Audit Share Folder

salmaalouf
salmaalouf used Ask the Experts™
on
I have many Share folder on Server 2003  Is there a way to be able to audit the share
per example I want to know who access the folder and which file and what action is done as modify create delete .
can you send me the information as much detai as possible

thanks

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Dear salmaalouf,

There is in Windows Server 2003 no audit directly referring to "shares", but rather the "shared" folders.

You can find a very simple/step-by-step guide via: http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access#Enabling_File_and_Folder_Auditing

Alternately via the Micosoft KB814595 http://support.microsoft.com/kb/814595 and/or http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/16c3050b-c6fb-42f0-b68b-25d4561ae9de

Hope those does the trick for you, otherwise post back.

Kind regards,
Soren
Dear salmaalouf,

sorry forgot also to add the link to article "Operation-based auditing on files or folders" http://technet.microsoft.com/en-us/library/cc738931(WS.10).aspx

Kind regards,
Soren
Distinguished Expert 2017

Commented:
Note that this type of auditing adds many entries to the security log.  you might want to consider using event forwarding that is part of windows such that all the events are collected on a single system where it can be analyzed or use something like splunk for log analysis.
Presumably you will not be sitting watching the access in real time but need a record in the event you have to review something.

Author

Commented:
How to configure event forwarding on Windows 2003
can you send me the detail
Distinguished Expert 2017

Commented:

Author

Commented:
is there a site I can find a ready script for event forwarding or othe software can do the same job
Distinguished Expert 2017

Commented:
The links to MS point how you would go about to setup the forwarding/subscribing.

You can also use snmptrad daemon and setup SNMP on each server. Then using evntwin you would configure the security events to snmptrap mapping.

Try and see whether splunk is what you want.

http://msdn.microsoft.com/en-us/library/aa394593%28v=vs.85%29.aspx

Are you familiar with vbscript/databases
You could use the above rertieving the logs while inserting them into a database (ms sql)

Author

Commented:
good reference but no direct way to see all the events on one server 2003
i hope windows 2008 solve this issue more practical way

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial