Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

File System Auditing

Previous Next

File System Auditing
Introduction
File System Auditing page
File System Auditing templates
File System Auditing wizard
File System Event settings
File System event logging

Introduction

Previous Next

Introduction

To capture Windows file server events, you must define the files/folders to be audited and the events to be captured:

1
Create a File System Auditing template which specifies the files/folders and events to be audited.
2
Add this template to an agent configuration.
3
Assign the agent configuration to agents.
* 
TIP: Quest recommends a phased approach to setting up file/folder auditing for all servers. A phased approach will allow file/folder auditing to be deployed in stages so that the coordinator performance is not degraded.
* 
NOTE: Windows File System auditing is supported in a Windows failover cluster configuration. However, the agent is not aware of the cluster and will only audit the active nodes in the cluster where agents are deployed.

 

File System Auditing page

Previous Next

File System Auditing page

The File System Auditing page displays when File System is selected from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can launch the File System Auditing wizard to specify the file, folder or all drives in a system that are to be audited. You can also edit existing templates, disable a template, and remove templates that are no longer being used.
* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.

The File System Auditing page contains an expandable view of all the File System Auditing templates that have been previously defined. To add a new template to this list, click Add. Once added, the following information is provided for each template:

Template

Displays the name assigned to the template when it was created.

Status

Indicates whether the auditing template is enabled or disabled.

Paths

This field is used for filtering data.

Excluded Processes

This field is used for filtering data.

 

Click the expansion box to the left of the Template name to expand this view and display the following details for each template:

Path

Displays the name of the file paths or folders included in the File System Auditing template.

Status

Indicates whether auditing for the selected file path is enabled or disabled.

Scope

Indicates the scope of coverage specified for each file path in the selected template:
This object only
This object and child objects only
This object and all child objects
Include

Displays the names of the subfolders or files to be audited (or a file mask) as specified on the Inclusions tab of the wizard.

Exclude

Displays the names and paths of subfolders and files to be excluded from auditing as specified on the Exclusions tab of the wizard.

Operations

Displays the events selected for auditing on the Events tab of the wizard. Hover your mouse over this cell to view all of the events included in the template.

Excluded Process

Displays a list of the processes excluded from auditing (i.e., changes from these processes are not audited) as specified on the last page of the File System Auditing wizard.

 
* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the Change Auditor client, see the Change Auditor User Guide.

File System Auditing templates

Previous Next

File System Auditing templates

To enable File System auditing in Change Auditor, you must first create a File System Auditing template which specifies the files, folders, or all drives on a system that are to be audited. This template must then be assigned to the appropriate agents’ configuration to audit the specified files and folders.

To create an auditing template for a file:
1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select File System (under the Server heading in the Auditing task list) to open the File System Auditing page.
4
Click Add to open the File System Auditing wizard which will step you through the process of creating a File System Auditing template.
5
On the first page of the wizard, enter the following information:
Template Name - Enter a name for the template.
Audit Path - Select the File option. Enter a file name (Drive:\Folder\FileName.ext) or click the browse button and select the file to be audited.
* 
NOTE: This must be a local path. Auditing of network shares or mapped drives is not supported. To audit those files/folders, a Change Auditor agent must be deployed on the share's hosting server.

Click Add to move the specified file to the selection list.
Events tab - Select the file events to be audited for the file selected in the selection list.

Repeat this step to add additional files to this auditing template.

* 
NOTE: Selecting the File Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing this check box will clear all of the selected events.
6
Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action, select the Discard Windows Explorer tooltip events from folder browsing option.
7
Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action, select the Discard file open events from browsing option.
8
(Optional) Click Next to proceed to the next page to select processes that are to be excluded from auditing (for example, changes made by the processes specified on this page will not be audited).

Select one or more processes from the process list and click Add to move these processes to the exclusion list at the bottom of the page.

* 
NOTE: You can also view processes on a different server or enter a process not listed in the process list.
9
To create the template without assigning it to an agent configuration, click Finish.

This creates the template, closes the wizard, and returns you to the File System Auditing page where the newly created template is now listed.

10
To create the template and assign it to an agent configuration, expand Finish and select Finish and Assign to Agent Configuration.

On the Configuration Setup dialog, use one of the following methods to assign this template to an agent configuration:
Select the newly created template and drag and drop it onto a configuration in the Configuration list.
Select a configuration from the Configuration list and ‘drag and drop’ it onto the newly created template.
Select a configuration, then select the newly created template, right-click and select Assign.
Select a configuration, then select the newly created template, click in the corresponding Assigned cell and click Yes.
11
If this configuration is not assigned to any agents, you will need to assign it to one or more installed agents to capture the specified file system events.
On the Agent Configuration page, select one or more agents from the agent list and click Assign.
On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents and click OK.
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
To create an auditing template for a folder:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select File System (under the Server heading in the Auditing task list) to open the File System Auditing page.
4
Click Add to launch the File System Auditing Wizard which steps you through the process of creating a File System Auditing template.
5
On the first page of the wizard, enter the following information:
Template Name - Enter a name for the template.
Audit Path - Select the Folder option. Enter a folder name (i.e., Drive:\Folder\) or click the Browse button to select the folder to audit.
* 
NOTE: This must be a local path. Auditing and/or protecting network shares is not supported. To audit or protect those files/folders, an agent must be deployed on the share's hosting server.
 
* 
NOTE: Once the Folder option is selected, you can select a system variable using the drop-down menu. Click the arrow to the far right of the text box and select one of the following options:
Common Program Files
Program Files
System Drive
Windows Directory
All Shares (Change Auditor does NOT audit any shares that are hidden using the dollar sign character ($) appended to the end of the share name.)

