Getting Data In

Monitoring of specific files and folders

remy06
Contributor

Hi,

I'd like to monitor certain folders (e.g. C:\myfolder) and their subfolders/files on a Windows server. I've enabled "audit object access" and configured C:\myfolder for auditing.

Currently I'm monitoring by searching event codes related to object access auditing like "560, 562" etc. I've set up Splunk to monitor wineventlog:security for this.

I am wondering if there are better alternatives to do this? I've tried using a data input to monitor files and directories via Splunk Web, but it doesn't seem to be informative. If there is an image file, then the event will show up with garbage text.

I have also tried using fschange but it doesn't seem to work. Here is the sample:

# inputs.conf stanza as posted; fschange watches the path for changes
[fschange:C:\myfolder]
index = main
# recurse = false means subfolders of C:\myfolder are NOT watched
recurse = false
followLinks = false
# signedaudit = false produces plain (unsigned) change events
signedaudit = false
# fullEvent = true includes the file contents in the event
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000
pollPeriod = 60

Any idea what went wrong? Which is a better method for Splunk to monitor files and folders?

1 Solution

ftk
Motivator

Based on your comment, auditing is what you are looking for. Fschange will not be able to help you, as it does not log the username that performed an action on a file on Windows -- it only works correctly on Unix.

On Windows you will want to define NTFS SACLs (Security Access Control Lists). These are the auditing entries you may be familiar with in NTFS. You will have to enable object access auditing in the local security policies of your servers (this can easily be done via Group Policy). Then you can enable auditing on a set of files or directories. This can be done manually, but if you have a standard set of auditing rules you may consider pushing them out via Group Policy as well. Here is a link that goes over these basics: http://articles.techrepublic.com.com/5100-10878_11-5034308.html

Once you have selected the types of accesses you want to audit (Read, Write, Create, Append, Delete, etc.) you will start seeing events 560, 561, 562, 563, 564 and 567 logged. Check out http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx for more info on them. But basically you will see a 567 object access attempt logged first, then you can do a transaction based on the handle ID to see what else was done to the object.
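As an added example (not from this thread, from Splunk, or from ftk), the following PowerShell script applies the kind of NTFS SACL described above from a script instead of the Explorer dialog, so the same audit entries can be pushed to many servers. The path, the audited identity (Everyone) and the chosen access rights are assumptions; adjust them to your environment.

```powershell
# Added example: audit Write/Create/Append/Delete on a folder tree via its SACL.
# Object access auditing must also be enabled in local/Group Policy (as in the
# answer above), otherwise the SACL produces no Security log events. On
# Vista/2008 and later this can be done with:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
param(
    [string]$Path = 'C:\myfolder'   # assumed path, taken from the question
)

# Identity to audit: Everyone records every account, which "who does what" needs.
$identity = New-Object System.Security.AccessControl.NTAccount('Everyone')

# Rights matching the Write/Create/Append/Delete accesses mentioned in the answer.
# (CreateFiles/CreateDirectories are aliases of WriteData/AppendData on folders.)
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'

# Inherit to subfolders and files (the recursive coverage the question asked for).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Log both successful and failed attempts.
$audit = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propagate, $audit)

# -Audit reads the SACL; this requires SeSecurityPrivilege, so run elevated.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: show the audit entries now present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

Once the rule is in place, a test write or delete under the folder should appear in the Security log as the 560/567 (object open / access attempt) pair keyed by the same handle ID, which is what the Splunk transaction joins on.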



remy06
Contributor

I'm trying to monitor who does what at which times, like creating files, deleting files, writing to files, etc.


ftk
Motivator

Can you please elaborate on what you mean by monitor files and folders? Are you trying to monitor the contents of the files, or just who does what changes at what times?
