Auditing Folders and Files in Windows and on NetApp Filer CIFS shares

Enabling file auditing is a 2-step process.

1. Configure “audit object access” in AD Group Policy or on the server’s local GPO.

This setting is located under:

Computer Configuration–>Windows Settings–>Security Settings–>Local Policies–>Audit Policies. Enable success/failure auditing for “Audit object access.”

 2.  Configure an audit entry on the specific folder(s) that you wish to audit.

Right-click on the folder–>Properties–>Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit – auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.

After you’ve done both of these steps, any file deletions will show up in the Security log of the file server that hosts those files.

For NetApp Filers the steps continue as you need to export the audit logs in a format you can read using windows event viewer, you need to run the following command on your filer:

cifs audit save -f

After this the log is dumped into a folder on the fielr called /etc/log/adtlog.evt or \\filername\c$\etc\log\adtlog.evt

You can then copy this log from the filer to a central locaiton and view it in windows event viewer or other compatable utility.

One could create a script and schedule it to run the command on the filer, and move the file to a central location and rename it. It all depends on how you manage such logs. But the first two steps apply to the filer, as the filer will also have the GPO applied to it as well.

Note: If you would like to track actual changes to the file, you may want to check out a Subversion server of some sorts, there are a number of free ones out there. Also some programs have a built in change control such as MS Word.


About Paul Cardelli, CISSP
Cyber Security Analyst, and computer guru

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: