Enable Windows file auditing for use with SEM
Enable file auditing in Windows to monitor events related to users accessing, modifying, and deleting sensitive files and folders on your network.
To maximize the value of this type of auditing, enable auditing on a file server where you installed a SEM agent, and only for the specific files and folders you want to monitor. If you enable auditing on all files or folders, the additional auditing may impact SEM performance.
Complete the procedures below to enable object auditing on your server, and then enable file auditing on the files and folders that you want to audit. If Windows is logging the events and your server is running a SEM agent, the SEM console will begin displaying the new file auditing alerts.
Enable object auditing in Windows
- In the Windows Control Panel, navigate to Administrative Tools > Local Security Policy.
- In the left pane, expand Local Policies, and then click Audit Policy in the left.
- Select Audit object access in the right pane, and then click Action > Properties.
- Select Success and Failure, and then click OK.
- Close the Local Security Policy window.
Enable file auditing on a file or folder in Windows
- In Windows Explorer, locate the file or folder you want to audit.
- Right-click the file or folder, and then select Properties.
- Click the Security tab.
- Click Advanced.
- Click the Auditing tab.
- Click Add. (If using Windows Server 2008, click Edit.)
- Enter the name of a user or group you want to audit for the selected file or folder, and then click Check Names to validate your entry. For example, enter Everyone.
- Click OK.
- Select Success and Failure next to full control to audit everything for the selected file or folder.
- Optionally, clear Success and Failure for unwanted events such as:
- Read attributes
- Read extended attributes
- Write extended attributes
- Read permissions
- Click OK in each window until you are back at Windows Explorer.
- Repeat these steps for all files or folders you want to audit.