Windows File Server

I need to monitor which user accessed which files in network share. at offline times. from windows file server is there a way i can get this information and send to ELK to monitor.

i need to grab their IP address/AD username and time accessed + timestamps

If Windows is able to log this information I'm sure Logstash or a one of the beats can pick it up, but the question of how to get Windows to log this is better asked elsewhere.

Yes I know . searched internet whether its available in windows.. thought someone might have an answer here or implementation done as such so could give me the answer

Windows Event Log is a large topic and it would be too much to write a whole guide on how to do exactly what you want, but in short you have to do these three steps:

  1. You have to enable auditing File System events in Windows and configure a SACL. A good basic guide can be found here:

  2. Use Winlogbeat to send the Windows Events generated by the enabled auditing (1) to your Logstash/Elasticsearch instance.

  3. Then you can search for the event with the event_id 4663 in Elasticsearch. This event is generated when an object you configured in the SACL is accessed.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.