Prerequisites

Navigation: Monitoring with EventSentry > Compliance Tracking > File Access Tracking >

Prerequisites

In order to use file access tracking, auditing needs to be configured on the files and/or folders you would to track with EventSentry. Additionally, object tracking needs to activated either through group policy or through the local security policy.

1. Enable Object Tracking

See Tracking Requirements for more information on how to enable the object tracking audit category. If object tracking is not enabled, then the necessary 560 or 4663 events will not be generated by the Operating System, even when auditing is enabled on a directory.

2. Setup Auditing for a file and/or folder

Once object access tracking has been enabled, you will need to configure auditing on the directories you want to track with EventSentry. You configure auditing by accessing the folder properties in Windows explorer and accessing the advanced security properties as shown in the screenshots below:

clip0250

Viewing current file/folder permissions

clip0446

Enabling auditing for file changes and deletions

clip0447

List of auditing entries after EVERYONE was added

The detailed steps to enable auditing are as follows:

1.	Right-click the folder where you want to enable auditing, and select "Properties"

2.	Click the "Security" tab

3.	Select the "Advanced" button

4.	Select the "Auditing" tab

5.	Click "Edit"

6.	Click "Add"

7.	In the selection dialog, specify the user(s) and/or group(s) you would like to audit. To audit everybody, enter Everyone

8.	In the "Auditing Entry" dialog, specify the type of Access you want to audit, e.g. "Create files / write data"

9.	Click OK several times to confirm your selection

Auditing entries will be effective immediately.