Windows File Server


(Hassan Nashrah) #1

I need to monitor which user accessed which files in a network share at offline times. From a Windows file server, is there a way I can get this information and send it to ELK to monitor?

I need to grab their IP address/AD username and time accessed + timestamps.


(Magnus Bäck) #2

If Windows is able to log this information I'm sure Logstash or one of the Beats can pick it up, but the question of how to get Windows to log this is better asked elsewhere.


(Hassan Nashrah) #3

Yes, I know. I searched the internet for whether it's available in Windows. I thought someone might have an answer here, or an implementation done as such, so they could give me the answer.


(Nick Erber) #4

Windows Event Log is a large topic and it would be too much to write a whole guide on how to do exactly what you want, but in short you have to do these three steps:

  1. You have to enable auditing File System events in Windows and configure a SACL. A good basic guide can be found here:

  2. Use Winlogbeat to send the Windows Events generated by the enabled auditing (1) to your Logstash/Elasticsearch instance.

  3. Then you can search for the event with the event_id 4663 in Elasticsearch. This event is generated when an object you configured in the SACL is accessed.
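
Steps 1 and 3 of the reply above, as an added PowerShell example that is not part of the original thread: it enables File System auditing, adds an audit entry (SACL) to a share folder, and reads back the resulting 4663 events locally before Winlogbeat ships them. The folder path and the audited principal and rights are assumptions; run it from an elevated session on the file server.

```powershell
# Assumption: hypothetical share folder; replace with the folder behind your share.
$SharePath = 'D:\Shares\Finance'

# Step 1a: enable the "File System" audit subcategory (name as shown on
# English-language Windows; the subcategory name is localized).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 1b: add a SACL entry so access to the folder tree generates audit events.
# Assumption: audit Everyone for read, write and delete, inherited by children.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Step 3 (local check): list recent 4663 events with user, object and time,
# the same fields you would later search for in Elasticsearch.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # EventData is a list of <Data Name="...">value</Data> elements.
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $evt.TimeCreated
            User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask
            LogonId    = $data.SubjectLogonId
        }
    }
```

Event 4663 records the account, object and time but not the client address. For the IP address asked about in the first post, the Detailed File Share audit subcategory's event 5145 includes the source address of the share access.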

