FileAudit Documentation
FileAudit Documentation

Version History

FileAudit 6.3 Beta Released: October 7th, 2021

What's new?

Added

  • Detection of the access event "move" on an audited server.
  • Filter alerts, reports, and scheduled reports with the new access type "move".
  • New predefined report for the access event "move".
  • Ability to export reports in .xlsx format.

Improved

  • New dynamic variable with the top local folders for the mass alert notification.
  • Ability to exclude accounts in the scan options for cloud access audit.

Fixed in 6.3 Beta

  • In some circumstances the database is not updated when the service starts.
  • The access audit fails if the audited path name contains special characters with accents.
  • Files with a path longer than 260 characters generate a PathTooLong exception.
  • Changes in the parameter to define the days to keep snapshots is not refreshed correctly in the view.
  • Unhandled exception exporting reports with more than 65000 lines in XLS format.
  • Renaming a scheduled access event report is not possible.
  • Mass alert doesn't work for cloud access events.
  • When UseFullPathForCloudProviders advanced settings is enabled the file name contains slash and not backslash as usual.
  • TopFolders dynamic variable can display the same path because it is case sensitive.
  • Changes in scan options are not displayed properly.
  • In audit paths report, the filtering of paths doesn't work.
  • In Windows servers report, the filtering of servers doesn't work.
  • Diagnostic process loses the connection with FileAudit service if the "Log System Information" take more than 2 minutes to be retrieved.
  • A console when remotely connected to the service, uses the local SQLite database if exists, when it should use the remote service SQLite database.
  • Unhandled exception when accessing to audit paths report for an user with only audit permissions.
  • Changes in the permissions of FileAudit are not saved.
  • Snapshots tile should be denied for a user with only audit permission.
  • Filtering on a group with more than 1000 members with a SQLite database is generating an error.
  • Under some specific circumstances file deletions are displayed as read events.
  • The system cannot find the file specified error (2) while scanning permissions.
  • Cloud Audit view is disabled after a subscription.
  • The TruncatePath advanced settings doesn't work in the snapshot generation.
  • Memory not disposed properly when scanning folders and files.
  • Unhandled exception checking the object access audit policy generates a service warning every half hour.
  • Changes in the access type or object type filters are not saved in the alerts.
  • A false rename access event could be registered under certain circumstances.
  • Unhandled exception displaying advanced permissions report.

FileAudit 6.2 Released: July 29th, 2020

What's new?

Added

  • SQLite database as default database.
  • Ability to exclude events from not configured paths.
  • Ability to select your favourite reports in the dashboard.
  • New filters for simple/advanced permissions and file and folders properties reports.
  • New scheduled reports, simple/advanced permissions and file and folder properties, related to scheduled snapshots.
  • Ability to audit rename access events.

Improved

  • Subscription to Cloud providers, by using an external browser.

Fixed in 6.2

  • Unhanded exception when selecting to display the auto filter row option on the grid view of the permission reports.
  • The access event scan can be blocked if there is a snapshot running at the same time.
  • Unhanded exception getting the snapshot list just after removing one of them.
  • In the file/user views some icons can be removed.
  • Unhanded exception when clicking in top files/users in Statistics view.
  • Snapshot generation can get stuck in running state if there are some scan warnings.
  • In access reports the status icons are not according with the text.
  • Deadlock scanning events under certain conditions.
  • The service tries to connected to the Cloud provider when it shouldn't be.
  • Unhanded exception by clicking on the top 5 files but outside the bar and the text in the user view.
  • Activating the audit from the servers view can lost the IP address of the configured server.
  • The monitoring of the server stays disabled when disabling and enabling the audit on the servers view.
  • Scripts with commands which need privilege elevation cannot be executed as a no default administrators in the servers.
  • In the users view the filter doesn't work properly according to the date and hours selected.
  • Alerts are not triggered when the process filter is used.
  • Memory leak scanning AD groups.
  • Events scanned several times when RecordID needs to be truncated to be registered in a MS Access database.
  • On a Turkish platform, OneDrive auditing cannot be enabled.

