Pau Lo
asked on
file access event logs windows server
Where specifically in the Windows audit settings can you capture file-level access (can you also capture file deletes, file creations etc. in a single log)? I need to check what is enabled on a number of servers around this. Are there any specific risks/configurations in enabling this on larger file servers, and/or any feedback on whether the default Windows logs are the best tool to capture this data, or whether 3rd-party apps may be the way to go?
In a large environment, get help from third-party solutions like Lepide and Varonis.
Normally you can configure the audit object access audit policy setting from the audit policy section of a GPO,
OR you can even configure granular-level auditing from the advanced audit policy settings under the Object Access heading.
Also, if your file server has heavy disk reads/writes, you can assign a separate drive for the same and increase the security log file size to a few GBs.
The setting can be found under Computer Config\Admin Templates\Windows Components\Event Log Service.
Later on you can supply these logs to any SIEM solution if wanted.
Consult this: https://www.raymond.cc/blog/3-portable-tools-monitor-files-folders-changes/. Advised to use a separate disk or another server for logging.
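
For the "check what is enabled on a number of servers" part of the question, the following is an added example and not part of any answer above. It reads the effective Object Access audit policy, the Security log size, and the audit entries (SACL) on one folder from each server. The server names and the folder path are placeholders, and it assumes PowerShell remoting, an administrative account, and an English-language OS (auditpol subcategory names are localized).

```powershell
# Added example: $servers and $auditPath are placeholders (assumptions), not values from the thread.
$servers   = 'FS01', 'FS02'     # hypothetical file servers
$auditPath = 'D:\Shares'        # hypothetical folder whose audit entries are inspected

$report = Invoke-Command -ComputerName $servers -ArgumentList $auditPath -ScriptBlock {
    param($Path)

    # Effective advanced audit policy for the Object Access category.
    # /r gives CSV output; blank lines are dropped before parsing.
    $policy = auditpol /get /category:"Object Access" /r |
        Where-Object { $_ } |
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory -in 'File System', 'File Share',
                                          'Detailed File Share', 'Handle Manipulation' }

    # Security log size and what happens when it fills (Circular, AutoBackup, Retain).
    $log = Get-WinEvent -ListLog Security

    # Audit entries on the folder. The File System subcategory only produces
    # events for objects that carry a SACL, so an empty list here means the
    # policy alone will not log access to this folder.
    $sacl = @()
    if (Test-Path -Path $Path) {
        $sacl = @((Get-Acl -Path $Path -Audit).Audit)
    }
    $saclText = ($sacl | ForEach-Object {
        '{0}:{1}:{2}' -f $_.IdentityReference, $_.FileSystemRights, $_.AuditFlags
    }) -join '; '

    foreach ($p in $policy) {
        [pscustomobject]@{
            Subcategory   = $p.Subcategory
            Setting       = $p.'Inclusion Setting'   # No Auditing / Success / Failure / Success and Failure
            SecurityLogMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
            LogMode       = $log.LogMode
            FolderSacl    = if ($saclText) { $saclText } else { '(none)' }
        }
    }
}

# PSComputerName is added by Invoke-Command to each returned object.
$report |
    Sort-Object PSComputerName, Subcategory |
    Format-Table PSComputerName, Subcategory, Setting, SecurityLogMB, LogMode, FolderSacl -AutoSize
```

A server that shows "Success" for File System but "(none)" for the folder SACL will still log nothing for that folder, and a small Circular Security log on a busy file server will overwrite events quickly.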