File Access Tracking collects all successful file access activity that is logged by the Operating System when auditing on a directory and/or file is enabled. File Access Tracking can report on
• files being added to a directory
• files being deleted from a directory
• files being modified
• other file changes, such as permission or ownership changes
In addition, file access tracking can include the following information about a file change:
• the username of the user who performed the action
• the computer and/or IP address from which the action was performed (optional)
• the process which performed the action (unless performed through a file share)
Please see File Monitoring vs. File Access Tracking for a comparison between File Access Tracking and File Monitoring.
File Access Tracking works by intercepting and normalizing event 560 (on computers running Windows 2003 and earlier) or event 4663 (on computers running Vista and later) and performing additional actions to obtain extended information about the events (such as the source computer) and categorize the file access action.
Using File Access Tracking on Windows 2003 and earlier
One problem with the 560 security events on Windows 2003 and earlier is that they are logged not only when changes are made to files, but also when changes are merely requested. Microsoft® introduced so-called operational events with Windows 2003 (event id 567), which attempt to address this problem by logging only actual file changes to the security event log. We have found the operational events to be somewhat unreliable on Windows 2003, however, in particular when files are accessed through a file share over a network; we discussed this issue in detail in our event log blog. As such, the File Access Tracking feature does not use the 567 events on Windows 2003 and earlier; they are, however, used on Vista, Windows Server 2008 and later.
To compensate for this limitation, EventSentry can manually verify certain file actions by performing additional checks on the files themselves, such as creating checksums when files are modified and confirming that files reported as deleted are indeed gone. This feature, called Verify, is optional and can be activated if you are tracking file access on Windows Server 2003 (and earlier) hosts.
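The following is an added illustration, not EventSentry's code, of the two ideas above: the Access Mask of a 560/4663 event only records which access was granted (so a handle opened with DELETE access is not proof of a deletion), and a Verify-style check can confirm a reported change against the file system. The category labels, the verify() logic and the constructed scenario in demo() are assumptions for this example; the access-mask bit values are the standard Windows ACCESS_MASK constants.

```python
import hashlib
import os
import tempfile

# Windows ACCESS_MASK bits that appear in the Access Mask field of 560/4663 events.
DELETE = 0x10000
WRITE_DAC = 0x40000              # change permissions (DACL)
WRITE_OWNER = 0x80000            # change ownership
FILE_WRITE_DATA = 0x2
FILE_APPEND_DATA = 0x4
FILE_WRITE_ATTRIBUTES = 0x100

def categorize(access_mask: int) -> str:
    """Map a granted Access Mask to a change category (labels are hypothetical)."""
    if access_mask & DELETE:
        return "deleted"
    if access_mask & (WRITE_DAC | WRITE_OWNER):
        return "permission/ownership change"
    if access_mask & (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES):
        return "modified"
    return "accessed"

def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify(path: str, category: str, baseline: dict) -> bool:
    """Confirm a reported change against the file system, in the spirit of Verify."""
    if category == "deleted":
        return not os.path.exists(path)
    if category == "modified":
        return os.path.exists(path) and sha256_of(path) != baseline.get(path)
    return True  # nothing a checksum can confirm for the remaining categories

def demo() -> dict:
    """Constructed scenario: DELETE access granted but never used, then real changes."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "report.txt")
    with open(path, "w") as f:
        f.write("v1")
    baseline = {path: sha256_of(path)}
    # Event 1: DELETE access was granted, but the caller closed the handle without deleting.
    results = {"delete_only_requested": verify(path, categorize(DELETE), baseline)}
    with open(path, "w") as f:
        f.write("v2")                     # Event 2: the WriteData handle really wrote
    results["modify_confirmed"] = verify(path, categorize(FILE_WRITE_DATA), baseline)
    os.remove(path)                       # Event 3: this time the DELETE access was used
    results["delete_confirmed"] = verify(path, categorize(DELETE), baseline)
    os.rmdir(tmp)
    return results
```

On a real host the baseline checksums would be taken when the file is first seen, and the "deleted" check would run after the audited handle is closed rather than immediately.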
Using File Access Tracking on Vista, Windows Server 2008 and later
If you are tracking file access on Windows Server 2008 or later (this includes files accessed from remote computers through file shares), EventSentry will intercept and normalize the operational events, making the additional processing through the Verify feature by the agent (as described earlier) unnecessary in most scenarios.