
File Changes


If you combine the object auditing capabilities of the operating system with EventSentry's event log monitoring, you can be notified when a particular file is added, deleted or changed in a directory.

In the following example, we configure the OS and EventSentry to notify us when an EXE file is changed in, or added to, the %SYSTEMROOT%\System32 directory.

1. Enable Object Auditing

Before we can enable auditing on a folder, we need to enable "Audit object access" in the group policy of your domain or server. You can find this audit policy setting in the "Local Policies -> Audit Policy" container. Make sure that at least "Success" is selected:

[Screenshot clip0004: the "Audit object access" setting under Local Policies -> Audit Policy]

2. Auditing a folder on Windows

After object access auditing has been enabled, you need to configure auditing in the file system. Using Explorer, navigate to the folder you want to audit (%SYSTEMROOT%\System32 in our case), right-click the folder and select "Properties".

On the "Security" tab, click the "Advanced" button to get to the "Advanced Security Settings" for the folder. There, click the "Auditing" tab and select "Add". Now specify the account you would like to audit (we recommend "Everyone") and select the access types shown in the screenshot below:

[Screenshot clip0005: the auditing entry for "Everyone" on the folder, with the selected access types]

After you dismiss all the open dialogs with OK, auditing is enabled for the selected folder and EventSentry is ready to forward the resulting events to you.

3. Creating an Include Filter

Now that the OS logs write access to the %SYSTEMROOT%\System32 directory, we can add a filter that forwards Audit Success events to a notification based on the properties of the event and the details of the event message. The screenshot below shows how to set up the filter text for this particular event:

[Screenshot clip0003: the include filter for Audit Success events, with the filter text matching EXE files in %SYSTEMROOT%\System32]

Don't forget to assign this package to a group or computer in order for the filter to become effective.
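The three steps above can also be scripted, which is useful when the same auditing has to be rolled out to many servers and when you want to confirm that the OS is actually producing the events before relying on the EventSentry filter. The following PowerShell is an added example, not code from the EventSentry documentation or product. It assumes Windows PowerShell 5.1 on Windows Vista/Server 2008 or later, run from an elevated prompt, and it picks its own set of audited access types (create, append, delete) because the page shows the chosen types only in a screenshot. Event ID 4663 ("An attempt was made to access an object") is the Security log event that the include filter from step 3 would match on these systems.

```powershell
# Added example (not from the EventSentry documentation): automates steps 1 and 2
# and then reads back the Security events an include filter would forward.
# Assumptions: Windows PowerShell 5.1, elevated prompt, Windows Vista/2008 or later.

# Step 1: enable success auditing for the "Object Access" category in the
# local audit policy. A domain GPO that defines the same setting overrides this.
function Enable-ObjectAccessAuditing {
    auditpol.exe /set /category:"Object Access" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
}

# Step 2: add a SACL entry so that successful creates, appends and deletes by
# Everyone inside $Folder (and everything beneath it) are written to the Security log.
function Add-FolderWriteAudit {
    param([Parameter(Mandatory)][string]$Folder)

    $dir = Get-Item -LiteralPath $Folder
    # Read only the Audit section: the owner (TrustedInstaller on System32) and
    # the DACL are neither read nor written back, so they stay untouched.
    $sd = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)

    # Access types chosen for this example; adjust to match your own policy.
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles'
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)

    $sd.AddAuditRule($rule)
    # Persists only the modified (Audit) section of the security descriptor.
    $dir.SetAccessControl($sd)
}

# Step 3 (verification): list recent 4663 events whose object is an .exe under
# $Folder, i.e. the events the EventSentry include filter is meant to forward.
function Get-ExeChangeEvents {
    param([Parameter(Mandatory)][string]$Folder, [int]$Hours = 1)

    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data.ObjectName -like "$Folder\*.exe") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Process = $data.ProcessName
                    Object  = $data.ObjectName
                    Access  = $data.AccessMask
                }
            }
        }
}

# Usage: audit System32 and show what has been logged during the last hour.
$system32 = Join-Path $env:SystemRoot 'System32'
Enable-ObjectAccessAuditing
Add-FolderWriteAudit -Folder $system32
Get-ExeChangeEvents -Folder $system32 | Format-Table -AutoSize
```

Two practical notes: auditing writes by "Everyone" in %SYSTEMROOT%\System32 generates a burst of 4663 events during Windows Update and installer runs, so check the Security log size and the EventSentry filter's scope before leaving it enabled; and the SACL entry is per folder, so a server rebuilt from an image will need the script (or the manual steps above) run again before the include filter has anything to forward.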