Track file access
Here are the steps to track who read a file on Windows File Server. Note: It is suggested to create a new GPO, link it to the domain, and edit it. The former lets you audit successful attempts made to access the objects, whereas the latter lets you audit failed attempts. Select either or both options as required. It is recommended to select both options. In our case, we have selected both options because we want to audit both the successful and the failed attempts.
Step 2 — Set auditing on the files that you want to track
After configuring GPO, you have to set auditing on each file individually, or on folders that contain the files.
All functions are then inside the binary and not in a library. As ltrace can track libraries only, you have to use strace instead.
Everything on disk is a file. Normal files, devices and even directories are all presented as a file. The file system marks each of these entries in a file table, with the related type.
While you might normally not even notice due to colored screen output, directories have a different type. To see open files, we can use the lsof utility. It can really show any type of open file, from the earlier mentioned special files (block and character devices), to tracking open network connections.
One big disadvantage of the lsof utility should be shared up front: there are way too many options to remember. So getting exactly the right output usually takes some experimenting. At the bottom we have shared some commonly used examples, to make this process easier.
We already have written some posts about the powerful Linux audit framework. This built-in kernel feature allows tracking files and system calls. Of course we can combine both. We define what process we want to track and the related system call. Now when this process uses the open system call, it will be logged in the audit log. The Linux audit framework is a great alternative to strace, but might be less friendly to configure.
Especially on a system which already has watches going on, you might want to skip inserting a few test rules. In that case use strace instead.
Note: It is recommended to create a new GPO, link it to the domain and edit it.
Step 2: Configure auditing on files and folders
Follow the below steps to enable auditing for the files and folders you want to audit on your Windows File Server. Select all the actions that you want to audit.
Step 3: View Events in Windows Event Viewer
After you have configured the above audit settings, you can track any change made to folders, subfolders and files. The same event ID shows all accesses made to the objects, such as files and folders.
Figure 8: File creation report
In the above image, we have highlighted the record which contains the information about where a file was created.
You can centralize the monitoring of all of your servers in one overview that offers a drill-down path to see statistics on each individual location. Site24x7 is a subscription service and you can get it on a day free trial.
ManageEngine DataSecurity Plus is a file monitoring software platform that displays file and user activity on a network.
You can see who accessed the file, when, and what they accessed. There are also several visual displays like graphs and pie charts that show you a more complete overview.
You can also view the most active users, most accessed files, and most modified files within the file server. File access analytics highlight access trends, monitor access times and detect anomalous file access.
For example, the tool can identify if a file was accessed outside of working hours and if the user was authorized to access the content. The built-in auditing and regulatory compliance of ManageEngine DataSecurity Plus are also extremely useful. You can download the day free trial version.
LANGuardian is a file activity monitor that uses deep packet inspection to track user activity.
Charts are generated based on file activity. User metadata is obtained from network packets to monitor user activity within the network.
In practice, this shows you when users open and close files on a file share, download or upload files. The tool also has an alerts feature to notify you about suspicious activity. For instance, the user is sent an alert if the rate of file renames increases or the user copies large volumes of files.
Having alerts on hand to flag suspicious activity early reduces the likelihood of malicious software like ransomware putting you out of action. LANGuardian is available as a perpetual license or a subscription. The price depends on the number of users on your network and the number of sensors you require. There is also a free trial version.
Teramind is a file activity monitoring software designed specifically for user activity monitoring.
The product monitors file access, creation, deletion, and write operations. User activity is monitored through screen recording and textual logs so you can take a closer look at user activity to verify its legitimacy. There is also a notifications system to keep you updated on developments in the network. For example, the notifications system tells you when files are uploaded to the cloud either as an email attachment or through a cloud service like Google Drive, Dropbox, or OneDrive.
You can also block uploads to the cloud storage if you believe an activity is malicious in nature. Teramind is available as an on-premises or cloud-based solution.
PA File Sight is a file monitoring solution with real-time file monitoring capabilities.