FileAudit Documentation

Filter

To access the filter and perform a search, click on the magnifying glass button. The filter form will pop up on the right-hand side of the screen. Select your criteria and apply the filter:

Filter options

The What filters

  • Access Status: This allows you to filter the display to limit it to either Granted and/or Denied access attempts.
  • Object type: You can display events on files and/or folders.
  • Access type: Choose the desired access type(s).
    • (Select All): All types of access events will initiate the alert.
    • Delete: A user tried to delete a file/folder.
    • Ownership: A user tried to take ownership of the file/folder.
    • Permissions: A user tried to change the permissions on the file/folder.
    • Write: A user tried to modify a file.
    • Execute: A user tried to execute an executable file.
    • Read: A user tried to open a file in ‘Read’ mode.
    • System: An attempt to read or write the System Access Control List (SACL), i.e. the audit entries of the file/folder. (Pre-Vista only).
    • Write attributes: A user tried to modify a file attribute (like Read-only or Hidden checkboxes).
    • Other: Composite events, where an event can be a combination of several access events, e.g. Write and read or Delete and read, etc. (Windows 2003 Server only).

    Take note that the event is generated for an attempted access. If a user without enough privileges attempts to delete a file on a monitored folder, you will be alerted of a ‘Delete’ event with a status ‘Denied’.

The When filters

  • From: You can display events from the first event available, or a specific date.
  • To: You can display events up until the last event available, or a specific date.

The Who filters

  • Domain: You can display events for a specific domain by typing its NetBIOS name.
  • Group: You can display events for members of a specific Active Directory group.
  • User: You can display events for a specific Active Directory user.


An advanced syntax allows you to exclude or include multiple users in the Group and User fields. See below for more details.

Please note:

  • Groups without users are not allowed (e.g., a group of machines).
  • Groups of sub-domains or parent domains are not supported.
  • If the service has just (re-)started, it needs some time to build the list of groups. As a consequence, any selection will be denied during this time (generally a matter of seconds).

The Source filters

  • Client IP Address: This allows you to specify the IP address of the machine from which the access has been performed (if the access is performed through the network).
  • Client name: This allows you to specify the name of the machine from which the access has been performed (if the access is performed through the network).
  • Process: This allows you to specify the name of the process generating the access attempt (if the file/folder is accessed locally - i.e. on the machine hosting the file/folder).


You can reset all filter configuration options to default by clicking on the 'Reset' button.

Include or exclude users

User and Group filters can be used to include or exclude users from the results. To include more than one user or group, separate entries with commas. To exclude a user or a group, enter the minus sign before the user name or the group name.

Inclusion example
Sales, Marketing


All accesses of Sales and Marketing group members will be displayed.

Exclusion example
-Marketing


Accesses of Everyone except Marketing group members will be displayed.

Inclusion + exclusion example
Sales, -Managers


All accesses of Sales group members will be displayed, except for users also members of Managers group.
If there are no common members between the Sales and Managers groups, it will include all Sales members. If all members of Sales are members of Managers, no data will be displayed.
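
The include/exclude rules above, as an added Python example (not FileAudit's own code): it parses a Group filter expression and applies it to events, so you can check which accounts an expression hides before relying on the filtered view in a review. The group names, members and event fields are constructed sample data, and exact-case name matching is an assumption.

```python
# Added illustration of the documented include/exclude rules; not FileAudit code.

def parse_filter(expr):
    """Split an expression such as 'Sales, -Managers' into (includes, excludes)."""
    includes, excludes = [], []
    for raw in expr.split(","):
        entry = raw.strip()
        if entry.startswith("-"):
            excludes.append(entry[1:].strip())  # minus sign marks an exclusion
        elif entry:
            includes.append(entry)
    return includes, [name for name in excludes if name]


def in_any_group(user, names, groups):
    """True if user is a member of at least one of the named groups."""
    return any(user in groups.get(name, set()) for name in names)


def user_matches(user, expr, groups):
    """Apply the documented rules to one user name."""
    includes, excludes = parse_filter(expr)
    if in_any_group(user, excludes, groups):
        return False   # excluded members are hidden even if also included
    if not includes:
        return True    # exclusions only: everyone else is displayed
    return in_any_group(user, includes, groups)


def filter_events(events, expr, groups):
    """Return the events whose user passes the Group filter expression."""
    return [e for e in events if user_matches(e["user"], expr, groups)]


# Constructed sample data (hypothetical groups, users and events).
GROUPS = {
    "Sales": {"alice", "bob"},
    "Marketing": {"carol"},
    "Managers": {"bob", "dave"},
}
EVENTS = [
    {"user": "alice", "access": "Read", "status": "Granted"},
    {"user": "bob", "access": "Delete", "status": "Denied"},
    {"user": "carol", "access": "Write", "status": "Granted"},
    {"user": "erin", "access": "Permissions", "status": "Denied"},
]

if __name__ == "__main__":
    for expr in ("Sales, Marketing", "-Marketing", "Sales, -Managers"):
        print(expr, "->", [e["user"] for e in filter_events(EVENTS, expr, GROUPS)])
```

With `Sales, -Managers`, bob's denied Delete attempt disappears from the view because he belongs to both groups, which is worth remembering when an exclusion is used to reduce noise.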

Status bar

The status bar indicates which filters are enabled for the current view. Furthermore, if you re-open the Filter display, your previously selected filter criteria will still be visible: