Windows 2003 Server File Access Auditing

Hello experts, I would like to set up auditing on a few specific files. I was wondering if someone would be willing to walk me through this process. The server I would like to configure is an active directory domain server, serving approximately 50 users. Thank you in advance.
jtgraphicAsked:

jtgraphicAuthor Commented:
Is there a way to have the log emailed to me on a regular basis automatically from the server?

star_trekCommented:
Okay, maybe you can do this: you can set up Log Parser and save the output as a CSV or a graph. It can be scheduled to run daily or weekly. Then you can have another script, scheduled to run regularly, that will email you the log files.

jtgraphicAuthor Commented:
How do I save it as a graph?
jtgraphicAuthor Commented:
Also the log is filling at a very fast pace and not recording only the file I specified but all access
star_trekCommented:
Script to email the audit logs. You can change this script to your requirements:

Ex: strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")


Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where" _
    & " Logfile = 'Security' and Type = 'audit success'",,48)


On Error Resume Next
For Each objItem in colLoggedEvents
 Set objEmail = CreateObject("CDO.Message")
 objEmail.From = "Security_Failure"
 objEmail.To = "t...@test.com"
 objEmail.Subject = "Security Failure For (" & "Libgonas02" & ")"
 objEmail.Textbody = objItem.Message
 objEmail.Configuration.Fields.Item _
     ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
 objEmail.Configuration.Fields.Item _
     ("http://schemas.microsoft.com/cdo/configuration/smtpserver") =  "10.32.81.80"
 objEmail.Configuration.Fields.Item _
     ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
 objEmail.Configuration.Fields.Update
 objEmail.Send
 Next

=============================================================

Log parser is a tool that will save the event logs in text or graphical format. You need to install it on the machine. For more info on it:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
http://www.logparser.com/
jtgraphicAuthor Commented:
What does the first line Ex: strComputer = "." do? It is generating an error on execution.
star_trekCommented:
That is the computer name from which you are trying to get the logs.
jtgraphicAuthor Commented:
I can not get the script to email, what am I missing from the equation?
strComputer = "10.150.199.174"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")


Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where" _
    & " Logfile = 'Security' and Type = 'audit success'",,48)


On Error Resume Next
For Each objItem in colLoggedEvents
 Set objEmail = CreateObject("CDO.Message")
 objEmail.From = "Security_Failure"
 objEmail.To = "brucec@msivt.com"
 objEmail.Subject = "Security Failure For (" & "Libgonas02" & ")"
 objEmail.Textbody = objItem.Message
 objEmail.Configuration.Fields.Item _
     ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
 objEmail.Configuration.Fields.Item _
     ("http://schemas.microsoft.com/cdo/configuration/smtpserver") =  "mail.msivt.com"
 objEmail.Configuration.Fields.Item _
     ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
 objEmail.Configuration.Fields.Update
 objEmail.Send
 Next
star_trekCommented:
I tested the script and it is working for me. Maybe you need to add this before the objemail.from:

objEmail.Sender="brucec@msivt.com"

jtgraphicAuthor Commented:
That was the key, Thank you very much!
star_trekCommented:
glad to help!!
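
Added example, not part of the original thread: a variant of the script above that narrows the WMI query to object-open events from the last 24 hours, keeps only events whose text names a watched file, and sends one digest message instead of one mail per event. The file paths, e-mail addresses and SMTP host are placeholders, and event ID 560 ("Object Open" on Windows Server 2003) is an assumption about which audit event you want reported.

```vbscript
Option Explicit
' Added example, not from the thread. Paths, addresses and SMTP host are placeholders.
Const CDO_CFG = "http://schemas.microsoft.com/cdo/configuration/"
Const OBJECT_OPEN = 560   ' Security event ID for "Object Open" on Windows Server 2003
Dim watched, strComputer, since, objWMIService, colEvents, objItem
Dim path, msg, body, hits, objEmail
watched = Array("D:\Shares\Finance\payroll.xls", "D:\Shares\HR\reviews.doc")
strComputer = "."   ' "." is the local machine

' WMI compares dates as DMTF strings; SWbemDateTime builds one for "24 hours ago".
Set since = CreateObject("WbemScripting.SWbemDateTime")
since.SetVarDate DateAdd("h", -24, Now), True

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' Filter in the query: one log, one event ID, one day (success and failure audits).
Set colEvents = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile = 'Security'" _
    & " and EventCode = " & OBJECT_OPEN _
    & " and TimeWritten >= '" & since.Value & "'", , 48)

hits = 0
For Each objItem In colEvents
    msg = objItem.Message & ""          ' Message can be Null
    For Each path In watched
        ' The event text names the object; keep only events for watched files.
        If InStr(1, msg, path, vbTextCompare) > 0 Then
            hits = hits + 1
            body = body & objItem.TimeWritten & "  " & objItem.Type & "  " _
                & objItem.User & vbCrLf & msg & vbCrLf & String(60, "-") & vbCrLf
            Exit For
        End If
    Next
Next

If hits > 0 Then   ' one digest per run instead of one message per event
    Set objEmail = CreateObject("CDO.Message")
    objEmail.Sender = "audit@example.com"
    objEmail.From = "audit@example.com"
    objEmail.To = "admin@example.com"
    objEmail.Subject = hits & " audited file access event(s) in the last 24 hours"
    objEmail.Textbody = body
    objEmail.Configuration.Fields.Item(CDO_CFG & "sendusing") = 2   ' send via network SMTP
    objEmail.Configuration.Fields.Item(CDO_CFG & "smtpserver") = "smtp.example.com"
    objEmail.Configuration.Fields.Item(CDO_CFG & "smtpserverport") = 25
    objEmail.Configuration.Fields.Update
    objEmail.Send
End If
```

Run it once a day from Scheduled Tasks with `cscript //nologo`, under an account that is allowed to read the Security log.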