
How to understand file audit output

 
Jan Larsson

(Msg. 1) Posted: Fri Sep 28, 2007 5:13 am
Post subject: How to understand file audit output
Archived from groups: microsoft>public>win2000>file_system

I have auditing on a Windows 2000 TS filesystem on a public file share, and I'd like
to see if a user deletes or modifies a file. How do I read the security log?

In the security log, Event ID 560 contains the information, but it is hard to
understand.
Is there an easy way to understand from this log whether the user has
opened, deleted, or modified the file?

Regards,
Jan

Example:
--------------------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: E:\gemensam\backuplogs\backup09.log
Handle ID: 928
Operation ID: {0,667228}
Process ID: 8
Image File Name: Server1$
Primary User Name: MyDomain
Primary Domain: (0x0,0x3E7)
Primary Logon ID: John
Client User Name: MyDomain
Client Domain: (0x0,0x56079)
Client Logon ID: DELETE
READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Accesses: -
Privileges: %16
Restricted Sid Count: %17

Meinolf Weber

(Msg. 2) Posted: Fri Sep 28, 2007 4:58 pm
Post subject: Re: How to understand file audit output
Archived from groups: per prev. post

Hello Jan,

Scroll down to Figure 2 in:
http://www.microsoft.com/technet/archive/winntas/support/usesecur.mspx?mfr=true

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> I have auditing on a Windows 2000 TS filesystem on a public file share,
> and I'd like to see if a user deletes or modifies a file. How do I read the
> security log?
>
> In the security log, Event ID 560 contains the information, but it is hard to
> understand. Is there an easy way to understand from this log whether the
> user has opened, deleted, or modified the file?
>
> Regards,
> Jan
> Example:
> --------------------------------
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: E:\gemensam\backuplogs\backup09.log
> Handle ID: 928
> Operation ID: {0,667228}
> Process ID: 8
> Image File Name: Server1$
> Primary User Name: MyDomain
> Primary Domain: (0x0,0x3E7)
> Primary Logon ID: John
> Client User Name: MyDomain
> Client Domain: (0x0,0x56079)
> Client Logon ID: DELETE
> READ_CONTROL
> SYNCHRONIZE
> WriteData (or AddFile)
> AppendData (or AddSubdirectory or CreatePipeInstance)
> WriteEA
> ReadAttributes
> WriteAttributes
> Accesses: -
> Privileges: %16
> Restricted Sid Count: %17
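
As an added example (not part of either post): a small Python parser, run on the event text from the question, that picks out the object name and the requested access rights even though the field labels in the posted output are shifted. The function and set names are hypothetical, and `DeleteChild`, `ReadData` and `ReadEA` are standard access-right names that do not appear in the post.

```python
# Added example: classify the access rights listed in an Event ID 560 text.
# Recognises rights by name, so it still works when the labels are shifted.
DELETE_RIGHTS = {"DELETE", "DeleteChild"}
MODIFY_RIGHTS = {"WriteData", "AppendData", "WriteEA", "WriteAttributes"}
READ_RIGHTS = {"READ_CONTROL", "SYNCHRONIZE", "ReadData", "ReadEA",
               "ReadAttributes"}
KNOWN = DELETE_RIGHTS | MODIFY_RIGHTS | READ_RIGHTS

# Event text copied from the question above, labels shifted as posted.
POSTED_EVENT = r"""Object Open:
Object Server: Security
Object Type: File
Object Name: E:\gemensam\backuplogs\backup09.log
Handle ID: 928
Operation ID: {0,667228}
Process ID: 8
Image File Name: Server1$
Primary User Name: MyDomain
Primary Domain: (0x0,0x3E7)
Primary Logon ID: John
Client User Name: MyDomain
Client Domain: (0x0,0x56079)
Client Logon ID: DELETE
READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Accesses: -
Privileges: %16
Restricted Sid Count: %17"""

def summarize_560(text):
    """Return the object name and requested rights from a 560 description."""
    obj, rights = None, []
    for line in text.splitlines():
        # Drop any "> " quoting, then split "Label: value" if a label exists.
        label, sep, value = line.lstrip("> ").strip().partition(": ")
        if sep and label == "Object Name":
            obj = value
        token = (value if sep else label).split(" (")[0].strip()
        if token in KNOWN:
            rights.append(token)
    return {"object": obj, "rights": rights,
            "delete_requested": bool(DELETE_RIGHTS & set(rights)),
            "modify_requested": bool(MODIFY_RIGHTS & set(rights))}

if __name__ == "__main__":
    print(summarize_560(POSTED_EVENT))
```

Event 560 records the access requested when the file was opened, so `delete_requested` means delete permission was asked for on that handle, not that the file was removed.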
