be able to audit and log the SQL loginname along with their IP addresses when they access a particular database? Most of the logins only have the role for db_datareader so I need to audit basically
  everyone that is connecting to the database and whether they are running select statements or not.
  Thank you.

  Dear Forum and All,
  I have working with Audit in SQL Server 2008. But my result cannot have HOST_NAME and IPADDRESS of Client.
  This is my code:
  Create Audit
  USE [master]
  GO
  CREATE
  SERVER AUDIT [Audit-20141206-090946_ControlEven]
  TO
  FILE
  FILEPATH = N'C:\Audit'
  ,MAXSIZE = 0 MB
  ,MAX_ROLLOVER_FILES
  = 2147483647
  ,RESERVE_DISK_SPACE
  = OFF
  WITH
  QUEUE_DELAY = 1000
  ,ON_FAILURE =
  CONTINUE
  GO
  Create Database Audit Specification
  USE [TESTAUDIT]
  GO
  CREATE
  DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification-20141222-082141_Control]
  FOR SERVER AUDIT [Audit-20141206-090946_ControlEven]
  ADD (SELECT
  ON OBJECT::[dbo].[tblTesting]
  BY [public])
  GO
  This my result
  Event_Time|Session_ID|Server_Principal_Name|Statement|.......|.........
  But I need column HOST_NAME and IPADDRESS of Client in my result.
  Thank you for your cooperation and support.
  Best Regards,
  Mr. Pann Matak

• Re: Auditing Document Access?

  Hi guys,
  I know you can subscribe to a document to see who has checked out and checked in a document but is there a way to see who has read the document?
  Is there an audit trail for user access or other similar events?
  I have a requirement from a client to do the above for their procedures to make sure it is being read.
  Thanks in advance.

  Content Tracker component does track user access as well as many other types of information.
  Thanks sapan.

• Audit file access

  I want to audit file and folder access auditing on a windows 2008 server. I need to enable audit log all file activity by user such as read, copy, create, rename, deleted .
  Is there a way to see if an user access a specific file ?
  Thanks

  Hey please have a look at these link for the reference.
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/b18ca99b-db07-4e2e-8f13-67d58a4d1c63/windows-2008-server-files-access-real-time-monitoring
  Moreover, you can start from the several links from here also
  http://technet.microsoft.com/en-us/library/dd408940%28v...
  http://technet.microsoft.com/en-us/sysinternals/bb89664...
  http://technet.microsoft.com/en-us/library/cc721946.asp...
  And the other option is you can opt for a third party tool such as Lepide Auditor For File Server. A file Server monitoring tool that would help you in case for a real time monitoring.Test the tool from the given link below.
  http://www.lepide.com/file-server-audit/
  Thanks.

• Audit Question - Access to SU01

  I have a question in regards to access to SU01.  We currently have a team to setup users and assign roles.  We are SOx regulated and have been questioned about having individual having this access.
  Does it make sense to have one user setting up the ID without any authorizations assigned and then another person add the roles?  We have compliance calibrator installed and no issues from that, but I am aware sometimes it is a business process decision from our auditors.
  To me this does not make sense to me at all.  Not sure if this would be the same for all our other applications either at this point including BW, IPC, XI, network access etc. etc. etc.

  Chris,
  This causes a lot of confusion and consternation across the industry. Having been on both sides of the fence from an audit perspective, I tend to take a pragmatic approach.
  The key issue is about being able to amend roles and assign to users. Wherever possible, this should be avoided. It is up to you how you manage that but if you have a situation whereby a single person can create a role / profile and assign it to a user they control, then you have a potential audit issue.
  You can split it in any way you like but you are basically trying to stop that SoD.
  Some choose to have a dedicated team who are able to create users but not create or assign authorisations, a separate team who can assign authorisations and not create users or roles and a third team who can only create roles but not create or assign to users.
  While that is ideal, it is not always practical so it is often somewhere in the middle.
  As long as your central team cannot amend the roles and authorisations that they are assigning (or assign super user access like SAP_ALL) without appropriate controls in place, then you can generally have a fairly reasonable discussion with your auditors.
  Simon

• Auditing full access mailbox members

  Greetings,
  I have an Exchange 2010 Organization, i have found a user got full access on another user's mailbox.
  Could you please tell me how can i know who grant him full access using auditing for example.
  Thanks 
  Redouane SARRA

  Hi,
  You can search the administrator audit logs to discover who made changes to organization, server, and recipient configuration. This can be
  helpful when trying to track the cause of unexpected behavior, to identify a malicious administrator, or to verify that compliance requirements are being met.
  Search-AdminAuditLog -Cmdlets Add-MailboxPermission -StartDate 01/24/2014 -EndDate 01/25/2014 -IsSuccess $true
  The Caller value of the command results is the user who grants him full access permission. For more information about
  Search the Administrator Audit Log, please refer to:
  http://technet.microsoft.com/en-us/library/ff459262(v=exchg.141).aspx
  Thanks,
  Winnie Liang
  TechNet Community Support

• Server Directory/File Access Security Auditing - Is This Possible on OSX Server?

