LepideAuditor for File Server (LAFS) is a one-stop solution to audit the file servers in an organization. It audits events such as access, create, delete, modify, and copy for all files and folders on the server, including shared folders. Its easy-to-use interface lets a user add the file server, create an audit policy, and create a rule, after which auditing starts instantly. It shows every change in the added file servers. You are free to add a specific drive or directory that you want to monitor without requiring any property modification of the target object. In this article, we will look at the steps to audit access and changes in files, folders, and file shares.
Adding File Server
Please note that LepideAuditor for File Server is divided into two consoles – Settings Console and Report Console. The former lets you add and manage the file servers and manage their auditing, whereas the latter displays the auditing reports.
In Report Console, click the “Add File Server” button. This will display the wizard to add the file servers that are to be monitored.
Click “Add” button to access the following options:
- From AD: This option lets you add the computers from an Active Directory environment. You just have to type a computer name to add it.
- Manually: You can provide the names and IP Address of computers to be added.
- IP Range: This option lets you add all computers falling within an IP address range. For example, providing the range from 192.168.10.1 to 192.168.10.10 will add all ten computers whose IP addresses fall in this range.
- Scan: This option scans the complete network and displays an expandable list of all domains. You can expand any domain and select any computer. It comes in handy when you don’t know the IP address.
In this blog, we will be adding the computers manually. Selecting “Add” => “Manually” will display the following dialog box.
Provide the name or IP Address of the computer. Click “Check Availability” to validate the input. Select the domain name using the drop-down menu or type it in the box. Click “Add” to add the computer. The added computers will be listed in the bottom section. You can add multiple computers using this dialog box. Click “OK” once you have added the required file servers to be monitored.
This will take you back to “Add File Server” wizard, which will now display the selected servers.
Click “Next” to proceed. The next step will ask for the details of SQL Server where you want to save the auditing logs.
You have to provide the name of the SQL Server, the authentication type, the database name, and, in the case of SQL Server Authentication, the login credentials of a SQL user. SQL Server Authentication should be preferred for a remote SQL Server. If SQL Server is not installed, please download and install SQL Express Edition, which is available free.
If you want to create a new database, provide its name in “Database name”. Click “Next” to proceed.
At this step, you have to provide the login credentials for the file servers being added. A login credential will be used to install the agent on the preferred file server. The agent will capture the events and pass them to LepideAuditor for File Server. These events will be parsed by the software. Afterwards, the software will display these events in an easy-to-read format in the Report Console.
Provide the required login credentials and click “Next” to move ahead. This will install the agent and complete the process of adding the file servers.
Configuring the Auditing
Click “Start Auditing” link to start the auditing of the file servers. You can click “Stop Auditing” link to stop it when not required.
You have the following options in the Settings Console.
- Add, Modify, and Remove File Servers
- Start or Stop Auditing
- Install or Uninstall Agent
- Configure Communication Port
- Configure Auditing Status Notification
Creating Audit Policy
You can create audit policies to specify the objects to be monitored such as all objects, shared objects, exclude shared objects, or a custom list.
Click “Audit Policies” link in the Left Panel to access the audit policies.
In the Policy Name section, click plus icon to create a new policy using “Add New Policy” dialog box.
Provide a name and a description for the new policy. The Object List dialog box lets you specify the objects to be monitored. It has the following options:
- All Objects: This option lets you monitor all objects at the added file servers.
- Shared Objects Only: This option lets you monitor the shared files and folders only.
- Exclude Shared Objects: This option lets you monitor all objects except shared files and folders.
- Create New Object List: This option lets you specify a custom folder or file to be monitored.
Let us select the last option “Create New Object List”. This will show the following wizard.
Provide a name and a description for the new object list. Click “Next” to proceed.
The “Add Object” drop-down menu lets you choose between drive, directory, file mask, process, and event. Select the required option; here, we have selected the directory. Click “Add” to add the required folders to be monitored.
Uncheck the option “All Directories”. This will enable the area to add the custom list of directories. Click “Add” once again and select “Scan and Add”. This will show the following dialog box.
Select the required file servers to list their drives and directories. Expand the nodes to select the required directory. Click the plus button to move it to the right panel. Follow these steps to add as many directories as you require. Click “OK” once you have added the required directories. This will take you back to the “Add Directory” box.
Click “OK” to confirm the selection of directories. This will take you back to “Add Object List” wizard.
Now, you can use drop-down menu to specify the custom list of other options of drive, file mask, etc. Click “Next” once you are done.
This will display the option to specify the auditing duration from the following options.
- One Time Only
Click “Finish” to complete the process to add the custom object list. This will take you back to “Add New Policy” dialog box.
Select the newly created object list from the drop-down menu and click “Add” to add the same. You can use the same drop-down menu to add more default or custom policies.
Once added, you can use the red upward icon to increase the priority of any item or click the green downward icon to decrease its priority. The auditing lists will be sorted priority-wise. Click “OK” to save the new auditing policy.
Creating Audit Rule
You can create an audit rule to specify which audit policy applies to which server. You can create multiple audit rules for a server.
Click “Audit Rule” in the Left Panel to switch to its panel.
You have to click plus icon to access “Add Rule” wizard.
Provide a name for the new rule. Select the file servers on which this rule will be applicable. You can select an individual file server or a combination of added servers. Click “Next” to proceed.
Here, you have to select the policy to be used for creating the new audit rule. You can apply an individual user policy, a group policy, and any of the user-defined policies. Click “Next” once you’ve selected the desired policy to create the rule.
Select the users and groups that you want to monitor. Click the drop-down menu to select any of these options – All Users, Include selected users, and Exclude Selected Users. Selecting either of the last two options will let you add the users that you want to include in or exclude from the monitoring. Select the desired users and click “Next”. This will show “Alert Settings”.
This optional step lets you send real-time alerts for the configured queries. You can use the “Create New Query” option to create a query to keep a check on the changes in critical and important files and folders. Upon creating an alert, you can configure it to be sent as an email to your email address, as an SMS to your mobile number, and as a message box on the networked computers.
Configuring Report Console
Click “Report Console” to access the auditing reports. You will be asked to configure the SQL Server Settings when you open the “Report Console” for the very first time.
You have to provide the details of the same SQL Server, SQL user, and SQL database, which you had already used in Settings Console. Click “OK” once you are done. The Left Panel of “Report Console” lets you browse the different audit reports.
In the created audit policies, we configured monitoring for only two folders – “D:\LAFS – Test” and “D:\LAFS – Shared”. Therefore, all reports will display the changes being made in these two folders.
All Changes in Folder
The “All Changes” report will display the events for both folders, “D:\LAFS – Test” and “D:\LAFS – Shared”.
All Changes in Shared Folder
The “All Changes (Share)” report will display the changes only in the added shared folder – “D:\LAFS – Shared”.
Conclusion: LepideAuditor for File Server is a one-stop solution to audit the file servers in an organization. Its wide range of predefined, detailed audit reports helps an organization comply with regulations such as PCI DSS, HIPAA, FISMA, GLBA, etc. Once LepideAuditor for File Server has been installed, you have to add the file server, create a list of objects, create auditing policies, and create auditing rules. The “Report Console” lets you browse the different auditing reports. Here, you can filter the auditing reports, group them, customize them, and search for a specific operation.