I have enabled the Audit logging of events on a central file server, these are set to archive every 100Mb to a network share for off server storage. As you can imagine there are lots of events to review BUT the default tool is proving very difficult to use and gather the correct information im looking for. So.....
I need to track file access over the next 3 months for 2 users they have been added to the Auditing settings and i can see things are reporting back to the security logs.
1) Events to be looking out for (file open, access, delete, copy etc..) what are the best event ID's to be looking for here
2) Event Viewer, are there any good free event viewing tools out there?>
Any advice would be much appreciated.