Windows Server 2003 - Log filesystem changes

MatiasZ

Regular
Hi everybody,

I'm looking for a way to log things that get changed on the filesystem of a Server 2003 Enterprise by users connected through folder sharing. I want, for example, to get a log on all the files that get deleted by the users. Is there any way to do this?

Best regards,
Matias
 

Look into turning on auditing. There is a performance cost, so please understand what you're doing before you enable it.

http://technet2.microsoft.com/windowsserver/en/technologies/featured/audit/default.mspx

There are a variety of tools you can use to dump the security event log into a text file and analyze it.

Here is one: http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

You can automate this with a scheduled task that runs every night if you want.
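As an added example (not code from this thread or from any of the linked tools), here is how the steps in this reply look when scripted in PowerShell 2.0 for a nightly scheduled task: a SACL that audits deletions on the share, then an export of the matching Security log events. The share path `D:\Shares\Public` and report path `D:\Logs` are hypothetical, and "Audit object access" (Success) is assumed to already be enabled in Local Security Policy.

```powershell
# Added example: audit deletions on a shared folder and export the events.
# Run as an administrator (reading/writing SACLs needs SeSecurityPrivilege).
# Paths below are hypothetical placeholders.
param(
    [string]$SharePath = 'D:\Shares\Public',
    [string]$ReportDir = 'D:\Logs'
)

# 1. SACL on the share root: audit successful Delete and
#    DeleteSubdirectoriesAndFiles by Everyone, inherited by every child.
#    Auditing only generates events once this SACL exists AND the
#    "Audit object access" policy is on; one without the other logs nothing.
$acl     = Get-Acl -Path $SharePath -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
               -ArgumentList @('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 2. Export the last 24 hours of relevant events. On Server 2003 a delete
#    appears as event 560 (handle opened with DELETE access, message names
#    the file) followed by 564 (object deleted, message carries only the
#    handle ID, so it cannot be filtered by path and is kept for correlation).
#    Vista and later use 4663/4660 instead.
$since  = (Get-Date).AddDays(-1)
$report = Join-Path $ReportDir ("deletions-{0:yyyyMMdd}.csv" -f (Get-Date))

Get-EventLog -LogName Security -After $since |
    Where-Object {
        ($_.EventID -eq 560 -and $_.Message -like "*$SharePath*" -and $_.Message -match 'DELETE') -or
        ($_.EventID -eq 564)
    } |
    Select-Object TimeGenerated, EventID, UserName,
        @{ Name = 'Detail'; Expression = { (($_.Message -split "`n")[0..6] -join ' ') -replace '\s+', ' ' } } |
    Export-Csv -Path $report -NoTypeInformation
```

Only the second half needs to run nightly; the SACL is set once, so split the two steps into separate scripts before wiring the export into the scheduled task.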
 

Great, thanks. I'll take a look at it.

Regards!
 
What is the perf. cost associated with this feature? If that is unknown or variable, what becomes the bottleneck? I suspect I/O, but I haven't managed a 2k3 server in at least 2 years so I may be off-base here.
 
What else!?
Last week I made a test which involved signing & saving lots of 100KB files...
Somehow all the people around me get amazed that it's HDD I/O bottlenecked (SCSI 10U rpm HDD).
Amazingly, turning off "last accessed time" and generating 8.3 names (because these 10K files had names like "copy of copy of copy ..." :D) had increased performance by 20% - the time for the test went down from 37 to 30 min on 2 quad-core Intel@2.33, while CPU utilisation was never above 60-70% (and the HDD was never under 90s).
 

It is variable, but the main cost is the added writes to the security log.

Before you enable it on a production server you should load test it to make sure your configuration can tolerate the extra writes and you're ok with the performance cost.
 

Ok, I/O after all. Has anyone out there had a chance to try this feature out on a flash drive or two?
 

I'm about to enable the feature, sadly I cannot test it on a different server first, but I'll use the weekend to try it over in case something goes wrong. Is there any way to specify where the security log files should be placed, or is this a fixed location?
 

The events are logged to the security event log. You can configure how big it is and what the overwrite policy is using the Event Viewer MMC snap-in.

I believe you can configure a variety of properties from there. I don't remember if you can specify the location.

Looks like this KB article describes how to change the location of the log file:

http://support.microsoft.com/kb/315417
 