This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Auditing

Question
0

Sign in to vote

Hi All

I have enabled auditing on a 2008 server and added the audit permissions to a folder I want to watch. I need to look for deleting of files and folder but am getting way too many records in the event logs at present.

I have been looking at

auditpol /get /category:"Object Access"

I wanted to know which sub categories I actually need enabled for this so I can disable the rest to reduce the data in the event logs

Many thanks

Glenn

Wednesday, September 26, 2012 11:14 AM

Answers

0

Sign in to vote
Hi,

Since enabling "Audit Object Access" generates a ton of logs, so to reduce the amount of logs and only get the "File System" ones you can disable this and enable the subcategory only using the Auditpol tool with the following command.

AUDITPOL /SET /SUBCATEGORY:"File System" /SUCCESS:ENABLE /FAILURE:ENABLE

If we want to see all possible categories and subcategories, type the following line at the command prompt, and then press ENTER:

auditpol /list /subcategory:*

For details about Auditpol command, please refer to the following articles.

Auditpol

http://technet.microsoft.com/en-us/library/cc731451(v=ws.10).aspx

Auditpol set

http://technet.microsoft.com/en-us/library/cc755264(v=ws.10).aspx

How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.

http://support.microsoft.com/kb/921469

In addition, we could also enable file and folder auditing with the following steps.

Enabling File and Folder Auditing

http://msmvps.com/blogs/richardwu/archive/2010/07/16/enabling-file-and-folder-auditing.aspx

Regards,

Andy
- Proposed as answer by iamrafic Thursday, September 27, 2012 7:55 AM
- Marked as answer by Glenn_uk Thursday, September 27, 2012 12:38 PM
Thursday, September 27, 2012 6:47 AM