
Change Auditor for Windows File Servers 7.2 - Event Reference Guide

Introduction

Quest® Change Auditor for Windows File Servers tracks, audits and alerts on file and folder changes in real time, translating events into simple text and eliminating the time and complexity required by system-provided auditing. The auditing scope can be set on an individual file or folder, or on an entire file system, recursively or non-recursively. You can also include or exclude certain files or folders from the audit scope to ensure a faster and more efficient audit process.

In addition to real-time event auditing, you can also enable event logging to capture Windows File Server events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

This guide lists the events that can be captured by Change Auditor for Windows File Servers. Separate event reference guides are provided that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

 

Change Auditor for Windows File Servers Events

This section lists the audited events captured when Change Auditor for Windows File Servers is licensed and custom file system auditing templates are applied to Change Auditor agents defining the files/folders to be audited. These events are listed in alphabetical order by facility.

 

Moving a parent folder: For a ‘Move’ operation, only one event will be generated for the parent folder because the action is only on the parent folder’s path; none of the child folders or files are physically moved.
Deleting a parent folder: For a ‘Delete’ operation, an event will be generated for each folder or file because each object will be removed separately.
Copying a parent folder: For a ‘Copy’ operation, an event will be generated for each folder and file because a new object will be created within the target folder.

If a parent folder is copied to a target folder that is not being monitored, no event will be generated. The target folder must be monitored in order for an event to be generated.

Failed File Access (NTFS Permissions)
Created when access to a file is denied based on the NTFS permissions assigned.
Severity: Medium

Failed File Access (Change Auditor Protection)
Created when access to a file is denied because it is locked down using the File System Protection feature of Change Auditor.
Severity: Medium

Failed Folder Access (NTFS Permissions)
Created when access to a folder is denied based on the NTFS permissions assigned.
Severity: Medium

Failed Folder Access (Change Auditor Protection)
Created when access to a folder is denied because it is locked down using the File System Protection feature of Change Auditor.
Severity: Medium

Failed Share Access (NTFS Permissions)
Created when access to a file share's properties is denied based on the NTFS permissions assigned.
Severity: Medium

Failed Share Access (Change Auditor Protection)
Created when access to a file share's properties is denied because it is locked down using the File System Protection feature of Change Auditor.
Severity: Medium

File Access Rights Changed
Created when file access rights have changed on a file system.
Severity: Medium

File Attribute Changed
Created when a file attribute has changed on a file system.
Severity: Medium

File Auditing Changed
Created when file auditing has changed on a file system.
Severity: Medium

File Central Access Policy Changed
Created when the central access policy of a file changed on a file system.
Severity: Medium

File Classification Changed
Created when the classification of a file changed on a file system.
Severity: Medium

File Created
Created when a file is created on a file system.
Severity: Medium

File Deleted
Created when a file is deleted on a file system.
Severity: Medium

File Last Write Changed
Created when the last write time of a file is changed on a file system.
Severity: Medium

File Moved
Created when a file is moved on a file system.
Severity: Medium

File Opened
Created when a file is opened on a file system.
Severity: Medium

File Ownership Changed
Created when file ownership is changed on a file system.
Severity: Medium

File Renamed
Created when a file is renamed on a file system.
Severity: Medium

Folder Access Rights Changed
Created when folder access rights have changed on a file system.
Severity: Medium

Folder Attribute Changed
Created when a folder attribute has changed on a file system.
Severity: Medium

Folder Auditing Changed
Created when folder auditing has changed on a file system.
Severity: Medium

Folder Central Access Policy Changed
Created when the central access policy of a folder changed on a file system.
Severity: Medium

Folder Classification Changed
Created when the classification of a folder changed on a file system.
Severity: Medium

Folder Created
Created when a folder is created on a file system.
Severity: Medium

Folder Deleted
Created when a folder is removed from a file system.
Severity: Medium

Folder Moved
Created when a folder is moved on a file system.
Severity: Medium

Folder Opened
Created when a folder is opened on a file system.
Severity: Medium

Folder Ownership Changed
Created when folder ownership has changed on a file system.
Severity: Medium

Folder Renamed
Created when a folder is renamed on a file system.
Severity: Medium

Junction Point Created
Created when a third-party tool is installed and a new junction point is created.
Severity: Medium

Junction Point Deleted
Created when a third-party tool is installed and a junction point is deleted.
Severity: Medium

Local Share Added
Created when a local share is added to a file system.
Severity: Medium

Local Share Folder Path Changed
Created when the path of a local share folder is changed on a file system.
Severity: Medium

Local Share Permissions Changed
Created when local share permissions are changed on a file system.
Severity: Medium

Local Share Removed
Created when a local share is removed from a file system.
Severity: Medium

Shadow Copy Created
Created when a shadow copy is created for a volume. Disabled by default.
Severity: Medium

Shadow Copy Deleted
Created when a shadow copy is deleted from a volume. Disabled by default.
Severity: Medium

Shadow Copy Rolled Back
Created when a shadow copy for a volume is rolled back. Disabled by default.
Severity: Medium

Transaction Status Changed
Created when the status of the transaction changed. Disabled by default.
Severity: Medium

Log Events

When event logging for File System is enabled, Windows File Server events will also be written to a Windows event log named the Quest File Access Audit event log. These log events can then be gathered by InTrust and Quest Knowledge Portal for further processing and reporting.

NOTE: To enable event logging, select Event Logging on the Agent Configuration page (Administration Tasks tab), and select the type of event logging to enable.

The following table lists the Windows File Server events that are recorded to the Quest File Access Audit event log when File System event logging is enabled in Change Auditor. They are listed in numeric order by event ID.

Event ID  Description
1         File audit service started
2         File audit service stopped
3         File audit service error
4         File audit service configuration changed
5         File audit service abnormal termination
6         File audit service startup changed from Automatic
7         Disabled in safe mode
8         Protected folder move
257       Remote access failed (NTFS)
258       Local access failed (NTFS)
273       Remote object permissions changed
274       Local object permissions changed
769       Remote file read
770       Local file read
779       Remote folder open
780       Local folder opened
1025      Remote file written
1026      Local file written
1281      Remote object created
1282      Local object created
1537      Remote object deleted
1538      Local object deleted
1793      Remote object moved
1794      Local object moved
2049      Remote object renamed
2050      Local file renamed
2059      Remote object attribute changed
2060      Local object attribute changed
2069      Remote object auditing changed
2070      Local object auditing changed
2305      Remote object owner changed
2306      Local object owner changed
2561      Remote share settings change failed
2562      Local share settings changed failed
2817      Remote share created
2818      Local share created
3073      Remote share deleted
3074      Local share deleted
3329      Remote share permissions changed
3330      Local share permissions changed
4098      Local transaction status changed
4353      Remote access failed (lockdown)
4354      Local access failed (lockdown)
4610      Shadow copy created
4866      Shadow copy deleted
5122      Shadow copy rolled back
5200      Junction Point created
5210      Local Junction Point deleted
5211      Remote Junction Point deleted
