Change Auditor for Windows File Servers 7.3 - Event Reference Guide

Introduction

Quest® Change Auditor for Windows File Servers tracks, audits and alerts on file and folder changes in real time, translating events into simple text and eliminating the time and complexity required by system provided auditing. The auditing scope can be set on an individual file or folder or an entire file system recursive or non-recursive. You can also include or exclude certain files or folders from the audit scope in order to ensure a faster and more efficient audit process.

In addition to real-time event auditing, you can also enable event logging to capture Windows File Server events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

NOTE: File System auditing and event logging are only available if you have licensed Change Auditor for Windows File Servers and have applied custom File System Auditing templates that define the files/folders to be audited. Contact your Sales Representative for more information on obtaining Change Auditor for Windows File Servers.

This guide lists the events that can be captured by Change Auditor for Windows File Servers. Separate event reference guides are provided that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

Change Auditor for Windows File Servers Events

This section lists the audited events captured when Change Auditor for Windows File Servers is licensed and custom file system auditing templates are applied to Change Auditor agents defining the files/folders to be audited. These events are listed in alphabetical order by facility.

IMPORTANT: When expecting large numbers of events, it may be necessary to increase the Max Events per Connection setting in the client (Agent Configuration on the Administration Tasks tab) to avoid an ever-increasing backlog of events waiting to be sent from the agent to the coordinator database.

NOTE: To view a complete list of all events, open the Audit Events page on the Administration Tasks tab in the client. This page displays the facility to which the event belongs, the severity assigned to each event, if the event is enabled or disabled, and the type of Change Auditor for Windows File Servers license that is required to capture each event.

NOTE: Events are generated as described below when actions are taken on folders that have subordinate files and folders: • Moving a parent folder: For a ‘Move’ operation, only one event will be generated for the parent folder because action is only on the parent folder’s path, none of the child folders or files are physically moved. • Deleting a parent folder: For a ‘Delete’ operation, an event will be generated for each folder or file because each object will be removed separately. • Copying a parent folder: For a ‘Copy’ operation, an event will be generated for each folder and file because a new object will be created within the target folder. If a parent folder is copied to a target folder that is not being monitored, no event will be generated. The target folder must be monitored in order for an event to be generated.

Log Events

When event logging for File System is enabled, Windows File Server events will also be written to a Windows event log, named Quest File Access Audit event log. These log events can then be gathered by InTrust for further processing and reporting.

NOTE: To enable event logging, select Event Logging on the Agent Configuration page (Administration Tasks tab), and select the type of event logging to enable.

The following table lists the Windows File Server events that are recorded to the Quest File Access Audit event log when File System event logging is enabled in Change Auditor. They are listed in numeric order by event ID.