To use file access tracking, auditing needs to be configured on the files and/or folders you would like to track with EventSentry. Additionally, object tracking needs to be activated, either through group policy or through the local security policy.
1. Enable Object Tracking
See Tracking Requirements for more information on how to enable the object tracking audit category. If object tracking is not enabled, then the necessary 560 or 4663 events will not be generated by the Operating System, even when auditing is enabled on a directory.
2. Set up Auditing for a file and/or folder
Once object access tracking has been enabled, you will need to configure auditing on the directories you want to track with EventSentry. You configure auditing by opening the folder properties in Windows Explorer and accessing the advanced security properties, as shown in the screenshots below:
[Screenshots: Viewing current file/folder permissions | Enabling auditing for file changes and deletions | List of auditing entries after EVERYONE was added]
The detailed steps to enable auditing are as follows:
1. Right-click the folder where you want to enable auditing, and select "Properties"
2. Click the "Security" tab
3. Select the "Advanced" button
4. Select the "Auditing" tab
5. Click "Edit"
6. Click "Add"
7. In the selection dialog, specify the user(s) and/or group(s) you would like to audit. To audit everybody, enter "Everyone"
8. In the "Auditing Entry" dialog, specify the type of access you want to audit, e.g. "Create files / write data"
9. Click OK several times to confirm your selection
Auditing entries will be effective immediately.
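
The same auditing entry can be applied from an elevated PowerShell prompt, which is useful when many folders need identical settings. This is an added example, not part of the original EventSentry documentation; the folder path is a placeholder, and the selected rights and the choice to audit successful access only are assumptions.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Must run elevated: reading or writing a SACL requires SeSecurityPrivilege.
$Path = 'C:\Data\Audited'   # placeholder folder, replace with the folder to track

# "Everyone" by its well-known SID (S-1-1-0), so the script also works on
# non-English Windows installations where the group name is localized.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Access types to audit (assumption): "Create files / write data" plus deletions.
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete, DeleteSubdirectoriesAndFiles'

# Apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Audit successful access only (assumption); add Failure to also log denied attempts.
$flags = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit, $propagate, $flags)

# -Audit is required; without it Get-Acl does not return the SACL at all.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list the auditing entries now present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Verify that object access auditing is actually enabled for the file system.
# If this reports "No Auditing", the SACL above will not produce any events.
# (auditpol is available on Windows Vista / Server 2008 and later; the
# subcategory name is localized on non-English systems.)
auditpol /get /subcategory:"File System"
```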