Click Add to add the specified folder to the Selection list (middle of the page).

6
By default, the scope of coverage for the selected folder will be This object and all child objects. However, you can change the scope, by selecting a different option from the drop-down box in the scope cell of the selection list:
This object only- select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders.

In addition, selecting the folder entry in the Selection list activates the tabs across the bottom of the page. The settings specified on these tabs apply to the entry selected.

7
On the Events tab, select the file and folder events to be audited.
 
* 
NOTE: Selecting the File Events or Folder Events check box at the top of the events list on the Events tab will select all of the events listed. Similarly, clearing these check boxes will clear all of the selected events.
8
On the Inclusions tab, specify the file masks to audit.
* 
NOTE: Do NOT use the Inclusion tab to add additional subfolder paths onto the monitored base path (audit path specified above). It is meant to specify an inclusion mask for ONLY objects located under the monitored base path.

Enter a file mask to specify what is to be included in the audit. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
* 
NOTE: For file system auditing, the slash characters (\) and double asterisks (**) are not allowed in file masks; therefore, to include a specific folder (or share), use the Audit Path field at the top of the page to specify the folder (or share) to be audited and enter an * on the Inclusions tab.

For example, entering * will include all subfolders and files in the selected audit path.

You can also enter the name of an individual subfolder or file to be audited. However, if you enter the name of an individual subfolder, you will only receive events for operations performed against that subfolder. You will NOT receive events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolders/files for inclusion, click Add to add it to the Inclusion list at the bottom of the page.

Repeat this step to add additional subfolders and files to the Inclusion list.

9
(Optional) On the Exclusions tab, specify the names and paths of any subfolders or files in the selected audit path that are to be excluded from auditing.

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

You can also enter the name of an individual subfolder or file to be excluded from auditing or click the browse button and select one of the options to browse for and select an individual subfolder or file in the specified audit path:
Browse Files - selecting this browse option displays the Select a file system path dialog allowing you to select a file for exclusion from auditing.
Browse Folders - selecting this browse option displays the Browse for Folder dialog allowing you to select a folder for exclusion from auditing.
* 
NOTE: If you select a file or subfolder that does not belong to the selected audit path, the wizard will not allow you to continue. A red flashing icon is displayed indicating that you have selected a file or folder outside of the selected audit path. However, the wizard will not prevent you from entering the name of a file or subfolder that is outside of the audited path. If this happens, Change Auditor will NOT exclude it from auditing.

Once you have specified a subfolder or file for exclusion, use the appropriate Add command to add it to the Exclusion list at the bottom of the page:
Add | Folder - use this option to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - use this option to exclude activity against any files that match the exclusion string.

Repeat this step to add additional subfolders and files to the Exclusion list.

10
(Optional) Click Next to proceed to the next page to select processes that are to be excluded from auditing (for example, changes made by the processes specified on this page will not be audited).

From this page, select one or more processes from the process list and click Add to move these processes to the list at the bottom of the page.

* 
NOTE: You can also view processes on a different server or enter a process not listed in the process list.
11
To create the template without assigning it to an agent configuration, click Finish.

This creates the template, closes the wizard, and returns you to the File System Auditing page, where the newly created template is now listed.

12
To create the template and assign it to an agent configuration, expand Finish and select Finish and Assign to Agent Configuration.

On the Configuration Setup dialog, use one of the following methods to assign this template to an agent configuration:
Select the newly created template and drag and drop it onto a configuration in the Configuration list.
Select a configuration from the Configuration list and ‘drag and drop’ it onto the newly created template.
Select a configuration, then select the newly created template, right-click and select Assign.
Select a configuration, then select the newly created template, click in the corresponding Assigned cell and click Yes.
13
If this configuration is not assigned to any agents, you will need to assign it to one or more installed agents to capture the specified file system events.
On the Agent Configuration page, select one or more agents from the agent list and click Assign.
On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents and click OK.
On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
To modify a template:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
On the File System Auditing page, select the template to be modified and click Edit.

This displays the File System Auditing wizard, where you can modify the files, folders, events and/or processes included in the template.

2
Click Finish or expand the Finish and select Finish and Assign to Agent Configuration.
To disable an auditing template:

The disable feature allows you to temporarily stop auditing the specified file path without having to remove the auditing template or individual file path from a template.

1
On the File System Auditing page, use one of the following methods to disable a File System Auditing template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to ‘Disabled’.

2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
To disable the auditing of a file path in a template:
1
On the File System Auditing page, use one of the following methods to disable a file path in an auditing template:
Place your cursor in the Status cell for the file path to be disabled, click the arrow control and select Disabled.
Right-click the file path to be disabled and select Disable.

The entry in the Status column for the selected file path will change to ‘Disabled’.

2
To re-enable the auditing of a file path, use the Enable option in either the Status cell or right-click menu.
To delete an auditing template:
1
On the File System Auditing page, select the template to be deleted and click Delete | Delete Template.
2
A dialog displays confirming that you want to delete the selected template. Click Yes.
To delete a file path from a template:
1
On the File System Auditing page, select the file path to be deleted and click Delete | Delete File Path.
2
A dialog displays confirming that you want to delete the selected file path from the template. Click Yes.
* 
NOTE: If the file path is the last one in the template, deleting this file path will also delete the template.
To delete an excluded process from a template:
1
On the File System Auditing page, right-click the excluded process to be deleted from the auditing template and select Delete.
2
A dialog will be displayed confirming that you want to delete the selected process from the template. Click Yes.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating