Getting Data In

Monitoring of specific files and folders

remy06
Contributor

Hi,

I'd like to monitor certain folders (e.g. C:\myfolder) and their subfolders/files on a Windows server. I've enabled "audit object access" and configured C:\myfolder for auditing.

Currently I'm monitoring by searching for event codes related to object access auditing like "560, 562" etc. I've set up Splunk to monitor wineventlog:security for this.

I'm wondering if there are better alternatives to do this. I've tried using Data Inputs and "monitor files and directories" via Splunk Web, but it doesn't seem to be informative. If there is an image file, then the event shows up with garbage text.

I have also tried using fschange, but it doesn't seem to work. Here is the sample:

[fschange:C:\myfolder]
index = main
# recurse = false watches C:\myfolder itself only; its subfolders are not followed
recurse = false
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
# delayInMills is in milliseconds, pollPeriod in seconds (one scan per minute here)
delayInMills = 1000
pollPeriod = 60

Any idea what went wrong? Which is the better method for Splunk to monitor files and folders?

1 Solution

ftk
Motivator

Based on your comment, auditing is what you are looking for. Fschange will not be able to help you, as it does not log the username that performed an action on a file on Windows -- it only works correctly on Unix.

On Windows you will want to define NTFS SACLs (Security Access Control Lists). These are the auditing entries you may be familiar with in NTFS. You will have to enable object access auditing in the local security policies of your servers (this can easily be done via group policy). Then you can enable auditing on a set of files or directories. This can be done manually, but if you have a standard set of auditing rules you may consider pushing them out via group policy as well. Here is a link that goes over these basics: http://articles.techrepublic.com.com/5100-10878_11-5034308.html

Once you have selected the types of accesses you want to audit (Read, Write, Create, Append, Delete, etc.) you will start seeing events 560, 561, 562, 563, 564 and 567 logged. Check out http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx for more info on them. But basically you will see a 567 object access attempt logged first, then you can do a transaction based on the handle ID to see what else was done to the object.
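As an added illustration of the handle-ID correlation suggested in this answer (this is example code written for this page, not code from the original post or from Splunk), the following Python script parses a handful of constructed 560/567/562 events in the "Key: Value" layout of a Windows Server 2003 Security log entry and groups them by handle the way a transaction keyed on the handle ID would. The sample events are made up; the field names Handle_ID, Object_Name, Primary_User_Name and Accesses are assumptions modelled on Splunk's underscore-joined Windows field extractions and do not come from the original post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the original post): six events in the
# multi-line "Key: Value" layout of a Windows 2003 Security log entry.
SAMPLE_EVENTS = [
    """03/14/2024 09:12:01 AM
EventCode: 560
Object Name: C:\\myfolder\\report.docx
Handle ID: 1448
Primary User Name: jdoe
Accesses: READ_CONTROL
          WriteData (or AddFile)""",
    """03/14/2024 09:12:03 AM
EventCode: 567
Handle ID: 1448
Primary User Name: jdoe
Accesses: WriteData (or AddFile)""",
    # 562 (handle closed) names neither file nor user: only the handle ID links it
    """03/14/2024 09:12:05 AM
EventCode: 562
Handle ID: 1448""",
    """03/14/2024 09:20:10 AM
EventCode: 560
Object Name: C:\\myfolder\\old.txt
Handle ID: 1612
Primary User Name: asmith
Accesses: DELETE""",
    """03/14/2024 09:20:11 AM
EventCode: 562
Handle ID: 1612""",
    # A 567 whose 560 was never collected: still reported, but flagged incomplete
    """03/14/2024 09:25:00 AM
EventCode: 567
Handle ID: 9999
Primary User Name: jdoe
Accesses: DELETE""",
]

KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_event(raw):
    """First line is the timestamp, the rest 'Key: Value' (keys become Key_Value).
    A line without a 'Key:' prefix continues the previous field, which is how the
    Windows 2003 log lists several Accesses; continuations are joined with '; '."""
    lines = raw.strip().splitlines()
    event = {"_time": datetime.strptime(lines[0].strip(), "%m/%d/%Y %I:%M:%S %p")}
    last_key = None
    for line in lines[1:]:
        text = line.strip()
        m = KV_RE.match(text)
        if m:
            last_key = m.group(1).strip().replace(" ", "_")
            event[last_key] = m.group(2).strip()
        elif last_key and text:
            event[last_key] += "; " + text
    return event


def first(evs, key):
    """Value of `key` from the first event in the group that carries it."""
    return next((e[key] for e in evs if key in e), None)


def transactions_by_handle(events):
    """Group parsed events by Handle_ID, like a transaction on the handle ID.
    'complete' is True only when the group opens with a 560 and closes with a
    562; the object name comes from whichever event carries one (562 does not)."""
    groups = defaultdict(list)
    for ev in events:
        if "Handle_ID" in ev:
            groups[ev["Handle_ID"]].append(ev)
    summary = {}
    for handle, evs in groups.items():
        evs.sort(key=lambda e: e["_time"])
        codes = [e.get("EventCode", "?") for e in evs]
        accesses = []
        for e in evs:
            for a in e.get("Accesses", "").split("; "):
                if a and a not in accesses:
                    accesses.append(a)
        summary[handle] = {
            "user": first(evs, "Primary_User_Name"),
            "object": first(evs, "Object_Name"),
            "codes": codes,
            "accesses": accesses,
            "duration_s": (evs[-1]["_time"] - evs[0]["_time"]).total_seconds(),
            "complete": codes[0] == "560" and codes[-1] == "562",
        }
    return summary


def summarize_sample():
    return transactions_by_handle([parse_event(raw) for raw in SAMPLE_EVENTS])


if __name__ == "__main__":
    for handle, tx in sorted(summarize_sample().items()):
        flag = "" if tx["complete"] else "  (incomplete: no 560/562 pair)"
        print(f"handle {handle}: {tx['user']} -> {tx['object']} codes={tx['codes']} "
              f"accesses={tx['accesses']} {tx['duration_s']:.0f}s{flag}")
```

The point of the 9999 group is the check a practitioner wants: a handle seen only in a 567 or 562 means the open was never collected (input started late, log wrapped), so the record is flagged rather than silently merged into nothing. In Splunk the same grouping, assuming the field is extracted as Handle_ID, would be a search of the form "EventCode=560 OR EventCode=562 OR EventCode=567 | transaction Handle_ID startswith=EventCode=560 endswith=EventCode=562"; that is an assumed search, not one given in the answer.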

remy06
Contributor

I'm trying to monitor who does what at what times, like creating files, deleting files, writing to files, etc.

ftk
Motivator

Can you please elaborate on what you mean by monitoring files and folders? Are you trying to monitor the contents of the files, or just who makes what changes at what times?
