File Audit Sensor


The File Audit Sensor is able to monitor the security event log of local and remote computers to notify you when files or directories are accessed.

Note:

To enable auditing, one of the following Group Policy settings needs to be enabled in the Local Group Policy Editor:

1. "Audit object access" at "Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy"

2. "Audit File System" at "Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access"

Please keep in mind that the Advanced Audit Policy settings (2) override the Local Audit Policy settings (1).

You can specify whether to audit only successes, only failures or both successes and failures.


Audit events are only generated for files and directories with matching settings in the System Access Control List (SACL).

For help on configuring the SACL for a specific file or directory please see the Microsoft Documentation.
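The following PowerShell script is an added example and is not part of ServerSentinel or its documentation. It shows the two prerequisites described above on the monitored host: checking the effective audit policy for the "File System" subcategory, then adding a matching entry to the SACL of one directory so that Security log events are generated for the access types and outcomes (successes, failures) the sensor is expected to report. The directory path is a constructed placeholder; the identity, rights and flags are assumptions to adapt to the object being monitored.

```powershell
# Added example, not ServerSentinel code. Run in an elevated PowerShell session on the
# host whose Security event log the sensor reads (writing a SACL needs SeSecurityPrivilege).
$TargetPath = 'C:\Shares\Finance'   # constructed example path; use the sensor's Path value

# 1. Effective audit policy. auditpol reports the setting that is actually in force, so it
#    also reflects the Advanced Audit Policy subcategory when that overrides the legacy
#    "Audit object access" setting.
auditpol /get /subcategory:"File System"

# 2. Build the audit rule. The sensor's "Keywords" (success/failure) correspond to
#    AuditFlags, its "Access Types" to FileSystemRights. Values below are assumptions.
$identity   = 'Everyone'
$rights     = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
              [System.Security.AccessControl.FileSystemRights]::WriteData -bor
              [System.Security.AccessControl.FileSystemRights]::Delete
$inherit    = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
              [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propagate  = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags = [System.Security.AccessControl.AuditFlags]::Success -bor
              [System.Security.AccessControl.AuditFlags]::Failure

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propagate, $auditFlags)

# 3. Read the existing SACL. The -Audit switch is required; without it Get-Acl returns the
#    DACL only and Set-Acl would not touch the audit entries.
$acl = Get-Acl -Path $TargetPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $TargetPath -AclObject $acl

# 4. Verify which audit entries are now applied to the directory.
(Get-Acl -Path $TargetPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```

If step 1 shows "No Auditing" for the subcategory, no event is written no matter how the SACL is configured; if step 4 lists the entry but the sensor still reports nothing, the event log is usually being filtered by a Keywords or Access Types setting that does not match the rule.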

Sensor Tasks

Test Sensor

Tests the current sensor settings.

Get Help

Opens the ServerSentinel online help for the current sensor.

Basic Settings

Name

The name of the sensor (max. 100 characters). Choose a meaningful name to clearly identify the sensor.

Sensor is Active

Toggles the sensor ON/OFF.

Check Interval

This sensor is event based and will only execute if an event occurs.

Only check if this Sensor didn't fail

This sensor will only be checked if the sensor selected in the drop-down list didn't fail.

Further Information

Comment

Short additional information to the sensor (max. 255 characters).

Connection Settings

Host

The IP address or DNS name of the host that should be monitored (max. 255 characters).

Credential

Here you can either select an existing credential set or create a new one by entering a display name, a username and a password.

Monitoring Settings

Path

The path of the file or directory that should be monitored (max. 1024 characters).

Keywords

Select whether only successful, only failed, or both types of access should be monitored.

Access Types

Here you can select which types of access should be monitored.

Meta Data Values

Data Value         Data Type  Description
Checktime          Date       The time the dataset has been created.
Exception Message  String     The message of the error, if any occurred.
Response Time      Integer    The response time needed to perform the check.
Status             String     A status string that may contain arbitrary information collected by the sensor (max. 255 characters). By default this value is empty.
Status Flag        Enum       The status of the sensor after the check has been performed.

Data Values

Data Value     Data Type  Description
Access Type    Enum       The type of access made to the file or directory.
Computer       String     The name of the computer that produced the event.
Domain         String     The domain of the computer that accessed the object.
Keywords       Enum       The keywords of the event.
Message        String     The description of the event that occurred.
Object Type    String     The type of the accessed object (file or directory).
Path           String     The path of the accessed object.
Process        String     The full path of the process that accessed the object.
Record Number  Integer    The record number of the event in the log database.
Type           Enum       The type of the event.
User Name      String     The name of the user that accessed the object.
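The following PowerShell script is an added example and is not part of ServerSentinel or its documentation. It reads the Security log events that file auditing produces (Event ID 4663, "An attempt was made to access an object") and projects each one onto the Data Values listed above, which is useful for confirming, independently of the sensor, that the expected events exist and carry the expected user, process and path. The mapping of event fields to data values is an assumption about how the sensor populates them; the target path is a constructed placeholder.

```powershell
# Added example, not ServerSentinel code. Run on the monitored host, or add
# -ComputerName/-Credential to Get-WinEvent to read a remote host's log, which is
# what the sensor's Host and Credential settings correspond to.
$TargetPath = 'C:\Shares\Finance'   # constructed example path; use the sensor's Path value

# 4663 is the Security log event written when an access matches a SACL entry.
# Without -ErrorAction SilentlyContinue, Get-WinEvent throws when no event matches.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The named fields live in the event's XML <EventData> block, not in the message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # The SACL may cover other objects; keep only events below the monitored path.
    if ($d['ObjectName'] -notlike "$TargetPath*") { continue }

    # Assumed mapping of event fields to the sensor's Data Values.
    [pscustomobject]@{
        'Checktime'     = $e.TimeCreated
        'Computer'      = $e.MachineName
        'Record Number' = $e.RecordId
        'Keywords'      = ($e.KeywordsDisplayNames -join ',')   # "Audit Success" / "Audit Failure"
        'User Name'     = $d['SubjectUserName']
        'Domain'        = $d['SubjectDomainName']
        'Object Type'   = $d['ObjectType']
        'Path'          = $d['ObjectName']
        'Process'       = $d['ProcessName']
        'Access Type'   = $d['AccessMask']    # bit mask; AccessList carries the symbolic names
        'Message'       = ($e.Message -split "`n")[0]
    }
}
```

A run that returns no objects while the SACL and audit policy are in place usually means the access came from an identity or access right not covered by the audit entry, so compare the AccessMask values seen here with the Access Types selected in the sensor.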