How can I log when a file is opened using Object Access Auditing?

Hello,

I am trying to log every time files in a specific folder are actually opened, but I am having trouble. I have Object Access Auditing for success and failure turned on in the local computer policy. I enabled auditing of the specific folder with advanced security settings and I get great 4663 events for deleting and writedata events, but I don't see any way of getting accurate events for when a file is actually opened. I can enable "list folder/read data", "read attributes", or "read permissions", which all will trigger when a file is opened, but all of these also trigger when the files are not opened as well (such as when just opening a folder I get a read permissions trigger for every file in the folder, or if I highlight a file it will trigger the read attributes and the read data events for that file). I don't want the event to trigger when I can just see the file or highlight it; I need to know when the file is opened (e.g. a spreadsheet opened with Excel, a txt file opened with Notepad, etc.).

Does anyone know how to accomplish this?

Have you followed the instructions as per the KB below?

http://knowledgebase.solarwinds.com/kb/questions/3454/How+to+enable+file+auditing+in+Windows

Bear in mind LEM Agent has inbuilt FIM capabilities. So, you can turn on the FIM connector for the folder you are interested in and you don't have to turn on Windows auditing.

Yes, if you read my question, I have already done what is in that KB. Where are the instructions for using the LEM FIM connector?

I was a little upset that the best documentation is from the release notes for an RC 6 months ago, so here's a video showing how to set up FIM and analyze the resulting data.

Solarwinds Log and Event Manager - Configuring FIM and Analyzing FIM Data - YouTube

That video was very helpful, thanks. By any chance can you demonstrate the "file read" auditing? I am having a very hard time finding a way to audit when a user actually opens a file because there is no way to accomplish this with regular Windows file auditing. I can audit read permissions or read attributes, but they show that permissions and attributes are being read on files which aren't actually opened.

Yeah, that's a limit of Windows, I'm afraid.  Even FIM will get flooded with the attribute and property "reads" because Windows makes no distinction between actually opening a file and just getting properties on the file.

Darn, so it looks like there is no way to log when a file is opened and know for sure that the file was opened.   I would settle for the "traverse folder" events but those don't even happen when folders are traversed most of the time.  

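One way to cut down the 4663 noise described in this thread, as an added example that is not from any of the posters or from SolarWinds: keep only events whose AccessMask includes ReadData and whose ProcessName is not a file-browsing process. The event XML, the file paths and the browsing-process list are constructed assumptions, and the result is a heuristic, because Windows records the same access right whether the file was previewed or opened.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILE_READ_DATA = 0x1  # "ReadData (or ListDirectory)" bit of the 4663 AccessMask
# Assumption: reads by these processes count as browsing, not opening a document.
BROWSING_PROCESSES = {"explorer.exe", "searchprotocolhost.exe"}

def _event(user, path, process, mask):
    """Build one constructed 4663 record in the Windows event XML layout."""
    data = {"SubjectUserName": user, "ObjectName": path,
            "ProcessName": process, "AccessMask": mask}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4663</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample events (not captured from a real host).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    _event("alice", r"D:\Finance\q3.xlsx", r"C:\Windows\explorer.exe", "0x80"),  # ReadAttributes
    _event("alice", r"D:\Finance\q3.xlsx", r"C:\Windows\explorer.exe", "0x1"),   # highlight
    _event("alice", r"D:\Finance\q3.xlsx", EXCEL, "0x1"),                         # opened in Excel
    _event("bob", r"D:\Finance\notes.txt", r"C:\Windows\System32\notepad.exe", "0x20000"),
    _event("bob", r"D:\Finance\notes.txt", r"C:\Windows\System32\notepad.exe", "0x1"),
]

def likely_opens(events_xml):
    """Return (user, file, process) for ReadData accesses by non-browsing processes."""
    hits = []
    for xml_text in events_xml:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        d = {n.get("Name"): n.text or "" for n in root.iterfind("e:EventData/e:Data", NS)}
        mask = int(d.get("AccessMask", "0"), 16)
        process = d.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
        if mask & FILE_READ_DATA and process not in BROWSING_PROCESSES:
            hits.append((d.get("SubjectUserName"), d.get("ObjectName"), process))
    return hits

if __name__ == "__main__":
    for hit in likely_opens(SAMPLE_EVENTS):
        print(hit)
```

Auditing only the "list folder/read data" right on the folder keeps the ReadAttributes and ReadPermissions events from being generated in the first place, so the filter has less to discard.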