Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

File System Auditing wizard

Previous Next

File System Auditing wizard

The File System Auditing wizard displays when you click Add or Edit on the File System Auditing page. This wizard steps you through the process of creating a new file system auditing template, identifying the files, folders or all drives on a system that are to be included in the auditing template.

The following table provides a description of the fields and controls in the File System Auditing wizard:

 
* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates that the required information has been specified and you are ready to proceed.
 

Table 2. File System Auditing wizard

Create or modify a File System Auditing Template page

Use the first page of the wizard to enter a name for the template and specify the individual file or folder or all drives to be audited.

Template Name

Enter a descriptive name for the template being created.

Audit Path

Select one of the following options to define auditing for a file, folder or all drives:
File - select this option to audit a single file. Then enter a file name and path (i.e., Drive:\Folder\FileName.ext) or use the browse button to locate and select the file to be audited.
Folder - select this option to audit a folder or a set of files. To specify a particular folder, enter the folder’s name (for example, Drive:\Folder\) or use the browse button to select the folder to be audited.

Use the drop-down menu to specify a system variable: Common Program Files, Program Files, System Drive, Windows Directory, or All Shares.

NOTE: This must be a local path. Auditing of network shares or mapped drives is not supported. To audit those files/folders, a Change Auditor agent must be deployed on the share's hosting server.
NOTE: Change Auditor does NOT audit any shares that are hidden using the dollar sign character ($) appended to the end of the share name.
All Drives - select this option to audit all drives. The Audit Path text box will contain an asterisk (*) which cannot be changed.

Once you have entered the audit path to be audited, use the Add button to add it to the selection list.

When the File or Folder option is selected as the audit path, click the browse button to locate and select a file or folder to be audited.

Add

Click Add to move the entry in the Audit Path text box to the selection list.

NOTE: Even though you cannot edit the Audit Path when the All Drives option is selected, you must still use Add to move it to the selection list.

Remove

Select an entry in the selection list and click Remove to remove it from the template.

Selection list

The list box, located across the middle of this page, displays the files, folders or All Drives selected for auditing.

When a Folder is selected, you can use the drop-down menu in the Scope field to change the scope of coverage for a folder:
This object only - select this option to audit only the selected folder, not its files or subfolders.
This object and child objects only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
This object and all child objects - select this option to audit this folder and all of its files and subfolders. (Default)

Select an entry in this list to enable the corresponding Events, Inclusions and Exclusions tabs at the bottom of the page.

Events tab

Use the Events tab to select the file and/or folder events to audit in the selected audited path. The contents of this tab are based on the entry selected above in the Selection list.

File Events

Select the file events to audit. Select the File Events check box to select all of the file events listed or select individual events from the list.

NOTE: Due to the potential of generating a very large number of events, File Open events are NOT captured when This object and all child objects is selected in the Scope cell. Therefore, File Open is NOT included in the File Events list on this page when This object and all child objects is selected above.

Folder Events

Select the folder events to audit. Select the Folder Events check box to select all of the folder events listed or select individual events from the list.

NOTE: Due to the potential of generating a very large number of events, Folder Open events are NOT captured when This object and all child objects is selected in the Scope cell. Therefore, Folder Open is NOT included in the Folder Events list on this page when This object and all child objects is selected above.

Ignore specific events

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action, select the Discard Windows Explorer tooltip events from browsing option.

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action, select the Discard file open events from folder browsing option.

Inclusions tab

When the Folder or All Drives option is selected in the Audit Path field and the Scope includes child objects, the Inclusions tab will be displayed allowing you to specify what in the selected audit path is to be audited.

NOTE: Do NOT use the Inclusion tab to add additional subfolder paths onto the monitored base path (audit path specified above). It is meant to specify an inclusion mask for ONLY objects located under the monitored base path.

Add the names of subfolders and files to audit

Enter a file mask to specify what in the selected audit path is to be audited. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
NOTE: For file system auditing, the slash characters (\) and double asterisks (**) are not allowed in file masks; therefore to include a specific folder (or share), use the Audit Path field at the top of the page to specify the folder ( or share) to be audited and enter an * on the Inclusions tab.

For example, entering * will include all folders and files in the selected audit path. See File/Folder Inclusion and Exclusion Examples for more file mask examples.

You can also enter the name of an individual subfolder or file to be included. However, if you enter the name of a subfolder, you will only receive events for operations performed against that subfolder. You will NOT receive any events for operations performed against any child objects under the specified subfolder.

Once you have specified the subfolder or file to be included, click Add to add it to the Inclusions list.

Inclusions list

The list across the bottom of this page contains the subfolders and files selected for auditing. Use the buttons to the right of the text box to add and remove entries.
Add - Click to move the entry in the text box to the Inclusions list.
Remove - Select an entry in the Inclusions list and click Remove to remove it.

Exclusions tab (Optional)

When the Folder or All Drives option is selected in the Audit Path field and the Scope includes child objects, the Exclusions tab will be displayed allowing you to refine the settings defined on the Inclusions tab. That is, you can optionally specify the names and paths of any subfolders and files in the selected audit path that are to be excluded from auditing.

