Various audit events are generated when files or folders are accessed. The following is the list of events that can be monitored when file system activity needs to be audited.
| Event ID | Object Type | Log Message | Description |
|---|---|---|---|
| 4656 | File | A handle to an object was requested. | This is the first event logged when an application attempts to access the object. |
| 4659 | File | A handle to an object was requested with intent to delete. | This event is logged whenever an installed patch requires replacement of a file that is already open and cannot be closed until shutdown. |
| 4663 | File | An attempt was made to access an object. | This event logs the actual operations performed against files and other objects. |
| 4670 | File | Permissions on an object were changed. | This event is logged when the access control list on an object is changed; it identifies the object, who changed the permissions, and the old and new permissions. |
| 5145 | File | A network share object was checked to see whether the client can be granted the desired access. | This event logs every access to a file share and indicates the reason it was allowed or denied, based on the access check results. |
Among all these events, 4663 is best suited for tracking file operations. In every case, check that the Object Type is File, which indicates a file or folder operation. These events will be discussed in more detail in the next write-up.
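As an added example (not from the original post), the following Python filters a batch of events the way the paragraph above describes: keep only 4663 records whose ObjectType is File, then decode the AccessMask into the rights that were exercised. The event XML records are constructed samples laid out like Security-channel events, not real captures.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample records (not real captures) laid out like Security-channel event XML.
SAMPLE_EVENTS = [
    # 4663 on a file: the actual write operation, this is what we want to see
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>'
    r'<EventData><Data Name="SubjectUserName">alice</Data><Data Name="ObjectType">File</Data><Data Name="ObjectName">C:\Finance\payroll.xlsx</Data><Data Name="AccessMask">0x2</Data></EventData></Event>',
    # 4663 on a registry key: ObjectType is not File, so it must be skipped
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>'
    r'<EventData><Data Name="SubjectUserName">alice</Data><Data Name="ObjectType">Key</Data><Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Example</Data><Data Name="AccessMask">0x1</Data></EventData></Event>',
    # 4656 (handle requested) for the same file: not the operation itself, so skipped
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4656</EventID></System>'
    r'<EventData><Data Name="SubjectUserName">bob</Data><Data Name="ObjectType">File</Data><Data Name="ObjectName">C:\Finance\payroll.xlsx</Data><Data Name="AccessMask">0x10000</Data></EventData></Event>',
    # 4663 on a file with the DELETE right exercised
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>'
    r'<EventData><Data Name="SubjectUserName">bob</Data><Data Name="ObjectType">File</Data><Data Name="ObjectName">C:\Finance\payroll.xlsx</Data><Data Name="AccessMask">0x10000</Data></EventData></Event>',
]

# Subset of the Windows file access-right bits that appear in a 4663 AccessMask.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

def decode_access_mask(mask):
    """Return the names of the known right bits set in an AccessMask value."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def file_access_events(xml_records):
    """Keep only 4663 events whose ObjectType is File, with the AccessMask decoded."""
    hits = []
    for record in xml_records:
        event_id, data = parse_event(record)
        if event_id != 4663 or data.get("ObjectType") != "File":
            continue
        mask = int(data.get("AccessMask", "0"), 16)  # logged as a hex string such as 0x10000
        hits.append({"user": data.get("SubjectUserName"), "object": data.get("ObjectName"), "access": decode_access_mask(mask)})
    return hits
```

Running `file_access_events(SAMPLE_EVENTS)` yields two hits: alice's write and bob's delete of the same file, while the registry access and the bare handle request are dropped.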