Anton Chuvakin of LogLogic posted today on some of the intricacies of Windows native file system audit. If you have a need for monitoring access or changes to files, beware of the do-it-yourself method. Chuvakin provides insight on some of the challenges.
One of the things that NetVision engineers brought to market long before I joined is a very slick file system monitoring solution. Slick mostly because you have extreme control over which events you want to capture. You can filter on server, folder, file, person acting, event type (read, create, modify, delete, ACL or attribute changes) – you can even specify times of day to activate a particular policy. And you can have different policies for different files or folders. You can also choose what to do when an event occurs. For some events, write it to a database or file. For others, send an email too or kick off another process. None of it relies on system logs and the reports are delivered in a nice web UI running on Crystal Reports. So the business people get relevant results without having to understand the tech stuff.
Some of our customers even use our filtering to narrow down the events that are then fed into an enterprise security event management or log management system (like LogLogic). It's File System audit made easy.