  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 921

Log end user activity

Hi,

I need to find an end user monitoring solution for a client. They would like to log specific events:
- Every network share and file accessed by the user
- Every document name printed by the user
- Every file copied from network shares to local machine
- Every file copied onto external media (USB, CD, DVD etc)

The system does not need to be able to block the end user from performing any of these actions, simply to log the details of it for audit purposes.

Any suggestions or thoughts appreciated.
Thanks
Asked: Roger Adams

mo_patel Commented:
Firstly, you need to enable auditing on the files/folders where the sensitive info is kept; then yes, you can get the info.

One thing to bear in mind is that if you do want to track everything, you will have too much info there; it will take you ages to sift through it all, not to mention fill up the disk space. It will also be very expensive.

I recommend you explain this to clients and only enable auditing on key files/folders.

A best practice for this kind of situation is, once auditing is enabled, to then use a SIEM utility to monitor the events and, if a match is found, to log the events into threads...

So basically you would have threads for:

i.e.
- logon events
- object access
- folder access etc
- log off events

To get event IDs, use this link:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

One thing to NOTE is that there is no COPY event; it's not that simple, so once you have enabled auditing and SIEM capture, you will have to test all this by accessing files, copying files, etc.

One such solution is NNT LogTracker... there are loads more on the market; they are not free and not cheap...
 
mo_patel Commented:
OR if you do have loads of free time and are good with SQL, you can use LogParser and write your own SIEM tool to download the logs into a SQL DB and then write your own queries to extract the info. It will never be as good as a paid version,

but at least it's an alternative...
0
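Added example (not part of the original thread and not any poster's code): a Python sketch of the two ideas in the answers above, sorting exported Security log records into per-user "threads" and, because Windows logs no copy event, inferring a probable copy from a share read followed by a write of the same file name elsewhere. The record layout, field names, host names and sample events are constructed for illustration; it assumes object-access auditing is enabled on both the file server and the workstation volume, and uses the standard event IDs 4624 (logon), 4634 (logoff) and 4663 (object access).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename  # Windows path handling on any OS

# Constructed sample records, simplified from exported Security log events.
# Field names are assumptions for this example, not a real export schema.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "FS01", "id": 4624, "user": "jdoe", "object": None, "access": None},
    {"time": "2024-05-01T09:01:10", "host": "FS01", "id": 4663, "user": "jdoe", "object": r"D:\Shares\HR\salaries.xlsx", "access": "ReadData"},
    {"time": "2024-05-01T09:01:12", "host": "PC07", "id": 4663, "user": "jdoe", "object": r"E:\salaries.xlsx", "access": "WriteData"},
    {"time": "2024-05-01T09:05:00", "host": "FS01", "id": 4663, "user": "asmith", "object": r"D:\Shares\HR\policy.docx", "access": "ReadData"},
    {"time": "2024-05-01T09:30:00", "host": "FS01", "id": 4634, "user": "jdoe", "object": None, "access": None},
]

THREAD_BY_ID = {4624: "logon", 4634: "logoff", 4663: "object access"}

def build_threads(events):
    """Group events per user into logon / object access / logoff threads."""
    threads = defaultdict(lambda: defaultdict(list))
    for ev in events:
        threads[ev["user"]][THREAD_BY_ID.get(ev["id"], "other")].append(ev)
    return threads

def probable_copies(events, server="FS01", window_s=30):
    """Pair a server-side read with a later write of the same file name by
    the same user on another host. A heuristic, not proof of a copy."""
    access = sorted((e for e in events if e["id"] == 4663), key=lambda e: e["time"])
    hits = []
    for i, rd in enumerate(access):
        if rd["host"] != server or rd["access"] != "ReadData":
            continue
        for wr in access[i + 1:]:
            gap = datetime.fromisoformat(wr["time"]) - datetime.fromisoformat(rd["time"])
            if gap > timedelta(seconds=window_s):
                break  # sorted by time, so later events are out of window too
            if (wr["access"] == "WriteData" and wr["host"] != server
                    and wr["user"] == rd["user"]
                    and basename(wr["object"]).lower() == basename(rd["object"]).lower()):
                hits.append((rd["user"], rd["object"], wr["host"], wr["object"]))
    return hits

if __name__ == "__main__":
    for hit in probable_copies(EVENTS):
        print("probable copy:", hit)
```

The match is by file name and time window only, so renamed files or slow copies are missed; tune `window_s` against test copies performed in the audited environment.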
 
JustMy2Cents Commented:
You should take a look at a third-party software solution called FileAudit, which allows tracking, auditing, reporting and alerting on all access to shares, files and folders on Windows servers.

Info and trial version:
http://www.isdecisions.com/products/fileaudit

P.S. I also noticed there is a new version coming (still in beta for now):
http://community.isdecisions.com/knowledgebase/articles/142333-fileaudit-4-beta-testing-program-how-to