Monitoring File Access with SCOM

A while ago a request came in for us to monitor access to a number of files, so how do we do this in SCOM? What we need to do is turn on file auditing for the files we wish to monitor. Once auditing is turned on, event ID 560 entries will be written to the Security log of the server hosting the files. After that we just need to create a rule to scoop up the 560 events related to the file you want to monitor.

To set up file auditing do the following

Now that we have auditing set up for the file, event 560s will be generated in the Security log. So what does it look like?

Event Type:     Success Audit
Event Source:   Security
Event Category: Object Access
Event ID:       560
Date:           2/1/2010
Time:           6:39:25 PM
User:
Computer:
Description:
Object Open:
     Object Server:        Security
     Object Type:          File
     Object Name:
     Handle ID:            27120
     Operation ID:         {2,119270289}
     Process ID:           4
     Image File Name:
     Primary User Name:    FPSHRP2$
     Primary Domain:       DOMAIN
     Primary Logon ID:     (0x0,0x3E7)
     Client User Name:
     Client Domain:
     Client Logon ID:      (,)
     Accesses:             ReadData (or ListDirectory)
     Privileges:           -
     Restricted Sid Count: 0
     Access Mask:          0x1

For more information, see Help and Support Center at

So there is a lot of good information in this event. The User is the ID of the person who accessed the file, the Object Name is the name of the file we have auditing turned on for, Image File Name is the program used to access the file (this is only populated if the file was accessed from the server the file lives on), and Accesses is the type of access that was requested.

A lot of the information we want from this alert is contained in the EventDescription area. This event has parameters that we can key off of and use when building our rules. For more information about parameters and how to use them, check out Kevin Holman's blog post.

So now let's create the rule to scoop up the event! You could create this rule in the Ops Console or the Authoring Console. As I have started to do a lot of management pack authoring I have begun to use the Authoring Console more frequently, so that is what I will use in this example.

This is the 'file name' that I am talking about from the event above: G:\DUMMY FILE PATH\Stand Alone
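As an added example (this is not code from the original post or from a Microsoft management pack), here is what such a rule looks like in management pack XML, which is what the Authoring Console writes out behind the scenes. The management pack ID, rule ID, reference aliases (Windows, Health), library versions and the alert text are assumptions; the file path is the one from the post. The rule keys off EventDescription with a substring match rather than a numbered parameter, because the post does not give the parameter index that holds Object Name.

```xml
<ManagementPack ContentReadable="true" SchemaVersion="1.1"
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <Manifest>
    <Identity>
      <!-- Assumed management pack ID and version -->
      <ID>Example.FileAccess.Monitoring</ID>
      <Version>1.0.0.0</Version>
    </Identity>
    <Name>Example File Access Monitoring</Name>
    <References>
      <!-- Library versions are placeholders: use the versions in your environment -->
      <Reference Alias="Windows">
        <ID>Microsoft.Windows.Library</ID>
        <Version>6.1.7221.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
      <Reference Alias="Health">
        <ID>System.Health.Library</ID>
        <Version>6.1.7221.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
    </References>
  </Manifest>
  <Monitoring>
    <Rules>
      <!-- Assumed rule ID. It targets every Windows computer here; in production
           disable it by default and enable it with an override on the file server. -->
      <Rule ID="Example.FileAccess.Monitoring.Event560.Rule" Enabled="true"
            Target="Windows!Microsoft.Windows.Computer" ConfirmDelivery="true"
            Remotable="true" Priority="Normal" DiscardLevel="100">
        <Category>Alert</Category>
        <DataSources>
          <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
            <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
            <LogName>Security</LogName>
            <Expression>
              <And>
                <!-- First condition: the event ID must be 560 (Object Open) -->
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value Type="UnsignedInteger">560</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
                <!-- Second condition: the description must name the audited file -->
                <Expression>
                  <RegExExpression>
                    <ValueExpression>
                      <XPathQuery Type="String">EventDescription</XPathQuery>
                    </ValueExpression>
                    <Operator>ContainsSubstring</Operator>
                    <Pattern>G:\DUMMY FILE PATH\Stand Alone</Pattern>
                  </RegExExpression>
                </Expression>
              </And>
            </Expression>
          </DataSource>
        </DataSources>
        <WriteActions>
          <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
            <Priority>1</Priority>
            <Severity>1</Severity>
            <AlertMessageId>$MPElement[Name="Example.FileAccess.Monitoring.Event560.Rule.AlertMessage"]$</AlertMessageId>
            <AlertParameters>
              <!-- Put the whole description into the alert so the User, Accesses
                   and Image File Name fields are visible without opening the event -->
              <AlertParameter1>$Data/EventDescription$</AlertParameter1>
            </AlertParameters>
          </WriteAction>
        </WriteActions>
      </Rule>
    </Rules>
  </Monitoring>
  <Presentation>
    <StringResources>
      <StringResource ID="Example.FileAccess.Monitoring.Event560.Rule.AlertMessage" />
    </StringResources>
  </Presentation>
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <DisplayStrings>
        <DisplayString ElementID="Example.FileAccess.Monitoring.Event560.Rule.AlertMessage">
          <Name>Audited file was accessed</Name>
          <Description>{0}</Description>
        </DisplayString>
      </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>
</ManagementPack>
```

Two things to keep in mind when using a rule like this. The Security log is high volume, so filter as tightly as you can inside the data source (the event ID and the file path in the expression above) rather than letting every audit event reach the write action. Event 560 is the Windows Server 2003 style object access event; on Windows Server 2008 and later the same file auditing produces events 4656 and 4663, so the event ID condition has to change for those servers.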

This entry was posted in Management Pack Authoring.