→ 🚀What's New? Explore Lansweeper's Fall 2024 Updates! Fall Launch Blog !

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cillié_Truter
Engaged Sweeper
Hi

If Auditing is enabled on a file server for a folder. Is there any information regarding these events pulled into lansweeper and what script would you use to pull a report with this information?

CT
1 ACCEPTED SOLUTION
Daniel_B
Lansweeper Alumni
Lansweeper is able to scan Security event log entries, but you need to set this up under Configuration\Server options, section Eventlog scanning. Your Lansweeper database should be running on SQL Server Express or higher edition. After enabling scanning of Success Audit and Failure audit events you are able to create reports on specific event IDs or use the Event filter widget on your Dashboard to display the events.
You might consider setting up Scheduled eventlog scanning in order to rescan the eventlog on specific machines with a shorter interval.
More details on eventlog scanning for non-error events can be found in this KB article.

View solution in original post

4 REPLIES 4
Cillié_Truter
Engaged Sweeper
Thank you very much Daniel!
Daniel_B
Lansweeper Alumni
You might give the following a try. After enabling object access auditing on computers in your network and scanning of Success audit and Failure events in your Lansweeper installation, this report lists events related to object access.

Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.IPAddress,
tsysOS.OSname,
tsysOS.Image As icon,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogFile.Logfile,
tblNtlogSource.Sourcename,
tblNtlogMessage.Message
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Where tblNtlog.Eventcode In (4656, 4658, 4660, 4663, 4685, 4985) And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
Cillié_Truter
Engaged Sweeper
Hi Daniel

Thank you for this information.
Could you give me a report script I can use to show this information to start with?

Thank you in advance.
Daniel_B
Lansweeper Alumni
Lansweeper is able to scan Security event log entries, but you need to set this up under Configuration\Server options, section Eventlog scanning. Your Lansweeper database should be running on SQL Server Express or higher edition. After enabling scanning of Success Audit and Failure audit events you are able to create reports on specific event IDs or use the Event filter widget on your Dashboard to display the events.
You might consider setting up Scheduled eventlog scanning in order to rescan the eventlog on specific machines with a shorter interval.
More details on eventlog scanning for non-error events can be found in this KB article.