Recently one of our clients was interested in creating a report to monitor file access. They simply wanted to know who in their Admin group was accessing what files and at what time. ELM Editor has many preconfigured reports, including an Object Access Report; however, this was too general out of the box and provided a bit too much detail for their needs. Instead of modifying this existing report, we decided to create a new report.
To get started, our Product Support Engineers went on a quick fact-finding mission to determine exactly what the client was looking for that was not offered in the default Object Access report in ELM (as well as what they didn’t need). This included Event fields such as the Computer, Username, specific Event IDs, Object Name, Type and of course the date and time.
Next, as a complimentary service, our Product Support Engineers scripted a new report in XML format that could be imported directly into ELM Editor. After some testing and verification in-house, the report was emailed to the client along with simple import instructions.
In order for the report to work properly, auditing has to be enabled for the specific directories you wish to monitor.
For more details on that, scroll down to the bottom.
Once you have a custom report in XML format, the import process is quite simple.
- Save the XML file to an accessible drive.
- In the ELM Console navigate to the ELM Editor container, right-click and select Import Report Definition From > File…
- Select your XML file and click Open. ELM Editor will import the file into the available reports list.
Sample Report
After monitoring activity for a few days our Product Support Engineers ran a sample report to view the results of the report setup. In the details of this custom report we can see activity from users including Bob, Krista and George and which files they accessed.
This report is now available to preview, schedule and modify according to our needs. For details on how to modify the report further, please contact TNT Software Support.
Download and try this “Object Access – File Activity Monitoring” Report for yourself.
How to Enable Auditing
In order for the Object Access reporting to perform correctly, you need to enable object access auditing in your security settings. This can be set using group policy or the local security policy (secpol.msc).
Enabling the policy alone does not generate events. Once it is enabled, you also need to turn auditing on for each folder you want to watch for changes.
- Right-click the folder you wish to audit and select Properties
- On the Security Tab, click the Advanced button and then the Auditing tab
- Click the Edit button, then the Add button to add a user or group to be audited
- Enter the name of the users or group (Ex: Everyone, Domain Users) then click OK
- Specify what you would like to audit for failures and successes and check the “Apply these auditing entries to objects..” box, then click OK.
- Check the box that says “Replace all existing inheritable auditing entries…” then click OK three more times to close the dialogs.
Auditing is now set up.
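The same setup can be scripted and then checked, which helps when several folders or servers need identical audit entries. The following PowerShell is an added example, not part of the ELM product or the original article. It assumes an elevated session; the folder path and the audited group are placeholders, and event ID 4663 is the standard Windows "attempt to access an object" event, which the article does not name explicitly. It does not reproduce the "Replace all existing inheritable auditing entries" step.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps above, plus a verification query.
param(
    [string]$Folder   = 'D:\Shares\Finance',  # hypothetical folder to monitor
    [string]$Identity = 'Everyone'            # user or group whose access is audited
)

# 1. Enable object access auditing, limited to the File System subcategory.
#    (The subcategory name is localized on non-English systems.)
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Build an audit entry that is inherited by subfolders and files, matching the
#    "Apply these auditing entries to objects..." checkbox in the dialog.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $Identity, $rights, $inherit, $prop, $flags)

# 3. Add the entry to the folder's SACL. -Audit loads the SACL along with the DACL.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Confirm the audit entry is present.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 5. Read back the last day of file access events (4663) for this folder and
#    project them onto the fields the report uses: computer, user, type, object, time.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -like "$Folder*") {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                Computer   = $evt.MachineName
                User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                ObjectType = $data.ObjectType
                ObjectName = $data.ObjectName
            }
        }
    }
```

Auditing broad rights for a large group on a busy share produces a high volume of Security log entries, so size the log and narrow the rights and identity to what the report actually needs.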
We hope that you found this article on using Object Access for File Activity Monitoring informative and useful, and we wish you continued success with ELM.