Options

File Server Audit/log?

SouthSeaPirateSouthSeaPirate Member Posts: 173
in Off-Topic
We are running a file server with Server 2003. Nothing special, just hosts all the shares. I was wondering what I need to do to enable an audit of the server. Specificly to check what user deleted half the Marketing files, or accidentally dragged them into the schedules folder; I believe this makes the point. I know this can be done by changing a Security Policy on the server, but I dont know which policy nor how to view the audit once enabled. Obviously Im completely dark on this. Anyone know what Im trying to get at?
· Share on FacebookShare on Twitter

Comments

  • Options
    phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    This'll get you started:

    Configuring Audit Policies
    · Share on FacebookShare on Twitter
  • Options
    SouthSeaPirateSouthSeaPirate Member Posts: 173
    Thanks for the link. I believe this one is very clse to what Im looking for: "Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files." It does say success, falls short at read/write. Im thinking I would need something along the same lines but with Modify and Delete. Maybe Im wrong?
    · Share on FacebookShare on Twitter
  • Options
    phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    There are audit policy objects for "Delete Subfolders and Files", and "Delete".
    · Share on FacebookShare on Twitter
  • Options
    SouthSeaPirateSouthSeaPirate Member Posts: 173
    So same concept. Hopefully 2003 is close enough for this document to help. We shall see tomorrow. Thanks +rep!
    · Share on FacebookShare on Twitter
  • Options
    SouthSeaPirateSouthSeaPirate Member Posts: 173
    Unfortunately this doesnt help. I need to see what is deleted, by whom...
    · Share on FacebookShare on Twitter
  • Options
    SouthSeaPirateSouthSeaPirate Member Posts: 173
    Anyone? Still at a loss here.
    · Share on FacebookShare on Twitter
  • Options
    phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    SouthSeaPirate wrote: »
    Unfortunately this doesnt help. I need to see what is deleted, by whom...

    You either don't have it setup correctly or you're not looking at the correct logs. My audit logs shows who deletes an object.
    · Share on FacebookShare on Twitter
  • Options
    ChurritosChurritos Registered Users Posts: 1 ■□□□□□□□□□
    You'll probably need a third-party tool if you want to seriously audit changes to your file server-- the native logs don't offer any filtering of reporting capabilities. We had someone delete a ton of financial documents last year so we looked at NetWrix File Server Change Reporter and Quest ChangeAuditor for File Servers. Both are good tools and will send automated reports that will tell you who is deleting your files.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.