FileAudit 6.1 Released: November 25th, 2019

What's new?

Added

  • Ability to scan file/folder permissions and properties, on demand or scheduled.
  • New reports to analyse file/folder properties, basic permissions and advanced permissions.
  • New predefined reports for access events.
  • Supports SQLite database.

Improved

  • Excluded hours from Alerts to allow configuration ranges between two different days.
  • Advanced setting UseFullPathForCloudProviders to allow to display in the path file the owner of the resource.

Fixed in 6.1

  • Changes in the alert execution tab are not updated in other alerts using the same script.
  • Alert script execution doesn't work if there is an impersonation account and no working directory in the script settings.
  • Scheduling Denied access report doesn't keep predefined filters.
  • Communication error loading statistics view in a remote console.
  • Client IP addresses are shown in top 5 sources, of statistics view, instead of client names.
  • Access Evolution graph doesn't load all the figures if there are more than 500000 events.
  • Access denied when exporting from All Access view using a remote console with just Audit permission.
  • The MySQL 8.0 drivers ODBC are not supported.
  • In the view audited servers, a server is displayed as audit inactive, when the object access is disabled but it has been configured manually.
  • Disable the audit, in the server view, doesn't work when the advanced object access policy has been configured manually.
  • The servers view is not updated after opening the server details popup, due to a change in the object access policy check.
  • Unhandled exception thrown when loading statistics view.
  • Unhandled exception when clicking on the numbers of statistics view.
  • Web shortcuts in the Help menu do not work in some cases.
  • The console may hang when displaying the audited servers and there is much file access activity.

FileAudit 6.0 Released: May 15th, 2019

What's new?

Added

  • Ability to audit accesses on files stored by OneDrive, Box, Dropbox and Google Drive.
  • New accesses on files stored by OneDrive, Box, Dropbox and Google Drive (Copy, Rename, Move, Shared etc...).
  • New Cloud Audit view in the console.
  • Ability to start a process when an alert is triggered.
  • New Subscription licenses.
  • Ability to remove service events in console Warnings view.

Improved

  • Windows Servers and Windows Paths views.
  • Event Details view.
  • Sync process of Active Directory group members.
  • Console Statistics view.

FileAudit 5.5 Released: February, 2018

What's new?

Added

  • New view - access events performed by a specific user.
  • New view - access events performed on a specific path/file.
  • New view - event details by double clicking in the event.
  • New tool (FileAuditReporter) available in the installation folder to access archived databases.
  • Ability to generate a scheduled report without sending it by mail.
  • Ability to select the folder where the scheduled reports are saved to.
  • Ability to keep the history of all scheduled reports.
  • Ability to restart the FileAudit service when changing remote connection settings.
  • Send notifications to Slack.

Added in 5.5.1:

  • Compact MS Access database after events cleanup.

Improved

  • Save system in the Settings section.
  • Warning notification for any errors whilst generating scheduled reports.
  • Tiles in the Welcome Dashboard are greyed out when access is not authorized, according to user permissions.

Improved in 5.5.1:

  • Backup of the ServiceLog file when its size is above 1MB while the service is starting.
  • Improve the service shutdown while enumerating Active Directory group members in large environments.
  • Revoking a server licence removes now all related events in the database asynchronously.

