|
The Auditing plugin will, when possible, extract the user who created or
deleted a file from local or remote computers. |
The success of this plugin relies on proper security configuration of the
computer and folder as well as administrator rights for the user running ShareWatcher. |
|
- ShareWatcher does not require the steps below for any of the other
features to work. This is only for user level auditing where there is a need
to know the user who added or deleted a file/folder.
- Auditing requires reading the Windows Event Log and this can slow
ShareWatcher's performance for remote computers on busy networks and
computers. Depending on file event rate this may or may not be an issue.
- For Auditing to be allowed, ShareWatcher must be run on a computer with
administrator rights for the local computer (if audited) and any remote
computers selected. Typically a Domain Administrator account is required.
- ShareWatcher will try its best to extract the User Information from the
Windows Event Log but cannot always guarantee success.
|
|
The Audit Plugin is used by the New(live) and Deleted plugins.
When adding or editing a folder, an Audit choice is offered. "Not Audited" is
the default option. Licensed users will have the option of "Local Computer" or
one of their pre-configured Remote Computers to choose from. |
 |
|
Open Local Security Policy either from Control Panel... |
 |
...or open a command prompt and type, "secpol.msc". |
Edit the Audit Policy as shown below. |
 |
Your computer is now ready to audit file events. |
NOTE: You may appear to have successfully configured your computer as shown
above but reopen the Audit Policy to be sure it has saved. Reasons for not
saving or working could be related to you not having Domain Administrator rights, your Security Policy being controlled by
another Group Policy or it could be related to the scenario discussed on this
Microsoft Support Page. It is
important that this process above be completed successfully for the plugin to
work. Following the Folder Configuration below alone will not provide user
auditing. |
|
The following steps must be completed for any folder selected for Audit: |
|
|
|
|
|
|
|
|
|
...and click OK on each dialog until you're back at the folder view. |
|
The user needs to be an administrator on the local computer or in the case
of remote computer auditing, a domain administrator. This high level security
setting is a requirement for remote computer access of the Windows Event Log. |
 |
If you are experiencing long delays between file events and a logged
entry then it may be that the computer being monitored with Auditing
turned on is heavily utilised. Click the Info button (New
Files / Deleted Files) for insight into
this possibility. If this is adversely affecting the performance then
please contact
support@thecodeline.com for advice on how to customise the Event Log
Search for your environment. |
|
|