Security Basics mailing list archives
Re: How to track who reads/changes files on NT4.0 server in NT4 domain?
From: H Carvey <keydet89 () yahoo com>
Date: 26 Dec 2003 12:29:45 -0000
In-Reply-To: <408D8DCD3813D5119DB400902771A41F0711A393 () mercury charlottesville org>
We need the ability to track what users read and change files in a specific directory on a NT 4.0 server in an NT 4.0 domain (not the entire server). I'm not seeing any built-in auditing that will do that.
You need to enable auditing for File and Object Access, then set the SACLs on the directories/files that you want to monitor. Event Logs will then be generated.
Is there any software which will do the monitoring and generate reports?
Generating the data is no problem. Generating the reports will be the issue...you'll have to collect the Event Log entries and then parse them in order to generate a report. That is not too difficult to do...you can easily do this in Perl, or using third-party tools (psloglist) to get the entries and then use Perl to generate the reports. I don't know of any software that will collect all of the entries with specific IDs and then give you a report of which file was accessed by which user. Harlan --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: How to track who reads/changes files on NT4.0 server in NT4 domain? H Carvey (Dec 29)