This post describes how to enable SACL (System Access Control List) auditing on a Windows file server and how to use the resulting Security log events in a log management system such as ELK.
I recommend using a GPO to enable the audit policy on all of the servers. The SACL itself still has to be set on the specific folders or files that need monitoring; auditing every object on every server would flood the Security logs with noise.
The GPO is created in Group Policy Management: create a new policy and expand Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Global Object Access Auditing.
Select File system, check 'Define this policy setting', and the Global Object Access Auditing part is done. One check before leaving the GPO: the 4663 events come from the Object Access/Audit File System subcategory under the same Audit Policies node, so make sure it is set to Success (and Failure, if you also want to see denied attempts). Without that subcategory a SACL on a folder produces no events at all.
The next step is to configure the SACL on the folders or files that need to be monitored.
In this demonstration all work is done on a folder called tmp.
Right-click the folder, select Properties, open the Security tab and click Advanced. The SACL is edited on the Auditing tab of the Advanced Security Settings dialog (changing it requires administrative rights).
Click Add and then Select a principal to choose whose access should be monitored. I recommend Domain Users or Everyone, since the point is to see what anyone does in the folder, not to watch a single account. Also choose whether to log Success, Fail or both.
I select Show advanced permissions to get the full list of rights (Read data, Write data, Delete, and so on) rather than the basic Read/Write/Modify groups; I advise everyone to do the same, because it is the advanced rights that map to the access codes in the events.
It should now be possible to see events in the Event Viewer (Windows Logs/Security) every time someone opens, creates or deletes a file in tmp.
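The same setup done from an elevated PowerShell prompt on one server, as an added example that is not part of the original post: it enables the File System subcategory (the GPO does this centrally; auditpol is handy for a single test box), adds the SACL entry to the folder, verifies it, and generates some activity to confirm that 4663 events arrive. The folder C:\tmp, the principal Everyone and the chosen set of audited rights are assumptions; adjust them to what you actually want to monitor.

```powershell
# Added example, not code from the original post. Run from an elevated prompt on the
# file server. Assumptions: folder C:\tmp, principal Everyone, the rights listed below.

$Path = 'C:\tmp'

# 1. 4663 events are produced by the Object Access / File System subcategory.
#    Without it a SACL on the folder produces nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. Build the audit rule (the SACL entry). ReadData, WriteData, AppendData and Delete
#    are the advanced permissions that show up as %%4416, %%4417, %%4418 and %%1537 in
#    the events; WriteDac and TakeOwnership cover permission and owner changes.
#    ContainerInherit + ObjectInherit apply the rule to subfolders and files.
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, WriteDac, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)

# 3. Read the ACL including its SACL (-Audit needs SeSecurityPrivilege, hence the
#    elevated prompt), add the rule and write it back.
$Acl = Get-Acl -Path $Path -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# 4. Show what is now in the SACL.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 5. Create, read and delete a test file, then look for the matching 4663 events.
$Test = Join-Path $Path 'sacl-test.txt'
'hello' | Set-Content -Path $Test
Get-Content -Path $Test | Out-Null
Remove-Item -Path $Test

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Message |
    Format-List
```

Step 5 should produce at least one event for the write, one for the read and one for the delete of sacl-test.txt; if nothing appears, check the auditpol output from step 1 before suspecting the SACL.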
The Event ID to look for is 4663 (An attempt was made to access an object). It covers every audited access on the folder, so to narrow the search down you have to look at the Accesses field, which lists the exercised rights as %%-prefixed codes. In the raw event XML the same field is called AccessList, and one event often carries several codes at once.
The table below translates the codes into something human readable. The first six are standard rights that exist on any securable object; the last three are the file-specific data rights, and they are the ones that tell a real read or write apart from a mere open.
%%1537 DELETE
%%1538 READ_CONTROL (read the security descriptor, not the file content)
%%1539 WRITE_DAC
%%1540 WRITE_OWNER
%%1541 SYNCHRONIZE
%%1542 ACCESS_SYS_SEC
%%4416 ReadData (or ListDirectory)
%%4417 WriteData (or AddFile)
%%4418 AppendData (or AddSubdirectory)
The following search strings can be used in ELK (Lucene syntax in Kibana). The field names EventID, Accesses and SubjectUserName are the ones my log shipper produces; adjust them to whatever yours maps the event data to. Because the Accesses field usually holds several codes in one event, each search matches when the code is one of them, provided the field is indexed as analysed text rather than as a single keyword.
EventID:4663 AND Accesses:4416
Shows all documents that have been read (ReadData). Searching for 1538 (READ_CONTROL) instead is a poor "opened" signal: it only means the file's security descriptor was read, which happens for example when a file's properties or permissions are viewed, so it both overmatches and misses programs that open a file purely for its data.
EventID:4663 AND Accesses:1537
Shows all documents that have been deleted. A deletion is also followed by a separate 4660 (An object was deleted) event with the same HandleId, which confirms that the delete actually went through.
EventID:4663 AND SubjectUserName:username
Shows all documents that have been touched by the selected user. Quote the value if the account name contains spaces or special characters, e.g. SubjectUserName:"j.smith".
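Before a search goes into ELK it is worth checking the logic against real events on the server itself. The following is an added example, not part of the original post: it decodes the %%-coded Accesses field using the table above, flattens 4663 records from Get-WinEvent into objects with the EventData fields by name, and reproduces the three searches as filters. The sample events at the bottom are constructed so that the filters can be exercised offline; the function names and the sample users, files and processes are all made up for illustration.

```powershell
# Added example, not code from the original post. Decode 4663 access codes and run
# the three searches locally. Sample events are constructed; function names are mine.

# Code-to-name table: the standard rights from the post plus the file data rights.
$AccessNames = @{
    '%%1537' = 'DELETE'
    '%%1538' = 'READ_CONTROL'
    '%%1539' = 'WRITE_DAC'
    '%%1540' = 'WRITE_OWNER'
    '%%1541' = 'SYNCHRONIZE'
    '%%1542' = 'ACCESS_SYS_SEC'
    '%%4416' = 'ReadData (or ListDirectory)'
    '%%4417' = 'WriteData (or AddFile)'
    '%%4418' = 'AppendData (or AddSubdirectory)'
}

function ConvertTo-AccessNames {
    # The field holds one or more codes separated by whitespace, e.g. "%%4416`n`t`t%%1541".
    param([string]$AccessList)
    foreach ($code in ($AccessList -split '\s+' | Where-Object { $_ })) {
        if ($AccessNames.ContainsKey($code)) { $AccessNames[$code] } else { $code }
    }
}

function ConvertFrom-FileAuditEvent {
    # Flatten a 4663 EventLogRecord into an object with the EventData fields by name.
    # In the XML the field rendered as "Accesses:" in the message is called AccessList.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Event.TimeCreated
            EventID         = $Event.Id
            SubjectUserName = $data['SubjectUserName']
            ObjectName      = $data['ObjectName']
            ProcessName     = $data['ProcessName']
            AccessList      = $data['AccessList']
            Accesses        = (ConvertTo-AccessNames $data['AccessList']) -join ', '
        }
    }
}

# The three searches from the post, as filters over the flattened events.
function Select-ReadFiles    { param($Events) $Events | Where-Object { ($_.AccessList -split '\s+') -contains '%%4416' } }
function Select-DeletedFiles { param($Events) $Events | Where-Object { ($_.AccessList -split '\s+') -contains '%%1537' } }
function Select-ByUser       { param($Events, [string]$User) $Events | Where-Object { $_.SubjectUserName -eq $User } }

# Live use on the file server (elevated prompt):
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 | ConvertFrom-FileAuditEvent
#   Select-DeletedFiles $events | Format-Table TimeCreated, SubjectUserName, ObjectName, Accesses

# Constructed sample events in the same flattened shape. Note that alice's Explorer
# open carries only READ_CONTROL + SYNCHRONIZE; the actual read of the content by
# Word is the event with %%4416.
$events = @(
    @{ SubjectUserName = 'alice'; ObjectName = 'C:\tmp\report.docx'; ProcessName = 'explorer.exe'; AccessList = "%%1538`n`t`t`t`t%%1541" }
    @{ SubjectUserName = 'alice'; ObjectName = 'C:\tmp\report.docx'; ProcessName = 'WINWORD.EXE';  AccessList = '%%4416' }
    @{ SubjectUserName = 'bob';   ObjectName = 'C:\tmp\old.xlsx';    ProcessName = 'explorer.exe'; AccessList = '%%1537' }
    @{ SubjectUserName = 'bob';   ObjectName = 'C:\tmp\notes.txt';   ProcessName = 'notepad.exe';  AccessList = "%%4417`n`t`t`t`t%%4418" }
) | ForEach-Object {
    [pscustomobject]@{
        TimeCreated     = Get-Date
        EventID         = 4663
        SubjectUserName = $_.SubjectUserName
        ObjectName      = $_.ObjectName
        ProcessName     = $_.ProcessName
        AccessList      = $_.AccessList
        Accesses        = (ConvertTo-AccessNames $_.AccessList) -join ', '
    }
}

'Read (ReadData):';   Select-ReadFiles    $events       | Format-Table SubjectUserName, ObjectName, ProcessName, Accesses -AutoSize
'Deleted:';           Select-DeletedFiles $events       | Format-Table SubjectUserName, ObjectName, ProcessName, Accesses -AutoSize
'Everything by bob:'; Select-ByUser       $events 'bob' | Format-Table ObjectName, ProcessName, Accesses -AutoSize
```

With the sample data, the read filter returns only the WINWORD.EXE event, the delete filter returns old.xlsx, and the per-user filter returns both of bob's events. Swapping the constructed $events for the Get-WinEvent line in the comment runs the same three filters against the live Security log, which is the quickest way to confirm a field name or code before writing the Kibana query.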