  I am looking for a solution that will give me the ability to monitor/audit who access what file, when, and if possible,  give alerts to the "owner" of the directory/file or to the system admin when someone access something on our OSX file server.

  First of all lets call it Flash Media Interactive Server (adding Streaming becomes little confusing to readers as we have Flash Media Streaming Server) - both are FMS but two different edition.
  Now coming to FMIS, you can place all your video files in "streams" directory of application in the simplest configuration and then use Server-side API Class "Stream" to play them. When you use Stream class to play VOD files, it basically becomes live publish and is available as live stream. I will give you simple code snippet which will explain what i am saying above:
  var myStream;
  application.onAppStart = function(){
       myStream = Stream.get("livestream");
       myStream.onStatus = function(info){
            trace("Info code:"+info.code);
      myStream.play("mp4:myvod.f4v",0,-1,true);
  Now client will subscribe to live stream using stream name as "livestream" and it will basically get all the content of mp4:myvod.f4v
  Say if you save above code in file named main.asc and place it in application folder named "test" on FMS, you will need to copy "mp4:myvod.mp4" inside "streams" i.e. create "_definst_" folder or any instance name folder under "streams" folder of "test" and place the file there
  Hope this helps

• Auditing all users file access - too much information

  Hi, I have enabled a GPO With the following: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access -> Audit File System -
  Success on a file server.
  After that, I have enabled successful Create files/Create Folders on a folder for the built-in group Everyone.
  That part works fine, I can see when users are creating files on the folders. But I also get a lot of Extreme amounts of other events logged in the Security log, and everything is coming from the backup agent running on the server (NetBackup in this case).
  How come that a backup agent is creating the events like this? It makes filtering much harder afterwards. The business requirements is to audit Everyone who is adding files to a specific folder, not all the rest of the server. The server
  is Win2008 R2.
  Example:
  An attempt was made to access an object.
  Subject:
  Security ID: SYSTEM
  Account Name: FILESERVER01$
  Account Domain: MYDOMAIN
  Logon ID: 0x3e7
  Object:
  Object Server: Security
  Object Type: File
  Object Name: \Device\HarddiskVolumeShadowCopy58\Windows\winsxs\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.1.7601.18619_none_d4cab625fb3adf96\audiosrv.dll
  Handle ID: 0x3c4
  Process Information:
  Process ID: 0x1048
  Process Name: C:\Program Files\VERITAS\NetBackup\bin\bpbkar32.exe
  Access Request Information:
  Accesses: WriteAttributes

  Hi Steve,
  I feel your pain, I turned on logging on a file server and found the security log filling 4GB in a couple of hours. I think the key is being very selective about what you audit. I found this article useful and it had some powershell and ideas for helping
  make sense of the information overload - http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
  In my opinion though you really need a third party solution to make this viable, two I've looked at are
  Netwrix File Server Auditor and
  FileAudit which seem very similar in functionality and ease of use. These basically read in the event log to provide long term archive and reporting on it.
  Good luck,
  Tim

• Access level changes captured in Auditing ?

  Hi, do auditing capture Access level changes / modifications in the CMC and how i can access them.
  Need to know. Thanks. Toor.

  Thankyou for the replies. I kept the following coding in the Exits. The problem is that i kept the break-point in the three exits and after running ME22N,its entering first into Exit 16 and after checking the field(Check Box) in Customer Data Tab ,its entering  into Exit 17. But the zfield in I_EKPO is empty,the value 'X' is not reflecting here. Please suggest where i am doing wrong. I went through many SDN threads and i am unable to solve the issue.
  INCLUDE ZXM06TOP.
  data: gl_aktyp type c,
        gl_no_screen type c,
        gl_ekpo_ci like ekpo_ci,
        gl_ekpo like ekpo,
        gl_ucomm like sy-ucomm.
  data:  gt_ref_ekpo_tab type table of ekpo_tab.
  EXIT_SAPMM06E_016
  gl_aktyp = i_aktyp.
  gl_no_screen = i_no_screen.
  ekpo_ci  = i_ci_ekpo.
  gl_ekpo = i_ekpo.
  EXIT_SAPMM06E_017
  move-corresponding i_ekpo to gl_ekpo_ci.
  gl_ekpo = i_ekpo.
  EXIT_SAPMM06E_018
  e_ci_ekpo        = gl_ekpo_ci.
  if gl_ekpo_ci-zz_vend ne ekpo_ci-zz_vend.
    e_ci_ekpo-zz_vend = ekpo_ci-zz_vend.
    if gl_aktyp ne 'A'.
      e_ci_update = 'X'.
    endif.
  endif.
  Regards
  K Srinivas

• Auditing Access file & LogParser

  Hi everyone,
  I'm running a w2k3 and I need to audit success on files on a specific folder ... I activated auditing for the everyone group on this folder, and started to watch my logs ...
  I want to know exactly what user are doing with this files ( if they are opening, or working )... After some researches, it seems that 2k3 cant tell exactly what people are doing ... but 2K8 can ...
  I understand how the 560 Event ID works. Dont seem to be very accurate ... here are my doubts !
  Can you tell me if I'm right or not ?!
  I check the handle ID too... but it seems to be linked with the application that opens a file ... or not ... or randomly generated .. couldn't find any answer for this question of mine !
  Well, that's it !
  thanks all !

