File Access Monitoring on Windows Server

Hi, I'm running Windows Server with Active Directory users and shared storage on a business network.
I can monitor when users are logging in and out, but I've been wondering whether it is possible to collect a log of Active Directory users when they access some of the files or folders on shared storage. I've been searching on the forum but there wasn't a clear explanation on how that can be configured. The point is, when a user opens a file/folder, there needs to be a log message in Graylog saying "User ****** opened folder/file (path to a file)".
Did anyone make something similar, or are there any plugins or content packs for that?
Thanks in advance!

Hi, khorvat

I think that to achieve this goal you need to use these 3 tools together, to see all the activity details of the users.
1- https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html
2- https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html <===important
3- https://marketplace.graylog.org/addons/da1d0f41-7e26-40ad-9a53-518692ed71e9

Should those tools be installed on the virtual machine that is running Graylog with Elasticsearch, or should I install them on the client (the server which I want to be monitored)? When I try to install Auditbeat on Windows Server through PowerShell, with the instructions provided on the Elastic webpage, I get this:

Hi
It must be set up on the system you want to monitor (the Windows Server).

PS > cd 'C:\Program Files\Auditbeat'
PS C:\Program Files\Auditbeat> .\install-service-auditbeat.ps1

If script execution is disabled on your system, you need to set the execution policy
for the current session to allow the script to run.
For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-auditbeat.ps1

Hi there, I did mount an audit for file sharing in a cluster using only winlogbeat, and chose these events:

winlogbeat:
  event_logs:
    - name: Security
      event_id: 5140,5141,5142,5143,5144,5145

To activate these events you need to create a policy for audit; I use this example:


When you create the "sidecar" for winlogbeat audit FS you can use it on other servers with the audit policy implemented. I think in the case of auditbeat you need to generate the script on all the servers with shares, no?
BTW, there is no content pack for audit FS; it is not very simple to template it.
Best regards,
LC
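The audit policy referred to above was posted as an image that is not part of the text here. As an added example (not posted by anyone in this thread, and not Elastic or Graylog code), the following PowerShell enables the Object Access subcategories that produce events 5140-5145, puts a SACL on a share root so file-level 4663 events are also generated, and then reads recent 5145 events back in the "User X opened path" shape the original question asks for. The share path D:\Shares\Finance and the function name Get-ShareAccessEvents are assumptions; run it as Administrator on the file server itself, since that is where the Security log is written.

```powershell
# Added example: enable share/file auditing on a Windows file server and verify
# that events arrive before pointing Winlogbeat at the Security log.
# $SharePath is a hypothetical share root; change it to your own.
$SharePath = 'D:\Shares\Finance'

# 1. Turn on the Object Access subcategories.
#    "File Share" -> 5140 (share accessed), 5142-5144 (share added/modified/deleted)
#    "Detailed File Share" -> 5145 (per-file access check through the share)
#    "File System" -> 4663 (object access; needs a SACL on the folder, set below)
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an inherited audit rule (SACL) on the share root for everyone who
#    reads, writes or deletes, so 4663 is generated for files underneath.
$acl = Get-Acl -Path $SharePath
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Read the newest 5145 events and render them as "User DOMAIN\name opened \\*\Share\file".
#    The field names (SubjectDomainName, ShareName, RelativeTargetName, ...) are the
#    EventData names Windows writes for 5145; Winlogbeat ships the same names.
function Get-ShareAccessEvents {
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } -MaxEvents $Last |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Message = "User $($data.SubjectDomainName)\$($data.SubjectUserName) opened " +
                          "$($data.ShareName)\$($data.RelativeTargetName) from $($data.IpAddress)"
            }
        }
}

Get-ShareAccessEvents -Last 10 | Format-Table -AutoSize
```

Two things to expect in practice: 5145 fires for every access check, so a single file open can produce several events (and the volume on a busy share is high, so filter on AccessMask or ShareName before shipping everything to Graylog), and the "File System" subcategory only yields 4663 once the SACL is in place; auditpol alone is not enough for per-file events.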
