File Audit Sensor
The File Audit Sensor monitors the security event log of local and remote computers and notifies you when files or directories are accessed.
Note:
To enable auditing, one of the following Group Policy Options (GPO) needs to be activated in the Local Group Policy Editor:
1. "Audit object access" at "Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy"
2. "Audit File System" at "Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access"
Please keep in mind that the Advanced Audit Policy Settings (2) override any of the Local Audit Settings (1).
You can specify whether to audit only successes, only failures or both successes and failures.
Audit events are only generated for files and directories with matching settings in the System Access Control List (SACL).
For help on configuring the SACL for a specific file or directory, please see the Microsoft documentation.
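The two prerequisites from the note above (audit policy plus a matching SACL), shown as an added example that is not part of the ServerSentinel documentation. It uses auditpol.exe instead of the Local Group Policy Editor; the directory path, the audited principal and the audited rights are assumptions, and the subcategory name assumes an English-language Windows.

```powershell
# Run in an elevated PowerShell session on the host that the sensor monitors.
# Placeholder values (assumptions, adjust to your environment):
$Path      = 'D:\Shares\Finance'                 # directory to audit
$Principal = 'Everyone'                          # whose access is audited
$Rights    = 'Write,Delete,ChangePermissions'    # keep narrow to limit event volume

# 1. Enable the "File System" subcategory (the Advanced Audit Policy, option 2).
#    The subcategory name is localized; this assumes an English-language Windows.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# 2. Add an audit rule to the SACL of the directory.
#    -Audit is required; without it Get-Acl does not return the SACL.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Verify both halves: the effective policy and the resulting SACL entries.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 4. After a test access below $Path, object access events (ID 4663)
#    should appear in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 `
    -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
```

If step 4 returns nothing after a test access, check that the access type you performed is covered by the rights in the SACL rule and that the policy in step 3 shows the expected Success/Failure setting.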
Sensor Tasks
Test Sensor | Tests the current sensor settings.
Get Help | Opens the ServerSentinel online help for the current sensor.
Basic Settings
Name | The name of the sensor (max. 100 characters). Choose a meaningful name to clearly identify the sensor.
Sensor is Active | Toggles the sensor ON/OFF.
Check Interval | This sensor is event based and only executes if an event occurs.
Only check if this Sensor didn't fail | This sensor is only checked if the sensor selected in the drop-down list didn't fail.
Further Information
Comment | Short additional information about the sensor (max. 255 characters).
Connection Settings
Host | The IP address or DNS name of the host which should be monitored (max. 255 characters).
Credential | Here you can either select an existing credential set or create a new one by entering a display name, a username and a password.
Monitoring Settings
Path | The path of the file or directory which should be monitored (max. 1024 characters).
Keywords | Here you can select whether only successful access, only failed access, or both should be monitored.
Access Types | Here you can select which types of access should be monitored.
Meta Data Values
Data Value | Data Type | Description
Checktime | Date | The time the dataset has been created.
Exception Message | String | The message of the error if any occurred.
Response Time | Integer | The response time needed to perform the check.
Status | String | A status string that may contain arbitrary information that was collected by the sensor (max. 255 characters). By default this value is empty.
Status Flag | | The status of the sensor after the check has been performed.
Data Values
Data Value | Data Type | Description
Access Type | | The type of access made to the file or directory.
Computer | String | The name of the computer that produced the event.
Domain | String | The domain of the computer that accessed the object.
Keywords | | The keywords of the event.
Message | String | The description of the event that occurred.
Object Type | String | The type of the accessed object (file or directory).
Path | String | The path of the accessed object.
Process | String | The full path of the process that accessed the object.
Record Number | Integer | The record number of the event in the log database.
Type | | The type of the event.
User Name | String | The name of the user that accessed the object.