  Hi,
  Based on my test, Windows 2k3 records exactly what people are doing. Please refer to the following Windows 2k3 record.
  If you didn’t get this event, it may because policy "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access" was not configured. Enable this policy and test.
  For your reference:
  Audit object access
  http://technet.microsoft.com/en-us/library/cc776774(WS.10).aspx
  Event Type:    Success Audit
  Event Source:    Security
  Event Category:    Object Access
  Event ID:    560
  Date:        6/1/2009
  Time:        4:40:10 PM
  User:        GT\administrator
  Computer:    GTDC02
  Description:
  Object Open:
       Object Server:    Security
       Object Type:    File
       Object Name:    C:\newsid
       Handle ID:    1268
       Operation ID:    {0,8119592}
       Process ID:    2468
       Image File Name:    C:\WINDOWS\explorer.exe
       Primary User Name:    administrator
       Primary Domain:    GT
       Primary Logon ID:    (0x0,0xA0674)
       Client User Name:    -
       Client Domain:    -
       Client Logon ID:    -
       Accesses:    SYNCHRONIZE
              ReadData (or ListDirectory)
       Privileges:    -
       Restricted Sid Count:    0
       Access Mask:    0x100001
  For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
  Thanks.
  This posting is provided "AS IS" with no warranties, and confers no rights.

• Auditing File and Folder Access Denied Attempts

  The company I work for wants to be able to review audit logs to see where people have failed to gain access to particular folders or files on a server, that is part of a DFS. I have enabled Auditing Object Access with Failures, and I have added the Everyone
  group to Auditing on the folder, in which it audits all failures. However, when I review the Security Log to see those failed attempts to access a file, for example, I get a log of a success to the user who attempted to open the file, when in actuality, he
  failed to open the file because he did not have rights to open it.
  What am I doing wrong, or is this how Microsoft has auditing setup?

  Yes, myself and a nother technician have been unable to get this to work in a test environment or the real environment. We've created new users with nothing more than Domain User membership, and only list rights to the folder, which is how the real production
  folder is setup. We still do not get failure notices when the attempt to access a file they don't have rights to access.
  It does however, tell them on the client end that they have been denied access. It just doesn't show in the log.

• A few questions about auditing

  Hi all,
  I am new to auditing, my manager asked me to make a report on how our database is audited including audit levels, tables and users audited etc. After some research I found about AUD$ table and views associated with it. I also found about table auditing(session/access) but I could not make any clear ideas out of these info. Also I made some tests and I could not get any assuring results. First I want to tell you what I did:
  I enabled auiditing on the fnd_user table(test instance, 9.2.0.8) on select and update using TOAD. However after making many selects and updates I can not find any audit info in either audit trail or AUD$ table and views using it. After this I turned on all other statements'(alter, delete, grant etc.) auditing and switched between ACCESS and SESSION but to no good. What am I missing, why is there no trail of these actions?
  Second, I have been inspecting the AUD$ table, there is recent data in it which consists of drop and truncate info mostly. I used a query to determine which objects have auditing enabled but there are none other than the fnd_user which I just enabled. What makes this data to be populated in the AUD$ table and how can I alter this?
  Lastly, what are the possibilities of efficient auditing on the tables, users and schemas I want?
  Any advices will be most appreciated.
  Thanks and regards
  Burak

  Hi,
  Thanks for the fast replies.
  The output of show parameter audit is:
  NAME TYPE VALUE
  audit_file_dest string ?/rdbms/audit
  audit_sys_operations boolean FALSE
  audit_trail string NONE
  transaction_auditing boolean TRUE
  audit_trail is not boolean, what are the values it can get? transaction_auditing is enabled, how can I make use of this, and what are the differences between the three types of auditing?
  Also I will be very happy if someone could tell me what populates the data in AUD$ table although the auditing is disabled?
  Thanks and regards
  Burak

• Share Auditing not working on Server 2012 R2

  I have configured Auditing on one of our shares and have configured it like this: http://i.imgur.com/fgQp0A8.png
  However, when I create a folder on this share or delete one. Nothing is written to the security log. Am I doing something wrong? I read on this post (http://social.technet.microsoft.com/Forums/en-US/231f8918-3de8-46bd-8872-f5106f7fe8fa/audit-deleted-files-server-2012?forum=winserversecurity)
  that you need to enable some local security policies so I have enabled this: http://i.imgur.com/uOP7f4d.png
  What am I doing wrong?
  Thanks for you help!
  Brian

  Hi Brian,
  Is this server in Active Directory domain? Did we enable the Audit Object Access policy for this server?
  Besides, after enabling audit object access, to audit accessing a share folder, try the following steps:
  Right click the folder, and choose Properties
  Under Security tab, click Advanced
  Under Auditing tab, Add the principal and edit the access permissions you want to audit
  Hope it helps.
  Best regards.
  Frank Shen