From Splunk Wiki


How to audit disk reads in Windows

Splunk ships with a cool tool, the file system change monitor (fschange), that audits and logs all the changes made to files. But what if you want to audit reads as well? Where data disclosure is also an issue, as under HIPAA or FISMA, there are several options for auditing all events, including reads.

The most straightforward method is to use the native Windows auditing.

This is a two-step process, as described by Microsoft. The first step is to enable auditing of objects at a system level. You can do that either as a Group Policy, which is applied to objects in Active Directory, or directly on the local system as a local policy. Auditing objects for successes or failures is your only high-level option; everything else is set on the individual objects. Obviously, in this case you want to audit both.

There are two considerations. First, although group policy is more scalable and easier to deploy, you need to have Active Directory access to set policy and an OU structure that aligns with the subsystems you'd like to audit. Second, if you need to go down the local policy route, note that group policy overrides local policy in domain environments, so confirm that there isn't a global audit policy superseding yours.

Once you have auditing enabled on the system, you have to tell Windows which objects to audit. You can audit other objects, like the registry or system objects, but in this case our focus is on files.

In Explorer, you can set advanced SACLs for auditing both by user/user group and by action. Be as specific as you can; for example, audit list and read-data access only for specific user groups, rather than Everyone. This auditing will create a staggering amount of data if you audit unnecessary directories or system actions.

Once you specify who and what to audit, events should start appearing in the Security event log. This is where Splunk can work its magic. A common criticism of Microsoft auditing is the complete lack of meaningful search, correlation or event filtering tools. Splunk can fill all those requirements, and add in advanced reporting and alerting to boot. That means many scenarios where Microsoft auditing was previously untenable become possible with IT Search.
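The two steps above, as an added PowerShell example that is not part of the original wiki page: it enables the "File System" audit subcategory with auditpol, adds a read-only audit entry (SACL) to one directory tree instead of clicking through Explorer, and then reads a probe file and checks the Security log for the resulting event. The path D:\PatientRecords, the group CORP\ClinicalStaff and the function names are my placeholders, not anything from the page.

```powershell
# Added example (not from the Splunk wiki page): enable read auditing on one
# directory tree the way the page describes doing it by hand. Run in an
# elevated PowerShell session on the file server. Path and group names are
# placeholders; substitute your own.

function Enable-FileReadAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,      # directory tree to audit
        [Parameter(Mandatory)] [string] $Identity   # a specific group, never "Everyone"
    )

    # Step 1: system-level policy. The "File System" subcategory of Object Access
    # must audit both successes and failures; without it, SACLs produce nothing.
    # (On pre-Vista systems use the category-level form: /category:"Object Access".)
    # In a domain, group policy overrides this value, so display the effective setting.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    $effective = & auditpol.exe /get /subcategory:"File System"
    Write-Verbose ($effective -join "`n")

    # Step 2: object-level SACL. ReadData (same bit as ListDirectory) covers file
    # reads and directory listings only, which keeps event volume manageable.
    $rights    = [System.Security.AccessControl.FileSystemRights]::ReadData
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $rights, $inherit, $propagate, $flags)

    # -Audit is required so Get-Acl returns the SACL (not just the DACL) and
    # Set-Acl writes it back. Setting a SACL needs SeSecurityPrivilege (admin).
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FileReadAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    # Read a probe file so a read access is generated, then look for it in the
    # Security log. Creating the file is not audited by the ReadData-only SACL.
    $probe = Join-Path $Path 'audit-probe.txt'
    if (-not (Test-Path $probe)) { Set-Content -Path $probe -Value 'probe' }
    Get-Content -Path $probe | Out-Null

    # Event ID 4663 = "An attempt was made to access an object" (Vista/2008 and later).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
        Where-Object { $_.Message -like "*$probe*" } |
        Select-Object TimeCreated, Id, Message
}

# Example invocation with placeholder values:
Enable-FileReadAudit -Path 'D:\PatientRecords' -Identity 'CORP\ClinicalStaff' -Verbose
Test-FileReadAudit  -Path 'D:\PatientRecords'
```

If Test-FileReadAudit returns nothing, check the effective policy output first: a domain audit policy that disables the subcategory silently wins over the local setting, which is the second consideration the page raises. Once 4663 events appear, Splunk's Windows event log input on the Security log picks them up without further configuration of the audit side.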

Note that there is a CLI tool, auditusr, that might be useful for you: it can set auditing up on a per-user basis. If your domain is large, that might not be useful, or may require advanced scripting, but it is noted here for completeness.

Separately, note that there are other options for producing these audit trails. For the purpose of Splunk, these tools would need to output to a log file. Unfortunately, many of the free tools, such as FileMon, either don't output to a log, or if they do, lack a command line version. If you are considering paid tools, such as FileSure or WatchDirectory, make sure they are configured to drop flat file logs and not register to a SQL data source.

Moving forward, we'll be addressing enhancement requests to add read auditing to the capabilities of fschange.
