Solved

Log end user activity

Posted on 2013-01-18
Last Modified: 2013-12-06
Hi,

I need to find an end user monitoring solution for a client. They would like to log specific events:
- Every network share and file accessed by the user
- Every document name printed by the user
- Every file copied from network shares to local machine
- Every file copied onto external media (USB, CD, DVD etc)

The system does not need to be able to block the end user from performing any of these actions, simply to log the details of it for audit purposes.

Any suggestions or thoughts appreciated.
Thanks
Question by:Roger Adams
3 Comments
 

Expert Comment

by:mo_patel
Firstly, you need to enable auditing on the files/folders where the sensitive info is kept; then yes, you can get the info.

One thing to bear in mind is that if you do want to track everything, you will have too much info there; it will take you ages to sift through it all, not to mention fill up the disk space. It will also be very expensive.

I recommend you explain this to clients and only enable auditing on key files/folders.

A best practice for this kind of situation is, once auditing is enabled, to then use a SIEM utility to monitor the events and, if a match is found, to log the events into threads...

So basically you would have threads for:

i.e.
- logon events
- object access
- folder access etc
- log off events

To get event IDs, use this link:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

One thing to NOTE is that there is no COPY event; it's not that simple, so once you have enabled auditing and SIEM capture, you will have to test all this by accessing files, copying files etc.

One such solution is NNT LogTracker... loads more on the market; they are not free and not cheap...

Expert Comment

by:mo_patel
OR if you do have loads of free time and are good with SQL, you can use LogParser and write your own SIEM tool to download the logs into a SQL DB and then write your own queries to extract the info. It will never be as good as a paid version,

but at least it's an alternative....
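As an added example (not code from this thread or from any product named in it), the do-it-yourself approach in the two comments above could look like this in Python, with SQLite standing in for LogParser and a SQL server: audited object-access events go into a table, and because there is no copy event, a query pairs a read on the share with a write of the same file name by the same user shortly afterwards. The table layout, the 30-second window, the `SHARE` path and every sample row are assumptions constructed for illustration; the pairing is a heuristic and only works if writes on the destination machine are audited and collected too.

```python
import sqlite3

READ_DATA, WRITE_DATA = 0x1, 0x2  # file access-mask bits ReadData / WriteData

# Constructed sample rows shaped like fields of Windows object-access events
# (time, computer, SubjectUserName, ObjectName, AccessMask). All values invented.
SAMPLE_EVENTS = [
    ("2013-01-18 09:00:05", "FS01", "jdoe", r"D:\Shares\Finance\budget.xlsx", 0x1),
    ("2013-01-18 09:00:07", "WS12", "jdoe", r"E:\budget.xlsx", 0x2),
    ("2013-01-18 09:30:00", "FS01", "asmith", r"D:\Shares\Finance\plan.docx", 0x1),
    ("2013-01-18 11:00:00", "WS12", "jdoe", r"C:\Users\jdoe\notes.txt", 0x2),
    ("2013-01-18 11:05:00", "FS01", "jdoe", r"D:\Shares\Finance\payroll.xlsx", 0x1),
    ("2013-01-18 12:45:00", "WS12", "jdoe", r"E:\payroll.xlsx", 0x2),  # outside window
]
SHARE = "D:\\Shares\\Finance\\"  # hypothetical audited folder

def load_events(events):
    """Load events into an in-memory table; 'name' is the lower-cased file name."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (ts TEXT, host TEXT, username TEXT,"
               " path TEXT, name TEXT, mask INTEGER)")
    db.executemany(
        "INSERT INTO access VALUES (?,?,?,?,?,?)",
        [(ts, host, user, path, path.rsplit("\\", 1)[-1].lower(), mask)
         for ts, host, user, path, mask in events])
    return db

def reads_per_user(db, share):
    """Count read accesses under the audited folder, per user."""
    return db.execute(
        "SELECT username, COUNT(*) FROM access WHERE (mask & :rd) != 0"
        " AND lower(substr(path, 1, length(:p))) = lower(:p)"
        " GROUP BY username ORDER BY username",
        {"rd": READ_DATA, "p": share}).fetchall()

def likely_copies(db, share, window_s=30):
    """Heuristic: share read followed within window_s by a same-name write elsewhere."""
    return db.execute(
        "SELECT r.username, r.path, w.host, w.path FROM access r JOIN access w"
        " ON w.username = r.username AND w.name = r.name AND w.path <> r.path"
        " WHERE (r.mask & :rd) != 0 AND (w.mask & :wr) != 0"
        " AND lower(substr(r.path, 1, length(:p))) = lower(:p)"
        " AND strftime('%s', w.ts) - strftime('%s', r.ts) BETWEEN 0 AND :win"
        " ORDER BY r.ts",
        {"rd": READ_DATA, "wr": WRITE_DATA, "p": share, "win": window_s}).fetchall()

if __name__ == "__main__":
    db = load_events(SAMPLE_EVENTS)
    print(reads_per_user(db, SHARE))
    print(likely_copies(db, SHARE))
```

Widening `window_s` catches slower copies but also pairs unrelated reads and writes, so the window needs tuning against test copies made on the audited systems.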

Accepted Solution

by:JustMy2Cents (earned 500 total points)
You should take a look at a 3rd-party software solution called FileAudit, which allows tracking, auditing, reporting and alerting on all access to shares, files and folders on Windows servers.

Info and trial version:
http://www.isdecisions.com/products/fileaudit

P.S. I also noticed there is a new version coming (still in beta for now):
http://community.isdecisions.com/knowledgebase/articles/142333-fileaudit-4-beta-testing-program-how-to