FileAudit Documentation
FileAudit Documentation
You are here: Reference > Audit > Display the audit > The File Access Viewer

The File Access Viewer

The File Access Viewer allows you to display, search, schedule and print reports on all access attempts generated for monitored files/folders configured on FileAudit.

  1. Enter a file/folder into the ‘Path(s)’ field to display the file access events generated for it. To validate this entry, press ‘Enter’ or click the refresh button. Once you have displayed the events for one folder/file path, FileAudit keeps it in memory and you will be able to select it again using the drop-down list.

    FileAudit displays events detected for the selected path in the same way as those already saved in the database, according to the filter configuration.

    Take note:

    - The ‘Path(s)’ field of the ‘File Access Viewer’ supports ‘*’ (any string) and ‘?’ (any character) wild characters.
    - The 'Source' column displays the name of the process generating the access attempt when the file/folder is accessed locally (i.e. on the machine hosting the file/folder). When the access is performed through the network, this column displays the IP address or the name (if found) of the machine from which the access has been performed.

  2. If you enter a file/folder path not currently monitored, FileAudit will detect and propose that the audit configuration be set up via its wizard.

    Follow the different steps to configure the NTFS audit for this new path:

Access types

  • Read: A user tried to open a file in ‘Read’ mode.
  • Write: A user tried to modify a file/folder.
  • Write attributes: A user try to modify a file attribute.
  • Delete: A user tried to delete a file/folder.
  • Ownership: A user tried to take ownership of the file/folder
  • Permissions: A user tried to change the permissions on the file/folder.
  • Execute: A user tried to execute an executable file.
  • System: An attempt to read or write the system access control list of the file. Generally this event just means that a user displayed properties of a file using Windows Explorer.
  • Other: Any other types of access attempts not defined above.

Take note that the event is generated for an attempt of access. If a user without sufficient privileges attempts to delete a file on a monitored folder, an event is generated for a ‘Delete’ event with a status ‘Denied’.

Action buttons

: Refresh.

: Open the filter form.

: Print/Export the display view.

: Export raw data in CSV format.

: Browse a folder to display its file access events.

: Browse a file to display its file access events.

: Schedule a report using the current view / filters.

: Enable/Disable the real-time display for the Console. Green denotes ‘Enabled’, grey indicates ‘Disabled’. Take note that this is useful only if the real-time scan is enabled on the audited server.