How to audit files in Splunk monitoring security events in Windows 2012 server?

Communicator

Hi Splunkers,

I need help auditing some files in Microsoft Windows 2012, files like C:\Windows\System32\drivers\etc\hosts, .dlls and so on. At the moment I want to monitor the files, for example: Who deleted this file? Who changed this file?

I am having a problem understanding security logs in Windows. Is there any way to solve my problem?
Do you have any idea about that?

Cheers!

0 Karma

Communicator

Hi Ahal_splunk,

I followed your first link, but Windows Server 2012 did not generate audit data. I searched Microsoft blogs, which suggest executing this command to solve the problem:

C:\Windows\system32>auditpol /set /subcategory:"file system" /success:enable /failure:enable

Then I collected the data to extract value. 🙂

I'd like to thank you for these links.

Cheers!

0 Karma
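
Added example (not part of the thread): once the "file system" audit subcategory is enabled, writes and deletes show up as Security event 4663, whose AccessMask field says which rights were used. The sketch below answers the original question ("who deleted / who changed this file?") over constructed sample events. It assumes the watched file also carries an audit entry (SACL), without which the policy alone logs nothing; the LAB domain, account names and timestamps are made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# File access rights in the AccessMask of event 4663 that alter or remove a file.
RIGHTS = {
    0x2: "WriteData", 0x4: "AppendData", 0x10: "WriteEA", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}

def event(user, path, mask, proc, when):
    """Build a constructed 4663 record in the Windows event XML layout."""
    data = {"SubjectUserName": user, "SubjectDomainName": "LAB",
            "ObjectType": "File", "ObjectName": path,
            "AccessMask": mask, "ProcessName": proc}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4663</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
SAMPLE = [  # constructed events, not real log data
    event("alice", HOSTS, "0x6", r"C:\Windows\System32\notepad.exe", "2024-01-10T09:15:02Z"),
    event("bob", HOSTS, "0x10000", r"C:\Windows\System32\cmd.exe", "2024-01-10T11:40:27Z"),
    event("carol", HOSTS, "0x1", r"C:\Windows\explorer.exe", "2024-01-10T12:01:00Z"),
    event("bob", r"C:\Temp\notes.txt", "0x2", r"C:\Windows\System32\cmd.exe", "2024-01-10T12:05:00Z"),
]

def who_touched(events_xml, path):
    """Return (time, account, action, process) for write/delete access to path."""
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        d = {n.get("Name"): n.text for n in root.iterfind("e:EventData/e:Data", NS)}
        if d["ObjectName"].lower() != path.lower():  # Windows paths: case-insensitive
            continue
        mask = int(d["AccessMask"], 16)
        rights = [name for bit, name in RIGHTS.items() if mask & bit]
        if not rights:
            continue  # read-only access does not answer the question
        action = "delete" if "DELETE" in rights else "modify"  # DELETE right exercised
        when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
        account = f'{d["SubjectDomainName"]}\\{d["SubjectUserName"]}'
        hits.append((when, account, action, d["ProcessName"]))
    return hits
```

Calling who_touched(SAMPLE, HOSTS) returns one "modify" row for LAB\alice and one "delete" row for LAB\bob; the read by carol and the write to the other file are ignored.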