Fixed in 5.5.1

  • Service warnings related to database size are not sent by email.
  • Some warnings makes the Service Warnings section inoperant.
  • Administrator permission is required to access the File Access Viewer with a remote console.
  • Database maximum size displayed in the EventCleaner information is not correct according to the SQL Express version.
  • Alerts are triggered for files whose name, not extension, matches a file pattern extension defined in the alert.
  • In rare cases, an unexpected exception is thrown in the FileAuditAgent process.
  • The database connection string is not updated in scheduled reports using raw data when it is modified.
  • Error serializing and de-serializing the impersonation account passwords when they include some special characters.
  • An exception is thrown in the console when the audit verification takes more than 2 minutes.
  • In certain conditions, querying the database to generate a report triggers an uncontrolled exception.
  • Sometimes, the Access database estimated size is far from the real database size.
  • An exception can be generated in the EventCleaner view when the service is overloaded.
  • In some conditions, raw data scheduled reports do not work if the service is using SQL authentication.
  • When the evaluation license expires, several exceptions can be thrown in different views of the console.
  • Database insertion exceptions are displayed in the service warnings as duplicate errors, hiding the real exception.
  • Scheduled reports emails are sent without attachment due to denied access to reports generated in shared folders.
  • If several service warnings are created at the same time, only one is displayed.
  • Inactivity incidents can be notified again even though they already were notified.
  • Date and time label of the group in File Access Viewer is not updated with the new events.
  • Mass alert view loses its specific settings.
  • An error is displayed when a scheduled report is configured with no email address.
  • The UniqueId database values for on premise events are not correctly generated.
  • In FileAuditReporter, launching a File Access Viewer report displays an error message.
  • In FileAuditReporter, database access fails when the connection string uses SQL authentication.
  • In FileAuditReporter, the "Group by Object Type" setting displays "0" and "1" items instead of "Folder" and "File".
  • In FileAuditReporter, the "Group by Client Ip Address" setting does not work.

Fixed in 5.5

  • Scheduled reports filtered by "Current..." queries the database with wrong dates after the first execution.
  • If there is only one single administrator for FileAudit, it is possible to deny access to the console for everyone, if their administrator permissions are removed.
  • Syntax to exclude a user in the User filter is not coherent with the syntax to exclude a group in the Group filter.
  • Object Type filter in the File Access Viewer and scheduled reports in the French version doesn't filter correctly.
  • Console hangs when deleting events from the database in the license revocation process.
  • Installation .exe file's details have incorrect copyright info.
  • Publisher field in the "Programs and Features" Windows dialog is wrong.
  • Access to "File Access Viewer" with a remote console and without "Configure settings" permission generates an exception.

FileAudit 5.2 Released: April 11th, 2017

Added

  • Support for Windows Server 2016.
  • Email notifications in case of a new FileAudit service event.
  • Ability to filter access events by Active Directory groups. Available in alerts, scheduled reports and the File Access Viewer.
  • Ability to filter access events by object type (file or folder). Available in alerts, scheduled reports and the File Access Viewer.
  • New FileAudit service event when no file access event has been detected for more than three consecutive days.
  • Ability to display the machine name in addition to the IP address when access is made remotely to a file share.

Fixed

  • Database connection error may generate an exception in FileAudit Settings.
  • Wrong language message in FileAudit service warnings.
  • Communication between the service and the console may generate an exception when an event's access mask contains an unsupported value.
  • Milliseconds missing in the date and time column of the csv file generated from the File Access Viewer.
  • Reconfiguring NTFS audit on a path doesn't propagate in sub-folders if root folder is already configured.
  • Clicking Check for updates may generate an exception.

FileAudit 5.01 Released: January 25th, 2016

Improved

  • The 'Hours' tab of the Alert configuration has moved to 'Excluded hours' tab with a new layout more ergonomic.

Fixed

  • When FileAudit doesn't find the name of the drive, the drivename.exe is not automatically launched.
  • Duplicate records may be inserted in the FileAudit database on specific environment.
  • The "g" character is truncated on the second line of the Recipient tile in the Recipients tab of the Alert configuration view.
  • Changing the database connection string in the FileAudit configuration may cause a service deadlock.
  • Scheduled reports are not correctly updated after a major upgrade during which the installation folder changes.
  • Some events could be lost during massive accesses.
  • Saving Alert modifications from a remote FileAudit console was displaying an error message although everything was correctly saved.
  • When FileAudit monitors more than 10 servers, additional servers may not be monitored properly.

FileAudit 5.0 Released: September 17th, 2015

Added

  • FileAudit detects and displays the source IP address when the access is done remotely through a share.
  • Alerts can be triggered when a user performs a number of accesses deemed beyond the tolerated threshold for a defined period of time.
  • Ability to trigger an alert on access out of business hours.
  • FileAudit now supports MySQL as database system.
  • Statistics can be displayed for a set of folders/files that can be chosen amongst all the paths registered as audited.
  • It’s now possible to add a corporate logo in the printed/exported reports.
  • It’s now possible to check the availability of new versions, direct from the FileAudit Console.