NOTE: To reduce the number of events generated by document File | Save operations in Microsoft Word, Excel, Visio, and PowerPoint (Microsoft Office version 2010, 2013, and 2016), Change Auditor uses event consolidation rules. Excluding temporary files will remove the ability to consolidate these events and you will lose file modified events. Consolidation rules are not supported in multiple agent auditing scenarios.

Add the names and paths of subfolders and files to exclude from auditing

Enter a file mask to specify the name and path of subfolders and files to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters. Use a single asterisk (*) to specify a non-recursive match (i.e., find match in the folder only; does not match any slash characters (\)). Use a double asterisk (**) to specify a recursive match (i.e., find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character. The ? wildcard character does not match slash (\) characters.

For example, entering *.log will exclude all files in the audit folder with the .log file extension. Whereas, entering **.log will exclude all files with the .log file extension found in the audit folder or in any subfolders.

See File/Folder Inclusion and Exclusion Examples for more examples.

You can also enter the name of an individual subfolder or file to be excluded or use one of the browse options to browse for and select an individual subfolder or file.

Click the browse button and select one of the following options:
Browse Files - selecting this option displays the Select a file system path dialog allowing you to select an individual file for exclusion.
Browse Folders - selecting this option displays the Browse for Folder dialog allowing you to select an individual folder for exclusion.
NOTE: If you select a file or subfolder that does not belong to the selected audit path, the wizard will not allow you to continue. A red flashing icon is displayed indicating that you have selected a file or folder outside of the selected audit path. However, the wizard will not prevent you from entering the name of a file or subfolder that is outside of the audited path. If this happens, Change Auditor will not exclude it from auditing.

Once you have specified a subfolder or file to be excluded, click the appropriate Add button to add the file or folder to the Exclusions list.

Exclusions list

The list across the bottom of this page contains the folders, files and masks that are to be excluded from auditing. Use the buttons to the right of the text box to add and remove entries.
Add | Folder - Use this to exclude activity against files/subfolders in any folders that match the exclusion string.
Add | File - Select this to exclude activity against any files that match the exclusion string.
Remove - Select an entry in the Exclusions list and click Remove to remove it.

(Optional) Select Processes Exempt From Auditing page: Use this page to suppress events generated by a specific process (e.g., anti virus process).

NOTE: Any file changes performed by the agent service (NpSrvHost.exe process) are excluded from auditing.

Processes list

Displays a list of the processes available on the local server. From this list, select one or more processes and click Add to move them to the Excluded Process list at the bottom of the page.

You are viewing processes on

Displays the name of the server from which the processes list was populated.

Click the browse button to select a different server. Selecting this button displays the Select Active Directory Objects dialog. Use the Browse or Search page to locate and select a server. The processes found on that server will then be displayed.

Enter a process not listed above

Select this check box to enter the name of a process that you do not find listed in the Processes list.

You can also enter a file mask to select a group of processes to be excluded from auditing. The file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
Asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.

Click the Add button to add the selected process(es) to the Excluded Process list.

Excluded Process list

The list across the bottom of the page lists the processes that will be allowed to make changes to audited object without generating an event. Use the buttons located above this list box to add and remove processes.
Add - Select one or more processes in the Processes list and click Add to add the processes to the list.
Remove - Select one or more processes in the Excluded Process list and click Remove to remove them from the exclusion list.

File System Event settings

Previous Next

File System Event settings

From the Agent Configuration page on the Administration Tasks tab you can define how Change Auditor is to handle duplicate file system events.

Use the File System tab at the top of the Configuration Setup dialog to define how to process duplicate file system events.

Discard duplicates that occur within nn seconds

This option is selected by default and will discard file system events that occur within 10 seconds of each other. You can enter a value between 1 and 600 (or use the arrow controls) to increase or decrease this interval.

Audit all configured, including duplicates (Not Recommended)

Select this option to audit all configured file system events including duplicate events. This is NOT recommended and therefore is disabled by default.

To set the File System Event settings:
1
Open the Administration Tasks tab.
2
Click Configuration.
3
Select Agent in the Configuration task list to display the Agent Configuration page.
4
Click Configurations.
5
On the Configuration Setup dialog, select an agent configuration from the left-hand pane.
6
Open the File System tab and set the File System Event settings as defined above.
7
Once you have set these settings, click OK to save your selections, close the dialog and return to the Agent Configuration page.
8
On the Agent Configuration page, select the agents assigned to the selected agent configuration and click Refresh Configuration.

File System event logging

Previous Next

File System event logging

* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.

In addition to real-time event auditing, you can enable event logging to capture Windows file server events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

For Windows file server events, event logging is disabled by default. When enabled, only configured activities are sent to the Quest File Access event log. See the Change Auditor for Windows File Servers Event Reference Guide for a list of the events that can be sent to this event log.

To enable Windows file server event logging:
1
Open the Administration Tasks tab.
2
Click the Configuration task button at the bottom of the navigation pane.
3
Select Agent in the Configuration task list to display the Agent Configuration page.
4
Click Event Logging.
5
On the Event Logging dialog, select File System.
6
Click OK to save your selection and close the dialog.

The Windows file server events configured in the File System Auditing template will then be sent to the Quest File Access event log.

File System Searches/Reports

Previous Next

File System Searches/Reports
Introduction
Create custom File System search
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating