Audit Windows Directories - Who Did It?
This plugin for watchDirectory uses the Windows Security Event Log to find out who is messing with your files. You must configure Windows to write "audit info" to the Security log; otherwise watchDirectory will not find any audit information.
Settings for this plugin
Operating system of monitored computer
Select the operating system of the computer you are monitoring. This plugin reads/interprets the Security event log
and the records inside the event log are operating system specific. The plugin uses "mapping files" to properly process
event logs from different operating systems. If your operating system is not included, please try one of the listed
operating systems. If those do not work properly, see how to request a new mapping file.
Path Prefix to use...
For some file systems, Windows writes the audit information to the Security log under a different file name.
For example, when you monitor the directory \\Server\Share\SomeDir, the entries in the Security log will often be of
the form C:\SharedDirectory\SomeDir. To make sure watchDirectory can find the correct entry in the Security log, watchDirectory
needs to know the proper "Path Prefix".
When you press the "Assistant" button, watchDirectory will help you to find the proper Path Prefix.
Write audit reports to this directory
Enter the name of an existing directory where watchDirectory should write its audit reports.
Each report that watchDirectory writes is given a name like "event_567_filename.txt".
567 is an increasing number assigned
by watchDirectory, corresponding to the Event-Id in the Task History.
"filename" is the name of the file this audit report is about.
Create a CSV file with this name
Additionally, you can let watchDirectory create a CSV (comma-separated values) file with all events.
Press the Configure button to select the fields that are written to the CSV file.
Email those reports to me
Additionally, you can let watchDirectory email the audit reports to you.
Email address
Enter the email address that should receive the reports. You can enter addresses in the following formats:
- <john@doe.com> : just one email address
- John Doe<john@doe.com> : an email address with a "friendly name"
- <john@doe.com>;<mary@doe.com> : multiple addresses, separated by a ";"
Email Subject
The subject used for the email alerts. If you choose to send alerts for each event immediately, the name of the file
will be appended to this subject.
Send reports
Choose how often those audit reports should be sent.
Please note that this plugin uses the wdPostMan program to send email in the background. You will need to configure the wdPostMan program first.
Example auditing report
File/Directory C:\WUTemp\Disasm.log
from 7/24/2005 10:41:31 AM to 7/24/2005 10:41:31 AM
[2036] 7/24/2005 10:41:31 AM, Open File by GDPLAP\Jeremy. Program C:\WINDOWS\explorer.exe. Permissions requested Delete, Read Attributes
    [2036] 7/24/2005 10:41:31 AM, Used a granted permission. Permission used Delete
    [2036] 7/24/2005 10:41:31 AM, Delete
[2036] 7/24/2005 10:41:31 AM, Close
The first 2 lines identify the file (C:\WUTemp\Disasm.log) and the timespan this report is about.
The lines that follow all start with the number ("handle") of a file operation between [square brackets]. They normally
start with an "Open" operation that tells you who accessed the file; in this case it was Jeremy from the GDPLAP computer.
It is followed by the program used to open the file (explorer) and the permissions that program asked for.
Lines following the "Open" operation for the same handle are indented until the corresponding "Close" operation.
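To turn such a report into structured records (for your own CSV or a log collector), here is an added Python parser for the report format described above. It is example code, not part of watchDirectory; the report text it parses is constructed from the sample above plus a second, made-up handle (GDPLAP\Mary, notepad) that requests Delete at Open time but never uses it, which is exactly the distinction the "Used a granted permission" lines let you make.

```python
import re
from collections import defaultdict

# Constructed sample in the report format described above. The second handle
# (GDPLAP\Mary, notepad) is made up: it requests Delete but never uses it.
SAMPLE_REPORT = """\
File/Directory C:\\WUTemp\\Disasm.log
from 7/24/2005 10:41:31 AM to 7/24/2005 10:41:31 AM
[2036] 7/24/2005 10:41:31 AM, Open File by GDPLAP\\Jeremy. Program C:\\WINDOWS\\explorer.exe. Permissions requested Delete, Read Attributes
    [2036] 7/24/2005 10:41:31 AM, Used a granted permission. Permission used Delete
    [2036] 7/24/2005 10:41:31 AM, Delete
[2036] 7/24/2005 10:41:31 AM, Close
[2040] 7/24/2005 10:41:31 AM, Open File by GDPLAP\\Mary. Program C:\\WINDOWS\\notepad.exe. Permissions requested Delete, Read Data
[2040] 7/24/2005 10:41:31 AM, Close
"""

# "[handle] <timestamp ending in AM/PM>, <action text>"; leading indent is allowed
LINE_RE = re.compile(r"^\s*\[(\d+)\]\s+(.+?\s[AP]M),\s+(.*)$")
OPEN_RE = re.compile(r"^Open File by (\S+)\. Program (.+?)\. Permissions requested (.*)$")

def parse_report(text):
    """Return (path, timespan, handles): per handle, who/program/requested from Open plus ordered (time, op) list."""
    lines = text.splitlines()
    path = lines[0].split(" ", 1)[1]          # "File/Directory <path>"
    timespan = lines[1]                        # "from ... to ..."
    handles = defaultdict(lambda: {"user": None, "program": None, "requested": [], "operations": []})
    for line in lines[2:]:
        m = LINE_RE.match(line)
        if not m:
            continue                            # tolerate stray lines
        handle, when, action = m.groups()
        entry = handles[handle]
        o = OPEN_RE.match(action)
        if o:
            entry["user"], entry["program"] = o.group(1), o.group(2)
            entry["requested"] = [p.strip() for p in o.group(3).split(",")]
            entry["operations"].append((when, "Open"))
        elif action.startswith("Used a granted permission"):
            used = action.split("Permission used", 1)[1].strip()
            entry["operations"].append((when, "Used " + used))
        else:
            entry["operations"].append((when, action.strip()))
    return path, timespan, dict(handles)

def who_deleted(text):
    """(user, program) for handles whose lines show an actual Delete, not just a requested one."""
    _, _, handles = parse_report(text)
    return [(h["user"], h["program"]) for h in handles.values()
            if any(op == "Delete" for _, op in h["operations"])]
```

Only the handle that actually performed the Delete is reported; a handle that merely asked for Delete permission at Open time is not.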