watchDirectory Help


Audit Windows Directories - Who Did It?

This plugin for watchDirectory uses the Windows Security Event Log to find out who is messing with your files.
You should properly configure Windows to write "audit info" to the Security log, otherwise watchDirectory will not find the audit information.

Settings for this plugin

Operating system of monitored computer
Select the operating system of the computer you are monitoring. This plugin reads/interprets the Security event log and the records inside the event log are operating system specific. The plugin uses "mapping files" to properly process event logs from different operating systems. If your operating system is not included, please try one of the listed operating systems. If those do not work properly, see how to request a new mapping file.

Path Prefix to use...
For some file systems, Windows will write the audit information to the security log with a different filename. For example, when you monitor the directory \\Server\Share\SomeDir, the info in the security log will often be of the form C:\SharedDirectory\SomeDir. To make sure watchDirectory can find the correct entry in the security log, watchDirectory needs to know the proper "Path Prefix".
When you press the "Assistant" button, watchDirectory will help you to find the proper Path Prefix.

Write audit reports to this directory
Enter the name of an existing directory where watchDirectory should write its audit reports.
Each report that watchDirectory writes is given a name like "event_567_filename.txt". 567 is an increasing number assigned by watchDirectory, corresponding to the Event-Id in the Task History. "filename" is the name of the file this audit report is about.

Create a CSV file with this name
Additionally, you can let watchDirectory create a CSV (comma separated value) file with all events. Press the Configure button to select the fields that are written to the CSV file.

Email those reports to me
Additionally, you can let watchDirectory email the audit reports to you.

Email address
Enter the email address that should receive the reports. You can enter addresses in the following formats:

Email Subject
The subject used for the email alerts. If you choose to send alerts for each event immediately, the name of the file will be appended to this subject.

Send reports
Choose how often those audit reports should be sent.

Please note that this plugin uses the wdPostMan program to send email in the background. You will need to configure the wdPostMan program first.

Example auditing report

File/Directory C:\WUTemp\Disasm.log 
   from 7/24/2005 10:41:31 AM to 7/24/2005 10:41:31 AM
[2036] 7/24/2005 10:41:31 AM, Open File by GDPLAP\\Jeremy. Program C:\WINDOWS\explorer.exe. 
   Permissions requested Delete, Read Attributes
   [2036] 7/24/2005 10:41:31 AM, Used a granted permission. Permission used Delete
   [2036] 7/24/2005 10:41:31 AM, Delete 
[2036] 7/24/2005 10:41:31 AM, Close 

The first 2 lines identify the file (C:\WUTemp\Disasm.log) and the timespan this report is about.
The lines following all start with a number ("handle") of a file operation between [square brackets]. They will normally start with an "Open" operation that will tell you who accessed the file. In this case it was Jeremy from the GDPLAP computer.
It is followed by the program used to open the file (explorer), and the permissions that program requested.
Lines following the "Open" operation for the same handle are indented until the corresponding "Close" operation.
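
The report layout described above can be read back into one record per handle, which makes it easy to answer "who did it" across many reports. This Python is an added example, not part of watchDirectory or its documentation; the function names (parse_report, who_did) and the US-style timestamp format are assumptions taken from the sample report.

```python
import re
from datetime import datetime

# Sample report copied from the page above.
REPORT = r"""File/Directory C:\WUTemp\Disasm.log
   from 7/24/2005 10:41:31 AM to 7/24/2005 10:41:31 AM
[2036] 7/24/2005 10:41:31 AM, Open File by GDPLAP\\Jeremy. Program C:\WINDOWS\explorer.exe.
   Permissions requested Delete, Read Attributes
   [2036] 7/24/2005 10:41:31 AM, Used a granted permission. Permission used Delete
   [2036] 7/24/2005 10:41:31 AM, Delete
[2036] 7/24/2005 10:41:31 AM, Close
"""

EVENT = re.compile(r"^\s*\[(\d+)\]\s+(.+? [AP]M),\s*(.*?)\s*$")
OPEN = re.compile(r"^Open \w+ by (.+?)\\+(.+?)\. Program (.+?)\.?$")
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: US-style dates, as in the sample
PERM = "Permissions requested"

def parse_report(text):
    """Return (path, sessions); a session is one handle from Open to Close."""
    lines = text.splitlines()
    path = lines[0].split("File/Directory", 1)[1].strip()
    sessions, live, last = [], {}, None
    for line in lines[2:]:  # the first two lines are the file and the timespan
        m = EVENT.match(line)
        if not m:  # continuation of the preceding Open line
            rest = line.strip()
            if last and rest.startswith(PERM):
                last["requested"] = [p.strip() for p in rest[len(PERM):].split(",")]
            continue
        handle, when, what = int(m[1]), datetime.strptime(m[2], TS_FORMAT), m[3]
        o = OPEN.match(what)
        if o or handle not in live:
            # No Open line: the report window began mid-session, account unknown.
            who = o.groups() if o else (None, None, None)
            last = dict(handle=handle, opened=when if o else None, closed=None,
                        computer=who[0], user=who[1], program=who[2],
                        requested=[], actions=[])
            live[handle] = last
            sessions.append(last)
        if what == "Close":
            live.pop(handle)["closed"] = when
        elif not o:
            live[handle]["actions"].append(what)
    return path, sessions

def who_did(sessions, action):
    """Accounts and programs whose session contains the given action line."""
    return [(s["computer"], s["user"], s["program"])
            for s in sessions if action in s["actions"]]
```

A session whose user is None had no "Open" line inside the report's timespan, so the account has to be looked up in an earlier report or in the Security log itself.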

Now press Next to Configure the Directory to Monitor.