How to setup auditing for File Servers

How to setup auditing for File Servers in Netwrix Auditor Vega
Email It to Me Print this Page
Question How do I setup auditing for File Servers
Answer What settings you have within Netwrix Auditor, will determine what auditing flags need to be set on the shares you are monitoring. See the screenshot below for the auditing settings you can set within the product
User-added image

These settings are broken down into four categories:
  • Successful modifications - Used to see when users create, remove and modify files/folders successfully
  • Failed modification attempts - Used to see when users fail to create, remove or modify files and folders
  • Successful reads - Used to see users successfully read a file or folder
  • Failed read attempts - Used to see when users fail to read a file or folder
To setup auditing for these 4 categories, this KB is broken down into two categories: Pre-Windows 2012/8.x and 2012/8.x

Pre-Windows 2012/8.x

The steps listed below are for setting up auditing on machines that are before Windows 2012 and Windows 8.x.
  1. Begin by going to the share/folder you want to audit with Netwrix Auditor
  2. Right-Click on the folder and go to Properties
  3. Click on the Security Tab and click Advanced
    User-added image
  4. Select the Auditing tab and click on Edit
    User-added image
  5. Click Add and then under locations, make sure to choose Entire Directory or your Active Directory domain. Type in Everyone into the textbox and then hit OK
    User-added image
The next window that opens up will be the Auditing Entry window where you will pick which flags you need to set, based on the auditing checkboxes you selected with Netwrix Auditor.

Successful Modifications

Make sure that Apply onto is set to This folder, subfolders and files and then check the following Successful flags:

  • Create files / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Change permissions
  • Take ownership

You can also verify that your settings are right from the screenshot below
User-added image

Failed Modification Attempts

Make sure that Apply onto is set to This folder, subfolders and files and then check the following Failed flags:

  • Create files / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Change permissions
  • Take ownership

You can also verify that your settings are right from the screenshot below
User-added image

Successful Reads

Make sure that Apply onto is set to Files only and then check the following Successful flag:

  • List folder / Read data

You can also verify that your settings are right from the screenshot below
User-added image

Failed Read Attempts

Make sure that Apply onto is set to This folder, subfolders and files and then check the following Failed flag:

  • List folder / read data

You can also verify that your settings are right from the screenshot below
User-added image

After all of these settings are in place, continue to click OK until a window pops up, showing you that auditing is being set on multiple files/folders.

2012/8.x

The steps listed below are for setting up auditing on machines that are Windows 2012 or Windows 8.x
  1. Begin by going to the share/folder you want to audit with Netwrix Auditor
  2. Right-Click on the folder and go to Properties
  3. Click on the Security Tab and click Advanced
    User-added image
  4. Select the Auditing tab and click Add
    User-added image
  5. Click Select a principal and then make sure to choose Entire Directory or your Active Directory domain. Type in Everyone into the textbox and then hit OK
    User-added image
  6. Click Show advanced permissions and also click the Clear all button at the bottom before turning on any auditing.
    User-added image
The next window that opens up will be the Auditing Entry window where you will pick which flags you need to set, based on the auditing checkboxes you selected with Netwrix Auditor.

Successful Modifications

Make sure that Type is set to Success and Applies to is set to This folder, subfolders and files and then check the following flags:

  • Create files / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Change permissions
  • Take ownership

You can also verify that your settings are right from the screenshot below
User-added image

Failed Modification Attempts

Make sure that Type is set to Fail and Applies to is set to This folder, subfolders and files and then check the following flags:

  • Create files / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Change permissions
  • Take ownership

You can also verify that your settings are right from the screenshot below
User-added image

Successful Reads

Make sure that Type is set to Success and Applies to is set to Files only and then check the following flag:

  • List folder / Read data

You can also verify that your settings are right from the screenshot below
User-added image

Failed Read Attempts

Make sure that Type is set to Fail and Applies to is set to This folder, subfolders and files and then check the following flag:

  • List folder / Read data

You can also verify that your settings are right from the screenshot below
User-added image

After all of these settings are in place, continue to click OK until a window pops up, showing you that auditing is being set on multiple files/folders.

Was this information helpful?