jtgraphic
asked on
Windows 2003 Server File Access Auditing
Hello experts, I would like to set up auditing on a few specific files. I was wondering if someone would be willing to walk me through this process. The server I would like to configure is an active directory domain server, serving approximately 50 users. Thank you in advance.
check this link: http://support.microsoft.com/default.aspx?scid=kb;en-us;301640&sd=tech
ASKER
Is there a way to have the log emailed to me on a regular basis automatically from the server?
Okay, maybe you can do this: you can set the log parser and save it as a CSV or a graph. It can be scheduled to run daily or weekly. Then you can have another script that is scheduled to run regularly and will email you the log files.
ASKER
How do I save it as a graph?
ASKER
Also, the log is filling at a very fast pace and is not recording only the file I specified, but all access.
Script to email the audit logs. You can change this script to your requirements:
Ex:
' "." means the local computer; use a host name or IP address for a remote server.
strComputer = "."
' Connect to WMI; the (Security) privilege is needed to read the Security log.
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where" _
& " Logfile = 'Security' and Type = 'audit success'",,48)
' Errors are suppressed from this point on.
On Error Resume Next
' One e-mail is sent for each matching event.
For Each objItem in colLoggedEvents
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "Security_Failure"
objEmail.To = "t...@test.com"
objEmail.Subject = "Security Failure For (" & "Libgonas02" & ")"
objEmail.Textbody = objItem.Message
' sendusing = 2 sends through the SMTP server named below.
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "10.32.81.80"
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send
Next
==================================================
Log parser is a tool that will save the event logs in text or graphical format. You need to install it on the machine. For more info on it:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
http://www.logparser.com/
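An added example, not part of the original thread or any poster's script: a variant of the script above that narrows the WMI query to object-open audit events (event ID 560 on Windows Server 2003) from the last 24 hours, keeps only those mentioning one audited file, and sends a single digest message instead of one e-mail per event. The file path, mail addresses and SMTP host are placeholders chosen for illustration.

```vbscript
' Added example: daily digest for ONE audited file. All constants are placeholders.
Option Explicit
Const AUDITED_FILE = "D:\Shares\Finance\budget.xls"   ' assumed path of the audited file
Const SMTP_SERVER  = "smtp.example.com"               ' assumed SMTP relay
Const MAIL_FROM    = "audit@example.com"
Const MAIL_TO      = "admin@example.com"
Const CDO_CFG      = "http://schemas.microsoft.com/cdo/configuration/"

Dim strComputer, objWMIService, objSince, colEvents, objEvent
Dim strBody, intCount, objEmail
strComputer = "."   ' local machine

' Limit the query to the last 24 hours so a daily scheduled run does not resend old events.
Set objSince = CreateObject("WbemScripting.SWbemDateTime")
objSince.SetVarDate DateAdd("h", -24, Now), True

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' Event 560 = object open; filtering in WQL avoids pulling the whole Security log.
Set colEvents = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile = 'Security'" _
    & " and EventCode = 560" _
    & " and TimeGenerated >= '" & objSince.Value & "'", , 48)

intCount = 0
For Each objEvent In colEvents
    ' Message can be Null; appending "" coerces it to a string before the search.
    If InStr(1, objEvent.Message & "", AUDITED_FILE, vbTextCompare) > 0 Then
        intCount = intCount + 1
        strBody = strBody & objEvent.TimeGenerated & "  " & objEvent.User _
            & vbCrLf & objEvent.Message & vbCrLf & String(60, "-") & vbCrLf
    End If
Next

' Send one message only when there is something to report.
If intCount > 0 Then
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = MAIL_FROM
    objEmail.To = MAIL_TO
    objEmail.Subject = intCount & " access event(s) for " & AUDITED_FILE
    objEmail.TextBody = strBody
    objEmail.Configuration.Fields.Item(CDO_CFG & "sendusing") = 2   ' send via network SMTP
    objEmail.Configuration.Fields.Item(CDO_CFG & "smtpserver") = SMTP_SERVER
    objEmail.Configuration.Fields.Item(CDO_CFG & "smtpserverport") = 25
    objEmail.Configuration.Fields.Update
    objEmail.Send
End If
```

Errors are deliberately not suppressed here, so a failed WMI connection or SMTP send stops the script with a visible error when it is run with cscript.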
ASKER
What does the first line, Ex: strComputer = ".", do? It is generating an error on execution.
That is the computer name from which you are trying to get the logs.
ASKER
I can not get the script to email, what am I missing from the equation?
strComputer = "10.150.199.174"
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where" _
& " Logfile = 'Security' and Type = 'audit success'",,48)
On Error Resume Next
For Each objItem in colLoggedEvents
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "Security_Failure"
objEmail.To = "brucec@msivt.com"
objEmail.Subject = "Security Failure For (" & "Libgonas02" & ")"
objEmail.Textbody = objItem.Message
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.msivt.com"
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send
Next
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
That was the key, Thank you very much!
glad to help!!