topic Many 4663 Win Events for the same file in Getting Data In

Many 4663 Win Events for the same file

mgaleti — Mon, 05 Dec 2011 16:55:23 GMT

Dear Colleagues,

I am configuring Splunk to listen my File Server in the WMI Security Events.
Splunk is listening well.

I turned on Audit, for example, in one file from my TI folder.

When I open one file (inside this test folder), change it and close I can see, inside Windows Event log, not 1 or 2 or 3 events 4663 but 80 or 90 events !!!!

Do you have some idea about this ? What is happening ? Do you have this too ??

Thanks
Galeti

Re: Many 4663 Win Events for the same file

rovechkin_splun — Sun, 22 Jan 2012 22:43:51 GMT

Are you using windows explorer to do the test? The explorer does multiple calls into directory and file itself, first to show it to you and then open it (e.g. using notepad). Since audit check is done at Win32 API level it will generate multiple events. Explorer may also do periodic refresh of the directory, which also causes audit events to be logged.

You can use ProcessMonitor from sysinternals to see details of file access.