FileAudit Frequently Asked Questions
How to reduce the number of events generated in the Windows Security event log of the File Server when implementing FileAudit
FileAudit uses the NTFS audit built into every Windows system. This NTFS audit, like the rest of the Object Access audit, can be enabled in the Local Security Policy of your Windows File Server or through Microsoft Group Policy. For technical reasons, FileAudit can currently only enable this audit policy automatically for all subcategories of the Object Access audit, although it only needs some of them to perform its audit. You can reduce the number of events written to the File Server Security event log by implementing the Advanced Audit Policy Configuration, which lets you enable only the subcategories FileAudit requires.
To implement the Advanced Audit Policy Configuration with FileAudit:
- Launch the Local Security Policy console on the File Server that FileAudit is monitoring.
- Browse to “System Audit Policies – Local Group Policy Object” and display its content.
- Configure the following three subcategories as:
  - Audit Detailed File Share: Success and Failure
  - Audit File System: Success and Failure
  - Audit Handle Manipulation: Failure
(Screenshot: Advanced Audit Policy Configuration console)
This can also be achieved without the console, using the auditpol command line tool from an elevated prompt:
auditpol /set /subcategory:"File system" /failure:enable /success:enable
auditpol /set /subcategory:"Handle manipulation" /failure:enable /success:disable
auditpol /set /subcategory:"Detailed File Share" /failure:enable /success:enable
FileAudit cannot currently detect the Advanced Audit Policy Configuration. When the audit policy is set this way, FileAudit will therefore prompt you during its checking process. To avoid this prompt, we recommend selecting the option “Let me configure the object access audit by myself” when asked.
(Screenshot: FileAudit prompt)
Take note that:
- On Windows Server 2008 and Windows Vista, the “Advanced Audit Policy Configuration” can only be configured from the command line.
- Whichever method you use, the Local Security Policy console or the command line, setting the Advanced Audit Policy overwrites the default Audit Policy.
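The following PowerShell script is an added example, not part of the FileAudit documentation: it backs up the effective audit policy before it is overwritten, applies the three subcategory settings listed above with auditpol, and then reads the policy back to confirm each setting took effect. The backup path is an assumption; any writable location will do.

```powershell
# Added example (not from the FileAudit article). Run from an elevated
# PowerShell prompt on the file server that FileAudit is monitoring.
# $BackupPath is an assumed location; use any writable path.
$BackupPath = Join-Path $env:TEMP 'auditpol-before-fileaudit.csv'

# 1. Save the current policy first: setting an advanced subcategory
#    overwrites the legacy (default) Audit Policy. Revert later with:
#    auditpol /restore /file:"$BackupPath"
auditpol /backup /file:"$BackupPath" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol backup failed (exit $LASTEXITCODE)" }

# 2. The three subcategories FileAudit needs, as listed in the article.
$Wanted = @{
    'File System'         = @{ success = 'enable';  failure = 'enable' }
    'Handle Manipulation' = @{ success = 'disable'; failure = 'enable' }
    'Detailed File Share' = @{ success = 'enable';  failure = 'enable' }
}

foreach ($sub in $Wanted.Keys) {
    $s = $Wanted[$sub].success
    $f = $Wanted[$sub].failure
    auditpol /set /subcategory:"$sub" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol set failed for '$sub' (exit $LASTEXITCODE)" }
}

# 3. Verify. With /r auditpol prints CSV with the columns Machine Name,
#    Policy Target, Subcategory, Subcategory GUID, Inclusion Setting,
#    Exclusion Setting; "Inclusion Setting" is what we check.
$rows = auditpol /get /category:'Object Access' /r | ConvertFrom-Csv
foreach ($sub in $Wanted.Keys) {
    $row = $rows | Where-Object { $_.Subcategory -eq $sub }
    $expected = switch ("$($Wanted[$sub].success)/$($Wanted[$sub].failure)") {
        'enable/enable'  { 'Success and Failure' }
        'disable/enable' { 'Failure' }
    }
    $actual = if ($row) { $row.'Inclusion Setting' } else { '<not found>' }
    $state  = if ($actual -eq $expected) { 'OK' } else { 'MISMATCH' }
    '{0,-22} expected [{1}] got [{2}] {3}' -f $sub, $expected, $actual, $state
}
```

Any line reporting MISMATCH means the subcategory is not in the state FileAudit expects, so the Security log will either miss file events or carry more than necessary.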