If you've ever wondered what not to do when implementing file auditing on your Windows systems, the answer is simple: Don't audit everything on every file.
What Files Should I Audit?
We recommend only auditing sensitive or confidential files or folders, such as those that contain enterprise financial information or customer data. But even this warrants some fine-tuning. For example, for some files or folders, you might not care if somebody reads or opens it, but you do care if someone modifies or deletes it. Similarly, in many cases, it may seem frivolous to keep track of every time someone reads the attributes of a file. In any case, the bottom-line recommendation is: Tailor your file auditing strategy to the needs of your company and requirements of your regulators; just don't set auditing for the C: drive to "Full Control."
What Do I Do With File Auditing Information?
File auditing information is extremely helpful in keeping track of who has done what with what files. One way to view this information is to watch the Security log on each system - your file servers, for example - in Windows Event Viewer. Monitor the logs proactively to watch for patterns that might indicate someone is up to no good, or use the logs as a forensic tool after the fact.
Another way to manage this information is to use an Event Log monitoring software, such as the SolarWinds free tool by the same name. This way, you are able to see logs from several systems at once, and even compare them to correlate similar events.
The best option is to use a comprehensive log management, or SIEM software. Something like SolarWinds Log and Event Manager (LEM) not only consolidates this information from numerous systems (including Linux, Mac, and others), it allows you to build filters and rules to show you what you want to see when you want to see it. Furthermore, LEM can even take immediate action when something fishy happens, like logging the offending user off the system, or even disabling the account.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community.
More than 150,000 members are here to solve problems, share technology and best practices, and directly
contribute to our product development process.