Who copied, deleted, moved files on my Windows Servers (auditing)

proximityworld
Hi,

I have been asked to research the best solution for auditing our Windows servers. We need to be able to find out who deleted, moved or copied files to and from the servers. We run a Windows 2008 r2 fully functional level domain and our file servers are 2003, 2003 r2 and 2008 r2.

I know this can be set up to report to the Event Viewer, but is this the only way, and what is the best tool to actually find this information?

I assume I will be asked questions like the following:

What files has user xxxx accessed?

List all the files that have been deleted

File xxx.doc has been deleted, who did it and when.

What are people using to do this? Is Splunk a good option here as we would get the option to monitor other types of logs and not just Microsoft ones.

Any information would be most welcome.

Best wishes

Michael

Commented:
Take a look at the products from Quest. I have used this in a DEV environment and have seen many demos from Quest. It works really well and I think it offers everything you are looking for.

http://www.quest.com/changeauditor-for-windows-file-servers/

I use share alarm pro on 2 of my file servers. Good tool for only $30 per machine.

http://sharealarm.nsauditor.com/

Use the folder watcher functionality.

http://sharealarm.nsauditor.com/help/folder_watcher.html

I am going to be doing a trial with Webspy. I will come back with my results.

Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
