0 Votes
shankar431-9012 asked LeonLaude answered

How to Monitor File creation/change/Deletions and Permission Changes on Windows File Servers with SCOM 2012 R2

Hi All,

Is it possible to monitor the below file monitoring criteria with SCOM?

  1. Who has created\changes\deleted what files\folders and when

  2. Who has removed\opened and copied a specific file

  3. Who has modified access rights on files\folders or shares?


We are using SCOM 2012 R2.

Regards,
Ravi Shankar

msc-operations-manager

1 Vote
StoyanChalakov answered StoyanChalakov edited

Hi @shankar431-9012,

Yes, you can, but you need to enable some auditing-related GPO settings, so that the access to those files and folders is logged in the form of events.
You can find a very nice example here that will also work for SCOM 2012 R2 of course:

Monitoring File Access with SCOM
https://opsmgrsolutions.wordpress.com/2010/02/02/monitoring-file-access-with-scom/

You can also check the answer of Leon from the old Social Technet forums:

SCOM 1807 and monitoring File Server
https://social.technet.microsoft.com/Forums/en-US/07726cdc-5798-4c1b-bbc2-e246465cf6b2/scom-1807-and-monitoring-file-server?forum=operationsmanagergeneral

The following post from the SquaredUp forums also presents another approach (script based):

Monitor a Folder in FileServer for User Addition/Removal
https://community.squaredup.com/t/monitor-a-folder-in-fileserver-for-user-addition-removal/1135


Hope this will help you out!


If the response is helpful, please click "Accept Answer" and upvote it.
Regards,
Stoyan



1 Vote
LeonLaude answered

Hi @shankar431-9012,

I want to warn you that you'll need to be extra careful when monitoring file creations/changes/deletions and permission changes with SCOM as file auditing can be very noisy.

One way you can achieve this is to enable audit policies in your Active Directory (How to Enable the Security Auditing of Active Directory) and configure auditing for the folders that you want to monitor. Then you'll need to find which events are generated for each file action; you can find the related event IDs over here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Then you can simply create SCOM rules to monitor the event IDs that interest you.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)


Best regards,
Leon
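
The steps described in the answers above (enable auditing, set auditing on the folder, see which events come out), as an added PowerShell example that is not from any of the posters. Assumptions: the folder `D:\Shares\Finance` is hypothetical, `auditpol` is used locally in place of the GPO setting, and the rule watches Security event IDs 4663 (object access attempt) and 4670 (object permissions changed).

```powershell
# Added example. Run elevated on the file server. $Path is a hypothetical folder.
$Path = 'D:\Shares\Finance'

# 1. Enable the audit subcategory locally (English subcategory name). A domain GPO
#    that configures the same subcategory wins at the next policy refresh.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry for change-type rights only. Read access is left out on
#    purpose: it produces most of the event volume.
$rights   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none     = [System.Security.AccessControl.PropagationFlags]::None
$success  = [System.Security.AccessControl.AuditFlags]::Success
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $everyone, $rights, $inherit, $none, $success
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back the events a SCOM rule would match, limited to the audited folder.
#    AccessMask bits in event 4663 mapped to readable names.
$maskNames = @{ 0x2 = 'WriteData/AddFile'; 0x4 = 'AppendData/AddSubdir'; 0x40 = 'DeleteChild'
                0x10000 = 'Delete'; 0x40000 = 'WriteDAC'; 0x80000 = 'WriteOwner' }
$filter = @{ LogName = 'Security'; Id = 4663, 4670; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    $d = @{}                                   # EventData fields by name
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.ObjectName -notlike "$Path*") { return }   # drop events for other objects
    $access = 'PermissionChange'
    if ($evt.Id -eq 4663) {
        $mask = [Convert]::ToInt32($d.AccessMask, 16)
        $access = ($maskNames.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                   ForEach-Object { $maskNames[$_] }) -join ','
    }
    [pscustomobject]@{
        Time    = $evt.TimeCreated
        EventId = $evt.Id
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        Access  = $access
    }
}
```

The `EventId`, `ObjectName` and `AccessMask` values shown in the output are the fields to filter on in a SCOM event rule, which keeps the rule scoped to the audited folder instead of every 4663 event on the server.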
