Navigation:  Monitoring with EventSentry > Compliance Tracking > File Access Tracking >

Access Masks & Filter

 Top  Previous  Next

You can specify which types of file access are being tracked to ensure that only relevant events are being recorded in the database. Additionally, you can setup file filters to include or exclude files that match a pattern.

 

clip0251

 

Access Masks

Windows distinguishes between the following access masks when recording file access activity, either through regular or operational events:

 

ReadData
ReadAttributes
ReadEA

 

SetPermissions
SetOwner
WriteData
WriteAttributes
WriteEA
AppendData
Delete

 

For example, to track when users change files, make sure that WriteData and AppendData are both selected. To record when files are deleted, make sure that Delete is checked.

 

Filter

The default filter ("Include") includes all files but lets you specify exclusion on a by case basis. For example, you could exclude all files that have a tmp extension by specifying the following filter:

 

*.tmp

 

Alert or Warning 1 24 n g

File names and paths need to be specified relative to the monitored folder. For example, if you are monitoring the folder C:\Logfiles, but want to exclude any file in the Temp sub directory (C:\Logfiles\Temp), then you would need to specify the filter as Temp\*.*.