Navigation: Web Reports > Compliance Tracking > File Access Tracking
If you configured File Access Tracking to write to the database, then you can run queries to search the file access history on the File Access Tracking page.
The File Access Tracking page can generate the following reports:
Additionally, any reports will include the following information in most cases:
The file access tracking query page gives you the same flexibility the database query page gives you, allowing you to construct your own powerful queries with just a few clicks.
Computer: This is the computer where the files that were accessed were physically located. Files could have been accessed either locally (e.g. from a workstation or terminal server) or remotely (e.g. through a file share on a file server).
Source Computer: The source computer is the computer from which the file change was requested. If the file change was made through a file share, then the source computer name will be different from the computer name. This field will only be populated if the package is configured to retrieve the source computer and IP address.
Domain, Username: The user account that initiated the file change. If the username contains a $ sign at the end, then it indicates that the change was initiated by the computer itself, e.g. by a service.
File Path: The directory in which the file was modified, or the directory that was changed if the file access pertained to a directory only.
Filename: The file name that was accessed.
Caller File Path, Caller Filename: If the file was accessed directly by a local process (not through a network share, in which case this field is not useful), then this field contains the process name and path (if available).
Logon ID: The logon ID of the user who accessed the file. This can be used to correlate file access activity to other actions such as process activity, network logons and so forth.
Action: The action that EventSentry determined was applied to the file. Since the Windows event log, especially on Windows Server 2003 and earlier, does not actually indicate what action was performed, EventSentry tries to determine the action that was performed on the file. This is only available if the directory being monitored has the event analysis set to either "Normalize & Verify" or "Normalize, Verify and Filter".
Verified: You can restrict a search so that it only includes file access information that was or was not verified by the EventSentry agent. Please note that a file action can only be "Verified" if the directory being monitored has the event analysis set to either "Normalize & Verify" or "Normalize, Verify and Filter".
Access Mask: The access mask, as reported in the object access tracking events. For searching, you can either specify the complete access mask or check any access mask to filter the search results.
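The field semantics described above, applied to exported records for triage; this is an added example, not EventSentry code. The record layout, key names and sample values are constructed assumptions, and the bit values are the standard Windows file access rights.

```python
from collections import defaultdict

# Windows file access-right bits (winnt.h); a subset, not EventSentry's own table.
RIGHTS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
          0x20: "Execute", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
          0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
          0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}

def decode_mask(mask):
    """Split an access mask into named rights; unknown bits stay as hex."""
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(RIGHTS)  # bits are distinct, so sum equals OR
    if leftover:
        names.append(hex(leftover))
    return names

def annotate(rec):
    """Apply the field semantics described above to one record."""
    src = rec.get("source_computer", "")
    return {**rec,
            # Trailing $ means the computer itself (e.g. a service) acted.
            "machine_account": rec["username"].endswith("$"),
            # None = source not collected, so local vs. share access is unknown.
            "via_share": (src.lower() != rec["computer"].lower()) if src else None,
            "rights": decode_mask(rec["access_mask"])}

def review_queue(records, watch=("DELETE", "WRITE_DAC", "WRITE_OWNER")):
    """Group by Logon ID; keep sessions where a user account used a watched right."""
    sessions = defaultdict(list)
    for rec in map(annotate, records):
        sessions[rec["logon_id"]].append(rec)
    return {lid: recs for lid, recs in sessions.items()
            if any(not r["machine_account"] and set(watch) & set(r["rights"])
                   for r in recs)}

SAMPLE = [  # constructed records, not real report output
    {"computer": "FS01", "source_computer": "WKS17", "username": "jdoe",
     "logon_id": "0x3e4a1", "file_path": r"D:\Finance", "filename": "q3.xlsx",
     "access_mask": 0x10080},
    {"computer": "FS01", "source_computer": "WKS17", "username": "jdoe",
     "logon_id": "0x3e4a1", "file_path": r"D:\Finance", "filename": "q2.xlsx",
     "access_mask": 0x1},
    {"computer": "FS01", "source_computer": "", "username": "FS01$",
     "logon_id": "0x3e7", "file_path": r"D:\Finance", "filename": "q3.xlsx",
     "access_mask": 0x10000},
]

if __name__ == "__main__":
    for lid, recs in review_queue(SAMPLE).items():
        print(lid, [(r["filename"], r["rights"], r["via_share"]) for r in recs])
```

Each returned session keeps all of its records, so the reads that surround a delete under the same Logon ID stay visible for review.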
Examples
The chart below shows all verified file access, grouped by the File Path field: