Hi Splunkers,
I need help auditing some files in Microsoft Windows 2012, such as C:\Windows\System32\drivers\etc\hosts, .dlls and so on. At the moment I want to monitor the files, for example: Who deleted this file? Who changed this file?
I am having problems understanding security logs in Windows. Is there any way to solve my problem?
Do you have any idea about that?
Cheers!
I'd suggest reading the following blog posts:
Hi Ahal_splunk,
I followed your first link, but Windows Server 2012 did not generate audit data. I searched Microsoft blogs, which suggest executing this command to solve the problem:
C:\Windows\system32>auditpol /set /subcategory:"file system" /success:enable /failure:enable
Then I collected the data to extract value. 🙂
I'd like to thank you for these links.
Cheers!
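
The steps discussed in this thread, end to end, as an added example that is not part of the original posts: put an audit entry (SACL) on the hosts file, enable the "file system" subcategory with the auditpol command quoted above, then read Security event 4663 to see who wrote to or deleted the file. It assumes an elevated Windows PowerShell session on the audited server; the variable names and the 1000-event window are illustrative choices.

```powershell
# Added example. Run in an elevated Windows PowerShell session.
$path = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. Add an audit entry (SACL) to the file so that successful and failed
#    writes, deletes and permission changes by any account are logged.
#    S-1-1-0 is the well-known SID for Everyone (language independent).
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$file = Get-Item -LiteralPath $path
$acl  = $file.GetAccessControl('Audit')      # load only the audit section
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $everyone, 'Write,Delete,ChangePermissions', 'Success,Failure'
$acl.AddAuditRule($rule)
$file.SetAccessControl($acl)

# 2. Enable the audit policy subcategory (the command from the thread).
#    Without this, the SACL above produces no events.
auditpol /set /subcategory:"file system" /success:enable /failure:enable

# 3. Read "An attempt was made to access an object" (event ID 4663) and keep
#    only events for the audited file. AccessMask bits decoded below:
#    0x2 WriteData, 0x4 AppendData, 0x10000 DELETE, 0x40000 WRITE_DAC.
$bits = @{ 0x2 = 'WriteData'; 0x4 = 'AppendData'; 0x10000 = 'DELETE'; 0x40000 = 'WRITE_DAC' }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 1000 -ErrorAction SilentlyContinue |
ForEach-Object {
    # Flatten <EventData><Data Name="..."> elements into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.ObjectName -eq $path) {
        $mask = [Convert]::ToInt32($d.AccessMask, 16)
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Access  = ($bits.Keys | Where-Object { $mask -band $_ } |
                       ForEach-Object { $bits[$_] }) -join ','
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The same fields (ObjectName, SubjectUserName, ProcessName, AccessMask) are what a Splunk search over the collected Security log would filter and report on.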