NTFS auditing

Hello,

   I can only find this answer online for Server 2003, need info for Server2008r2. When I turn on Auditing for a file, what event ID do I look for in the security logs to see who made changes. Its funny how al of the articles out there show everytihng but this info.
entintAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
BelushiLomaxConnect With a Mentor Commented:
event id 4656  I believe
0
 
AnuroopsunddCommented:
•New Event IDs for auditing CHANGES
¿Modification of objects: event ID 5136
¦Explicit SACL on object or inheriting SACL on parent container auditing <sec. princ.> for "Successes/Failures" of "<whatever action>" on "<whatever scope>"
¿Creation of objects: event ID 5137
¦Explicit/Inheriting SACL on parent container auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"
¿Undelete/reanimation of objects: event ID 5138
¦Explicit SACL on NC head auditing <sec. princ.> for "Successes/Failures" of "Reanimate Tombstone" on "This Object Only"
¦Explicit/Inheriting SACL on target OU auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"
¿Moving objects: event ID 5139
¦Explicit/Inheriting SACL on source OU auditing <sec. princ.> for "Successes/Failures" of "Delete specific object-Class" or "Delete All Childs" on "This Object and All Descendant Objects"
¦Explicit/Inheriting SACL on target OU auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"


http://blogs.dirteam.com/blogs/jorge/archive/2008/04/29/auditing-in-windows-server-2008.aspx
0
All Courses

From novice to tech pro — start learning today.