W2K8 File and folder auditing - event 4663 / 4656 / 4658


  • W2K8 File and folder auditing - event 4663 / 4656 / 4658

    Dear

    I have enabled file and folder auditing for everyone but I get a "load" of events 4656 / 4663 / 4658. It's really a mess. Every minute I have about 200 events for every user! My log is being overwritten constantly. I have set the log to 100 Mb now.

    Does someone have a good article on how to set up auditing on W2K8, what events to monitor and what not?

    Is there a way to restrict some event IDs from being logged?

    Finally I want to see when users:
    delete files (success / failure)
    delete folders (success / failure)
    change permissions (failure)
    read folders (success / failure)
    read files (success / failure)

    Regards

    Bert

  • #2
    Re: W2K8 File and folder auditing - event 4663 / 4656 / 4658

    You should selectively configure auditing on critical files and folders rather than on large parts of the file system. Even then any file activity will generate multiple audit events.

    IMHO, unless you have a specific need to audit and the time to check the event logs, life is too short!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: W2K8 File and folder auditing - event 4663 / 4656 / 4658

      Well, monitoring such events can indeed generate loads of events.
      Since I don't know every event ID, you might copy/paste the messages over here.
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"


      • #4
        Re: W2K8 File and folder auditing - event 4663 / 4656 / 4658

        Yep, object access auditing policies generate loads of events. See here for more on the ones you are experiencing: http://www.ultimatewindowssecurity.c...x?eventid=4663
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR


        • #5
          Re: W2K8 File and folder auditing - event 4663 / 4656 / 4658

          You are probably right that enabling auditing on all files for everyone is too much. I will set up logging on the more confidential shares. Still, it is a pity I think, in case I might need it. (I hope I don't.)

          Regards

          Bert
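
The narrower setup suggested in #2 and settled on in #5, as an added example that is not from any poster in this thread: a PowerShell script that gives one folder its own audit list (SACL) covering only deletes (success and failure) and failed permission changes from the original wish list. The folder path is a hypothetical placeholder, and the script assumes the broad "everyone / everything" audit entry was set on a parent folder and is being inherited.

```powershell
# Added example: targeted SACL on one confidential folder instead of whole-volume auditing.
# Run from an elevated prompt; reading and writing a SACL requires the
# "Manage auditing and security log" right (SeSecurityPrivilege).
$Path = 'D:\Shares\Confidential'    # hypothetical path, replace with the share to audit

# SACL entries only produce events while file system auditing is enabled, e.g.:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable

$who       = New-Object System.Security.Principal.NTAccount 'Everyone'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Delete files / delete folders: success and failure
$deleteRights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$bothOutcomes = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$deleteRule   = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
                    $who, $deleteRights, $inherit, $propagate, $bothOutcomes

# Change permissions: failure only
$permRights  = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$failureOnly = [System.Security.AccessControl.AuditFlags]::Failure
$permRule    = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
                    $who, $permRights, $inherit, $propagate, $failureOnly

# -Audit is required, otherwise Get-Acl returns the descriptor without its SACL
$acl = Get-Acl -Path $Path -Audit

# Assumption: the noisy entry is inherited from a parent. Stop inheriting audit
# entries on this folder and discard the inherited copies ($false = do not keep them).
$acl.SetAuditRuleProtection($true, $false)

$acl.AddAuditRule($deleteRule)
$acl.AddAuditRule($permRule)
Set-Acl -Path $Path -AclObject $acl

# Show the resulting audit entries for review
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The broad audit entry on the parent still applies to every other folder beneath it until it is removed there. Read auditing from the wish list can be added with the same kind of rule, but it is the access type most likely to bring back the event volume described in the first post.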
