2 Replies Latest reply on May 29, 2014 8:30 AM by curtisi

    Windows share auditing with LEM

    jfarlow97

      I am new to using LEM, and have found that out of the box, Windows has a lot of auditing occurring that is creating issues in making reports with LEM.  When I run a report for a few hour period, I have thousands of events logged.  It turns out that Windows 7 has multiple folders flagged for logging from the get go.  How do you configure LEM and Windows to be able to just have the file shares audited?  That is really the only information we need access to at this time.  Any help would be appreciated.


      Joshua

        • Re: Windows share auditing with LEM
          evanr

          You can edit the policies by going to manage - appliance.  Click the gear on the left-hand side and go to policy.  From there you can disable the policies you don't want to see.

          • Re: Windows share auditing with LEM
            curtisi

            Hello!


            There are a few things you might want to look at.


            First, take a look at your auditing policies.  Open a command prompt and run "auditpol /get /category:*".  This will give you an overview of what the server has as a policy to start with:

            [Screenshot: output of auditpol /get /category:* in Administrator: C:\windows\system32\cmd.exe]

            Most of that Windows noise comes from the two items I have highlighted (and turned off) on my machine.  This isn't meant to be a guide to how your policies should be set up, since mine is in a lab and I can mess with it with reckless abandon and you probably have actual business needs.  Still, those Filtering Platform items don't seem to do many people any good.  We have an article on it:


            SolarWinds Knowledge Base :: Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy


            Now, in that Object Access Category, there are a lot of policies that can make a LOT of noise.  You may want to experiment with turning some of them (like Detailed File Share and SAM) off and see if you still capture the events you want.  For example, in my lab (set up as shown) just hovering over a file in Explorer makes two events.  Clicking on it makes four.  Opening it is four more.  I obviously have it set to audit to a stupid level, but I'm in a lab and I'm one user.  You can imagine what having a hundred users in a share might do!


            You'll also need to take a look at what Windows has set to Audit:

            [Screenshot: Advanced Security Settings for OSDisk (C:), Auditing tab]

            You may want to push a policy from the root level that has no auditing, and then turn auditing on more precisely.  Remember, you can set Windows to Audit certain locations with the Everyone user, which is easy, but maybe you don't need to Audit everyone.  Everyone includes all the Windows System Accounts, so maybe you should consider Domain Users.  Maybe you only need to Audit what your Executive Office or Domain Admins are doing in some locations.  Be smart with Auditing policy.  Microsoft has a lot of docs on Auditing if you search TechNet and their KB.
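The steps curtisi walks through (inspect auditpol, switch off the noisy Object Access subcategories, then audit a share for a narrower principal than Everyone) in one script, as an added example that is not from the thread or from SolarWinds. It assumes an elevated PowerShell session on the file server; the share path D:\Shares\Finance and the CONTOSO domain are placeholders.

```powershell
# Added example: trim Windows audit noise before it reaches LEM, then scope share auditing.
# Run elevated (Set-Acl on a SACL needs SeSecurityPrivilege). Paths and domain are placeholders.

# 1. Current policy for the category the post discusses (same tool as the screenshot).
auditpol /get /category:"Object Access"

# 2. Disable the subcategories the post identifies as noise. Review against your own needs.
$noisy = @(
    "Filtering Platform Connection",
    "Filtering Platform Packet Drop",
    "Detailed File Share",
    "SAM"
)
foreach ($sub in $noisy) {
    auditpol /set /subcategory:"$sub" /success:disable /failure:disable | Out-Null
}

# 3. Keep the two subcategories that actually carry share access events.
auditpol /set /subcategory:"File Share"  /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 4. Replace a broad Everyone SACL on the share with one scoped to Domain Users,
#    auditing writes and deletes only rather than every read or hover.
$sharePath = "D:\Shares\Finance"        # placeholder
$identity  = "CONTOSO\Domain Users"     # placeholder
$acl = Get-Acl -Path $sharePath -Audit

# Remove existing audit entries for Everyone (well-known SID S-1-1-0) so the SACL starts clean.
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$acl.PurgeAuditRules($everyone)

$rights  = [System.Security.AccessControl.FileSystemRights]::Write -bor
           [System.Security.AccessControl.FileSystemRights]::Delete
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]"Success, Failure"

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 5. Confirm what is now audited on the share (explicit and inherited entries, as account names).
(Get-Acl -Path $sharePath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags
```

After this, re-run the LEM report for the same window: the Filtering Platform events disappear entirely, and the share only produces File System / File Share events for writes and deletes by domain users.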