Windows Event log code
We do auditing on specific folders on Windows 2003 servers.
I need to make an alert on a file creation or modification in these folders.
It is hard to know when a file is created or modified. It is the same Windows event number, 560.
I noticed that, in ArcSight, device custom string 1 refers to Accesses in the Windows event log and has numbers like %%1538%%1541%%etc.
Does somebody know what these numbers mean?
Does a conversion table exist that tells, for example, %%1538 = READ CONTROL
%%1537 = DELETE
Or does somebody have a working solution to track the modification and creation of a file?
Thanks in advance
My problem is trying to tell the difference between creating a new file and modifying an existing file.
Indeed, you are right about event 567.
With all the info I have now, I will be able to make precise alerts.
That's a good point, perhaps you can't... When I configure the system to audit both file creations and modifications, the following accesses are logged in event 567:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
This doesn't help you distinguish these actions...
Also, you have to remember that what is being logged is the application-OS interaction, not the user-application interaction. If you use Notepad and Windows Explorer to create new files you will see unexpected results. For example, when I use Notepad to "Save File As..." I see a file delete event... (I'm using XP SP3).
In any case, you should investigate what events are logged when the specific application you are trying to monitor writes or modifies files.
Thanks for the info,
Save a file with Notepad and you get a delete file event... Microsoft... Microsoft...
Well, I will check this seriously. We have to make an alert rule for when, in a specific folder, files are modified, deleted or created.
Each of these events is prone to false positives from the user's point of view, but not from the OS point of view. Doron already mentioned how Save As generates a Delete event, though I can't understand why. Maybe deleting a temp file?
You really get into interesting situation when opening an MSOffice file (Word, Excel, etc). For example, just opening a .doc with Word causes that file to be written to. Metadata gets updated to record who opened it last, this is how Word can tell you that someone currently has that file opened if you are trying to edit the same file as someone else. So right off the bat, you can't tell if they opened this file just to read it, unintentionally modifying metadata in the process, or legitimately made changes to it. Additionally, some temp files will get created in the same directory as the file for Autosave and other purposes, so you'll get a bunch of WriteData (or AddFile) accesses logged for the directory itself. Then when you actually click "Save" in Word, the temp files will get deleted, and unless I am getting my applications confused, the actual original file itself will get deleted as well, and then a new file with all the incorporated changes will get created.
Don't mean to discourage you, just wanted to make sure you know what you were up against.
BTW, got a note from Support last night that they replicated our issue with the latest version of the connector and opened a bug, TTP 62627. Please call support and have them update your case with that bug ID as well as adding your company to the list of those waiting for the resolution.
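As an added example (not code from this thread, from ArcSight or from Microsoft), here is a small Python script covering the original question and the two posts above: it decodes the %%nnnn placeholders in the Accesses field using the standard names Windows substitutes into 560/567 messages, labels each event, and folds a DELETE that is immediately followed by a write to the same path by the same process into one "save-replace" verdict instead of raising a false "file deleted" alert for the delete-then-recreate save behaviour Gary and Doron describe. The sample events, their flattened key=value layout, the 5-second window and the same-process matching are assumptions for illustration only, and the input is assumed to be in time order. As Doron notes, a single WriteData event does not say whether the file was created or modified, so the script reports both as "write" rather than guessing.

```python
import ntpath
import re
from datetime import datetime, timedelta

# "Accesses" placeholders from Windows 2003/XP security events 560/567, the
# %%nnnn strings that show up in ArcSight's deviceCustomString1. Names are the
# ones Windows substitutes from its security message table.
ACCESS_NAMES = {
    "%%1537": "DELETE",
    "%%1538": "READ_CONTROL",
    "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER",
    "%%1541": "SYNCHRONIZE",
    "%%1542": "ACCESS_SYS_SEC",
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4421": "Execute/Traverse",
    "%%4422": "DeleteChild",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

WRITE_CODES = {"%%4417", "%%4418"}      # WriteData / AppendData: create OR modify
DELETE_CODE = "%%1537"
ATTRIBUTE_CODES = {"%%4420", "%%4424"}  # WriteEA / WriteAttributes: no content change

# Constructed sample events (not real connector output) in an assumed flattened
# key=value layout carrying the fields the thread talks about, in time order.
SAMPLE_EVENTS = r"""
time=2009-03-02T10:15:01 id=560 object=D:\Share\Contracts\q1.doc accesses=%%4416%%4423%%1541 process=WINWORD.EXE
time=2009-03-02T10:15:03 id=567 object=D:\Share\Contracts\q1.doc accesses=%%4424 process=WINWORD.EXE
time=2009-03-02T10:20:10 id=567 object=D:\Share\Contracts\q1.doc accesses=%%1537 process=WINWORD.EXE
time=2009-03-02T10:20:11 id=560 object=D:\Share\Contracts\q1.doc accesses=%%4417%%4418%%1541 process=WINWORD.EXE
time=2009-03-02T11:02:40 id=567 object=D:\Share\Contracts\old.xls accesses=%%1537 process=explorer.exe
time=2009-03-02T11:30:00 id=560 object=D:\Share\Contracts\new.txt accesses=%%4417%%1541 process=notepad.exe
"""

LINE_RE = re.compile(r"time=(\S+) id=(\d+) object=(.+?) accesses=(\S+) process=(\S+)")
CODE_RE = re.compile(r"%%\d+")


def decode_accesses(field):
    """'%%1538%%1541' -> ['READ_CONTROL', 'SYNCHRONIZE']; unknown codes pass through."""
    return [ACCESS_NAMES.get(c, c) for c in CODE_RE.findall(field)]


def parse_events(text):
    """Parse the constructed key=value lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            t, eid, obj, acc, proc = m.groups()
            events.append({"time": datetime.fromisoformat(t), "id": int(eid),
                           "object": obj, "codes": set(CODE_RE.findall(acc)),
                           "process": proc})
    return events


def classify(event):
    """Label one event. A single WriteData event cannot say whether the file
    is new or was modified (Doron's point), so both come back as 'write'."""
    codes = event["codes"]
    if DELETE_CODE in codes:
        return "delete"
    if codes & WRITE_CODES:
        return "write"
    if codes & ATTRIBUTE_CODES:
        return "attribute-write"
    return "read"


def alerts(events, window=timedelta(seconds=5)):
    """One verdict per event, with 'delete X' followed by 'write X' from the
    same process inside `window` folded into 'save-replace'. That is the
    delete-then-recreate save pattern described in the thread; alerting on
    the DELETE alone would report a file that still exists as deleted.
    The window length and same-process matching are assumptions to tune."""
    verdicts, folded = [], set()
    for i, ev in enumerate(events):
        if i in folded:
            continue
        label = classify(ev)
        if label == "delete":
            for j in range(i + 1, len(events)):
                nxt = events[j]
                if nxt["time"] - ev["time"] > window:
                    break
                if (classify(nxt) == "write" and nxt["process"] == ev["process"]
                        and ntpath.normcase(nxt["object"]) == ntpath.normcase(ev["object"])):
                    folded.add(j)
                    label = "save-replace"
                    break
        verdicts.append((ntpath.basename(ev["object"]), label))
    return verdicts


if __name__ == "__main__":
    for name, verdict in alerts(parse_events(SAMPLE_EVENTS)):
        print(f"{verdict:16} {name}")
```

Run against the constructed sample, the Word open/save sequence on q1.doc comes out as read, attribute-write and save-replace, old.xls as a real delete, and new.txt as a write that may be either a creation or a modification. The same decode and correlation could be expressed as an ArcSight rule with a short correlation window once the connector populates the Accesses field correctly.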
Thanks Gary for the info.
As you said and Doron too:
I think I am not out of the woods with this case about checking file changes.
I will test this.
I will update my case and make sure I am on the list for the resolution of the bug.
Have you received any feedback on this case? After almost 3 months of waiting for the bug to be fixed, I was just told that this isn't a bug, but instead an Enhancement. I am extremely frustrated and hoping you've had better luck.
I will definitely be keeping my eye on this thread, as this is of interest to us as well.
It generally will be a bit of a challenge to properly weed out all false positives per se, but it's something to work with.
MS switching event IDs, and its sometimes interesting way of recording events or actions, does not always help.
I have the same problem here. I need to audit some folders but the messages have these codes in the actions field. I think my problem is bigger as I need it for reports instead of alarms. Have you got any updates for your cases? Do you think I should open a case with support regarding this problem to help? I did not open a request as I saw the raw events coming with codes, so I think it's not an ArcSight issue but a Windows design characteristic. What do you think about it?
Ohh great, that was corrected, and not all my hopes are wasted.
I am running the 220.127.116.1116.0-linux. version of the agent and seeing the same problem.
I haven't sent events to ESM yet, but I'm working with them on Logger and I still have the issue.
Could you confirm what agent version and the OS you are using?
Thanks in advance.