using GFI Languard - Log File Access, deletion and other


I have installed GFI for a trial and I am trying to see if it does what I need to do :

1. Log user Login and Logout (as well as Lockouts)
2. File Access information (opening a shared file, copying it, deleting it ... ... anything possible)
3. Printer access (document printing on special printers)
4. all kinds of other stuff that I found out the software does ...

however I seem to have difficulties logging File access information.

I have several shared folders that I want to log access requets (during normal times and outside normal times) but it does not seem to work ??

what do I need to check to make sure it works ??

also Is it possible to do the same for printers ??
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi Matanquay,

I dont think it logs access to the shares, just enumerates the rights and current access?

Finds all shares on your network
GFI LANguard N.S.S. enumerates all shares on your network, including administrative and printer shares (C$, D$, ADMIN$) and shows you who has access to the share. Use this feature to:

Check if permissions of shares are set correctly
Check whether a user is sharing his/her whole drive with other users
Prevent anonymous access to shares
Ensure that startup folders or similar system files are not shared as this could allow less privileged users to execute code on target machines.

Rich RumbleSecurity SamuraiCommented:
You are reffering to GFI's SELM, I use the LanGuard Network Security Scanner so much I forget they make other products!)
You have to be sure you've enabled the logging you need first, SELM will only alert you when those events occur, and if they are not being logged, SELM can't see them occur.
The default log setting of windows do not include the logging of files/folders.

You might also want to try their System Integrity Monitor, geared more specifically for file access.  I knwo it doesn't help with SELM, but it is worth a look. :-)

More information and a free copy of the product are available at
Become a Microsoft Certified Solutions Expert

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

matanguayAuthor Commented:
SniperG : I checked the address and i dont see a product named SYSTEM INTEGRITY MONITOR .. .. .. ..

Richrumble : thihs is good. however can you please guide me as of which events I should monitor for that ??

Paul : I know my shares and accesses are ok .. .. I just want to have logs for when people leave the company .. .we have a small problem of data theft ... since the company has a high turnover rate this is making the risk even higher .. ..

Rich RumbleSecurity SamuraiCommented:
You can't log what people do with the files through the event logs, but you can log when they are accessed using them. Perhaps the tool that SniperG eluded to will do that, I've not used it. However googling it reveals that it's much like "tripwire" and monitors only changes or deletions of files, and I can't see that it log's who did what...

On a workstation there are only like 9 types of events to monitor, and there are many many events under each heading, however, all you can do is turn on the success/failure (or both) of those 9 event types or catagories. Account logon vents, account managment, directory service access, logon events, object access, policy change, privilege use, process tracking and system events.
Since M$ has no grainular control, you must use a parser like SELM or Snare to help you sift through all of the stuff you don't need, but will still be audited because of the lack of grainular controls.

That PDF explains how SELM works, here is an excerpt
Note that Windows logs potential, not definite, changes: Object audit events are trapped at the
time an application opens the object for the requested types of access. For example, a user
might open a Word document for read and write access but simply close the document without
making any changes. In that case, Windows will log an open event (event ID 560) and a close
event (event ID 562) to show that the user opened the object for write access.

matanguayAuthor Commented:
this is actually all I need . I need to have the info of who accesses what files .. ..

we noticed that people when they steal information they almost never stop to a few good files .. they always try and take as much as they want to they will check files they have never even checked before .. .. therefore making it easier to reaise a flag .. ..

if I use EVENT 560 and 562 will it reveal what file was accessed ??
Rich RumbleSecurity SamuraiCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.