WatchDirectory Forum
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl?num=1133062911

Message started by SimonDMZ on Nov 27th, 2005 at 4:41am

Title: Events recorded in Security log but not in WD
Post by SimonDMZ on Nov 27th, 2005 at 4:41am
I have set up WatchDirectory on a W2K domain server. Local Security settings (as initially set up in Global) show Audit Object Access as Success and Effective Setting as Success. On creating a file or a folder in the monitored directory, many event logs are written about the creation in the Security log. However, although watchDirectory reports in the column ‘Last Message’ about (say) the file created by its filename, the message says “No auditing info found for file/directory e:\private\new text document.txt”.  And no report is written in the designated report folder.

Any help would be appreciated!

Title: Re: Events recorded in Security log but not in WD
Post by Gert on Nov 27th, 2005 at 6:36am
Is this E:\Private folder on the same computer as where watchDirectory is running? I mean: really connected to that computer? If E: is a mapped drive of some kind, you need to monitor it using its UNC name (\\Server\share on http://www.watchdirectory.net/wdhelp/help/wdnewconfigpage0.html ) and enter the "local directory" on the "who did it" panel ( http://www.watchdirectory.net/wdhelp/plugins/wdopAuditInfo.html ).

Also make sure you have properly set up the auditing entries for the specific directory (e:\Private - http://www.watchdirectory.net/wdhelp/plugins/wdopAuditInfoConf.html ).

Gert

Title: Re: Events recorded in Security log but not in WD
Post by SimonDMZ on Nov 28th, 2005 at 11:58am
Thanks for coming back to me so quickly Gert.

E:\ is a physical drive and the directory Private is one of the shared directories that I would like to monitor. The auditing setup is exactly as you document.

I enclose an image of three screenshots to illustrate: (a) the Local Security Setting ‘audit object access’ entry; (b) the error message in the WD control when I add a test sound wave to the folder; and (c) the log of the addition of that file in the Security Event log.

So the fact that it is logging, and that the Security Settings say the effective setting is enabled, indicates that it is correctly configured. Yes?

Could I have overlooked something?

Regards, Simon

WD_Screen_Shots.jpg (212 KB)

Title: Re: Events recorded in Security log but not in WD
Post by Gert on Nov 28th, 2005 at 4:20pm
Your screenshot doesn't show if you also enabled auditing for the directory itself:

The above are my settings for a local folder (d:\auditmeforfilesanddirs).

Gert

Title: Re: Events recorded in Security log but not in WD
Post by SimonDMZ on Nov 28th, 2005 at 5:42pm
That's pretty much how I am set up. See enclosed Screen Shot.
Regards, Simon
Auditing_Entry.jpg (54 KB)

Title: Re: Events recorded in Security log but not in WD
Post by Gert on Nov 28th, 2005 at 5:53pm
Yup, I guess that should do it.

Can you email me
C:\Documents and Settings\All Users\Application Data\watchDirectory\YOURTASKNAME.config
(replacing YOURTASKNAME with the name you gave this task)
so I can review your settings.

Gert

Title: Re: Events recorded in Security log but not in WD
Post by SimonDMZ on Dec 2nd, 2005 at 11:11am
Thanks Gert, your fix resolved the issue!

Here’s a synopsis of what happened:-

The Security Event log showed that the folder audit properties were set correctly, as events were being created and logged every time a file/folder was added or deleted. However, the watchDirectory Control Center reported (in this case, when adding a new file ‘New Wave Sound.wav’ to the directory Private) that “No auditing info found for file/directory e:\private\new wave sound.wav”.

The config file Gert requested was set up correctly. However, the Event Properties screen posted above showed something different from the normal. The E:\ drive and the folder being monitored were not being represented as E:\Private but as \Device\HarddiskDm\Volumes|PhysicalDmVolumes\BlockVolume1\Private\

The config file was amended in Notepad and the line  
remotedir=  
was changed to
remotedir=\Device\HarddiskDm\Volumes|PhysicalDmVolumes\BlockVolume1\Private\

And all goes well.  The directory and the many sub-directories are all being monitored.

The E:\ drive is a mirrored set (Dynamic Disk) and W2K had created a different drive mapping reference which the setup GUI (as yet!) doesn’t recognise.

The program is excellent.  Task History shows in-depth clear detail. Thanks for your support and all your hard work Gert!  Highly recommended.   ;)
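
The mismatch described in the last post, as an added example that is not part of the thread and not watchDirectory's own code: it shows why a drive-letter comparison misses audit events whose object name is in NT device form, and how trying the device form of the watched directory fixes the match. The drive map and the sample object names are constructed for illustration; only the E: device string is copied from the post as written.

```python
import ntpath

# Constructed drive-letter -> NT device map. On a live host this would come
# from the Win32 QueryDosDevice call. The E: value is the string quoted in the
# post above; the C: value is made up.
DEVICE_MAP = {
    "C:": r"\Device\HarddiskVolume1",
    "E:": r"\Device\HarddiskDm\Volumes|PhysicalDmVolumes\BlockVolume1",
}

# Constructed "Object Name" values as they might appear in object-access events.
SAMPLE_EVENTS = [
    r"\Device\HarddiskDm\Volumes|PhysicalDmVolumes\BlockVolume1\Private\New Wave Sound.wav",
    r"E:\Private\New Text Document.txt",
    r"\Device\HarddiskDm\Volumes|PhysicalDmVolumes\BlockVolume1\PrivateOld\x.txt",
    r"\Device\HarddiskVolume1\Private\x.txt",
]

def _norm(path):
    # Windows paths compare case-insensitively; ignore a trailing backslash.
    return path.rstrip("\\").lower()

def device_form(win_path, device_map=DEVICE_MAP):
    """Rewrite 'E:\\Private' into its device form, or None if the drive is unknown."""
    drive, rest = ntpath.splitdrive(win_path)
    device = device_map.get(drive.upper())
    return None if device is None else device + rest

def is_under(object_name, directory):
    """True if object_name is the directory itself or something below it."""
    name, base = _norm(object_name), _norm(directory)
    # Require a separator after the prefix so 'Private' does not match 'PrivateOld'.
    return name == base or name.startswith(base + "\\")

def event_matches(object_name, watched_dir, device_map=DEVICE_MAP):
    """Match an audit object name against watched_dir in either path form."""
    if is_under(object_name, watched_dir):
        return True
    alt = device_form(watched_dir, device_map)
    return alt is not None and is_under(object_name, alt)

def unmatched(events, watched_dir, device_map=DEVICE_MAP):
    """Object names that belong to neither form of watched_dir."""
    return [e for e in events if not event_matches(e, watched_dir, device_map)]

if __name__ == "__main__":
    for name in SAMPLE_EVENTS:
        print(event_matches(name, "E:\\Private\\"), name)
```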