FileAudit 4.5 Released: February 16th, 2015

Added

  • FileAudit can audit the file attribute changes. A new switch has been added into the ‘Scan options’ section of the ‘Settings configuration’ view to enable this ability.
  • A view named ‘Warnings’ is available from FileAudit Hub to display all issues FileAudit detects when performing its audit monitoring.
  • The File Access Viewer, Alerts and Scheduled reports integrate a new criterion to filter on domain.
  • The ‘Audit configuration’ view now allows you to check and directly reconfigure a registered path if required.
  • It's now possible to reset the ‘File Access Viewer’ filter.
  • It's now possible to reset the layout of the ‘File Access Viewer’.

Improved

  • The ability to exclude a file extension from the audit available in the ‘Scan option’ section of the ‘Setting configuration’ view has been turned to a file pattern mask exclusion allowing wild characters ‘*’ (any string) and ‘?’ (any character).
  • The ‘Time’ settings of ‘Scheduled reports’ offer new predefined relative time period options to generate more easily dynamic contents according to the execution date as: Yesterday, the current week, the previous week, the current month, etc…
  • The audit configuration engine now checks when registering a path if the inheritance settings are enabled on subfolders and will also suggest to enable it for a path.
  • The audit configuration engine now checks when registering a path if there are any audit settings already existing on the path entered and will also suggest to overwrite then.
  • The ‘Path(s)’ field of the ‘File Access Viewer’ supports now ‘*’ (any string) and ‘?’ (any character) wild characters.

FileAudit 4.03 Released: October 7th, 2014

Improved

  • FileAudit is now compatible with the security option "Use FIPS compliant algorithms for encryption, hashing, and signing".
  • It is now possible to disable the flush to the database when displaying events in the File Access viewer in order to avoid a timeout when there is much activity.
  • File access events generated during backup operations with disk shadow copies are automatically discarded.
  • A backup of the configuration file is kept in case the file becomes corrupted.

Fixed

  • In some cases displaying more than 50000 records generates an exception.
  • It was not possible to add the administrators group again in the access permissions once it was removed.
  • After removing the administrators group from the access permissions scheduled reports were no longer working (Access denied in ServiceLog.txt).
  • It was not possible to perform audit on a deleted file for which the parent folder was also removed.
  • Specifying an invalid E-mail address in the "From" field of the SMTP settings was making FileAudit crash when launching the E-mail test.
  • The NTFS audit was not correctly configured when selecting a single file to audit.
  • Some issues when auditing files on a dynamic drive or on a cluster (The path displayed in the File access viewer was corrupted).
  • It was possible to use invalid characters in the scheduled report names leading to an exception when saving the scheduled report.
  • A memory leak could happen in the FileAudit service.
  • It was not possible to delete a configured path when the concerned file/folder was deleted or moved somewhere else.
  • Accounts with a $ in the name were considered as computer accounts and their events ignored even if the $ was not at the end of the name.

FileAudit 4.02 Released: February 17th, 2014

Added

  • You can now filter events on several users (e.g. user1,user2,user3) and you can also exclude several users form the filter (e.g. *,-user1,-user2,-user3).
  • A button to test SMTP settings in the E-mail Settings view.
  • A diagnostic tool to troubleshoot problems. The tool can be launched thanks the F12 key.

Improved

  • If the TCP port defined in the remote connection configuration is already used by another application the FileAudit service will still be able to start but remote connections will be disabled.
  • Local folders/files are accessed by FileAudit with their local path instead of their UNC path.
  • Added routine to check credentials provided in impersonation accounts.
  • When the FileAudit service doesn't have administrative rights to a remote file server to audit, the GUI automatically switch to the impersonation accounts.
  • Configured paths are automatically added to recent audited paths in the File access viewer.

