We help IT Professionals succeed at work.
Get Started

Too much event id 4663 generated for file access audit on a Windows file server.

653 Views
Last Modified: 2021-04-12
Hi,

I am auditing a large file server using Netwrix. The goal is to audit all files modifications like changed, deleted, added and credential or owner change.

For some share folder, i also want to audit List folder / read data. Until now, I know what to do.

List Folder / read data generates a lot of entries in the Security events log, this is why I don't enable it on all shares.

Netwrix use an agent scan all the files and create a state-in-time report of the files and folders permissions in time. So, that process is accessing millions of files and generating millions of audit events.

I am receiving a lots of events 4663 even in folder that I haven't enable Liste folder / read data. I am trying to find a way to eliminate those events to extend the security log retention.

The maximum size of the security log is 4GB and some audit plans in Netwrix doesn't have enough time to catch all the events before they are getting remove because it is getting full.

The solution, it is lower the number of audited events.

The following screenshot shows my auditing settings. LCDomainUsers is a Local Domain Group that contains Domain Users from 2 domains (forest).
2019-12-03AuditSettings.jpg
The next screenshot shows a generated audit event. Note that SRVSHARE1$ is the computer name and it is not part of the group LCDomainUsers. I don't understand why this event is generated. The process name NwxFsAgent.exe is the Netwrix agent.
2019-12-03Event4663.jpg
I am asking the experts, maybe one of you might have a solution or explain me why the event 4663 is generated even I didn't enable the "List folder / read data"

Thanks,
Comment
Watch Question
Architect
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
Unlock 2 Answers and 6 Comments.
See Answers
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE