Getting Data In

How do I monitor file/directory access with splunk on windows fileserver?

krusty
Contributor

Hi,

As you can see, I'm new to Splunk and I need some tips to find a solution for my problem.
I have to monitor different directories on our Windows file server for file access/modification/deletion.

First I checked out the fschange opportunity of Splunk. At the beginning everything looked fine, but then I saw that no user information is included. So fschange isn't the right solution for my problem.

Then I looked at the answers page on the Splunk web site, but I could not find any help.

I know that event codes 560, 564 and 567 are the right event codes, but I have no idea how to create a search query to find out the user who deleted/accessed/edited a file.

Could anybody tell me if it's possible to find out with Splunk the user who deleted/accessed/edited a file?
If it's possible, can anybody give me some tips?

Thanks

edit:
I have created the following search query but it seems that the result isn't correct.

host="srvXXX" EventCode=562 OR EventCode=560 OR EventCode=564 OR EventCode=567 NOT (User=*Batchuser* OR User=*SYSTEM*) | transaction Handle_ID | stats values(Object_Name) AS Object by User

dart
Splunk Employee

Hi krusty,

You can use startswith and endswith on your transaction to ensure the transactions get closed:

| transaction Handle_ID Process_ID startswith="EventCode=560" endswith="EventCode=562" | 

See also the docs on transaction.


krusty
Contributor

Hi dart,

I checked the parameters startswith and endswith, but I have the problem that this only works if an event starts with event ID 560 and ends with ID 562. But if there are many events with 567 between these two events, it seems that this doesn't work.
I will check this on Monday morning and come back to you.

Thanks.


krusty
Contributor

Hi dmaislin_splunk,

Thanks for your answer.
Next week I will test it and come back to you.
But I have read in the documentation that the fschange tool only displays the user information on Unix.

By the way I have created the following query.

source="WMI:WinEventLog:Security" EventCode=560 OR EventCode=562 OR EventCode=567 NOT User="NT AUTHORITY\\SYSTEM" | transaction Handle_ID Prozess_ID | stats values(Object_Name) AS Object by User

With this query I got too many files in my output. I think I have to use transaction parameters like maxspan or maxevents to narrow the output. It seems that there are multiple Handle_IDs and Prozess_IDs with the same values.

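The handle-based correlation discussed in dart's answer and in the two queries above (open on 560, any number of 567 events in between, close on 562, split by Handle_ID plus process ID, and bounded by maxspan) can be reproduced outside Splunk to see why unclosed or reused handles inflate the result. The script below is an added example and is not from this thread or from Splunk; it emulates `transaction Handle_ID Process_ID startswith="EventCode=560" endswith="EventCode=562" maxspan=...` followed by `stats values(Object_Name) by User` over a handful of constructed event lines. The field names match what the posters use; the sample events, users and paths are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real server logs): the fields Splunk extracts from
# Windows Security events 560 (handle opened), 567 (object access attempt) and
# 562 (handle closed), written as key=value on one line per event.
SAMPLE_EVENTS = [
    '2011-12-19 09:00:00 EventCode=560 User="CORP\\alice" Handle_ID=0x1a0 Process_ID=4711 Object_Name="D:\\share\\budget.xlsx"',
    '2011-12-19 09:00:05 EventCode=567 User="CORP\\alice" Handle_ID=0x1a0 Process_ID=4711',
    '2011-12-19 09:00:06 EventCode=567 User="CORP\\alice" Handle_ID=0x1a0 Process_ID=4711',
    '2011-12-19 09:00:10 EventCode=562 User="CORP\\alice" Handle_ID=0x1a0 Process_ID=4711',
    # Another process later reuses the same handle number: must not be merged with alice's transaction.
    '2011-12-19 10:30:00 EventCode=560 User="CORP\\bob" Handle_ID=0x1a0 Process_ID=9001 Object_Name="D:\\share\\hr\\salaries.docx"',
    '2011-12-19 10:30:02 EventCode=562 User="CORP\\bob" Handle_ID=0x1a0 Process_ID=9001',
    # Activity by the machine account, filtered out like the NOT User=... clause in the queries.
    '2011-12-19 11:00:00 EventCode=560 User="NT AUTHORITY\\SYSTEM" Handle_ID=0x2b0 Process_ID=4 Object_Name="D:\\share\\backup.log"',
    '2011-12-19 11:00:01 EventCode=562 User="NT AUTHORITY\\SYSTEM" Handle_ID=0x2b0 Process_ID=4',
    # A handle that is never closed: without endswith it would still be reported.
    '2011-12-19 12:00:00 EventCode=560 User="CORP\\carol" Handle_ID=0x3c0 Process_ID=1234 Object_Name="D:\\share\\notes.txt"',
]

# key=value pairs, where the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one constructed event line into its timestamp and key=value fields."""
    when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line[19:])}
    fields["_time"] = when
    return fields


def correlate_handles(lines, maxspan=timedelta(minutes=5), exclude_users=("NT AUTHORITY\\SYSTEM",)):
    """Emulate transaction Handle_ID Process_ID startswith=560 endswith=562 maxspan=<maxspan>.

    A transaction opens on a 560, counts the 567 events seen on the same handle
    and process, and is emitted only when the matching 562 arrives within
    maxspan. Handles that never close, or close too late, are dropped instead of
    being attributed to the user."""
    open_handles = {}
    closed = []
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["_time"]):
        if ev.get("User") in exclude_users:
            continue
        key = (ev.get("Handle_ID"), ev.get("Process_ID"))
        code = ev.get("EventCode")
        if code == "560":
            open_handles[key] = {"user": ev["User"], "object": ev.get("Object_Name"),
                                 "opened": ev["_time"], "modifications": 0}
        elif code == "567" and key in open_handles:
            open_handles[key]["modifications"] += 1
        elif code == "562" and key in open_handles:
            tx = open_handles.pop(key)
            if ev["_time"] - tx["opened"] <= maxspan:
                tx["closed"] = ev["_time"]
                closed.append(tx)
    return closed


def summarize_by_user(transactions):
    """Equivalent of stats values(Object_Name) AS Object by User."""
    by_user = defaultdict(set)
    for tx in transactions:
        by_user[tx["user"]].add(tx["object"])
    return {user: sorted(objects) for user, objects in sorted(by_user.items())}


if __name__ == "__main__":
    for user, objects in summarize_by_user(correlate_handles(SAMPLE_EVENTS)).items():
        print(user, objects)
```

Only alice's and bob's transactions survive: the SYSTEM handle is filtered, carol's handle never closes, and bob's reuse of handle 0x1a0 stays separate because the process ID is part of the key, which is the reason both queries in this thread group on Handle_ID together with the process ID.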

dmaislin_splunk
Splunk Employee

Try using fschange again, using the search "source=fschange". I set it up and tested it and I get uid, gid, etc. This was on my Mac, but the same info should work on Windows too. Here is the result of me creating a file in /etc called touch.cfg.

Tue Dec 20 08:16:28 2011 action=update, path="/etc/touch.cfg", isdir=0, size=90, gid=0, uid=502, modtime="Tue Dec 20 08:16:08 2011", mode="rw-r--r--", hash=, chgs="mod time "

inputs.conf (Using Whitelist and Blacklist)
[filter:whitelist:configs]
regex1 = touch.cfg

[filter:blacklist:else]
regex1 = .?

[fschange:/etc]
sourcetype=touch
recurse = true
pollPeriod = 60
followLinks = false
signedaudit = false
fullEvent = true
filters = configs,else
