How To: Reporting On File or Folder Accesses

This article explains how to report on file and folder access. Confidential files that require protection generally call for a sophisticated endpoint security or file auditing solution; however, Microsoft provides the Windows Security Event Log, which can be configured to record this information.

Configuration:

The default configuration of the Event Log does not record entries when confidential files are accessed. The first step is to set up file and/or folder auditing. For more information about this process, please view our article on Managing Event Logs.

Importing:

Once you have configured your settings for auditing, access to your confidential files will be recorded in the host computer’s Security Event Log. The next step is to import this information into WebSpy Vantage.

To do this:

1. Open Vantage (as Administrator if using Vista)
2. Navigate to the ‘Storages’ tab and click Import Logs
3. On the ‘Storages’ page of the Input dialog select ‘Create a new storage’, type in a name for your storage, then click Next.
4. On the ‘Input Type’ page, select ‘Windows Event Log’, then click Next.
5. On the ‘Loader Selection’ page, select ‘Microsoft’, then click Next.
6. On the ‘Input Selection’ page, click Add and select either local or multiple computers, then enter authentication details and click Filter Event Logs.
7. Check the ‘Security’ checkbox and then click OK.
8. Click OK on the Input dialog to start the import.

If you experience any issues with the import process, then you can consult the following articles:

Summaries:

Once your data has been successfully imported you can view your storage on the ‘Summaries’ screen. Click on New Analysis and select an Ad Hoc analysis. When the analysis completes, go to the ‘Category’ summary. If the file has been accessed then you will be able to see some ‘File System’ items. You can then click on File System to drill down, and then view ‘Event Type’ to see ‘Audit Success’ or ‘Audit Failure’. If you drill down into an ‘Audit Success’ you will be able to view who has successfully accessed that file.

The most important information is recorded in the ‘Message’ field, which is accessible from the ‘Individual Records’ view. Because the ‘Message’ field is free form you may see messages that are not important to reporting, for example ‘A handle to an object was requested’.

Event IDs can be used to filter this information. The ID 4663 corresponds to ‘An attempt was made to access an object’. In the ‘Event ID’ summary, right-click ‘4663’ and choose Drilldown | Individual Records to drill down to the ‘Individual Records’ view. You can now read the ‘Message’ field to see the details. You can also use the Find box on the left to search for a particular user or file.

Right-click on the Individual Records summary and click Export to export the view to a Word Document, HTML, Text or CSV file.

Reporting:

To create a report template that displays this information you need to use the Custom Expression options, both when adding a column to a node in a Template, and when specifying your filter.

To add a column to a report that displays an Event Message:

1. Go to the ‘Reports’ tab and click New Template.
2. Create an Analysis template based on the ‘All Windows Event Schemas’ schema.
3. Click New Node and then Advanced to launch the Advanced editor.
4. On the ‘General’ page, delete any existing Key columns and select Add | Key. In the Custom Expression section enter [Message], then set the Name value to Message, and click OK.
Note: You must include the square brackets.

Filters:

To filter the report:

1. Go to the ‘Filters’ page of the New Node dialog (alternatively you can specify this filter for the entire report globally using the Template Properties dialog).
2. Click Add | Field Value Filter. Select ‘Category’ from the Summary drop down, select ‘Include’, and click Add. Enter File System and click OK. Click OK to add the filter.
3. Click Add | Field Value Filter. Select ‘Event ID’ from the Summary drop down, select ‘Include’ and click Add. Enter 4663 and click OK. Click OK to add the filter.
4. To filter on the ‘Message’ field, select Add | Manual Filter Expression. Enter the expression [Message] LIKE "text filter" where text filter is the user or file that you want to search for. To search for multiple users or files you can join expressions using ‘AND’ or ‘OR’ and by including brackets. For example:

[Message] LIKE "lisasmith" AND [Message] LIKE ".xml"
Will filter for all .xml files that lisasmith has accessed.

[Message] LIKE "lisasmith" OR [Message] LIKE ".xml"
Will filter for all .xml files that have been accessed and all files that lisasmith has accessed.

([Message] LIKE "lisasmith" AND [Message] LIKE ".xml") OR [Message] LIKE "tomjones"
Will filter for all .xml files that lisasmith has accessed and any file that tomjones has accessed.

5. You can add the individual filters using Add | Manual Filter Expression multiple times, and then using the Manual Filter Expression editor at the bottom to change ANDs to ORs and place brackets appropriately.
6. Right-click the ‘Manual Filter Expression’ edit box and select Validate to ensure the expression is valid.
7. Click OK once you have added all the filters.

You can download a sample report template here. Please note that you need to modify the filter by entering the users or files you want to monitor. If you wish to see all File Audit events then you can remove the filter.
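
The same filters can be applied to the named fields of Event ID 4663 instead of the free-form ‘Message’ text. The following PowerShell is an added example, not part of the original article or of WebSpy Vantage; the sample events, user names and paths are constructed, and on a live host the input would come from Get-WinEvent as shown in the comment.

```powershell
# Added example. The three events are constructed; users and paths are illustrative.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
function New-SampleEvent([string]$User, [string]$Path, [string]$Mask) {
    "<Event xmlns='$ns'><System><EventID>4663</EventID>" +
    "<TimeCreated SystemTime='2013-04-22T09:15:02Z'/></System><EventData>" +
    "<Data Name='SubjectUserName'>$User</Data>" +
    "<Data Name='ObjectName'>$Path</Data>" +
    "<Data Name='AccessMask'>$Mask</Data></EventData></Event>"
}
$sample = @(
    (New-SampleEvent 'lisasmith' 'C:\Confidential\payroll.xml'   '0x1'),
    (New-SampleEvent 'tomjones'  'C:\Shares\lisasmith\notes.xml' '0x1'),
    (New-SampleEvent 'lisasmith' 'C:\Confidential\plan.docx'     '0x2')
)

# Turn one event's XML into a record keyed on the named EventData fields.
function ConvertTo-FileAccessRecord {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        if ([int]$evt.System.EventID -ne 4663) { return }
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $evt.System.TimeCreated.SystemTime
            User       = $data['SubjectUserName']
            File       = $data['ObjectName']
            AccessMask = $data['AccessMask']
        }
    }
}

# Live source (elevated session), instead of $sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
#       ForEach-Object { $_.ToXml() } | ConvertTo-FileAccessRecord
$records = $sample | ConvertTo-FileAccessRecord

# .xml files that lisasmith accessed, matched on the User and File fields.
# Matching on message text instead would also pick up the tomjones sample,
# because its path contains "lisasmith" and ends in ".xml".
$records | Where-Object { $_.User -eq 'lisasmith' -and $_.File -like '*.xml' }

# (lisasmith AND .xml) OR any file that tomjones accessed.
$records | Where-Object {
    ($_.User -eq 'lisasmith' -and $_.File -like '*.xml') -or $_.User -eq 'tomjones'
}
```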

April 22nd, 2013 | How To, Log File Analysis, Reports, Uncategorized, Windows Event Logs