12 Replies Latest reply on Nov 14, 2011 2:47 PM by nicole pauls

    LEM-File Audit Alerts

      When I use nDepth to search for FileAudit-DetectionIP I do not see results for all servers. They all have the same tools running from the same group. What am I missing here? We need to log all changes that occur on a MS SQL Server that's on a Windows 2003 Server, for Sarbox.

      Any help is appreciated!

        • Re: LEM-File Audit Alerts
          phil3

          Do all of the servers have the same level of file auditing enabled in Windows? We have a KB with recommendations if you're interested: [LEM] Audit Policy and Best Practice.

          If this doesn't help, perhaps you could post the entire search parameters. You can switch your search input mode to "Text" using the toggle on the left side of the search bar and paste that content here, or you could just upload a screenshot of the Search Builder view.

          Thanks.

            • Re: LEM-File Audit Alerts

              I found my problem. I had not enabled FileAudit in the Rules.

              Thanks for your quick reply!

              • Re: LEM-File Audit Alerts

                However...I don't recall what if anything I need to do after enabling the Rule.

                  • Re: LEM-File Audit Alerts
                    phil3

                    Are you talking about a rule you have enabled in your LEM Console? If so, you'll want to be sure to click the Activate Rules button at the top of the Build > Rules view to sync your local changes with your LEM Manager.

                    The presence of this sort of rule shouldn't affect whether you can search File Audit events using nDepth, however, so I'm confused about the correlation here. If your LEM Manager is picking up the events from the Agent, you should see them in your filters and they should be searchable in nDepth regardless of your LEM rules.

                      • Re: LEM-File Audit Alerts

                        Hmmm.... I see fileaudit events for other servers but not the one I need.

                          • Re: LEM-File Audit Alerts
                            phil3

                            Did you check the Windows audit policy on that computer?

                              • Re: LEM-File Audit Alerts

                                On the physical server? No, what do I need to do?

                                  • Re: LEM-File Audit Alerts
                                    phil3

                                    Do all of the servers have the same level of file auditing enabled in Windows? We have a KB with recommendations if you're interested: [LEM] Audit Policy and Best Practice.

                                      • Re: LEM-File Audit Alerts
                                        phil3

                                        Here's a link to the section you'll need: Procedure.

                                        Note: The recommendations in this document are based on optimizing your LEM implementation, not necessarily any particular audit standard. If you're trying to meet the requirements of a particular standard, as you implied above, you will probably want to customize these settings for your needs.

                                          • Re: LEM-File Audit Alerts

                                            OK, I did have that set up already.

                                            But, does the statement below mean it won't watch files unless it has its own ACL?

                                            Audit object access

                                            Object access events track users accessing objects that have their own system access control lists. Such objects include files, folders and printers.

                                              • Re: LEM-File Audit Alerts
                                                phil3

                                                That description really refers to object auditing in general, which, in the case of file audit events, refers to whether or not specific files or folders are set to log at that level.

                                                I'd say try these two things to see if they help:

                                                1. Make sure your audit policy matches across all of your servers.
                                                2. Check to see if the events you want to see are actually in the Windows Event Log on the server that's giving you trouble.
                                                If the events aren't in the Event Log, that could mean several things. However, it would be a clear indication of why your LEM isn't seeing them.

                                                • Re: LEM-File Audit Alerts
                                                  nicole pauls

                                                  For reference in case this wasn't mentioned or for future readers, Windows file auditing is a two step process in that you have to:

                                                  1. Enable the file auditing policy in your Local/Domain Security Policy (as Phil linked)
                                                  2. Enable Auditing in the properties of the file/directories you want to audit

                                                  By default, if you do #1 but not #2, the ability to perform file auditing is on, but Windows will only do some basic level of Object Auditing on different system objects.

                                                  You'll have to go to Properties of the file/directory you're interested in auditing, then "Security", "Advanced", "Auditing" and enable different audit properties for different users. (Generally you want to be careful with the "Read" permissions, as they tend to get super chatty.)

                                                  This article is for Windows 2000, but it's not all that different on 2003, XP, 2008, Vista, and 7. Maybe a couple of extra clicks here or there. http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308

                                                  One more super common event log gotcha is the rotation policy. We often see that people's event logs fill up, and when that happens new events aren't logged. If you aren't seeing ANY new Windows Security log events but everything looks like it's set up correctly, check the event log and see if it's full (no new events, or from Properties of the Security log), then set the "Overwrite" policy and/or set the log file size to be much larger, also in Properties of that log in Event Viewer. You can also set the overwrite policy/size at a domain level with domain policy.
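As an added example (not code from the thread or from SolarWinds), the checks phil3 and nicole pauls describe above, in the order a practitioner would run them: confirm the "File System" object-access audit policy, put a SACL on the directory (the "#2" step that the policy alone does not do), check the Security log size and retention for the rotation gotcha, and finally verify that object-access events are actually landing in the Windows log before suspecting the LEM Agent. It assumes an elevated PowerShell 3+ session on Windows Server 2008 R2 or later; on the poster's Windows 2003 box the GUI steps in the thread apply instead, and the equivalent event IDs are 560/567 rather than 4663. The path C:\SQLData, the Everyone principal and the 512 MB log size are illustrative values, not recommendations from the thread.

```powershell
# Added example, not from the thread. Run elevated (SACL and Security log changes need SeSecurityPrivilege).
$Path              = 'C:\SQLData'   # hypothetical directory holding the SQL Server files to audit
$Identity          = 'Everyone'     # principal whose access is audited (assumption; narrow it for production)
$MaxSecurityLogMB  = 512            # illustrative log size

# Step 1: is the audit policy on? "File System" is the Object Access subcategory that file SACLs depend on.
# /r gives CSV, so the result can be inspected as objects.
$policy = auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv
$policy | Select-Object Subcategory, 'Inclusion Setting'

# Step 2: the SACL on the directory itself. Without this, step 1 alone produces nothing for these files.
# Audit writes, deletes and permission/ownership changes; deliberately not "Read", which is very chatty.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $Identity, $rights, $inherit, [System.Security.AccessControl.PropagationFlags]::None, $flags)

$acl = Get-Acl -Path $Path -Audit      # -Audit is required or the SACL is not read (and would be lost on Set-Acl)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Show what is now being audited on the directory.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Step 3: the rotation gotcha. A full Security log with "do not overwrite" silently drops new events.
$log = Get-WinEvent -ListLog Security
'Security log: {0:N0} of {1:N0} bytes used, full={2}, mode={3}' -f `
    $log.FileSize, $log.MaximumSizeInBytes, $log.IsLogFull, $log.LogMode

# Enlarge the log and set "overwrite events as needed" (retention:false) on this host.
$maxBytes = $MaxSecurityLogMB * 1MB
wevtutil set-log Security /maxsize:$maxBytes /retention:false

# Step 4: are the events in the Windows log at all? 4663 = "An attempt was made to access an object".
# If nothing shows up here after touching a file under $Path, the problem is on the host, not in LEM.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Subject'; e = { $_.Properties[1].Value } },   # SubjectUserName
        @{ n = 'Object';  e = { $_.Properties[6].Value } },   # ObjectName
        @{ n = 'Process'; e = { $_.Properties[11].Value } }   # ProcessName
```

Run it, then create or modify a file under the audited directory and run the last query again: if 4663 events with that path appear locally, the host side is correct and the remaining question is whether the LEM Agent is forwarding them. The `wevtutil` line changes only the local machine; for a fleet, set the same size and retention through the domain policy nicole mentions so that a single host's settings cannot drift.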