Archive for April, 2013

Lepide File Server Auditor – file servers under surveillance

Thursday, April 11th, 2013

After I wrote last month about Lepide Event Log Manager, this time I am looking at another interesting piece of software from the same company, this one intended for monitoring file servers.
The ability to monitor changes to the resources a file server hosts is very useful, especially where critical documents and content are concerned. The built-in auditing in Windows Server (object access auditing enabled through Group Policy, with SACLs on the audited folders) does provide the raw information, but locating the relevant events in the Security log and interpreting them correctly is often time-consuming and sometimes problematic.
Dedicated software focused on this kind of monitoring is therefore very useful for many organizations.

Like Event Log Manager, File Server Auditor has a simple, intuitive interface and a relatively lightweight configuration. Installation is straightforward and the hardware requirements are modest. Once the software is installed, you add the file servers to be monitored and deploy the agent to them, supplying credentials with sufficient rights on those servers. From that point the agent monitors changes on the server in real time, according to the settings made in the File Server Auditor console.

Screenshot: Settings console

The central element that controls monitoring in File Server Auditor is the Audit Rule. Audit rules are assembled from several components, so it is advisable to configure those sub-components before creating any rules, unless you intend to leave everything at the defaults (which means monitoring everything, all the time, which is rarely the best option: the sheer volume of events makes the interesting ones harder to find). If you prefer a more targeted approach, the following elements can be configured:

Lists

· Events: here you choose the types of events to track, for example files being opened, read, modified, deleted or renamed, and changes to the SACL and DACL. The same events can be tracked for folders. The default event list includes every supported event, which generally produces a pile of logs, so it is wise to narrow it down somewhat.

· Process: you can restrict auditing to the processes that make the changes on the file server. Again, all processes are selected by default; if only certain processes interest you, the list can be narrowed to them.

· File Name & File Type: as you would expect, you can filter by file type (specified as extensions) or by file name (where wildcards are also allowed), so that only the files matching the defined criteria are audited.

· Directory: if you want to track the contents of particular folders on the file server, this is where you specify them; the list can contain one or more folders.

· Drive: you can also choose the drive letters on the server that are audited. Since drive letters vary from server to server, and the other options already allow precise filtering, this can be left at the default, which includes all drives. Alternatively, you can exclude the system drive (usually C:) and focus logging on files on the data drives.

· Time: the last element (or list, as the console calls them) defines the time range for auditing. By default monitoring is continuous, but this can be changed so that auditing happens only during certain intervals.

From these elements you build an Audit Policy and finally the Audit Rule, which combines the list of servers to monitor, the users whose activity you want to audit (all users by default, but this too can be narrowed), and the policy created earlier.

Screenshot: Audit rule

This modular approach to configuration is quite effective, and once the structure is set up, any of its components can easily be changed. In essence, the configuration components (somewhat awkwardly called lists in the user interface) make up an audit policy, which is then assigned through an audit rule to the specified server or servers and the corresponding user or users.
Users are defined through the User Group option, where you create groups of users to associate with the appropriate audit policies. Groups created here exist only within the application and are not visible outside it. It is especially convenient that users can be picked directly from Active Directory, and that an audit policy can be attached to the new group in the same place, which shortens and simplifies configuration.
The console settings also let you configure alerts, sent by e-mail or SMS, that fire when an event matching a defined query occurs, and you can back up (and, if necessary, restore) the configuration. Since a full configuration can take quite some time, I advise you to be sure to make that backup.

The second part of the management console is for reporting on what the configured rules collect. It is based on SQL Server reporting, which has to be set up during installation. The reports are clear and easy to read, even though the console itself (like the one in Event Log Manager) looks a bit dated. Curiously, the look of the application can be switched between a variety of skins (Windows XP, Office 2007, Visual Studio and so on), which is not particularly useful, but it is cute.

Screenshot: Reports console
The predefined reports cover all changes; read attempts (successful and failed); file and folder creation (again successful and failed); modifications to any resource; and changes to permissions on files and folders (SACL and DACL). Each report can be further refined with filters on time, server, users, files, folders, processes and specific events; in essence, any of the configurable parameters discussed earlier can be used as a filter. Custom reports can also be created.
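The Audit Rule components described earlier and the report filters just listed both correspond to things Windows itself records once object access auditing and a SACL are in place. What follows is an added example, written for this post rather than taken from it or from Lepide, showing that native plumbing in PowerShell: the audit policy and SACL on one side, and on the other a query over the Security log that filters on the same dimensions (time, user, process, directory, file type, event type). The folder D:\Finance, the 24-hour window, the file-type pattern, the BackupAgent.exe process name and the svc_ account prefix are assumptions made for the example; everything else is standard Windows and .NET.

```powershell
# Added example (not code from the original post or from Lepide): native Windows
# object-access auditing, which a file server auditor builds on. Run in an elevated
# PowerShell on the file server; reading a SACL and the Security log needs admin rights.
# Assumed for the example: D:\Finance, a 24-hour window, the *.docx/*.xlsx pattern,
# a backup process called BackupAgent.exe and service accounts named svc_*.

# 1. Enable the audit subcategory that SACL entries feed. The Group Policy equivalent is
#    Advanced Audit Policy Configuration > Object Access > Audit File System.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Put a SACL on the directory: the console's Directory, Events and Users choices.
#    Everyone, write/delete/permission changes, inherited by sub-folders and files.
$path = 'D:\Finance'
$acl  = Get-Acl -Path $path -Audit                 # -Audit reads the SACL (SeSecurityPrivilege)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Read back what Windows recorded. 4663 = an attempt was made to access an object
#    (the actual read/write/delete); 4670 = permissions on an object were changed
#    (DACL/SACL). The StartTime bound is the console's Time filter.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670; StartTime = $since }

# Partial map of AccessMask bits relevant to a file server (not every bit is listed).
$accessNames = @{
    0x1     = 'ReadData'; 0x2     = 'WriteData'; 0x4     = 'AppendData'
    0x10000 = 'Delete';   0x40000 = 'WriteDac';  0x80000 = 'WriteOwner'
}
function ConvertFrom-AccessMask([string]$Mask) {
    if (-not $Mask) { return '' }                      # 4670 events carry no AccessMask
    $v = [Convert]::ToInt64($Mask, 16)                 # arrives as a hex string such as '0x2'
    ($accessNames.Keys | Where-Object { $v -band $_ } | ForEach-Object { $accessNames[$_] }) -join ','
}

# Flatten each event's XML EventData into the columns the console filters on.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Process = $d['ProcessName']
        Object  = $d['ObjectName']
        Access  = ConvertFrom-AccessMask $d['AccessMask']
        Success = ($e.KeywordsDisplayNames -contains 'Audit Success')
    }
}

# 4. Directory, File Name & File Type, Process and User filters as Where-Object clauses:
#    Office documents under D:\Finance, ignoring the backup agent and service accounts.
$rows |
    Where-Object { $_.Object -like 'D:\Finance\*' -and $_.Object -match '\.(docx|xlsx)$' } |
    Where-Object { $_.Process -notlike '*\BackupAgent.exe' -and $_.User -notlike '*\svc_*' } |
    Sort-Object Time |
    Format-Table Time, Id, User, Process, Object, Access, Success -AutoSize
```

Running this once on a real file server makes the comparison in the article concrete: the policy and the SACL are a handful of lines, but the event volume, the decoding of AccessMask values and the need to correlate users and processes by hand are exactly the work a dedicated auditing tool takes off your plate.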

Conclusion

LepideAuditor for File Server is a very useful piece of software. It does not take many resources, nor does it have a complicated configuration. A few things could be improved (the terminology in the console and the graphical interface, for instance) but, most importantly, it does the job. More information about the product can be found on the Lepide portal.