SCOM ACS - Audit Policies
Hey, I posted this in the security forum and didn't get a response as of yet. I figured it couldn't hurt my chances posting here as well.
-----------------------------------------------
Hello,

We are looking to implement an audit policy for the purpose of collecting info in SCOM ACS; however, I find the info available in the event viewer after the audit policy is put into place is very vague and does not give us the info we need.

Our main requirements to audit are:
- logon/logoff
- File/Folder - read, write, delete (move, rename)

For example, I turn on auditing for File System using Auditpol:

    Auditpol /set /subcategory:"file system" /success:enable

I go to my test folder "SCOM test" and navigate to the auditing. I set Apply to "this folder, subfolders and files". I select "everyone" and apply the "create folders/append data - successful" checkbox. I create a new sub directory and get an event id 4663, which is correct. The only issue is that in no place does it reference the name of the created folder. <-- This doesn't seem to be useful. It does reference the parent folder that the new folder was created in; however, this would not be the info we are looking for.

Any help on this would be much appreciated (I suspect some of the other audit policies will have me scratching my head too, but for now I decided to start with simple folder creation).

Thank you
June 17th, 2011 7:39am
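A worked example, added here and not part of the thread (it is not the poster's code and not Microsoft's): a PowerShell script that applies the same SACL the post sets through Explorer, then reads 4663 events for the folder tree back out of the Security log and decodes the AccessMask, so the "AppendData / AddSubdirectory" access on the parent folder (the event the poster saw) can be told apart from later accesses to the new folder itself. Assumed: an elevated PowerShell session, the "file system" subcategory already enabled with the auditpol command in the post, and a constructed test path C:\SCOM test.

```powershell
# Added example for this thread; not code from the poster or from Microsoft.
# Assumptions: elevated PowerShell; "File System" subcategory auditing already
# enabled (auditpol /set /subcategory:"file system" /success:enable);
# C:\SCOM test is a constructed path, adjust to your own test folder.

# 1. Put the SACL on the folder programmatically (the Explorer steps in the post,
#    widened to create/write/delete so file and sub-folder changes are all audited).
function Add-FolderAuditRule {
    param([Parameter(Mandatory)][string]$Path)
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 2. Decode the AccessMask field of 4663. These are the standard Win32 file/directory
#    ACCESS_MASK bits; each low bit has a file meaning and a directory meaning.
$FileAccessBits = [ordered]@{
    0x1     = 'ReadData / ListDirectory'
    0x2     = 'WriteData / AddFile'
    0x4     = 'AppendData / AddSubdirectory'
    0x40    = 'DeleteChild'
    0x80    = 'ReadAttributes'
    0x100   = 'WriteAttributes'
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}
function ConvertFrom-AccessMask {
    param([Parameter(Mandatory)][long]$Mask)
    # GetEnumerator() is used on purpose: indexing an OrderedDictionary with an int is positional.
    $names = foreach ($entry in $FileAccessBits.GetEnumerator()) {
        if (($Mask -band $entry.Key) -ne 0) { $entry.Value }
    }
    if ($names) { $names -join ', ' } else { '0x{0:X}' -f $Mask }
}

# 3. Pull 4663 events for everything under the folder and flatten each into one row.
function Get-FolderAuditEvent {
    param(
        [Parameter(Mandatory)][string]$Path,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectType -ne 'File') { return }   # 4663 is also raised for registry and kernel objects
        if (-not $d.ObjectName) { return }
        if (-not $d.ObjectName.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) { return }
        $mask = [Convert]::ToInt64(($d.AccessMask -replace '^0x', ''), 16)
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            ObjectName = $d.ObjectName
            Access     = ConvertFrom-AccessMask -Mask $mask
            Process    = $d.ProcessName
            HandleId   = $d.HandleId   # same value in the matching 4656 (handle opened) and 4658 (handle closed)
        }
    }
}

# Usage with the constructed path: set the SACL, create a sub-folder, read the events back.
$folder = 'C:\SCOM test'
Add-FolderAuditRule -Path $folder
New-Item -ItemType Directory -Path (Join-Path $folder 'audit-demo') | Out-Null
Start-Sleep -Seconds 2
Get-FolderAuditEvent -Path $folder | Format-Table Time, User, ObjectName, Access -AutoSize
```

What this makes visible: creating the sub-folder produces a 4663 whose ObjectName is the parent and whose Access decodes to "AppendData / AddSubdirectory", which is exactly the event the poster describes. Because the audit rule is set with ContainerInherit and ObjectInherit, the new folder gets the SACL too, so anything done to it afterwards is logged with its own full path in ObjectName. For a delete, expect a 4663 with DELETE access followed by a 4660 (object deleted) carrying the same HandleId, and that HandleId also links back to the 4656 that opened the handle.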

I don't think SCOM can help you here. It just collects the events. When the events themselves are not sufficient, then you should look at another product which directly accesses those events and isn't dependent on the eventlog policy (Quest, NetIQ have such products).

Rob Korving
http://jama00.wordpress.com/
June 17th, 2011 7:49am

Hi,

To be honest, in my personal opinion (and others on here will disagree), I find Windows file/folder auditing poor from a compliance viewpoint. You get a lot of events (usually with the same event ID) for someone opening a single file (or carrying out some other activity), some of which will give useful info and some of which won't. None of them will tell you if a change to the file actually took place or what the old value was.

For compliance purposes around file auditing, I usually use Tripwire. It is expensive, which is why I would only use the Tripwire modules that are vital and then use ACS for other auditing.

http://contoso.se/blog/?p=1222

Depending on what the project needs to deliver, it might be worth asking security exactly what information they need, to see if ACS alone can deliver it.

Cheers
Graham

View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
June 17th, 2011 7:57am

