Hi,
I should known, with Splunk, who had access to a specific directory in our fileserver.
Questions:
- what should be the query?
- before those query should I able the audit control in those specific folder directory?
Thanks,
AM
In windows, you need to turn object auditing for the folder you are monitoring. Windows will then log events in the windows security log. Assuming you are splunking this, you can start searching for events.
Are trying to get ACLs for each folder on our file server or do you want to track changes to specific folder? I am assuming this is windows server or workstation.
Hi krugger,
our fileserver is Windows 2003.
Audit are actived, maybe I should check the Splunk Forwarder into our fileserver.
Thanks!
What kind of file server are we talking about?
Windows, Linux or something else? It has to be in the logs for splunk to pick it up, so you need to have an audit somewhere.