Fixed

  • The schedule type (Weekly/Monthly) and the start hour where missing in the Database cleaner.
  • The Database wizard could not start the OLEDB wizard.
  • In Windows 2012/8 when a disk was considered as removable by Windows FileAudit was ignoring file access events on the concerned drive.
  • Problems in error management when configuring/checking/removing the NTFS audit.
  • FileAudit could not audit remote File Servers that disallow access to the Service control manager.
  • If the NTFS audit was configured manually for everyone all accesses and the access was denied to FileAudit in a specific audited folder a lot of failure events could fill up the security log and slow down the computer.

FileAudit 4.01 Released: July 11th, 2013

Added

  • Partial support of Windows cluster (Active/passive). The tool Drivename.exe needs to be executed on the active node each time the file system resource is switched to the other node and the FileAudit service needs to be restarted.

Improved

  • The display speed of the main hub if the database is big.
  • The number of events displayed by the File Access Viewer is automatically limited to avoid out of memory and communication exceptions.

Fixed

  • The tool tip for the top 5 accessed files in statistics was truncated if the path was too long.
  • When a big scheduled report (More than 10 MB) was generated by the service, the GUI could hang and throw an exception.
  • The Event Cleaner was not working correctly when the execution was scheduled.
  • Exported CSV files with east asian characters were not correctly imported in MS Excel
  • File paths with more than 254 characters are truncated to avoid a database insertion error
  • When auditing a file server from a Windows XP/2003 computer some events may be lost in reason of an integer overflow
  • Permanent deletions done by Windows 8/2012 clients were not audited.

FileAudit 4.0 Released: February 11th, 2013

Added

  • Community page
  • French localization (except help file and getting started guide)
  • The service regularly saves its configuration instead of doing it only when the service stops
  • Ability to disable an alert
  • Ability to export file access events in a CSV file
  • Ability to send scheduled reports as raw data in a CSV file
  • Ability to test a scheduled report
  • FileAudit runs as a service to constantly monitor access events on file servers
  • The FileAudit service can be controlled remotely through a customizable TCP port
  • It is no longer needed to have administrative rights to use FileAudit. You can delegate audit tasks to non IT persons
  • Windows 2008/2008 R2/2012 servers can be monitored remotely in real time
  • For Windows 2008/2008 R2/2012 servers events of the security log are prefiltered on the server to avoid using much bandwidth
  • E-mail alerts can be triggered when specific access events occur (Access denied, file deletion,....)
  • Reports can be automatically generated at scheduled times and sent by E-mails.
  • New access events can be displayed in real time in the FileAudit console
  • New filter/group/sort/Search capabilities in the datagrid of the file access viewer
  • File access statistics can be displayed for a specific time frame
  • The event cleaner can display the size of the database if it is a MS Access database
  • New "Modern" interface (Windows 8)

Improved

  • Configuring the NTFS audit is done asynchroneously avoiding to make the interface hang when configuring the NTFS audit for a folder with a lot of subfolders and files in it
  • Each report has its own schedule.
  • The window is maximized if the screen resolution is less or equal than 1024*768
  • Performance when the access event rate is high

Fixed

  • When editing an alert, removing/adding a recipient or modifying the mail template didn't enable the save button
  • When editing an alert or a scheduled report a red cross was displayed for the name
  • When all scheduled reports where deleted the scheduled task was not deleted
  • If and alert/scheduled report was already edited, adding a new alert/scheduled report was displaying settings of the previous alert/scheduled report
  • The SSL switch in the E-mail settings was not kept
  • The source filter was missing in the alert/scheduled reports settings
  • Applying a bad license key was making crash the application
  • The one shot cleaning was not working
  • Renaming a scheduled report was duplicating it
  • When the licensed is expired the FileAudit service was going to 100 % CPU and generating a big log file
  • If more than one recipient was specified in a scheduled report the mail could not be sent
  • A mouse wheel problem after displaying the event cleaner and going back to the main hub
  • FileAudit was unable to retrieve access events from servers for which more than 4 billions events have already been generated in the security log
  • Minor bugs in the interface