I'd like to track events such as create/delete/move for files and folders on a certain file server. This should work based on certain folders only (track folder x and nothing else). This is a Windows Server environment.
Here is what I did so far:
- Turned on Advanced Audit Policy - Audit File System - Success.
- Enabled auditing on the folder of interest
It works but you're faced with a huge amount of endless log entries, most of them useless. I even filtered the security log to certain event IDs only (4656, 4659, 4660, 4663) but it's still a mess. For certain IDs like 4663 you also need to know which access mask was triggered to put some sense to it.
What I need is some sort of management summary generated on a daily basis, preferably in HTML. One should be able to see which files and folders were created/deleted or moved and nothing else.
Seems like this is exactly what I am looking for --> link. Unfortunately the script starts to run then hangs forever. Could not get it working on Server 2008 R2 and my PowerShell skills are too weak to debug this. The folder I'd like to monitor consists of <80.000 files and <10.000 folders.
What are my options? Would you go the Audit Policy route or are there better alternatives? Would be nice if I can get it to work with standard tools. How can I aggregate and filter the log to generate a clear and human readable output?
TL;DR
Looking for a poor man's SIEM to generate a daily report of who created/deleted/moved files and folders of a specific file share.
EDIT
Sorted some stuff out and got the script running. It's slow (taking about 20 min to examine ~100.000 log lines) but working. So I'm using this for the moment. If someone has a faster or more elegant solution I'd like to hear it.
You're on the right track, you would need to read the Security log of the server to get the events that you're looking for. The best description of getting a "count" or reading the XML to dig in a little bit further is detailed here: "https://blogs.technet.microsoft.com/heyscriptingguy/2014/06/04/data-mine-the-windows-event-log-by-using-powershell-and-xml/"
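An added example (not from the question or either answer) of the Get-WinEvent/XML approach the linked article describes, narrowed to one folder and reduced to a daily HTML summary. `$Folder` and `$Report` are placeholders, PowerShell 3.0 or later is assumed, and real deletes are told apart from renames/moves by matching the 4663 HandleId against a later 4660 (object deleted) event.

```powershell
# Added example: summarise one day of file-system audit events (4663 access,
# 4660 delete) for a single folder into an HTML report.
# Assumptions: auditing is enabled as in the question; $Folder/$Report are placeholders.
param(
    [string]$Folder = 'D:\Share',              # audited folder (placeholder)
    [string]$Report = 'C:\Reports\files.html', # output file (placeholder)
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)
# Filtering by log, ID and time inside the event service is far faster than
# pulling every record and filtering in the pipeline.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $since } `
          -ErrorAction SilentlyContinue
# Flatten each event's EventData into a simple object.
$parsed = foreach ($e in $events) {
    $x = [xml]$e.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $d.SubjectUserName
                       Handle = $d.HandleId; Object = $d.ObjectName; Mask = $d.AccessMask }
}
# A rename needs DELETE on the old name but never produces 4660; a real delete
# does, with the same HandleId. (Handle IDs can be reused, so this is a heuristic.)
$deletedHandles = @{}
$parsed | Where-Object { $_.Id -eq 4660 } | ForEach-Object { $deletedHandles[$_.Handle] = $true }
$rows = foreach ($p in ($parsed | Where-Object { $_.Id -eq 4663 -and $_.Object -like "$Folder*" })) {
    $mask = [Convert]::ToInt64($p.Mask, 16)   # AccessMask arrives as "0x10000"
    $action = if ($mask -band 0x10000) {      # DELETE
                  if ($deletedHandles.ContainsKey($p.Handle)) { 'Deleted' } else { 'Renamed/moved (old name)' }
              } elseif ($mask -band 0x6) {    # WriteData/AddFile, AppendData/AddSubdirectory
                  'Created/written'
              } else { $null }                # reads, attribute changes etc. are dropped
    if ($action) { [pscustomobject]@{ Time = $p.Time; User = $p.User; Action = $action; Path = $p.Object } }
}
$summary = $rows | Group-Object User, Action | Select-Object Name, Count | Sort-Object Count -Descending
$head = '<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:2px 6px}</style>'
$body = ($summary | ConvertTo-Html -Fragment -PreContent '<h2>Summary by user / action</h2>') +
        ($rows | Sort-Object Time | ConvertTo-Html -Fragment -PreContent '<h2>Details</h2>')
ConvertTo-Html -Head $head -Title "File activity since $since" -Body $body | Set-Content $Report
```

Schedule it once a day with Task Scheduler and the report can be attached with Send-MailMessage; the mask filter is what removes the read-only noise the question complains about.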
If you're not a PowerShell expert (I'm not either) then it's probably unlikely you will get the report you are looking for with the PS script without investing a lot of time. It will take quite a bit of tweaking (and debugging to get it working in the first place) to get it to look the way you want and then set it up for emailing etc.
You are probably better off investing a small amount of $$ in a software product that can help you with this. You mentioned a "poor man's SIEM", keep in mind that not all of the SIEM products out there are expensive.
EventSentry for example starts at $85 for a single server (and it sounds like that's all you need) and has a file access tracking component which does exactly what you need. It does rely on auditing being set up on your server already (which you already got covered) but then gives you very useful reports - here is an example.
Another advantage of using a 3rd party tool is that you will easily be able to schedule it so that you can get it via email, and most tools support multiple output formats like PDF as well.