
Auditing questions


bcre3306

MIS
May 7, 2002
I know this is probably a stupid question, but I have a request to audit a folder just for successful reads of files in that folder, only for a specific domain group. So I turn on auditing and everything works fine, except I get events for the user logged into the machine. This user is not a member of the group I want to audit. So I was wondering, is there a way to stop this from happening? Also, I'm looking for a utility to write a report (command line if possible) for the Security log in Event Viewer. Any help would be appreciated.
Thanks
 
Are you getting auditing events from other users, or just the user of that machine?
 
I'm getting them from the users of the domain group assigned and the user logged into the machine
 
Try going into the auditing tab of the folder that you want to audit and see if you can remove that particular user. The only group that should be in the auditing portion of the folder properties should be the group that you created. If that particular user is not being audited, then I'll do some research and get back to you. Let me know if that is the problem.
 
Below is an e-mail (slightly altered for privacy) from a colleague that covers cheaply monitoring event logs using freeware tools.

Here is a quick and dirty example using a tool called psloglist from a freeware utility suite.

This command dumps the security log and clears it:
psloglist -s -c \\serverName security | find /I "," >> c:\junk\filename.log

In the above example the syntax means:
-s list the records one per line with delimited fields, comma being the default delimiter
-c clear the log after dumping it, the account doing this must have those rights
\\<servername> self explanatory
security in this case the security log, other valid entries would be system or application

Then we do a find for the string ignoring case and output the log to a desired location and log name.

The file created is a text file with everything in the log delimited by commas.

Events you might want to track are:
:: Event 539 is Locked-out Account
:: Event 628 is a Password Reset
:: Event 528 is a login (type 2 or 7) local console/tse session
:: Event 540 is a login (type 3) network connection/remote
:: Event 538 is a logoff
:: Event 681 tracks various reasons why a user login was not successful, see below:
:: Error codes Cause
:: 3221225572 User logon with misspelled or bad user account.
:: 3221225578 User logon with misspelled or bad password.
:: 3221225583 User logon outside authorized hours.
:: 3221225584 User logon from unauthorized workstation.
:: 3221225585 User logon with expired password.
:: 3221225586 User logon to account disabled by administrator.
:: 3221225875 User logon with expired account.
:: 3221226020 User logon with "Change Password at Next Logon" flag set.
:: 3221226036 User logon with account locked out.

You can certainly track other events in the Security log and track other logs and their events too. You can parse this text file for example as follows:
find ",681" < c:\junk\name.log

In the above example we do a find for the 681 event using the logfile we created in the log dump as the input.

Now with some creative scripting, a couple of FOR loops using various input files, and the blat utility, you could automate this and even have it alert you with an SMTP mail. Schedule it to run using Task Scheduler and there you go, automated log monitoring. If you wanted to, this could also be scripted in VBScript, ADSI and/or WMI. The issue there, though, would be legacy NT4 systems: you might have to install the VBScript, ADSI, and WMI packages on them, and perhaps you may not want to or be able to do that. Everything above is free using psloglist, blat, batch scripting, and some time. I like free personally. Thanks.

Mike
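As an added example, not part of Mike's post or of the PsTools documentation, here is a small Python parser for the comma-delimited file that `psloglist -s` writes. It applies the event 681 error-code table from the post, renders each code in its NTSTATUS hex form, and flags accounts with repeated failed logons, which is the part the post leaves to "creative scripting" and FOR loops. The column order (record number, log, type, computer, time, event ID, user, description), the sample records, and the alert threshold are assumptions made for this example; the description is taken as everything after the seventh comma, since event descriptions can contain commas of their own.

```python
import re
from collections import Counter

# Error-code table for event 681, as listed in the post (decimal, the way the
# log shows them); ntstatus() renders the same value in the 0xC000xxxx form.
ERROR_CODES = {
    3221225572: "bad user account",
    3221225578: "bad password",
    3221225583: "logon outside authorized hours",
    3221225584: "logon from unauthorized workstation",
    3221225585: "expired password",
    3221225586: "account disabled by administrator",
    3221225875: "expired account",
    3221226020: "change password at next logon flag set",
    3221226036: "account locked out",
}

# Constructed sample of "psloglist -s \\FILESRV security" output. The column
# order (record#, log, type, computer, time, event ID, user, description) is
# an assumption for this example.
SAMPLE_DUMP = r"""
101,Security,Audit Success,FILESRV,5/7/2002 8:01:12 AM,528,DOMAIN\brian,Successful Logon: User Name: brian Domain: DOMAIN Logon Type: 2
102,Security,Audit Failure,FILESRV,5/7/2002 8:03:40 AM,681,NT AUTHORITY\SYSTEM,The logon to account: jsmith by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WS17 failed. The error code was: 3221225578
103,Security,Audit Failure,FILESRV,5/7/2002 8:03:52 AM,681,NT AUTHORITY\SYSTEM,The logon to account: jsmith by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WS17 failed. The error code was: 3221225578
104,Security,Audit Failure,FILESRV,5/7/2002 8:04:10 AM,681,NT AUTHORITY\SYSTEM,The logon to account: jsmith by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WS17 failed. The error code was: 3221226036
105,Security,Audit Failure,FILESRV,5/7/2002 8:10:00 AM,681,NT AUTHORITY\SYSTEM,The logon to account: nosuchuser by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WS03 failed. The error code was: 3221225572
106,Security,Audit Success,FILESRV,5/7/2002 8:15:30 AM,540,DOMAIN\brian,Successful Network Logon: User Name: brian Domain: DOMAIN Logon Type: 3
107,Security,Audit Success,FILESRV,5/7/2002 8:20:05 AM,538,DOMAIN\brian,User Logoff: User Name: brian Domain: DOMAIN Logon Type: 3
"""

# Pattern over the NT 681 message text: "The logon to account: X by: Y from
# workstation: Z failed. The error code was: N".
LOGON_FAIL_RE = re.compile(
    r"account:\s+(?P<account>\S+).*?from workstation:\s+(?P<workstation>\S+)"
    r".*?error code was:\s+(?P<code>\d+)"
)


def parse_records(dump):
    """Split each psloglist -s line into a dict; the description keeps its commas."""
    records = []
    for line in dump.splitlines():
        parts = line.split(",", 7)
        if len(parts) < 8:
            continue  # blank line or a banner line, not a delimited record
        rec_no, log, kind, computer, when, event_id, user, description = parts
        records.append({
            "record": int(rec_no), "log": log, "type": kind, "computer": computer,
            "time": when, "event_id": int(event_id), "user": user,
            "description": description,
        })
    return records


def ntstatus(code):
    """Decimal error code as shown in the log -> NTSTATUS hex, e.g. 0xC000006A."""
    return "0x%08X" % code


def failed_logons(records):
    """Pull account, workstation and cause out of every event 681 record."""
    failures = []
    for rec in records:
        if rec["event_id"] != 681:
            continue
        m = LOGON_FAIL_RE.search(rec["description"])
        if not m:
            continue  # 681 with an unexpected message layout: skip rather than guess
        code = int(m.group("code"))
        failures.append({
            "time": rec["time"],
            "account": m.group("account"),
            "workstation": m.group("workstation"),
            "code": code,
            "ntstatus": ntstatus(code),
            "cause": ERROR_CODES.get(code, "unknown error code"),
        })
    return failures


def failures_by_account(failures):
    """Count (account, cause) pairs: the summary you would mail out with blat."""
    return Counter((f["account"], f["cause"]) for f in failures)


def accounts_to_alert(failures, threshold=3):
    """Accounts with at least `threshold` failed logons in this dump.
    The default threshold is an assumed value; tune it to the environment."""
    per_account = Counter(f["account"] for f in failures)
    return sorted(acct for acct, n in per_account.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DUMP)
    fails = failed_logons(recs)
    for (acct, cause), n in sorted(failures_by_account(fails).items()):
        print("%-12s %-40s %d" % (acct, cause, n))
    print("alert:", accounts_to_alert(fails))
```

To use it against a real dump, read the file produced by the `psloglist -s ... >> c:\junk\filename.log` line into `parse_records` instead of `SAMPLE_DUMP`. Note that the `-c` switch in that command clears the log after dumping, so the text file becomes the only copy of those records; keep it somewhere the audited users cannot modify.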
 
anthony0494, the only user I have in the folder right now is myself, yet I still get successful audits from the user logged into the machine. If you have any more suggestions I would really appreciate it.

mcconmw, thanks a lot for that utility/ideas. That is exactly what I need; now I just need to get the log to report correctly.
Thanks to all for the help!!
Brian
 