Mombu the Microsoft Forum

1 28th September 19:16
jan larsson
How to understand file audit output



I have auditing on a Windows 2000 TS filesystem on a public file share; I'd like
to see if a user deletes or modifies a file. How do I read the security log?

In the security log, Event ID 560 contains the information, but it is hard to
understand.
Is there an easy way to understand from this log if the user has
opened, deleted, or modified the file?

Regards,
Jan

Example:
--------------------------------
Object Open:
Object Server: Security
Object Type: File
Object Name: E:\gemensam\backuplogs\backup09.log
Handle ID: 928
Operation ID: {0,667228}
Process ID: 8
Image File Name: Server1$
Primary User Name: MyDomain
Primary Domain: (0x0,0x3E7)
Primary Logon ID: John
Client User Name: MyDomain
Client Domain: (0x0,0x56079)
Client Logon ID: DELETE
READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Accesses: -
Privileges: %16
Restricted Sid Count: %17
2 28th September 19:16
meinolf weber

Hello Jan,

Scroll down to Figure 2 in:
http://www.microsoft.com/technet/arc....mspx?mfr=true

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
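
An added example, not part of the original posts: Python code that pulls the access-right names out of an Event 560 description and groups them into delete, modify, permissions and read. It scans every line instead of trusting the "Accesses:" label, because in the event quoted in the question the names appear under "Client Logon ID:"; Event 560 records the access requested when the file was opened, not what was done with the handle afterwards. The grouping, the name parse_560 and the sample path are assumptions of this example.

```python
import re

# Access-right names as printed in Event 560 descriptions, mapped to a coarse
# intent. The grouping is this example's own choice (an assumption).
ACCESS_CLASS = {
    "DELETE": "delete", "DeleteChild": "delete",
    "WriteData": "modify", "AppendData": "modify",
    "WriteEA": "modify", "WriteAttributes": "modify",
    "WRITE_DAC": "permissions", "WRITE_OWNER": "permissions",
    "ReadData": "read", "ReadEA": "read", "ReadAttributes": "read",
    "Execute/Traverse": "read", "READ_CONTROL": "read",
    "SYNCHRONIZE": None,  # housekeeping right, carries no intent
}

def parse_560(text):
    """Return (object_name, access_names, intents) for one event description."""
    name, accesses = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Object Name:\s*(.+)", line)
        if m:
            name = m.group(1)
            continue
        # Accept both "Label: VALUE" lines and bare continuation lines, so the
        # rights are found even when the labels are shifted against the values.
        labelled = re.match(r"[A-Za-z ]+:", line)
        value = line.split(":", 1)[1].strip() if labelled else line
        token = value.split(" (")[0]  # drop "(or AddFile)" style suffixes
        if token in ACCESS_CLASS:
            accesses.append(token)
    intents = {ACCESS_CLASS[a] for a in accesses} - {None}
    return name, accesses, intents

# Constructed sample in the same shifted layout as the event in the question.
SAMPLE = r"""Object Open:
Object Type: File
Object Name: E:\share\report.log
Client Logon ID: DELETE
READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
ReadAttributes

Accesses: -
"""

if __name__ == "__main__":
    obj, rights, intents = parse_560(SAMPLE)
    print(obj, "requested:", ", ".join(sorted(intents)), "via", rights)
```
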