Do you keep your file servers clean?
  v1.0 Posted at 1/07/2017 10:18 AM by Tiago Araujo
How often do you find files on your network file server that clearly shouldn't be there? Developers are notorious for creating temporary files and littering your file system with them. So how can you identify exactly who created or modified the file, and when?

Figure: Who created this file?
Figure: Terminal into your file server using Terminal Services
Figure: It was Jatin!

The easiest way is to configure Windows file auditing.

Thankfully, Windows XP and Server come with built-in file auditing. Any changes, creations and deletions can be logged to your system event log. Here's how to set it up.

How to implement auditing on your file server

  1. Terminal Server into the file server
  2. In Windows Explorer, locate the directory you want to configure logging for (e.g. C:\Inetpub\wwwroot for logging changes to your website files)
  3. Select Security tab | Advanced
    Figure: Select the folder you want to configure auditing for
  4. Click the Auditing tab
  5. Select the users whose usage you want to monitor (usually all users, so select Everyone)
    Figure: Select Everyone so that anyone who modifies any of the files will be logged
  6. Select what you want to monitor. For best performance, we only tick the options shown in the figure below - there's no need to log when someone opens a file.
    Figure: Select these 4 options (only audit the events you need to audit - there's no need to log when someone opens a file)
  7. Click OK and OK again to apply the changes. The process may take some time depending on the number of subfolders and files selected.
    Now you need to configure the system event log.
  8. Open Control Panel->Administrative Tools->Event Viewer
  9. Right-click the Security node and select Properties
  10. Make sure Overwrite events as needed is checked
    Figure: Keep your log file to about 250MB - otherwise, your system performance may suffer

Checking who created the file

Now test to see if auditing is working.

  1. On the server, create a file called "test.aspx" somewhere in the path that is being audited
  2. Open Control Panel->Administrative Tools->Event Viewer
  3. Select the Security node, and notice the entries that have been created. They will have a similar format to the figure below.
    Figure: Any creates, deletes and updates now get logged to the Event Log

That's all! It is also great for finding out who accidentally deleted files from the file system.
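
A scripted equivalent of the GUI steps above, as an added PowerShell example that is not part of the original rule. It assumes an elevated session on Windows Server 2008 or later, where file access events are logged with event ID 4663; the four audited rights are an assumption, because the page's screenshot of the checkboxes is not reproduced here.

```powershell
# Added example (not from the original rule). Run in an elevated session.
# Assumed values: $path is the page's sample folder; the rights list is a guess
# at "create / write / delete, but not read".
$path = 'C:\Inetpub\wwwroot'

# Audit entries on a folder only produce events when object-access auditing
# is enabled in the audit policy, so switch on the File System subcategory.
auditpol /set /subcategory:"File System" /success:enable

# Steps 2-7: add an audit rule for Everyone, inherited by subfolders and files.
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $path -Audit      # -Audit also loads the existing audit entries
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Steps 8-10: cap the Security log at 250MB and overwrite events as needed.
wevtutil sl Security /ms:262144000 /rt:false

# Checking who touched a file: list recent audited accesses under $path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            File       = $data.ObjectName
            AccessMask = $data.AccessMask
            Process    = $data.ProcessName
        }
    } |
    Where-Object { $_.File -like "$path\*" } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```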

Furthermore, we can dump the event log to an Access or SQL Server database to make it easier to handle. Here is how to do it:

  • Download the scripts: one for Access database and the other for SQL Server.
  • Find the strEventDBConn variable and change it to your connection string. Also modify the strEventDB and tblEvents variables to your database name and table name.
  • Write down the names of the servers to monitor in EventHosts.txt.

Done. Now you only need to double-click the script to start it.

Figure: Caught an action on remote server and logged it to database

This script is originally from http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=340.
