An efficient file server auditing tool

LepideAuditor for File Server

 

I recently had the chance to work with an excellent auditing tool for file servers. Auditing can be rather cumbersome to set up using the default Windows tools: you have to configure Group Policies, enable auditing on the folders, configure event forwarding, attach tasks to alerts to send email, back up that information and keep it available for a long period of time. Most of the time it is also very time-consuming to filter out the necessary events unless you have previous experience doing this.

LepideAuditor for File Server can provide all those functionalities and more. The main advantage from my point of view is the time you save in finding specific events and the flexibility it provides during your searches. Nobody wants to parse through events and waste a lot of time doing it, so for me this is the number 1 thing I like about this tool, but there are others…

Configuring LepideAuditor for File Server is rather easy, nothing special. It uses a SQL instance but can be deployed just fine using SQL Express. The tool has two main consoles, the Settings Console and the Reporting Console; what they show is self-explanatory.

And the simple and efficient Reporting Console

 

As you can see, I have various servers set up for auditing, some of which are even DCs and Exchange servers. You can use this tool for various purposes if you are creative, and I will show you such an example using a Domain Controller later in this document.

We create a New Rule in which we can define policies and settings that we want to enforce for auditing. Here is where the fun begins. Another strong feature of this tool is the flexibility that you can configure using policies. When deploying your settings you can configure the tool to consider Individual User Policy, User Group Policy or create a New Policy.

 

So creating a New Policy is pretty straightforward, but if you are having trouble the Help Documentation is very easy to read through and provides examples and descriptions. During this configuration you have the ability to set various Monitoring Times at which to apply the policy. This means you can somewhat control how much audit data is generated, and it allows more efficient auditing.

 

 

The next great flexibility features allow you to configure policies for Drive Lists, Directories, File Names, File Types, Processes and Events. And each of these customizable settings can be combined to create various custom policies that you assign to servers depending on your needs.

As you can see various settings can be configured in one policy.

When it comes to notification settings you have 3 options: Email, Network Message and SMS.

You can even define a query, using simple operators to send notifications if certain conditions are met.

 

One interesting feature I like is managing simple operations on the SQL database right from the Settings Console through a simple wizard. No need to use Management Studio or other tools to do a simple database shrink. That is nice.

Now moving to the Reporting Console, this is where the magic happens. In this GUI you will see who modified, accessed, deleted or changed ownership of files and folders, along with other events that are useful when doing auditing.

For example, when an admin or a user with delegated rights changed ownership of a file or folder in order to access that content we can filter out just those events that are relevant for our search.

Or we can use one of the built-in filters for fast results. Like I said earlier in the post, here you get the speed advantage of searching through events. Below we are using the Permission Changes filter (Folder).

Opening the event, we can see the following details:

You can also create scheduled reports and custom reports, and you can export in various formats like PDF, Word, HTML, CSV or simple text. The reports are quick to build and well formatted.

I said earlier that you can use this tool in various scenarios, for example on a Domain Controller or Exchange Server. Of course Lepide has separate specialized products for auditing or managing these systems, but I just want to show you that you can get more bang for your buck using this tool. You can configure, for example, LepideAuditor for File Server to monitor the SYSVOL share, the Policies container to be more specific. By doing so you will be able to monitor GPOs, not anything fancy, just raw information like Who Modified, Created, Deleted What and When regarding Group Policies. Like I said, it's not as pretty but it's functional, and combined with the alerting feature you will be notified instantly about a GPO change and you might be able to take some measures before you get notified by users or worse, your boss… yikes…

In the image above you see for example how someone deleted a Group Policy (in this event the GPT.ini file was deleted). I know you see the group policy’s GUID instead of its actual name but keep in mind that this is a FILE auditor not an AD auditor, besides anyone can find the GPO GUID by looking in the object’s properties.

The same can be applied to Exchange logs and others; it depends on how creative you are…
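The SYSVOL monitoring described above, sketched as an added example that is not part of the original article or Lepide's product: it triages file-audit records for the Policies folder and maps each GPO GUID back to a name. The record fields, the sample events and the second GUID-to-name entry are constructed; the access-mask bits are the ones Windows logs in event ID 4663.

```python
import re

# Access-mask bits as logged in Windows object-access events (ID 4663).
DELETE, WRITE_DAC, WRITE_OWNER = 0x10000, 0x40000, 0x80000
WRITE_DATA, APPEND_DATA = 0x2, 0x4

# A GPO's files live under ...\Policies\{GUID}\ inside SYSVOL.
GPO_PATH = re.compile(r"\\Policies\\\{([0-9A-F-]{36})\}(?:\\(.*))?$", re.I)

# GUID -> name lookup (assumed to be exported from AD beforehand). The first
# GUID is the well-known Default Domain Policy; the second is constructed.
GPO_NAMES = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "11111111-2222-3333-4444-555555555555": "Workstation Lockdown",
}

def classify(event, names=GPO_NAMES):
    """Return an alert dict for a GPO change in SYSVOL, or None."""
    m = GPO_PATH.search(event["path"])
    if not m:
        return None                      # not a GPO path
    guid, rest = m.group(1).upper(), (m.group(2) or "").upper()
    mask = event["mask"]
    if mask & DELETE:
        # As in the article: a deleted GPO surfaces as GPT.INI being deleted.
        action = "GPO deleted" if rest in ("", "GPT.INI") else "GPO file deleted"
    elif mask & (WRITE_DAC | WRITE_OWNER):
        action = "GPO permissions or owner changed"
    elif mask & (WRITE_DATA | APPEND_DATA):
        action = "GPO modified"
    else:
        return None                      # plain reads: clients do this constantly
    return {"when": event["time"], "who": event["user"], "action": action,
            "gpo": names.get(guid, "unknown GPO {%s}" % guid)}

# Constructed sample records (hypothetical field names, not real log data).
P = r"C:\Windows\SYSVOL\domain\Policies"
SAMPLE_EVENTS = [
    {"time": "09:14", "user": r"CONTOSO\jdoe", "mask": 0x10000,
     "path": P + r"\{11111111-2222-3333-4444-555555555555}\GPT.INI"},
    {"time": "09:20", "user": r"CONTOSO\admin1", "mask": 0x2,
     "path": P + r"\{31b2f340-016d-11d2-945f-00c04fb984f9}\Machine\Registry.pol"},
    {"time": "09:21", "user": r"CONTOSO\pc42$", "mask": 0x1,
     "path": P + r"\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI"},
    {"time": "09:30", "user": r"CONTOSO\jdoe", "mask": 0x10000,
     "path": r"C:\Shares\Finance\report.xlsx"},
]

def alerts(events=SAMPLE_EVENTS):
    return [a for a in map(classify, events) if a]
```

Calling `alerts()` on the sample records returns two alerts: the read of GPT.INI and the deletion outside SYSVOL are dropped.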

As a wrap up about LepideAuditor for File Server, the good and the bad:

The Good:

  • Easy instinctive GUI
  • Very flexible policy configurations
  • Works with SQL Express
  • Reporting tool generates fast, well formatted reports
  • Almost instant notifications through various media
  • Custom alerts using operators (AND, OR)
  • Fast access to events using predefined filters in the Report Console

 

The Bad (the first two I guess are inevitable because most enterprise level monitoring software works with agents and requires databases, but if it is targeted as an enterprise solution perhaps it should offer more features and some of the following suggestions could be used to improve the product):

  • Works with agents
  • Requires an SQL database
  • No logging mode for troubleshooting the application
  • Requires frequent manual updating of agents to push changes
  • No built-in application access control
  • No web console available
  • Could use the data in the DB to generate charts

 

You can find more information about this software at:

http://www.lepide.com/file-server-audit/?gclid=CM775_fp7bUCFfB3cAodhyIAqw

Demo Video:

http://www.lepide.com/file-server-audit/lfsa-overview-video.html

 

 

 

 

Comments
  • Hi Marius,

    Thanks for such a nice article. I tested Lepide Auditor for file server and it was good, as it did all the monitoring of files and folders. A few days back I had to do this and I tested the tool, and today it's good to recommend to someone as an answer.

    Please update on how to set alerts in the tool whenever there are any changes made in a file and folder. The option is in the tool, but it is not understandable how to set it.

    Please explain this, and thanks again for such a nice article.
