Understanding audit event when writing files to a server

Hi,

I am trying to find information on the various stages when accessing a share and writing information to it. On my test server (2008R2) I have audit events enabled and it's creating about 8 events per disk access, and I would like to understand this a bit better.

Want to better understand the following sort of output

Access Request Information:
Access Mask: 0x80
Accesses: %%4423

Access Check Results:
%%4423: %%1801 D:(A;;FA;;;WD)

Access Request Information:
Access Mask: 0x1
Accesses: %%4416

Access Check Results:
%%4416: %%1801 D:(A;;FA;;;WD)

Access Request Information:
Access Mask: 0x120089
Accesses: %%1538
%%1541
%%4416
%%4419
%%4423

Access Check Results:
%%1538: %%1801 D:(A;;FA;;;WD)
%%1541: %%1801 D:(A;;FA;;;WD)
%%4416: %%1801 D:(A;;FA;;;WD)
%%4419: %%1801 D:(A;;FA;;;WD)
%%4423: %%1801 D:(A;;FA;;;WD)

Ultimately I'm trying to detect when a file is being written to a share (event ID 5145), which will trigger a further action; however, I lack understanding of the various stages when you touch a share and the various steps in checking access, reading rights etc. with the access mask.

Any pointers or direction most welcome

Cheers

Newbie

February 17th, 2015 7:54am

Hi,

Thanks for your post.

This event identifies the user in the Subject field, the user's IP address in the Network Information field, the share name, and the actual file that was accessed via the share in the Share Information field. It also shows the permissions requested and the results of the access request.

For detailed information, you could refer to:

http://www.morgantechspace.com/2013/10/Event-ID-5145-Detailed-File-Share-Auditing.html#Event5145SampleSource

Regards.

February 18th, 2015 3:19am
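
An added example, not part of the original thread: a small decoder for the "Access Mask" values quoted in the question, mapping each bit to its standard Windows file access right and unresolved %% message ID, and flagging the masks that request a write. It assumes that "written to" means the WriteData or AppendData bit is requested; the fourth sample mask is constructed, not taken from the thread.

```python
import re

# File-object access-right bits and the message IDs event 5145 shows as
# "%%NNNN" when the viewer does not resolve them (standard Windows values).
FILE_RIGHTS = {
    0x000001: ("%%4416", "ReadData / ListDirectory"),
    0x000002: ("%%4417", "WriteData / AddFile"),
    0x000004: ("%%4418", "AppendData / AddSubdirectory"),
    0x000008: ("%%4419", "ReadEA"),
    0x000010: ("%%4420", "WriteEA"),
    0x000020: ("%%4421", "Execute / Traverse"),
    0x000040: ("%%4422", "DeleteChild"),
    0x000080: ("%%4423", "ReadAttributes"),
    0x000100: ("%%4424", "WriteAttributes"),
    0x010000: ("%%1537", "DELETE"),
    0x020000: ("%%1538", "READ_CONTROL"),
    0x040000: ("%%1539", "WRITE_DAC"),
    0x080000: ("%%1540", "WRITE_OWNER"),
    0x100000: ("%%1541", "SYNCHRONIZE"),
}
ALL_KNOWN = 0
for _bit in FILE_RIGHTS:
    ALL_KNOWN |= _bit
# Assumption for this example: a "write" is WriteData or AppendData.
WRITE_BITS = 0x2 | 0x4

def decode_mask(mask):
    """Return (list of (message_id, right_name), bits not in the table)."""
    rights = [FILE_RIGHTS[bit] for bit in sorted(FILE_RIGHTS) if mask & bit]
    return rights, mask & ~ALL_KNOWN

def is_write(mask):
    """True when the request asks to write or append file data."""
    return bool(mask & WRITE_BITS)

def parse_event_masks(text):
    """Extract every 'Access Mask: 0x...' value from event message text."""
    return [int(m, 16) for m in re.findall(r"Access Mask:\s*(0x[0-9A-Fa-f]+)", text)]

# The first three masks are the ones quoted in the question; the last is a
# constructed sample (FILE_GENERIC_WRITE) standing in for a write request.
SAMPLE = "Access Mask: 0x80\nAccess Mask: 0x1\nAccess Mask: 0x120089\nAccess Mask: 0x120116"

if __name__ == "__main__":
    for mask in parse_event_masks(SAMPLE):
        rights, unknown = decode_mask(mask)
        names = ", ".join(name for _id, name in rights)
        print(f"{mask:#x}: write={is_write(mask)} [{names}] unknown={unknown:#x}")
```

All three masks quoted in the question decode to read-type rights only, so none of those events is a write. In the "Access Check Results" lines, %%1801 is the "Granted by" message and D:(A;;FA;;;WD) is the SDDL form of an allow ACE giving full file access to Everyone.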

I would like to add that reading these events from Event Viewer can be a difficult and challenging task. That is why it would be better to have a third-party tool to have better visibility on what is happening and be able to easily track events and changes.

The tool I usually recommend is Lepide Auditor for File Server: http://www.lepide.com/file-server-audit/

February 18th, 2015 5:47am

Hi,

Any update about the issue?

Regards.

February 19th, 2015 5:13am

Hi, sorry, been dragged into another project for a few days. Will get back to you as soon as I can. Thanks for the responses, appreciated.
February 23rd, 2015 3:01am

This topic is archived. No further replies will be accepted.
