Absent Member.

Windows Event log code

Hi everybody,

We do auditing on specific folders on windows 2003 servers.

I need to make alert on a file creation or modification on these folders.

It is hard to know when a file is created or modified. It is the same Windows event number, 560.

I noticed that, in ArcSight, the Device Custom String 1 refers to Accesses in the Windows event log and has numbers like %%1538%%1541%% etc.

Does somebody know what these numbers mean?

Does a conversion table exist to tell, for example:

%%1538 = READ CONTROL

%%1537 = DELETE

Or does somebody have a working solution to track the modification and creation of a file?

Thanks in advance

Absent Member.

Thanks Doron,

My problem is trying to tell the difference between creating a new file and modifying an existing file.

Indeed, you are right about event 567.

With all the info I have now, I will be able to make a precise alert.

Admiral

That's a good point, perhaps you can't... When I configure the system to audit both file creations and modifications, the following accesses are logged in event 567:

WriteData (or AddFile)

AppendData (or AddSubdirectory or CreatePipeInstance)

This doesn't help you distinguish these actions...

Also, you have to remember that what is being logged is the application-OS interaction, not the user-application interaction. If you use Notepad and Windows Explorer to create new files you will see unexpected results. For example, when I use Notepad to "Save File As..." I see a file delete event... (I'm using XP SP3).

In any case, you should investigate what events are logged when the specific application you are trying to monitor writes or modifies files.

Doron

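As an added example (not from the original posts, and not ArcSight's or Microsoft's own parsing code), here is a small Python decoder for the %%-coded Accesses field asked about in the first post, using the string IDs Microsoft documents for the Security log object-access events, plus a coarse read/write/delete/permission-change classifier built around the WriteData and AppendData accesses Doron lists above. The event records, the watched folder path and the field names are constructed for illustration. As Doron says, the access mask alone does not separate "new file" from "modified file"; this only separates writes from reads, deletes and ACL changes.

```python
import re

# Microsoft's documented string IDs for the "Accesses" field of Security log
# object-access events (560/567 on Windows 2003, 4656/4663 on later versions).
# Codes 1552..1567 are the documented "Unknown specific access (bit N)" strings.
ACCESS_NAMES = {
    1537: "DELETE",
    1538: "READ_CONTROL",
    1539: "WRITE_DAC",
    1540: "WRITE_OWNER",
    1541: "SYNCHRONIZE",
    1542: "ACCESS_SYS_SEC",
    1543: "MAX_ALLOWED",
    4416: "ReadData (or ListDirectory)",
    4417: "WriteData (or AddFile)",
    4418: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    4419: "ReadEA",
    4420: "WriteEA",
    4421: "Execute/Traverse",
    4422: "DeleteChild",
    4423: "ReadAttributes",
    4424: "WriteAttributes",
}

# Coarse buckets for alerting (assumption: this grouping is ours, not ArcSight's).
MODIFY_CODES = {4417, 4418, 4420, 4424}   # content, EA or attribute writes
DELETE_CODES = {1537, 4422}               # DELETE, DeleteChild
PERM_CODES = {1539, 1540}                 # WRITE_DAC, WRITE_OWNER

CODE_RE = re.compile(r"%%(\d+)")


def decode_accesses(field):
    """Turn a raw Accesses field such as '%%4417%%4418\\r\\n%%1538' into
    a list of (code, name). Codes may be run together or newline-separated."""
    decoded = []
    for match in CODE_RE.finditer(field):
        code = int(match.group(1))
        name = ACCESS_NAMES.get(code)
        if name is None:
            if 1552 <= code <= 1567:
                name = "Unknown specific access (bit %d)" % (code - 1552)
            else:
                name = "UNDOCUMENTED %%%%%d" % code
        decoded.append((code, name))
    return decoded


def classify(field):
    """Most severe action implied by the access mask: delete > perms > write > read."""
    codes = {code for code, _ in decode_accesses(field)}
    if codes & DELETE_CODES:
        return "delete"
    if codes & PERM_CODES:
        return "permission-change"
    if codes & MODIFY_CODES:
        return "write"
    return "read"


def in_folder(path, folder):
    """Case-insensitive 'path lives under folder' check on Windows paths."""
    return path.lower().startswith(folder.lower().rstrip("\\") + "\\")


def alerts(events, folder):
    """Return (object, action) pairs for non-read accesses under the watched folder.
    Each event is a dict with keys 'id', 'object' and 'accesses' (constructed format)."""
    hits = []
    for ev in events:
        if ev["id"] not in (560, 567) or not in_folder(ev["object"], folder):
            continue
        action = classify(ev["accesses"])
        if action != "read":
            hits.append((ev["object"], action))
    return hits


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"id": 567, "object": r"D:\Finance\budget.xls", "accesses": "%%4417\r\n%%4418"},
    {"id": 567, "object": r"D:\Finance\old.doc", "accesses": "%%1537"},
    {"id": 560, "object": r"D:\Finance\budget.xls", "accesses": "%%4416%%1538%%1541"},
    {"id": 567, "object": r"C:\Temp\scratch.tmp", "accesses": "%%4417"},
]

if __name__ == "__main__":
    for obj, action in alerts(SAMPLE_EVENTS, r"D:\Finance"):
        print(obj, action)
```

The decoder is tolerant of the concatenated "%%1538%%1541%%" form seen in the first post as well as the newline-separated form the raw event carries; anything outside the documented table is surfaced as UNDOCUMENTED rather than silently dropped, so gaps in the mapping show up in the output instead of in a missed alert.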
Absent Member.

Hi Doron,

Thanks for the info,

Save a file with Notepad and you get a delete file event... Microsoft... Microsoft...

Well, I will check this seriously. We have to make a rule that alerts when, in a specific folder, files are modified, deleted or created.

Cadet 2nd Class

Each of these events is prone to false positives from the user's point of view, but not from the OS point of view. Doron already mentioned how Save As generates a Delete event, though I can't understand why. Maybe deleting a temp file?

You really get into interesting situation when opening an MSOffice file (Word, Excel, etc). For example, just opening a .doc with Word causes that file to be written to. Metadata gets updated to record who opened it last, this is how Word can tell you that someone currently has that file opened if you are trying to edit the same file as someone else. So right off the bat, you can't tell if they opened this file just to read it, unintentionally modifying metadata in the process, or legitimately made changes to it. Additionally, some temp files will get created in the same directory as the file for Autosave and other purposes, so you'll get a bunch of WriteData (or AddFile) accesses logged for the directory itself. Then when you actually click "Save" in Word, the temp files will get deleted, and unless I am getting my applications confused, the actual original file itself will get deleted as well, and then a new file with all the incorporated changes will get created.

Don't mean to discourage you, just wanted to make sure you know what you were up against.

BTW, got a note from Support last night that they replicated our issue with the latest version of the connector and opened a bug, TTP 62627. Please call support and have them update your case with that bug ID as well as adding your company to the list of those waiting for the resolution.

Absent Member.

Thanks Gary for the info.

As you said and Doron too:

I think I am not out of the woods with this case about checking file changes.

I will test this.

And

I will update my case and make sure I am on the list for the resolution of the bug.

Cadet 2nd Class

Daniel,

Have you received any feedback on this case? After almost 3 months of waiting for the bug to be fixed, I was just told that this isn't a bug, but instead an Enhancement. I am extremely frustrated and hoping you've had better luck.

Absent Member.

Hi Gary,

Nothing on my side, still waiting...

If i have something, i will tell you.

Thanks

Absent Member.

I will definitely be keeping my eye on this thread, as this is of interest to us as well.

It generally will be a bit of a challenge to properly weed out all false positives per se, but it's something to work with.

MS's switching of event IDs and sometimes interesting way of recording events or actions does not always help.

Cadet 2nd Class

Received word that ArcSight is actively working to add support for these events as well as add resolution for other similar fields/events. ETA is the upcoming release (Q1R22010) due in mid to late April. Keeping my fingers crossed.
Absent Member.

I have the same problem here. I need to audit some folders but the messages have these codes in the actions field. I think my problem is bigger as I need it for reports instead of alarms. Have you got any updates for your cases? Do you think I should also open a case at support regarding this problem to help? I did not open a request as I saw the raw events coming with codes, so I think it's not an ArcSight issue but a Windows design characteristic. What do you think about it?

Regards, Michel

Cadet 2nd Class

This issue has been fixed in the latest Windows Unified connector code. The events I am seeing now include the accurate representation of access requested or granted. See the attached image. The column with the image is the file handle, which is supposed to be in that format, but the column further to the right has the english representation of access.
Absent Member.

Ohh great, that was corrected, and not all my hopes are wasted.

I am running the 4.8.2.5516.0-linux version of the agent and seeing the same problem.

I haven't sent events to ESM yet, but working with them on Logger I still have the issue.

Could you confirm what agent version and the OS you are using?

Thanks in advance.

Michel
