I am new to using LEM, and have found that out of the box, Windows has a lot of auditing occurring that is creating issues in making reports with LEM. When I run a report for a few hour period, I have thousands of events logged. It turns out that Windows 7 has multiple folders flagged for logging from the get go. How do you configure LEM and Windows to be able to just have the file shares audited? That is really the only information we need access to at this time. Any help would be appreciated.
There's a few things you might want to look at.
First, take a look at your auditing policies. Open a command prompt and run "auditpol /get /category:*". This will give you an overview of what the server has as a policy to start with:
Most of that Windows noise comes from the two items I have highlighted (and turned off) on my machine. This isn't meant to be a guide to how your policies should be set up, since mine is in a lab and I can mess with it with reckless abandon and you probably have actual business needs. Still, those Filtering Platform items don't seem to do many people any good. We have an article on it:
Now, in that Object Access category, there are a lot of policies that can make a LOT of noise. You may want to experiment with turning some of them (like Detailed File Share and SAM) off and see if you still capture the events you want. For example, in my lab (set up as shown) just hovering over a file in Explorer makes two events. Clicking on it makes four. Opening it is four more. I obviously have it set to audit to a stupid level, but I'm in a lab and I'm one user. You can imagine what having a hundred users in a share might do!
You'll also need to take a look at what Windows has set to Audit:
You may want to push a policy from the root level that has no auditing, and then turn auditing on more precisely. Remember, you can set Windows to Audit certain locations with the Everyone user, which is easy, but maybe you don't need to Audit everyone. Everyone includes all the Windows System Accounts, so maybe you should consider Domain Users. Maybe you only need to Audit what your Executive Office or Domain Admins are doing in some locations. Be smart with Auditing policy. Microsoft has a lot of docs on Auditing if you search TechNet and their KB.
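As an added example (not code from the original post or from SolarWinds), here is a PowerShell sketch of the steps the answer describes: review the advanced audit policy, silence the Filtering Platform and other chatty Object Access subcategories, then replace the inherited SACL on a share root with one narrow entry for Domain Users instead of Everyone. It assumes an elevated PowerShell session on the file server; the share path D:\Shares and the domain CONTOSO are placeholders.

```powershell
# Added example, not from the original post. Run elevated on the file server.
# Placeholders: D:\Shares (share root) and CONTOSO (domain). Adjust to your environment.

# 1. Review the current Object Access policy (what the answer's auditpol command shows).
auditpol /get /category:"Object Access"

# 2. Turn off the Filtering Platform subcategories, the usual source of the noise.
foreach ($sub in 'Filtering Platform Connection', 'Filtering Platform Packet Drop') {
    auditpol /set /subcategory:"$sub" /success:disable /failure:disable
}

# 3. Keep File System on (folder SACLs need it), disable Detailed File Share and SAM.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
foreach ($sub in 'Detailed File Share', 'SAM') {
    auditpol /set /subcategory:"$sub" /success:disable /failure:disable
}

# 4. On the share root, stop inheriting audit entries, drop what is there, then add a
#    single rule for Domain Users limited to change operations. Hovering over or
#    reading a file in Explorer does not exercise these rights, so it stays quiet.
$shareRoot = 'D:\Shares'             # placeholder
$identity  = 'CONTOSO\Domain Users'  # placeholder; Everyone would include system accounts

$acl = Get-Acl -Path $shareRoot -Audit
$acl.SetAuditRuleProtection($true, $false)   # protect SACL, discard inherited entries
$existing = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
foreach ($rule in $existing) { [void]$acl.RemoveAuditRule($rule) }

$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$newRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($newRule)
Set-Acl -Path $shareRoot -AclObject $acl

# 5. Verify that only the new entry remains on the share root.
(Get-Acl -Path $shareRoot -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AuditFlags -AutoSize
```

After applying this, re-run a short LEM report window and compare the event volume against the earlier run before rolling the same settings out through Group Policy.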