question

MezaJulioA-8379 asked ·

Alert when a file is created in Windows/temp in Windows Server 2012r2

Is there a way to get an alert when a file named SQL.log is created in Windows/temp in Windows Server 2012r2?

not-supported

MezaJulioA-8379 answered ·

The file SQL.log is randomly created in the Windows/temp folder and starts growing and growing. I deleted it, but I would like to be alerted as soon as it is created, to be able to "read" it and prevent the issue on other servers.


DSPatrick answered ·

yagmoth555 answered ·

Hi

You can achieve that with Windows Auditing natively too.

To activate:

  • Type gpmc.msc, or gpedit.msc.

  • Navigate to “Computer Configuration” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local Policies” ➔ “Audit Policy”.

  • Double-click “Audit Object Access”

  • Click “Define these policy settings” checkbox. Click “Success” and “Failure”.

Now, you need to select that auditing on the folder:

  • Open “Windows Explorer”, and navigate to the folder that you want to track.

  • Right-click the folder and select “Properties”, and go to the Security tab

  • Click “Advanced” to access “Advanced Security Settings”. In “Advanced Security Settings” window, navigate to “Auditing” tab.

  • To create a new auditing entry, click “Add”. The “Auditing Entry” window will appear.

  • Click “Select a Principal” to choose the users whose activities you want to track. In your case select Everyone, or if your SQL instance runs under a username, add it there; it will limit the scope of the auditing.

  • Click OK, then select “All” in the “Type” drop-down menu.

  • Select the permission you want, and click OK 3 times to get out of that window.


Now to monitor it, we will check the event viewer.

Filter on the event id 4616, to see file creation.
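
The same setup and check as a script, added here as an example (it is not part of the answer above): it enables File System auditing with `auditpol`, adds an audit entry for Everyone on the folder, and lists recent Security-log events for the file. It filters on event ID 4663 ("An attempt was made to access an object"), which is what file-system object access auditing writes to the Security log (4616 is the system-time-change event). The folder path, file name and one-hour window are assumptions, and the script targets Windows PowerShell in an elevated session.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell session.
# Assumed values: folder path, file name, and the one-hour look-back window.
$folder   = 'C:\Windows\Temp'
$fileName = 'SQL.log'

# 1. Turn on success auditing for the "File System" object-access subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit (SACL) entry on the folder: successful file creation and writes by
#    Everyone, inherited by subfolders and files. Only the audit section is read and
#    written, so the owner and the permissions (DACL) are left untouched.
$acl  = [System.IO.Directory]::GetAccessControl($folder, 'Audit')
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone', 'CreateFiles, AppendData', 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
[System.IO.Directory]::SetAccessControl($folder, $acl)

# 3. Report audited accesses to the file. Event 4663 carries the object path plus the
#    account and process that touched it, which identifies what is writing the file.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like "*\$fileName") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process    = $data['ProcessName']
                Object     = $data['ObjectName']
                AccessMask = $data['AccessMask']
            }
        }
    }
if ($hits) { $hits | Format-Table -AutoSize } else { "No audited access to $fileName in the last hour." }
```

Step 3 can be saved on its own and run from a scheduled task so that any output is forwarded as the alert.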
