asked on
Too much event id 4663 generated for file access audit on a Windows file server.
Hi,
I am auditing a large file server using Netwrix. The goal is to audit all files modifications like changed, deleted, added and credential or owner change.
For some share folder, i also want to audit List folder / read data. Until now, I know what to do.
List Folder / read data generates a lot of entries in the Security events log, this is why I don't enable it on all shares.
Netwrix use an agent scan all the files and create a state-in-time report of the files and folders permissions in time. So, that process is accessing millions of files and generating millions of audit events.
I am receiving a lots of events 4663 even in folder that I haven't enable Liste folder / read data. I am trying to find a way to eliminate those events to extend the security log retention.
The maximum size of the security log is 4GB and some audit plans in Netwrix doesn't have enough time to catch all the events before they are getting remove because it is getting full.
The solution, it is lower the number of audited events.
The following screenshot shows my auditing settings. LCDomainUsers is a Local Domain Group that contains Domain Users from 2 domains (forest).
![2019-12-03AuditSettings.jpg]()
The next screenshot shows a generated audit event. Note that SRVSHARE1$ is the computer name and it is not part of the group LCDomainUsers. I don't understand why this event is generated. The process name NwxFsAgent.exe is the Netwrix agent.
![2019-12-03Event4663.jpg]()
I am asking the experts, maybe one of you might have a solution or explain me why the event 4663 is generated even I didn't enable the "List folder / read data"
Thanks,
I am auditing a large file server using Netwrix. The goal is to audit all files modifications like changed, deleted, added and credential or owner change.
For some share folder, i also want to audit List folder / read data. Until now, I know what to do.
List Folder / read data generates a lot of entries in the Security events log, this is why I don't enable it on all shares.
Netwrix use an agent scan all the files and create a state-in-time report of the files and folders permissions in time. So, that process is accessing millions of files and generating millions of audit events.
I am receiving a lots of events 4663 even in folder that I haven't enable Liste folder / read data. I am trying to find a way to eliminate those events to extend the security log retention.
The maximum size of the security log is 4GB and some audit plans in Netwrix doesn't have enough time to catch all the events before they are getting remove because it is getting full.
The solution, it is lower the number of audited events.
The following screenshot shows my auditing settings. LCDomainUsers is a Local Domain Group that contains Domain Users from 2 domains (forest).
The next screenshot shows a generated audit event. Note that SRVSHARE1$ is the computer name and it is not part of the group LCDomainUsers. I don't understand why this event is generated. The process name NwxFsAgent.exe is the Netwrix agent.
I am asking the experts, maybe one of you might have a solution or explain me why the event 4663 is generated even I didn't enable the "List folder / read data"
Thanks,
SecurityWindows 10AzureWindows Server 2016* file auditing
Last Comment
Stephan Bourgeois